Saturday, May 22, 2010

Building Skynet - The Beginning (part 1)

Robert Brewster: Oh Katie, I am sorry. I opened Pandora's Box. (Terminator 3: Rise of the Machines, 2003)

I was talking with my good friend and fellow SANS instructor, Ed Skoudis, while he was here at VA Tech teaching a SANS class. I was showing him some of the cool things that we've been working on here in the ITSO. One of our projects involved merging physical and cybersecurity tools to form a (new buzzword) "converged security architecture". Some of the things we're doing include merging IDS and GIS information, tracking Bluetooth devices, and tracking IPv6 hosts. This initiative is one of many in response to the 2007 shootings here. It's pretty cool stuff and incorporates all of the neat things and new technologies that one would expect from such a project. There's a whole new sub-industry marketing converged security solutions that incorporate a wide variety of surveillance technologies.

Then Ed asked "Do you ever wonder if what we [security professionals] are building is the future surveillance society and what we are doing is evil?" He then asked "When you talk to your grandchildren, will you be able to tell them what you built?"

It was a set of questions that make you go "hmmmm......".

Ah, the old full vs. non-disclosure argument with regard to exploits and exploit tools returns in a different form. Any veteran security person has staked out a position on this issue. I maintain that you have to know how to use and create attack tools in order to defend against them. The other camp maintains that building these tools and publishing them on the net in the first place causes the problem. Our response to that is "someone else is doing it, so we have to". Hmmm, where have I heard that before?

So, my first answer to Ed's questions was "you don't think I'm the only one doing this, do you?" He smiled and said that was the traditional answer most security types give. We laughed because both of us have given that answer to the question.

Cybersecurity professionals used to work in two dimensions: that of the IDS log and the timestamp. IP addresses and times were not personal items; they were abstractions. Surveillance technologies are "personal". Combining the two technologies is inevitable and has happened already. Security professionals are now starting to work in the three dimensions of logs, time and personal behavior.

Are we worried that the technology we create can be used for good and evil? Is it any different than being an arms manufacturer? Are we IT arms manufacturers? Nation states have done this because they have the motivation, the finances and the resources. Movies like the "Enemy of the State", "Terminator 1,2,3", "Colossus: The Forbin Project", "Wargames" are great entertainment for the general public but the security geeks nod knowingly that those things are possible and indeed likely to be in effect to some degree. Are our local IDS/IPS the equivalent of firearms? Of course, they are. They can be used for good (protecting our internal infrastructure) or evil (tracking someone). We knew that when we started designing these things.

I've been saying in past presentations that we have become a surveillance society. Our personal history is available on the net. You might think you're safe because Google doesn't return anything on you. However, data mining services like Seisint and ChoicePoint have your life history in a database. I gave an assignment to my senior-level Computer & Network Security class telling them to walk to a local restaurant 6 blocks away using any route they wanted and count the number of surveillance technologies (cameras, door entry systems, credit card swipe machines, etc.). The answers I got back ranged from 50 to 105 devices. This is stunning considering I live in a small college town. Yet most people told us they didn't mind being "surveilled" because they're doing nothing wrong.

Daniel Solove wrote a wonderful paper titled "“I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy" that debunks this argument. Cities are linking their disparate surveillance technologies together. There was an interesting article in Rolling Stone in 2008 called “China’s All-Seeing Eye” (Rolling Stone, Issue #1053, May 29, 2008, http://www.rollingstone.com/politics/story/20797485/chinas_allseeing_eye). Click on the photo gallery to see pics from the surveillance cameras. If the link is dead, you should be able to google the article. Image analysis techniques can now spot aberrant behavior of people in public places. For example, this technique can examine a video feed of people walking down a hallway and spot the person who stops in the middle of the hallway to leave a parcel at a door. With the tremendous amount of data being collected, automated processes that do the analysis are being built and used today. Data mining has become a multibillion dollar industry.

The same thing is happening in the IDS world. We now have SIEM/SIM/SEM products that analyze the tremendous amount of data collected and spot the aberrant behavior of a computer. Wait, didn't I just say the same thing in the last paragraph? IPS was the first-generation detect-and-react (D&R) system. Armed drones, controlled by humans now and soon by computers, are another example of D&R systems.

We assume the attackers of these systems are human, but it's only a matter of time before the attackers are the computers (and their software) themselves. The IPS technique of detecting an attack (traditional IDS in the cyber world, spotting intruders at a fence in the physical world) and reacting (blocking a port or machine in the cyber world, launching an armed drone against the attacker in the real world) is being automated to respond to physical-world attacks.

The Blaster worm of 2003 overwhelmed our ability to respond quickly to an automated attack. I suspect automated defense mechanisms such as IPS devices were developed in response to that type of attack. The recent stock market plunge was supposedly caused by an automated response that happened faster than the humans could contain it.
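The two paragraphs above describe a detect-and-react loop (spot aberrant behavior in the logs, block the host) and the failure mode that comes with it: an automated response that runs faster than the humans who are supposed to contain it. The following is an added example, not code from this blog or from the ITSO project, that sketches the smallest version of both halves in Python: a fan-out detector over constructed flow records, and a reaction step with a circuit breaker that caps how many hosts the automation may block on its own before the rest are escalated to a human queue. All thresholds (`WINDOW`, `FANOUT_THRESHOLD`, `MAX_AUTO_BLOCKS`), the record format and the IP addresses are assumptions made for the example.

```python
"""Detect-and-react loop with a circuit breaker (added example, not the post's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)   # sliding window for counting a source's fan-out (assumed)
FANOUT_THRESHOLD = 10            # distinct destinations in one window that counts as aberrant (assumed)
MAX_AUTO_BLOCKS = 3              # automated blocks allowed before the rest go to a human (assumed)


def parse_line(line):
    """Parse one constructed flow record: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_fanout(lines):
    """Return {src_ip: max distinct destinations seen in any WINDOW} for sources over the threshold.

    A host that talks to many distinct peers in a short time is the classic worm-sweep
    signature a SIEM would flag as 'aberrant behavior of a computer'.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    per_src = defaultdict(list)
    for ts, src, dst, _port in events:
        per_src[src].append((ts, dst))
    flagged = {}
    for src, hits in per_src.items():
        start = 0
        for end in range(len(hits)):
            # advance the window start until the span fits inside WINDOW
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1
            distinct = len({dst for _, dst in hits[start:end + 1]})
            if distinct >= FANOUT_THRESHOLD:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def react(flagged, max_auto_blocks=MAX_AUTO_BLOCKS):
    """Block the worst offenders automatically, up to the cap; escalate everything else.

    The cap is the circuit breaker: it stops a runaway detector (or an attacker feeding it
    spoofed records) from letting the automation isolate an unbounded number of hosts
    before a human has looked.
    """
    blocked, escalated = [], []
    for src in sorted(flagged, key=lambda s: -flagged[s]):  # highest fan-out first
        if len(blocked) < max_auto_blocks:
            blocked.append(src)
        else:
            escalated.append(src)
    return blocked, escalated


def build_sample_log():
    """Constructed records: five hosts each sweeping 12 targets a minute apart, plus one quiet host."""
    base = datetime(2010, 5, 22, 10, 0, 0)
    lines = []
    sweepers = ["10.1.1.5", "10.1.1.20", "10.1.1.21", "10.1.1.22", "10.1.1.23"]
    for n, src in enumerate(sweepers):
        for i in range(12):
            ts = base + timedelta(seconds=n * 60 + i)
            lines.append(f"{ts.isoformat()} {src} 10.1.2.{10 + i} 80")
    # a normal host talking to two servers never crosses the threshold
    lines.append(f"{base.isoformat()} 10.1.1.7 10.1.2.10 80")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.1.1.7 10.1.2.11 80")
    return lines


def run_pipeline(lines=None):
    """Detect, then react; returns (flagged, blocked, escalated) so callers can inspect each stage."""
    lines = build_sample_log() if lines is None else lines
    flagged = detect_fanout(lines)
    blocked, escalated = react(flagged)
    return flagged, blocked, escalated


if __name__ == "__main__":
    flagged, blocked, escalated = run_pipeline()
    print("flagged:  ", flagged)
    print("blocked:  ", blocked)
    print("escalated:", escalated)
```

With the constructed log, all five sweeping hosts are flagged and the quiet host is not; the automation blocks the first three on its own and hands the remaining two to a person. The point of the cap is not the number three but that the loop has a hard ceiling on unattended action, which is exactly what the market-plunge and Blaster anecdotes lacked.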

This brought out one of the ugly secrets of cyber security.

Ugly Secret 1: Security types know we're becoming a surveillance society. We are helping to build it. We believe we can control those who use it (controllers) because we built it (builders).

Ugly Secret 2: Controllers trump builders. Controllers aren't always who we think they are. They are humans and software.

In the next couple of blog entries, I'm planning on exploring more issues on this topic.
(to be continued...)

2 comments:

  1. Excellent thread Randy. This is what I've been talking about for a decade when I've been telling people we are making reality imitate fiction -- a la William Gibson. It's time we start the heart-to-heart on this arms race.

  2. Free and available Wi-Fi is always a nice bonus of visiting public places. In today’s world, almost every cafe, airport, restaurant, bar or club has the opportunity to use free Internet access using a smartphone or laptop. Sounds appealing, doesn’t it? In fact, with this connection, the files and information stored on your device become available; unless you have read our tips and taken precautions in advance.