Monday, October 3, 2016

World Full of Smart Gadgets

Internet Security: A World Full of Smart Gadgets
You’ve heard everyone talk about the “Internet of Things”, “smart cars”, “smart devices or gadgets”. This is just a description of the pervasiveness of computers in our everyday lives. These devices are now being connected to the Internet and this poses challenges to personal privacy and the security of the Internet.

Figure 1. Smart gadgets in a home (image by Steve Johnson, Jeff Durham BayArea News Group)
Figure 1 shows how pervasive these gadgets can become in our lives. Every room in a house will be impacted by this Internet of Things. 

What does this have to do with Virginia Tech? Well, today's students show up on campus with at least 4-5 devices that need to be connected to the network. These include the University-required computer, their smart phone, tablet, gaming consoles like Xbox, and usually a smart device like a smart TV or radio. Each of these devices is a specialized computer and unfortunately they're not secured by the manufacturer. For example, printers, copiers and scanners have no passwords associated with them by default. Figure 1 shows how common household devices will be able to gather personal information (schedules, preferences, health) about the occupants. These devices can transmit that information to advertisers and manufacturers.

Recently these types of devices have been taken over by hackers and used to attack other sites. Brian Krebs, a well-known journalist, was the target of an internet DDOS attack that forced his www site offline for a number of days. This was in response to a series of articles he wrote about cyber criminals being captured. They retaliated by launching a massive denial of service attack against his www site. It's believed that many of the attacking hosts were "smart" gadgets. The new IoT botnet Mirai was used to launch a historically huge attack against Brian Krebs's site (https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/) and is guaranteed to cause mayhem on the net.

Security experts have been warning the community about the lack of security in Internet of Things (IoT)/smart gadgets. Unfortunately, someone else heeded the warnings and took advantage of this knowledge.

Stay tuned for more.

Friday, September 30, 2016

The Internet of Cows

Glenn Fink, a security researcher at Pacific Northwest Labs, did a presentation called the "Internet of Cows" where he showed how dairy farming has become an automated, internet accessible business process. He took the discussion one step further by saying that cows make great human surrogates in the privacy debates surrounding IoT. He showed how data from almost every single biological process of a cow (health, reproduction, location, sounds) is monitored by IoT. Analysis of herd data allows farmers to predict the health of a cow, the optimum time for reproduction and milk production. He maintained that cows don't object to this type of management and therefore, this is why they are well suited to study the effects of intrusive monitoring.

It was one of those presentations that makes you go "hmmmmm". The use of "biological" Internet of Things has been well established in the animal husbandry world. As Glenn stated, we're already moving in this direction with regard to human health monitoring. The privacy implications of such monitoring should concern most of us these days. I've always said that I don't mind external sites collecting data about me as long as a) the default is opt-out, where no data is sent out; b) you tell me what you're going to do with my data; and c) you protect my data from unauthorized access. Obviously, this isn't the norm these days.

Hopefully, as more "fitness" IoT devices enter the market, people will start to demand their health info be safeguarded as much as possible. More on this later...

Monday, April 4, 2016

I'm Back

Yes, it's been a while since I've posted something here. It's been a busy, crazy year. Here are some of the things we've been doing here at VA Tech. I'll be posting some blog entries with more details on each of the items. Consider this entry to be a "headlines" blog.

1. Stacy Kaye from Silverbull.co interviewed me about being a CISO. Her article can be found here: http://www.silverbull.co/a-day-in-the-life-of-a-ciso-virginia-tech/
I will warn you that the picture in the article is my official VT photo and doesn't reflect my usual attire :-)

2. MT6D - Moving Target IPv6 Defense. A series of research projects based on Matt Dunlop and Stephen Groat's research involving dynamic address switching as a defense against DDOS attacks in IPv6. Their original research has spun off a number of secondary MT6D research projects. Pretty neat and exciting stuff they did. Think radio frequency hopping, but instead of hopping frequencies, we hop IPv6 addresses.

3. Continuous Monitoring Update - an update on our ongoing continuous monitoring project
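
A sketch of the address-hopping idea in item 2, added here as an illustration (it is not code from the MT6D papers or from the VT project): two endpoints that share a secret derive the same time-varying interface identifier under an unchanged /64 prefix, so an outsider without the secret cannot predict the next address. The prefix, IID, secret, hop interval and the use of HMAC-SHA256 are all this example's assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed values (assumptions, not taken from the MT6D papers): a routable /64 prefix,
# the host's static 64-bit interface identifier, the secret it shares with its peer,
# and how often the address hops.
PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")
HOST_IID = bytes.fromhex("0211223344556677")
SHARED_SECRET = b"constructed-pre-shared-secret"
HOP_SECONDS = 10


def hop_address(iid: bytes, secret: bytes, now: int,
                prefix: ipaddress.IPv6Network = PREFIX,
                interval: int = HOP_SECONDS) -> ipaddress.IPv6Address:
    """Address valid during the hop window that contains timestamp `now`.

    Simplified model of MT6D: keep the routable prefix, replace the interface identifier
    with a keyed hash of (IID, window number). The address changes every `interval`
    seconds, yet any peer holding the secret recomputes it. HMAC-SHA256 is this
    example's choice of function, not necessarily the one used in the papers.
    """
    window = now // interval
    mac = hmac.new(secret, iid + window.to_bytes(8, "big"), hashlib.sha256).digest()
    new_iid = int.from_bytes(mac[:8], "big")  # 64-bit hashed interface identifier
    return ipaddress.IPv6Address(int(prefix.network_address) | new_iid)


def accept_destination(dst, iid: bytes, secret: bytes, now: int, slack: int = 1) -> bool:
    """Receiver side: is `dst` our address for this window or one of the `slack`
    neighbouring windows (tolerating clock skew and packets already in flight)?"""
    candidates = {hop_address(iid, secret, now + k * HOP_SECONDS)
                  for k in range(-slack, slack + 1)}
    return dst in candidates


def hop_schedule(iid: bytes, secret: bytes, start: int, hops: int) -> list:
    """Addresses the host will use over the next `hops` windows from `start`."""
    return [hop_address(iid, secret, start + k * HOP_SECONDS) for k in range(hops)]


if __name__ == "__main__":
    t = 1_000_000
    for addr in hop_schedule(HOST_IID, SHARED_SECRET, t, 3):
        print(addr)
    ours = hop_address(HOST_IID, SHARED_SECRET, t)
    print(accept_destination(ours, HOST_IID, SHARED_SECRET, t))
    print(accept_destination(hop_address(HOST_IID, b"guess", t), HOST_IID, SHARED_SECRET, t))
```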

So keep in touch for more blogs coming up here and at http://www.securitycurrent.com/en/writers/randy-marchany

Friday, June 26, 2015

Monitor First - The Origin

As you know, I've been a proponent of Continuous Monitoring (CM), not to be confused with the Federal Government's CDM (Continuous Diagnostic Mitigation) program. We've always assumed intruders are in our network so we've been looking for these intruders by monitoring outbound traffic.

I'm reposting another blog by grecs which is posted at the NovaInfoSec blog. Grecs' blog on the origins of "Monitor first" is a great article on how this concept took hold. So, here's the full blog article by grecs posted on 6/25/2015.

---------------
"Monitor First - The Origins" by grecs posted 6/25/2015

Late last year @taosecurity wrote an article that questioned spending resources on a “pen test and fix” cycle rather than monitoring for intruders that may already be in your networks. The last sentence of the post not only emphasized his theme well but also alluded to an article written by Bruce Schneier that originally stressed “monitoring first.”
I still believe that the two best words ever uttered by Bruce Schneier were “monitor first,” and I worry that organizations like those in this article are patching holes while intruders maneuver around them within the compromised network.
I searched around a bit for this statement and found a copy in an old edition of Cryptogram from way back in 2001. You can find the original article here but the first few paragraphs alone make the case of monitoring first.
You have a safe in a dilapidated building, and you need to secure it. What’s the first thing you do? Inventory the safe? Assess the security of the building? Install better locks on the doors and bars on the windows? Probably not. The first thing you do, as quickly as possible, is alarm the safe. Once the safe is being monitored, you can then afford the time and attention needed to inventory the stock, analyze the environment, and improve the security. Without monitoring, you’re vulnerable until your security is perfect. If you monitor first, you’re immediately more secure.
Network security has this backwards. Companies see monitoring as something to do after they have their security products in place. First they develop a security policy. Then they do a vulnerability analysis. Then they install a firewall, and maybe an intrusion detection system. And finally they think about monitoring. Rationally, this makes no sense.
Monitoring should be the first step in any network security plan. It’s something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don’t actually improve a network’s security until they’re acted upon. Installing security products improves security, but only if they are installed correctly and in the right places. How does a CIO know what products to install, and whether they are actually working — in the actual corporate environment, not as they worked in the lab? The only way he can know is to monitor. Monitoring ensures that security products are working properly.
Monitoring first is just common sense. This practice not only allows organizations to find the threats lurking in their networks sooner but it also permits them to establish baseline metrics from which they can measure improvements in their security posture as further investments are made. And per Schneier "monitoring" does not even necessarily mean going out and buying anything initially. Start simple with logs and other data you already have (e.g., from DNS, servers, proxies, and network devices) and grow out from there.
---------------

I encourage you to read both @taosecurity's and Bruce Schneier's articles listed in the above post.
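As an added illustration of starting with the logs you already have (this is not code from grecs' post or from Virginia Tech), here is a baseline-and-compare pass over a few constructed outbound proxy log lines: it lists clients talking to destinations never seen before and flags client/destination pairs that check in at a fixed interval. The log format, addresses and hostnames are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp, internal client, destination, bytes sent).
BASELINE_LOG = """\
2015-06-22T09:00:01 10.1.1.20 www.example.edu 1200
2015-06-22T09:05:11 10.1.1.20 mail.example.com 8000
2015-06-22T10:15:40 10.1.1.21 www.example.edu 900
2015-06-22T11:02:03 10.1.1.21 mail.example.com 3000
"""
TODAY_LOG = """\
2015-06-23T09:00:05 10.1.1.20 www.example.edu 1100
2015-06-23T09:10:00 10.1.1.21 c2.example.net 512
2015-06-23T09:20:00 10.1.1.21 c2.example.net 512
2015-06-23T09:30:00 10.1.1.21 c2.example.net 512
2015-06-23T09:40:00 10.1.1.21 c2.example.net 512
2015-06-23T09:41:00 10.1.1.20 mail.example.com 2500
"""

def parse(log: str) -> list:
    """Turn 'ts src dst bytes' lines into (datetime, src, dst, bytes) tuples."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, size = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return rows

def baseline_destinations(rows: list) -> dict:
    """Per-client set of destinations observed during the baseline window."""
    seen = defaultdict(set)
    for _, src, dst, _ in rows:
        seen[src].add(dst)
    return seen

def new_destinations(rows: list, baseline: dict) -> list:
    """(client, destination) pairs never seen for that client in the baseline."""
    return sorted({(src, dst) for _, src, dst, _ in rows
                   if dst not in baseline.get(src, set())})

def beacons(rows: list, min_hits: int = 4, jitter: float = 0.2) -> list:
    """(client, destination) pairs contacted at a near-constant interval, with the mean
    gap in seconds: the periodic check-in pattern of a host that is already compromised."""
    times = defaultdict(list)
    for ts, src, dst, _ in rows:
        times[(src, dst)].append(ts)
    flagged = []
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            flagged.append((pair, mean))
    return flagged
```

The baseline window here is a single day of constructed data; in practice you would build it from a week or more of logs and re-baseline as the network changes.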

Tuesday, August 5, 2014

Deja Vu All Over Again - Redux - 1999-2014

Yep, it's time to use this title again. This time we're talking about DDOS amplification attacks. One of the lists I monitor posted the following:

Christian Rossow has done some great work on DDOS. The two interesting papers are:

"Exit from Hell? Reducing the Impact of Amplification DDoS Attacks"
http://christian-rossow.de/publications/exitfromhell-usenix2014.pdf

The authors also look at DNS, NTP, SNMP, SSDP, CharGen, QOTD and NetBIOS. The last sentence of this paper: "We measured almost 46 million amplifiers for all scanned UDP-based protocols."

"Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks"
http://christian-rossow.de/publications/tcpamplification-woot2014.pdf

The quote from the Kuhrer paper:

"The basic idea is to send relatively small requests with spoofed source address to public hosts (e.g., NTP servers), which reflect significantly larger responses to the victim of the attack."

is depressing to read.

Why? In 2000, I was part of a Fed/SANS Institute Task Force that wrote a Consensus Roadmap to Defeating DDOS Attacks document (http://www.sans.org/dosstep/roadmap.php). In there, we stressed the importance of setting your (the collective your) network ingress/egress filters correctly in order to prevent spoofed packets from leaving your network. The above quote says to me that we (the collective we) have forgotten this basic defense technique. So, my question to the list is "have you set your ingress/egress filters on ALL of your network devices to prevent spoofed packets from leaving your nets?" If so, you've taken a giant step in reducing the impact of an amplification attack.
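An added example (not from the SANS roadmap or from this post) of the ingress/egress check the paragraph asks about, written in Python to show the decision logic and to emit IOS-style ACL lines: the local prefixes, the sample packets and the approximated ACL syntax are assumptions of the example. On a real border router the same rule is an interface ACL or a unicast RPF check.

```python
import ipaddress

# Constructed: the prefixes this site legitimately sources traffic from. Nothing may
# leave the border with a source outside them (egress filtering, BCP38) and nothing may
# arrive from the Internet claiming a source inside them (ingress filtering).
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("2001:db8:100::/48")]


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)  # version mismatch is simply False


def border_verdict(direction: str, src: str, dst: str) -> str:
    """direction: 'out' for packets leaving the site, 'in' for packets arriving."""
    if direction == "out" and not is_local(src):
        return "drop: spoofed source leaving the site"
    if direction == "in" and is_local(src):
        return "drop: local source arriving from outside"
    return "permit"


def filter_packets(packets: list) -> list:
    return [(p["src"], p["dst"], border_verdict(p["dir"], p["src"], p["dst"]))
            for p in packets]


def acl_lines(version: int, prefixes=LOCAL_PREFIXES) -> list:
    """IOS-style outbound ACL for one address family (syntax approximated, assumption)."""
    lines = []
    for net in prefixes:
        if net.version != version:
            continue
        lines.append(f"permit ip {net.network_address} {net.hostmask} any" if version == 4
                     else f"permit ipv6 {net} any")
    lines.append("deny ip any any log" if version == 4 else "deny ipv6 any any log")
    return lines


# Constructed packets: a legitimate outbound NTP query, an outbound request carrying a
# forged (victim) source address, an inbound packet pretending to come from inside,
# and a legitimate IPv6 DNS query. Addresses are documentation ranges.
SAMPLE_PACKETS = [
    {"dir": "out", "src": "198.51.100.9", "dst": "192.0.2.123", "proto": "udp/123"},
    {"dir": "out", "src": "203.0.113.5", "dst": "192.0.2.123", "proto": "udp/123"},
    {"dir": "in", "src": "198.51.100.77", "dst": "198.51.100.9", "proto": "udp/123"},
    {"dir": "out", "src": "2001:db8:100::10", "dst": "2001:db8:abcd::53", "proto": "udp/53"},
]
```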

The weird sense of humor in me says that the admins who were around in 2000 and set their filters have moved on or retired, and their replacements looked at those ACLs and said "WTF? Let's take these out."

It's been 14 years now and spoofed packets are still an issue.

I'm just saying... :-)

Friday, December 27, 2013

Lemons for Security - Information Asymmetry

My wife handed me an article from the Annals of Internal Medicine (Vol 157, No. 2, p.139-140) entitled "Lemons for Obesity" by Michael Lauer, MD. At first, I thought she was trying to hint that I need to lose weight, but she said there's a section in the article that might apply to cybersecurity. So, my curiosity got the better of me. Dr. Lauer's article described his thoughts about the obesity drug Qnexa and issues with aftereffects.

What does this have to do with cybersecurity?

Lauer mentions a Nobel Prize-winning paper by George Akerlof on the market for bad cars, aka "lemons". He summarizes Akerlof's "lemon" scenario as follows.

"Used car buyers believe 75% of cars are good (peaches) and 25% have problems (lemons). Buyers know lemon owners want to sell because of these car problems. Suppose a lemon costs $5K and peaches cost $20K. The buyer has trouble distinguishing lemons from peaches based on this limited information and owners have no way to effectively communicate their inside knowledge. Suppose the buyer seeking a deal offers $16,250. Peach owners will refuse such a low-ball offer but lemon owners will jump at the offer. If, on the other hand, a peach owner accepts the low offer, the buyer wonders what's wrong with the car, i.e., it must be a lemon. So, the buyer offers a lower price of, say, $12,500 which the peach owner is less likely to accept. So, over time, the only cars that sell are lemons. Information Asymmetry allows bad products to drive out good products."

Twisting one of Dr. Lauer's sentences, if we think about the history of application software security, we've seen plenty of lemons.

Thursday, April 11, 2013

Identity Verification in the MOOC World. Not!

According to some, Massively Open Online Courses (MOOC) are the latest saviors in the financially strapped EDU world. The idea of having hundreds of thousands of students taking a university course at the same time is an exciting new frontier for higher education. Just think of the financial gains an institution can achieve. Public universities have seen a dramatic decrease in their financial support from their respective state governments. Virginia universities receive an average of 3-5% of their total budgets from the state. The money has to come from somewhere to support a growing student body. An income stream from hundreds of thousands of online students is enticing to cash-strapped universities. State legislators see MOOCs as a way to continue financial support without raising taxes. After all, the money would come from tuition. There would be cost savings in personnel, infrastructure and other high costs associated with universities. So, what's the worry?

First of all, EDUs have been in the online class world for at least 15 years. Interactive Video Conference (IVC) methods have been around for a long time. For example, I started teaching an IVC course in 1999. It was in a special classroom equipped with TV cameras, microphones for the students and two-way communications. If a student had a question, they pressed a button, their microphone would go live, the TV camera in their classroom would zoom in on them and a two-way conversation would happen. This format is expensive and today's generation of students doesn't feel comfortable using this medium. Social media and a generational change have made MOOCs more popular. EDU faculty have experience in online learning. Learning Technologies (LT) is a growing and exciting field and well poised to address MOOC development.

JoAnn Paul from VA Tech states "Today's students often perceive electronic forms of interaction as LESS impersonal than face to face, traditional classroom settings, regardless of class size. And why not? Students already work in distributed environments, and increasingly need to learn how best to communicate that way -- to get their point across -- and they know it."

We need to collect data on MOOC popularity when the students have to a) pay for the courses and b) take them for college credit. I suspect enrollment numbers will then be significantly lower. For introductory level courses, MOOCs make sense because they provide a vehicle for reaching large numbers of people. More advanced courses don't scale well. Where does an online student go to do Chemistry or Physics lab experiments? How does one replicate the lab facilities and equipment? But that's another issue...

Apart from having curriculum designed by external entities, the biggest problem with MOOCs is a very basic yet critical issue: cheating.

Laura Pappano's NY Times article, "The Year of the MOOC", states: "Cheating is a reality. 'We found groups of 20 people in a course submitting identical homework,' says David Patterson, a professor at the University of California, Berkeley, who teaches software engineering, in a tone of disbelief at such blatant copying; Udacity and edX now offer proctored exams." Frankly, I'm surprised he was surprised about online cheating.

There are some fundamental questions that need to be answered before even attempting to incorporate MOOC style courses as credit for a degree.  
1. How do you verify the identity of the student who registers for the class?
2. How do you verify the identity of the person who submits assignments and takes exams?
3. How do you verify the person in #1 is the same person as the one in #2?

These questions need to be addressed before MOOCs can become a vehicle for furthering one's pursuit of a degree.