Crowdsourcing Jihad: IS and al-Qa‘ida’s Use of the Internet and Social Media – Part IV

IS: Your Grandpa’s al-Qa‘ida This Ain’t

It is of no doubt that IS is the most advanced and effective terrorist organization that the world has ever seen. It is the very best at recognizing these previously discussed technological paradigm shifts, adjusting their narratives accordingly and taking advantage of the situation. Geography is of no consequence; their objective is world wide, global domination.

Al-Qa‘ida was a discreet structure and element; they tried to migrate their philosophies to others, but the organization was almost contained and the United States government was able to make a lot of progress against them. IS represents the very worst in development. IS is a phenomenon that has snowballed in terms of resonance and appeal. And they have been very successful at generated a lot of resonance and appeal in states such as Iraq, Syria, Saudi Arabia, Algeria, Nigeria, Yemen, Libya, South Asia and Egypt.

In the United States it is apparent that IS is targeting its propaganda machine at the emotional needs of young Americans, regardless of their social or economic backgrounds. They implore people to engage and speak with the youth of America about their hopes, dreams, religious questions, etc. Federal Bureau of Investigation Director James Comey elaborated on the novelty of IS social media use:

Your grandfather’s al Qaeda, if you wanted to get propaganda, you had to go find it. Find where Inspire magazine was and read it. If you want to talk to a terrorist, you had to send an email into Inspire magazine and hope that Anwar al Awlaki would email you back. Now all that’s in your pocket. All that propaganda is in your pocket, and the terrorist is in your pocket. You can have direct communication with a terrorist in Syria all day and night, and so the effect of that – especially on troubled minds and kids – it works! It’s buzz, buzz, buzz, buzz, buzz. It’s the constant feed, the constant touching, so it’s very, very different and much more effective at radicalizing that your grandfather’s al Qaeda model.

Director Comey is touching upon what is categorized in this paper as the bio-digital evolution. As discussed, the youth and population in general experiencing the preliminary effects of how increased technological capabilities and continuous access to the Internet are affecting everyday lives. Reducing the schism between human biology and our technological machinery, between our physical reality and the networked virtual reality. As this divide becomes smaller and smaller, and in some instances has begun to intersect and overlap, people are able to exchange more information faster, not just with machines, but also with other people; this is a bio-digital, integration evolution. And Islamic extremists around the world are recognizing these paradigm shifts, adjusting their narratives accordingly and taking advantage of new opportunities.

Policy Memo: Mobile Device Security Update Amendment to NIST Cybersecurity Framework

1. Overview

Since the inception of cloud computing, the number of publicly available cloud services has and will continued to increase exponentially. The rising trend of bring your own device (BYOD) expands the landscape of organizational IT (Information Technology) by enabling employees to use their personal devices and access a wealth of cloud applications to increase their productivity at work. However, wireless devices like cell phones and iPads can access cloud applications without going through the data center fire walls and pose a major exposure for the introduction of malware. While application vendors will provide patches for malware or vulnerabilities that are identified, each application that is not properly updated by the user or that is not automatically updated by the host company with security patches, represents a vulnerability to the enterprise that can be exploited by hackers.

2. Purpose

The purpose of this policy is to address the commercial app vulnerabilities that are introduced to organizations by personal mobile devices, which are not under datacenter controls. The NIST (National Institute of Standards and Technology) Framework for Improving Critical Infrastructure Cybersecurity provides a systematic process for identifying, assessing, and managing cyber security risk. Under the section of this framework, which refers to Risk Mitigation (RS.MI-2), there is a NIST policy SP 800-53 Rev. 4 IR-4 that should be updated with an additional section title “IR-4 (11) Incident Handling: Mobile Device Security Updates” that addresses the need for app vendors to periodically send out automatic application updates that combat newly identified software vulnerabilities. Since mobile devices access public cloud applications outside of the control of the data center, one cannot ensure that security updates are implemented unless the application provider automatically pushes them to the device.

3. Scope

A key productivity driver of today is the use of mobile devices and the access that they grant to cloud services. Organizations are discovering that enterprise mobility can yield measurable operational and business improvements. These benefits come in the form of additional mobile assets that employees are already familiar with, thus reducing the barriers of training needed for many IT professionals to provide similar support and administration related to mobile devices. Employees use these devices for work without the organization having to spend any additional capital expenditures. This also raises employee job satisfaction by giving them the flexible working hour alternatives that they require.ii In addition, workers are using commercial apps to aid in enterprise activity. These software solutions would otherwise be unavailable, as the organizational IT department would never have the time or bandwidth to create these programs. These apps give the organization data solutions outside of their software infrastructure, thus giving the enterprise a competitive advantage. With these productivity benefits, the BYOD and commercial app landscape will continue to grow. This mobile landscape is, for the most part, a positive trend. Unfortunately, this evolving ecosystem opens up the enterprise to many new cyber security vulnerabilities. Contemporary security models and voluntary guidelines must be established to protect organizations data infrastructure.

4. Policy

Adopting no new policies for the evolving mobile and commercial app landscape would leave any organization highly vulnerable to cyber-attacks. With the growing prevalence of personal mobile devices and commercial apps, not adopting any new policy would make the question “if” the organization will be hacked, obsolete. Instead the question would be “when” the organization will be hacked. Not adapting to the evolving landscape with new cyber security policies is highly ill advised and impractical.

Furthermore it is not feasible to adapt a policy that requires no outside mobile devices and no implementation of commercial applications. It is an unfortunate reality that since the consumerization of IT, many workers now see their organizations IT department as the blocker that restricts their productivity. A strict policy that would require no outside mobile devices and no implementation of commercial applications would only further foster this internal conflict. More importantly, it would impede technological advancement of the business landscape and reduce productivity. The policing of this environment would also be difficult and would not only hinder productivity, but would probably end up costing the organization valuable resources and manpower. A well- defined and implemented mobility strategy can change this perception while still providing the overarching security framework that secures devices and commercial apps.

A potential solution for securing the mobile enterprise landscape is requiring mobile access management solutions (such as MobileIron, AirWatch, etc.) to be installed on every employee’s mobile device. These management solutions bring the devices within the controls of the datacenter, allowing for the ability to block commercial applications that have been categorized as “high-risk” or “compromised”. This policy however requires that every employee remember to check-in and download the mobile access management solution to every outside product that they have purchased.

Another potential policy solution would be for the commercial app vendor to require each individual app owner to apply the patch within a short window of time. If the patch is not applied to the individual mobile device, the app will be blocked from the user until the patch is downloaded and installed. This however could infringe upon the users tasks at hand. If the user is in the middle of a work related project and must reload the app, thereby losing all of the work, this is not an effective solution and is therefore not an efficient alternative.

When it comes to mobile landscape implementation, organizations need to consider the scalability and flexibility of their mobile platform, while being grounded by the underlying need for security. Keeping this in mind, the best security policy is for the individual public app vendor to automatically send out patches and update the application on each device. “IR-4 (11) Incident Handling: Mobile Device Security Updates” addresses the need for public cloud vendors to periodically send out automatic security updates to mobile devices to ensure that mobile devices have implemented the latest fixes or are blocked from using the application until the fix is applied. This solution recognizes and addresses the evolving mobile device and commercial landscape, while also not requiring additional access management solution software. It also gives the commercial app users the peace of mind that the work they are currently doing will not be damaged by software updates, and that they are using a secure app. App vendors that adhere to the NIST Framework for Improving Critical Infrastructure Cybersecurity will adopt this policy “IR-4 (11)” if this is added to the Risk Mitigation Section (RS.MI-2).

5. Policy Compliance

Protecting the evolving mobile and commercial app landscape requires a well-defined and implemented cyber security strategy. The NIST Cybersecurity Framework provides invaluable guidance to organizations. The Framework is a key blueprint for improving the cyber security of our Nation’s critical data infrastructure while increasing the cyber security posture of our Nation as a whole.

OptionsAnalysis

Crowdsourcing Jihad: IS and al-Qa‘ida’s Use of the Internet and Social Media – Part III

Al-Qa‘ida Loves the Internet

Since the Internet gained a substantial, international users base in the 1990s, Islamic extremists have frequently exploited the networked infrastructure.

Due to his privileged family heritage, élite education and Arab cultural upbringing, it is no surprise that from the beginning usāmah bin lādin (UBL) was cognizant of the power of public relations and the media. Al-Qa‘ida from its beginning, knew the value of computers, using them to store data, provided coded instructions, create false documents, obtain information, and setup Websites.

Al-Qa‘ida was the first of its kind with the protean ability to transform itself from a physical to a virtual organization. It meticulously planned events that would cause mass casualties and has a global reach. It is safe to say that al-Qa‘ida loves the Internet. Before 9/11, instant messaging and emails allowed al-Qa‘ida to give and receive operational information for surveillance and attacks when phone or even person-to-person contact seemed too hazardous. In late 2001 a treasure trove of evidence emerged when Alan Cullison of the Wall Street Journal was able to purchase 2 computers used by UBL. Both of UBL’s computers contained diverse sets of communications between al-Qa‘ida members. Although the saved emails that Mr. Cullison was able to access did not look like they were communicating about any operations against the United States, they could have coded instructions for future operations worldwide. Al-Qa‘ida’s secrecy concerns led the organization to utilize heavily coded language, concealing coded messages and information within other nonsecret text, this technique is called steganography. Cullison notes:

As Al Qaeda established itself in Afghanistan in the late 1990s and began managing international operations of ever increasing complexity and audacity, the group focused on ensuring the secrecy of its communications. It discouraged the use of email and telephone and recommended faxes and couriers. The electronic files reflect the global nature of the work being done; much of the correspondence was neatly filed by country name. Messages were usually encrypted and often couched in language mimicking that of a multinational corporation; thus Osama Bin Laden was sometimes “the contractor,” acts of terrorism became “trade,” Mullah Omar and the Taliban became the “Omar Brothers Company,” the security services of the United States and Great Britain became “foreign competitors,” and so on. Especially sensitive messages were encoded with simple but reliable cryptographic system that had been used by both Allied and Axis powers during World War II.

A sample of what Mr. Cullison is describing can be found in an email communication sent on February 1, 1999 from Ayman al-Zawahiri, at that time UBL’s chief deputy, to al-Qa‘ida cell members in Yemen:

I would like to clarify the following with relation to the birthday [probably an unspecified attack]:

a) Don’t think of showering as it may harm your health.

b) We can’t make a hotel reservation for you, but they usually don’t mind making reservations for guests. Those who wish to make a reservation should go to Quwedar [a famous pastry shop in Cairo].

c) I suggest that each of you takes a recipient to Quwedar to buy sweets, then make the hotel reservation. It is easy. After you check in, walk to Nur. After you attend the birthday go from Quwedar to Bushra St., where you should buy movie tickets to Za’bolla movie theater.

d) The birthday will be in the third month. How do you want to celebrate it in the seventh? Do you want us to change the boy’s birth date? There are guests awaiting the real date to get back to their work.

e) I don’t have any gravel [probably ammunition or bomb-making material].

Al-Qa‘ida used encrypted messaging. The coded language that al-Qa‘ida used, mimicked that of a multinational corporation (MNC), which is interesting because they also physically acted like an MNC. An example of this is when al-Qa‘ida affiliates actually physically went to South East Asia, like an international corporation for recruitment and discussions. This is the old way of doing “business”.

Crowdsourcing Jihad: IS and al-Qa‘ida’s Use of the Internet and Social Media – Part II

Exponential Technological Advancement & Paradigm Shifts: Increasing Empowerment Given to the Nodes “fi sabilillah

In 1965, the then director of research and development at Fairchild Semiconductor, Dr. Gordon Moore, hypothesized that the number of components (transistors, resistors, diodes or capacitors) in a dense integrated circuit would double approximately every two years, equating to an exponential growth in digital and technological capabilities. In the three decades since 1970 the power of microprocessors has increased by a factor of 7,000. “Moore’s Law” is of course, not a natural or physical law, it is just one of many other projections for technological advancement. And as technology advances, becoming smaller, more powerful and easier to use, the more seamlessly integrated it is into our everyday lives. The entire concept of a user interface is changing; it is becoming ubiquitous.

The same year Dr. Moore published his projections; the Control Data Corporation (CDC) delivered what is generally thought to be the world’s first supercomputer, the CDC 6600, to the European Organization for Nuclear Research or CERN laboratory near Geneva, Switzerland. This and many of the other supercomputers sold after were primary used to perform nuclear study analyses. The CDC 6600 was about the size of a large room, had performance of up to 3 megaFLOPS and was not connected to the Internet because the Internet did not exist yet. Today, most people carry around a smartphone, which is about the size of a wallet, has performance of up to 115.2 gigaFLOPS and is connected to the Internet, a global system of interconnected computer networks that uses the Internet protocol suite (TCP/IP) to link billions of devices worldwide.

Currently high-powered computers and the Internet are easily accessible by nearly half the world’s population. And by 2020, Google’s executive chairman Eric Schmidt projects that everyone in the world will be connected to the Internet. Furthermore, in January 2015, at the end of a panel discussion at the World Economic Forum in Davos, Switzerland, Dr. Schmidt predicted the end of the Internet:

I will answer very simply that the Internet will disappear. There will be so many IP (Internet Protocol) addresses… so many devices sensors, things that you are wearing, things that you are interacting with that you won’t even sense it. It will be part of your presence all the time. A highly personalized, highly interactive and very, very interesting world emerges.

A fascinating, bold new world with technologically advanced security concerns.

We are now experiencing the preliminary effects of how increased technological capabilities and continuous access to the Internet are affecting our everyday lives. The emergence of the Internet of Things (IoT) is reducing the schism between human biology and our technological machinery, between our physical reality and the networked virtual reality. As this divide becomes smaller and smaller, and in some instances has begun to intersect and overlap, we are able to exchange more information faster, not just with our machines, but also with other people; this is a bio-digital, integration evolution. We are becoming part of the IoT and Islamic extremists around the world are recognizing these paradigm shifts, adjusting their narratives accordingly and taking advantage of new opportunities. However an interesting additional point is that potential recruits and people curious about Islamism do not have to search for new content and information about these groups.

In a number of cases, individuals joining the jihad and taking up arms were indoctrinated via legacy data; meaning much value is still being extracted by potential extremists from old content that could be extremely difficult, if not impossible to deleted from the Internet. For instance, videos of Anwar al-Awlaki, who was killed by a United States unmanned aerial system (drone) strike in 2011, are extremely common amongst the new generations of recruits to both IS and al-Qa‘ida. With a blog, a Facebook page, the al-Qa‘ida magazine Inspire and many YouTube videos, Anwar al-Awlaki was described by Saudi news station Al Arabiya as the “bin Laden of the Internet.” Now we see one of the great issues: once digital content is created on the Internet, it is nearly impossible to delete.

The Internet never forgets. At first, some tried manipulating the Web results on their own, by doing things like manually deleting photos from Flickr, revising Facebook pages and asking bloggers to remove offending posts. But like a metastasized cancer, the incriminating data had embedded itself in to the nether reaches of cyberspace, etching into archives, algorithms and a web of hyperlinks.

“Technology gives us power, but it does not and cannot tell us how to use that power. Thanks to technology, we can instantly communicate across the world, but it still doesn’t help us know what to say.”

 ~ Jonathan Sacks

As technology continues to advance at an exponential rate and becomes more and more part of our physical lives, terrorists will seek to exploit this interconnectedness to spread their extremist ideologies, recruit, raise money, perform illegal activities, etc. We are seeing only the very beginnings of this phenomenon globally as many nation states are under attack by individuals that are identifying with sub-national groups, empowering the nodes and calling the principles of Westphalia sovereignty into question.

Below is a map highlighting the worldwide attacks inspired or directed by IS:

GlobalAttackMap

Obviously, the Westphalia definition of sovereignty is of little concern to an Islamic extremist ideology whose goal is world domination. And as technology continues to accelerate and become ubiquitous, even sub-national group networked affiliation will not be required. The individuals will be inspired on their own, through their own access and use of the Internet. This trend is now evidenced by increased lone wolf attacks.

Crowdsourcing Jihad: IS and al-Qa‘ida’s Use of the Internet and Social Media – Part I

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”

~ Bruce Schneier

 

On December 2, 2015, 14 people were killed and 24 injured during a Christmas party at the Inland Regional Center in San Bernardino, California. The perpetrators were an American born, United States citizen of Pakistani-descent, Syed Rizwan Farook and his Pakistani wife Tashfeen Malik, a married couple living in the city of Redlands. Since there are currently no known links to any terrorist cell, this attack appears to have been an Islamic extremist (i.e. Islamist) inspired, lone wolf terrorist attack, which was crowdsourced through the Internet. This was the third deadliest terrorist attack on United States soil since September 11, 2001.

Two weeks later, the San Bernardino attack influenced the shut down of the entire Los Angeles school district when they received a bomb threat that had been emailed to the two largest school districts in the US: New York and Los Angeles. New York chose not to respond mostly because of the lack of proximity of the San Bernardino event. It is important to note however that this threat could have been a physical world penetration test, meant to gauge the emergency action protocols for both districts in order to help plan for future terrorist plots.

Since the Internet gained almost global usage in the 1990s, Islamists have exploited its networks. Islamist propaganda and recruitment attempts are pervasive on the Internet, both via indexed and non-indexed sources. This allows Islamists to easily and effectively spread their violent extremist ideology worldwide, to potentially every node/person on the global network. With the ability to access the Internet, Islamic extremists are able to utilize all of the social media tools that allow people to create, share or exchange information, ideas and pictures/videos in virtual communities and networks. However the Internet is not just used for publicizing their extremist narratives or indoctrinating new jihadists. Islamic terrorists from all areas of the world use the Internet as a median to gather intelligence, coordinate logistics, conduct reconnaissance (“footprinting” when gathering information about computer systems), mapping targeted locations, flight training, improvised explosive devise (IED) assembly training and the list goes on and on. The Internet is also used to train, fundraise and recruit.

The so-called Islamic State (IS) and al-Qa‘ida are increasingly using the Internet and social media as a platform to broaden their audience and to indoctrinate/convert more people to their extremist ideologies.

Passwords in Theory

Passwords. The latchkeys of our digital lives. They are seemingly inescapable, yet also surprisingly ineffective at providing the security that forms the basis of our economic and personal activities.

Humans have used passwords for thousands of years. We first see them as watchwords, a secret code one gives to the watchguards in a military situation in order to  authenticate yourself as a friendly. These were used in classical times, and even during World War 2. During the D-Day operation disparate airborne forces, some many miles from their intended zones, had to authenticate themselves to other groups of Allied forces on the ground. Hence they developed a password based authentication system, as seen below:

Guard’s Challenge: “Flash!”

Friendly’s Password: “Thunder!”

Guard’s Countersign: “Welcome!”

If any of these parts were missed, either side would know they were not dealing with a friendly, and possibly open fire.

Passwords also served a historic role in secret societies, authenticating yourself to people who you may have never met, such as in the Freemason signal of distress, “O Lord, My God, Is there no help for the Widow’s Son?” given by a Master Mason when his life is in danger to signal to all other Freemasons nearby that he is a Master Mason and demands their aid. However, even in contemporary times, these types of passwords failed for a number of reasons. When the membership of the group is not strictly controlled group passwords can be released and become public, making the authentication that the password is designed to accomplish fail completely. For instance, the secret codes and handshakes of Freemasonry were widely published in the 1800’s.

In the military context, there is the story of the 414 B.C.E. siege of the Syracusan city of Epipole by the Athenians. The Athenians were routed in part due to reliance on their watchword, which was quickly learned and used by their enemies. Thucydides records the rout as follows:

“the Athenians were seeking for one another, taking all in front of them for enemies, even although they might be some of their now flying friends; and by constantly asking for the watchword, which was their only means of recognition, not only caused great confusion among themselves by asking all at once, but also made it known to the enemy, whose own they did not so readily discover, as the Syracusans were victorious and not scattered, and thus less easily mistaken. The result was that if the Athenians fell in with a party of the enemy that was weaker than they, it escaped them through knowing their watchword; while if they themselves failed to answer they were put to the sword.”

 

These cases demonstrate some of the foibles of authentication using passwords. Of course, these problems are also present in our modern authentication systems. If a site like Rockyou is hacked, and the results are published online (in that case 32.6 million unencrypted email addresses and passwords) all the accounts are compromised. Moreover, due to the disastrously bad habit of password reuse across multiple sites, the impact spirals outwards onto many other sites. The Rockyou hack was especially broadly damaging because it provided attackers with a ready made dictionary of popular passwords for future use in dictionary attacks on other sites. Another hack with a similarly massive impact was the attack on Adobe, wherein 153 million 3DES encrypted passwords alongside unencrypted password hints were released. The inimitable comic xkcd does an excellent job of explaining the impact:

Encryptic

Above was shown the risk posed by publication of passwords. But what about modern Syracusan eavesdroppers? Keyloggers have become an almost ubiquitous tool in the surreptitious theft of login credentials and can take any number of forms, starting with cheap hardware sitting between the input device and the computing device, looking something like this:

More advanced versions of this idea are seen in the NSA’s ANT (Advanced Network Technology) catalog, with a keylogger that can be remotely illuminated by a radar system to receive back the keystrokes as they happen. There are also similar devices that act as a wireless bridge, built into the hardware of peripheral devices (keyboards/mice etc)  to allow access even to systems which have been isolated from the internet for security reasons. There are also many types of software keyloggers, operating at different levels and possibly residing in various data storage locations in the computer, making removal very difficult.

One of the more ubiquitous (and tragically weak) password architectures is used by ATM systems. Journalist Brian Krebs has made a lot of progress tracking the physical keylogging and magnetic strip skimming devices used in this field of cybercrime, which vary widely between fake keypads, skimmers and hidden video cameras, capturing the card data and the insecure 4 digit numerical passwords used by these systems.

There is another common vulnerability in the password based authentication systems used today- the “Forgot your Password?” link next to every login box on the internet. These systems, and the ability to call in and have a password reset just by guessing a few personal details, have made the spread of breaches much easier (your email account being comprised lets an attacker also reset many of your other passwords). This is in response to most people not being able to remember long and complicated passwords, especially when those passwords are used rarely or saved in browsers, letting them pass from memory entirely.

Another related issue is the use of password keeping services. These have become a popular method of creating and storing long and complicated passwords for all of a user’s online accounts. One of the online services for this is LastPass. LastPass recently revealed that they have been hacked, and that the attackers gained an encrypted list of all master passwords used by users to access their password vaults. The breach also revealed unencrypted password hints and email addresses. While not as troubling as the Adobe or Rockyou breaches due to better use of cryptography and individual salts, this breach demonstrates the danger of trusting a single point of failure in a user’s password scheme.

The combination of these issues shows fundamental problems in how passwords are employed, and the tenuous grasp most users have on their security. One response to this problem is to use biometric identifiers in place of password systems. This approach is based on the idea that the biometric signs collected and verified by the system are unique to the user. The most prevalent biometric in use today is the fingerprint.  Fingerprint biometric systems have been employed on the recent lines of the Iphone (5s and the 6 series) and on a number of other Apple products under a system which they call Touch ID. Biometric Identifiers have also been added to many national passports.

There are a few problems here, and for certain individuals the risk posed by reliance on biometrics is much greater than that posed by properly implemented password systems. Fingerprints are especially problematic in this regard. In 2008 a hacking collective called the Chaos Computer Club published the fingerprints of then German Interior Minister Wolfgang Schauble. The fingerprint was printed on a piece of plastic and distributed with the group’s magazine. The group apparently acquired his fingerprint from a glass of water he had used at a conference. In 2014 the group also published the fingerprint of the Defense Minister, Dr. von der Leyen. They acquired her fingerprint using photos they had taken of her thumb from 9 feet away using a standard camera. Previous to this, Starbug (the researcher who cloned the defense minister’s fingerprint), demonstrated a hack of Apple’s Touch ID less than 48 hours after the release of the Iphone 5s, the first product to carry it. Other systems of biometric identification such as voice detection and retinal scans can be similarly collected and faked, but at greater cost and effort and to start with are much more prone to false negatives. It is also worth noting here that while she was Secretary of State, Secretary Clinton sent a memo (later released by Wikileaks) asking State Department employees to gather biometric data on other world leaders and international diplomats.

Another method towards more secure authentication is the use of Two Factor Authentication (2FA). This is absolutely commendable and should be pursued. A more in-depth analysis of 2FA is somewhat outside of the scope of this essay, but should be engaged in, as there have been a number of cases in recent memory where poor implementation has defeated what is theoretically a superior system to the use of a password alone.

The conclusion that I have reached is that the best authentication solution lies in strong passwords, held in the only electronically inviolate space, memory. This is obviously not an easy task, but avoids many of the pitfalls of other systems. The problem then falls on the two component parts- what is a strong password, and how do we hold it in memory?

Strong Passwords

To address what a strong password is, it is absolutely necessary to begin from an attacker’s perspective. How are passwords attacked? In general there are three common methods (outside of direct theft through eavesdropping as covered earlier). These are: Brute Force attacks, Dictionary (and targeted dictionary) attacks, and Rainbow Table attacks. A brute force attack tries all possible characters for a given keyspace. This attack will always work. However, at longer password lengths it quickly becomes uneconomical or downright infeasible. At less than eight characters it is still entirely possible, as a password that is exactly eight characters long, including upper and lowercase a-z, numbers, and special characters/punctuation will only have 94^8 possibilities, or a total of around 6 quadrillion. Sure, this seems insane, but a brute force attack against even a number that astronomical is well within the capabilities of  a dedicated and well resourced attacker. A four character password would only have 94^4 possibilities, or around 78 million. That is very much within the computation abilities of a smartphone or home computer to brute force within a reasonable timeframe. So to defeat the brute force attack, the key is to increase the length of the password. In this case, the attacker cannot usually assume a set password length, and so will try all 4 character passwords, then all five, all six and so on, which does add to the length of time necessary, but once the correct password is found the attack does not need to continue.

Dictionary attacks prey on an inherent weakness of users- the desire for simplicity. If choosing a six character password, an (english speaking) human is much more likely to pick kitten than they are to pick 1h4^B*.  If we go by the Oxford dictionary, there are only around 170,000 words in current use. Even when accounting in the dictionary for permutations like k1tt3n or K!tt3N, etc, a dictionary attack will take much less time to find most human generated passwords than a brute force attack. To defeat the dictionary attack: do not use single words, or single words with permutations as a password. However, let’s assume the attacker somehow knows we are only using all lowercase words and no numbers or special characters in our password and can design their attack accordingly. At one word long, the attacker needs to try 170,000 possibilities. At two (randomly chosen) words, they will need to deal with 170k^2 or about 29 billion possibilities. At three words in the phrase they are looking at 4.9 quadrillion. At four words they are already dealing with 835 quintillion, a keyspace that is essentially outside of the capabilities of even governments for the time being. An even more math heavy discussion of keyspace can be found here.

A targeted dictionary attacks preys on known information about the target. A custom dictionary is built and populated with common passwords and words which may be related to the target. To defeat this, passwords should have nothing to do with the user choosing them. No children, spouse, or pet names, no streets, no favorite bands or sports teams, no bible verses or names, etc.

To understand the rainbow table attack it is necessary to backtrack somewhat and explain how passwords are actually used and attacked in our systems. When a user types in their password, unless the system has been designed in a very insecure way (cough cough, Rockyou), that password is not used directly for authentication. The password is put through a one way fuction, called a hash function. This hash function runs on the user password, and only the output of the function is passed to the authentication service. The service then compares this received hash to the one listed in the database for that user, and decides to allow access or deny it. So (kitten) goes into the (hashFunction) yielding (1ad7e0fc), which is then checked against the database. The process with look something like this, of course dependent on the actual hash function used:

Notice here that small changes in the input result in very different output values. The important thing with hash functions is that the value created from the hash function and the hash function itself cannot be reversed to easily find the original input password. Even if the database or traffic of hashes is compromised by an attacker, all they have is the hashes, not the passwords used to generate them. They still cannot log in and gain the access of a normal user or impersonate them (one caveat is pass the hash attacks). To gain access they have to run the hash function themselves, brute forcing or dictionary attacking to find either the plaintext password that creates the hash, or another plaintext password which creates the same hash (called a collision). The Rainbow Table is a way to do the brute force attack beforehand, and simply have a rapidly searchable database of all of the possible hashes and the plaintext password that creates them. When combined with faster data storage methods such as solid state drives, the necessary plaintext password can be found very quickly indeed just by looking up the hash value. Mitigating the Rainbow table requires the system architect to use a system called cryptographic salting. In this system a different random string of characters is added to each password in the hashing process. The salt does not change on individual passwords, but each entry in the database has a different one. This means that to do a Rainbow Table attack, a full brute force table would need to be generated for every possible salt as well. This very quickly becomes impractical for just about all attackers.

The take away from this section is that passwords should be long, not consist of just one or two words even with permutations, and not be related to the user in any meaningful way. If words or a phrase are used, the words should ideally be uncommon, and numbers and special characters should also be used. Additionally, system architects need to use salts with hash functions to prevent Rainbow Table attacks. Password reuse across multiple sites should also be avoided if at all possible.

Memorable Passwords

As seen above, some of the optimal attributes for computer passwords are things like a high degree of randomness and a large character set. This, however, will result in passwords that are difficult for human users to remember; leading to practices such as keeping passwords written down at one’s desk or reliance on a password keeper in the cloud or otherwise. To balance these competing interests users need to develop personal systems for creating passwords that are both strong and memorable.

The “Arts of Memory” as they are commonly understood were first put forward by ancient Greeks. One of the first methods in those arts, the “Method of Loci”, was invented by the poet Simonedes of Ceos,  apocryphally after he stepped out of a dining hall moments before the hall collapsed and killed those inside. During the excavation Simonedes was called upon to name the guests that were inside. He was able to complete the task by imagining where each guest was seated. This method works by associating each piece of data (someone’s name) with a location in imaginary space, leveraging natural capabilities for spatial memory. In antiquity and in modernity this method has been used to accomplish incredible feats of memory, such as monks in the Middle Ages memorizing entire books, or Simon Reinhard setting a world record in 2010 by memorizing the order of a shuffled deck of cards in 21.9 seconds.

If using method of loci for passwords, a few methods could be used. One could be imagining your house, and moving through it. Standing at the front door is a jackalope in a coma, holding an “@” sign. On the coffee table there are six big ribbons. Walking to the fridge there are two carrots hanging from it (^^). At the door to your bedroom are 12 pebbles you know are formed from Gneiss.  Combined, this imaginary walk through your house would help you remember that your password is jackalope,@6RIBBONS^^Gneiss12. At 29 characters long, this password is a bit unwieldy to type in. However, even if the attacker is only looking for 29 character passwords (unlikely) they would be dealing with 1.6×10^57 or 1.6 octodecillion possibilities, which should be basically unguessable. A computer capable of computing 10 quadrillion hashes per second (or capable of making 10 quadrillion login attempts per second) would need almost 5.27 decillion years to fully complete a brute force attack. In practice, due to probability, a brute force attack only needs to complete half of the possibilities before it is more likely than not that the correct password has been found, reducing expected time to solve to 2.635 decillion years, or about 191 sextillion times as long as our universe has existed. Also in practice this 10 quadrillion hash per second computer attacking your password can be upgraded to be twice as fast every 18 months according to the projection known as Moore’s law, though Moore’s law is not expected to continue to hold up for very long into the future due to physical limitations of computer chips, barring major leaps forward in quantum computing or nanotechnology. Suffice it to say your 29 character password using 94 possible characters should be safe from brute force attacks at least until long after your great-great-grandchildren are dead.

This said, method of loci is hardly even necessary to memorize a complex password, though it could certainly be useful and with dedicated practice even allow one to remember a completely random password accurately. A single complex image in memory can be used. Images that work best in this setting are those that are particularly humorous, macabre, profane or bizarre, as those tend to stick in the mind more than images which are mundane. For instance two komodo dragons fighting over a rubber ducky covered in hollandaise sauce and standing on a giant pound scale is an image that could help you to reliably remember the password 2komodoON#HOLLANDAISEducky, which at 26 characters is quite secure.

Another method of generating long memorable passwords is to create acronyms from memorized songs or phrases. For instance, in this case “row, row row, your boat gently down the stream, merrily, merrily, merrily, merrily, life is such a dream” could create the password 3R,ybgdts,4M,lisad if you remember to put in the commas and add numbers and capitalization for repeated words. This password is only 18 characters long, so not as secure by several orders of magnitude in comparison to some of our others, but is sufficient. Also, general knowledge of this method means that acronyms made from popular songs will be added to dictionary lists for dictionary attacks, including permutations, so well known songs or phrases from Shakespeare, the Bible or famous oratory are generally inadvisable. However if you memorized a song from someone’s b-track, or a random passage from Derrida or Joyce’s Ulysses, this method could prove workable and generally safe, especially if other characters are added in within your capabilities to remember them.

Conclusions

One of the safest systems of authentication we currently have is the use of a secret password. However, there are issues, including eavesdroppers and leak of passwords files, which can be very compromising. The best security strategy is one where a user has long and complex passwords for every login that she or he uses. The best way to maintain these passwords is by keeping them in the only safe space, the inside of your head. To aid in the task of maintaining a long list of passwords in memory, it is very helpful to use memory techniques and methods for creating complex passwords that are memorable.

 

 

 

Encryption as a Human Right- the Growth of “the Right to be Let Alone”

“The intensity and complexity of life, attendant upon advancing civilization, have rendered necessary some retreat from the world, and man, under the refining influence of culture, has become more sensitive to publicity, so that solitude and privacy have become more essential to the individual; but modern enterprise and invention have, through invasions upon his privacy, subjected him to mental pain and distress, far greater than could be inflicted by mere bodily injury.” – The Right to Privacy, Warren and Brandeis, 1890

The UN Human Rights Council Special Rapporteur on freedom of opinion and expression, David Kaye, has released a report declaring use of encryption and anonymization to be a Human Right. This development comes amid increasing movement by governments worldwide to restrict the use of these technologies.

Before addressing the content of the report it may prove instructive to delve into the foundations of privacy law in the West. One of the outstanding texts from the development period of privacy law is Warren and Brandeis’ “The Right to Privacy“, published in 1890. That essay concentrates primarily on establishing the idea of a right to privacy by examining common law in the US and the United Kingdom, and while it has little to say on the issue of government regulation of encryption per se, there is clear precedent for protection of a person’s papers and effects under the fourth amendment. The essay also establishes privacy as a right “to be let alone”. Warren and Brandeis focus specifically on the injury that may be caused by publication of material without the consent of those involved. One can see the Apple ICloud celebrity leak as a modern example of this type of damage.

So the picture that emerges here are two very different classes of privacy encroachment. The first is the publication of private details, be they of celebrities or not. This issue has dramatically changed in the age of self publishing, where there are essentially no barriers to entry for publishing, especially online. Many of the celebrity leaks have proven impossible to “un-publish” from the internet, and there is effectively no legal remedy for those who have been harmed.  The second encroachment relates to the role of government, a debate which has reached a fever pitch due to disclosure of numerous secret programs and secret laws by whistleblowers such as Edward Snowden.

The report by the Human Rights Council lays out other international foundations for privacy law, among them Article 12 of the Universal Declaration on Human Rights, which demands: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Further along, Article 19 states that “Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.”

So here are two moral justifications for privacy of individuals, that they are entitled to be “Let Alone” and that they have a right to free expression and opinion without interference. In practice, of course, limitations on these rights have been made in the public interest. A mafia kingpin may have his phone tapped or his mail opened by appropriate authorities under a legal framework, and this encroachment is seen generally as positive for the community, in that it serves the needs of justice. However, a program that taps all the phones in a country without any due process for individuals would violate the rights of opinion and security in property (including intangible goods). The balance here is difficult to strike, but considering that the effort here has been underway for quite a long time, it is entirely possible to reach a balance of the concerns of justice and of civil liberty, and most societies, through the use of warrants and court processes, have reached such a balance.

However, as it is apt to do, technology often throws a wrench in our attempts to balance competing concerns. This is the story of encryption. Encryption is hardly a new technology. Taking it from the greek roots, cryptography is the study of secret (crypto-) writing (-graphy). The classical Greeks themselves employed it within their military and government systems to ensure security. However, in the modern era the ubiquitous accessibility and necessity of secure communication (especially with the rise of the internet) has changed the landscape dramatically. The situation then arises where, even if it is in the public interest and under agreed upon legal frameworks to do so, enforcement bodies may never be able to decipher communications of their targets, legitimate or otherwise. “Strong” encryption is the backbone of much of the system of global commerce and communications that allows the internet to function economically.

The proponents of weakening encryption to make messages available to law enforcement often trot out a menagerie of bugbears, among them terrorists, financial criminals and child pornographers, all of whom are able to use encryption and anonymization technologies to evade the law and continue their activities against the public interest. In recent speeches James Comey, the director of the FBI, has lamented “Going Dark“, or the loss of surveillance capabilities against these targets leading to increased risk to the public. However, these government groups still recognize the importance of encryption in maintaining the “Right to be Let Alone” in the face of unauthorized actors; be they hackers, foreign governments, or what-have-you. In an attempt to balance these concerns governments have proposed a number of methods to preserve  individual security while at the same time allowing the government unfettered access to communications.  These include key escrow, where a copy or portions thereof of every user’s cryptographic key is held in a government repository, limiting the strength of cryptography to what can be easily broken by a government’s computing power but not the computing power of an ordinary ne’er-do-well,  and cryptographic backdoors which due to eccentricities of cryptosystems will allow individuals with secret knowledge of the system to break the encryption but no one else.

All of these proposals are problematic, mostly on the grounds of efficacy and human rights. Key escrow was proposed in the United States under the “clipper chip” system during the infamous “crypto wars” of the early 1990’s. While the most appealing of the proposed alternatives from an individual security perspective, the idea was seen as too Orwellian to be implemented in a nation that is generally distrustful of government. Even if the access to this key repository was controlled through a process of warrants, the existence of such a repository presents an outsize security risk in the event of a data breach. Also, under the routinely opaque processes of bureaucratic governance there is no surety that even the established protocols for obtaining the crypto keys of individuals would  always be followed.

Key shortening and other limitations on the strength of cryptographic technology also presents an outsize threat to the individual, as the processing power of governments, corporations, and hackers has grown. Where before only the NSA had the computing power to break certain algorithms, now that power has been democratized. A miscreant with a botnet or buying time on cloud servers could crack open the communications of one of their targets just as quickly as most foreign governments could. So then key shortening is shown to not be security at all anymore.

Finally, backdoors are the most troubling solution.   If a cryptosystem is presented as secure, but in reality has a weakness that allows it to be quickly broken open at limited computational cost by anyone who knows the secret, the personal security of every user of that system is now dependent on the security of that secret. If that secret escapes, then all is compromised. This sort of “Master Key” system is born of a particular type of hubris, that no one else is quite as clever as we are, and that therefore our secret is safe and will remain so. Unfortunately this method has been attempted covertly at least once, and exposed for the massive risk it is.

So in the face of absolutely justified concerns for the public safety with regards to encryption and anonymization, what can be done to balance these concerns with our tradition of human rights and free expression? While law enforcement bodies are justified in their fears of “Going Dark”, as of yet no proposals give appropriate concern to the established “Right to be Let Alone” or the traditions of international human rights. This act of balancing concerns continues, but the Special Rapporteur is absolutely correct in prioritizing fundamental human rights over law enforcement concerns.

 

 

 

Resources Regarding Nepal Earthquake

85.jpeg

Above: Image of affected people walking through debris in Bhaktapur. Image from US News.

Nepal continues to recover from the devastating April 25th earthquake that took the lives of thousands of people and destroyed countless houses and villages. In response to this horrific tragedy, a number of groups have set up online services and resources regarding the earthquake.


— WWHGD Working Group Support Team

The FBI, Sony and the Attribution Problem, Part 1- Why?

The recent attack on Sony has publicly paraded one of the predominant problems in incident response. While the immediate issue in incident response is of course the remediation of compromised systems and bringing these systems and IT services back online, it is entirely human to look for somewhere to cast blame. Let’s begin by fleshing out the “why” of attribution before engaging with the “how”.

Why Attribution?

For an affected entity, and for the security professionals working within it, attribution of the attacker(s) is only an ancillary concern. Certainly steps taken (or not taken) during the direct remediation of the breach are important and even essential to the later attribution effort, but priority of work must be on restoration of service. After service is restored, and the breach points corrected, the attribution process begins. Here are some reasons to perform attribution:

1. Attacker Centered Defense– If the attacker can be identified or at least have their tactics, techniques and procedures characterized, it may be possible to take steps to make their next intrusion more difficult and time consuming.

2. Legal/Governmental Retribution– Bringing criminal charges or taking other action against the attacker may deter future attackers, or may have deterrence against the current attackers if they are in a jurisdiction where criminal charges cannot be brought, but are vulnerable to intergovernmental or other pressures.

3. “Hacking Back”– This is an operation pregnant with a host of legal and ethical concerns. It may appear advantageous in the midst of an attack to attack back, but the technical reasons for doing so need to be looked at carefully. There are two scenarios where hacking back could reduce the impact of an ongoing hacking attack. One of these is a DDOS attack, where hacking back into the command and control systems of the attributed botnet may be a viable method to stem the attack. In the second scenario, stolen data belonging to the attacked entity has been definitively located (through attribution efforts) on a server, and then the entity performs a hacking operation to delete that data before it can be copied or moved. Both of these operations are patently illegal in the U.S.  due to the Computer Fraud and Abuse Act. Both also carry a low probability of success or advantage for the attacked entity. If a DDOS operation is disrupted, other botnets can be easily employed by the attacker at short notice, or they may regain control of the compromised botnet. The command and control servers may also be innocent bystanders who are unknowingly playing host to malware. Taking down the servers of a hospital or local government  or foreign military could have extremely serious human and geopolitical downsides.  In the second scenario, the attacked entity would have to be extremely proactive to get the toothpaste back into the tube. In fact, it is so difficult it may as well be regarded as functionally impossible, and there is little chance of getting all the data before it is further disseminated.

Looking at the limited reasons for attribution  and given especially the weakness of the third reason, it may be entirely reasonable for an attacked entity to decide not to pursue attribution. In the end, even having your attacker arrested will not undo the damage caused in the attack. The process of attribution is also not cost free. Additionally, any major actions taken on the basis of the attribution performed may only result in more reputation damage for the entity as the original breach and security failure is further publicized.

Why Attribute the Sony Hack? 

Obviously an attack as devastating as Sony’s–which will probably involve hundreds of millions of dollars in damage to Sony Pictures Entertainment, in addition to a substantial erosion of their reputation and personal damage to many of their prominent employees–should be answered. To decide to not attribute the attackers would make their actions seem tacitly permitted, and probably contribute to further devastating attacks against other entities. This Public Order justification is the purview of the FBI, who has taken a lead role in the investigation of the attack. Sony, of course, probably wishes nothing more than for this incident to go away and may be leaning more towards active disinterest in attribution. It isn’t as if any future lawsuit will recover their lost capital, and their threats of legal action against those who published the more tabloid-friendly portions of their internal emails are at serious risk of the Streisand Effect.

Of course, SPE is not the only actor involved. There are cyber security companies and the U.S. Government at work here as well. Attribution is in the interests of cyber security companies for reputation and prestige reasons, as a proof of their aptitude and ability. On the government side attribution can be a marker of aptitude as well, however, retribution is also a significant influence. In the global and domestic political arenas strong attribution can aid in the pursuit of other interests. Attribution has been used by the U.S. Government previously to pressure the Chinese Government in regards to their cyber espionage campaigns, and charges have been filed in the U.S. against a number of their operators.  So it comes to this. The primary reasons for attribution are political, as support for past and future actions and as an instrument of geopolitical pressure. The actions supported by attribution may include legislative efforts, international sanctions, and even electronic and physical attacks.

In Part Two of this work, having established the interests of the actors involved in attribution, we will look at the “How” of the SPE hack attribution as far as it is known publicly.

 

 

 

 

 

Infrastructure Hackers, Script Kiddies and “Watchdogs”: A Round-up of Monsters Under the Bed from CIS/MS-ISAC

A recent report from the MS-ISAC (Multi-State Information Sharing Analysis Center) and written by CIS (Center for Internet Security, a private nonprofit) publicized by security journalist Brian Krebs addresses a series of concerns regarding an infrastructure hacker who calls himself “Sun Hacker” and has made a name for himself by changing the displays of road information signs remotely.

Sun Hacker encourages people who see his real world defacements to “TWITT WTH ME”, and maintains an active twitter account where he recounts his website and sign defacements. His hacks have not been overly complex, apparently targeting insecure applications of the SNMP protocol and in at least one case breaking in through the telnet port 23 protocol—a protocol entirely disabled years ago in most any security implementation, and typically blocked by most firewalls for its notoriously bad security. Using telnet to provide access to systems for road sign information is a very short-sighted security choice, akin not only to assigning the fox to guard the hen-house, but then also advertising the hen-sitting party on craigslist.

The CIS report notes that Sun Hacker is operating from Saudi Arabia and is not known to be associated with any other major “hacktivist” groups. He has conducted SQL injection attacks on a number of websites, and documents hacking other web connected devices such as LED light bulbs and car radios.

Then the CIS report goes (deeper?) into the rabbit hole, beyond simply characterizing Sun Hacker as a “Hacktivist” (a term now so diluted as to include playful defacements in addition to political statements) and as a “Malicious Actor”.

This activity likely coincides with the May 27, 2014, release of the video game “Watch Dogs,” in which game play revolves around “hacking,” with a focus on hacking critical infrastructure-based electronic devices in particular. Watch Dogs allows players to hack electronic road signs, closed circuit television cameras (CCTVs), street lights, cell phones, and other systems. On May 27, 2014, the malicious actor posted an image of the game on his Twitter feed, demonstrating his interest in the game, and the compromise of road signs occurs during game play. CIS believes it is likely that a small percentage of Watch Dog players will experiment with compromising computers and electronic systems outside of game play, and this activity will likely affect SLTT government systems and Department of Transportation (DOT) systems in particular.

This is where the peril of puffing up minor actors and conflating minor events begins to show as a major analysis flaw. Especially in cyber security where there are real actors who can present real dangers,  a sense of balance is necessary. Inflating fears about things that are on their face innocuous leads to misallocation of resources, especially on a national level. It could even lead to a nationwide alert insinuating that a major video game is training the youth of America to become infrastructure hackers. The “Hacking” showcased in the game is just a series of in-game events, with limited to no applicability outside of a fictional game universe.

Certainly there are risks involved with the hacking of road signs, but a distinction should be made when those hacks are minor and only possible due to a choice by the service provider (in this case state Departments of Transportation) to abandon even the most basic conceptions of security. Most of the other incidents of road sign hacking are so simplistic as to be entirely ignored, as seen in the “Zombies Ahead” hacking of towable roadside signs. These “hacks” are possible because of the use of default passwords on the towable signs in addition to poor physical security measures. That said, pranks on this level being treated as some sort of infrastructure security threat that requires national attention shows a serious flaw in the perspectives of our national cyber security organs and analysts. The know-how necessary for “hacking” towable road signs has been widely distributed on the internet for some time, especially in forums devoted to pranksterism.

The lesson of this type of “infrastructure attack” should be taken from “The Field of Dreams.” On Security, “If you break it, they will come.”  Weak security on this class of devices is the real issue here, not the existence of Sun Hacker or the release of a video game.

-Dan Gifford

MCySec Media Manager