30 years of rampant insecurity

When the "black hats" (the orderlies of the wild forest of cyberspace) are especially successful in their dirty work, the tabloid media squeal with delight. As a result, the world is starting to take cybersecurity more seriously. Unfortunately, not right away: despite the ever-growing number of catastrophic cyber incidents, the world is not yet ready for genuinely proactive measures. Still, it is expected that in the near future, thanks to the "black hats", the world will finally begin to take cybersecurity seriously. [7]


Just as serious as fires... Cities were once extremely vulnerable to catastrophic fires. Yet despite the obvious danger, preventive measures were not taken, not even after the great Chicago fire of 1871, which killed hundreds of people and left about 100,000 homeless. Preventive measures were adopted only after a similar disaster struck the city again three years later. The same goes for cybersecurity: the world will not solve this problem until catastrophic incidents occur, and even when they do, it will not solve it immediately. [7] So even the saying "Until the bug bites, the admin won't patch" does not quite hold. That is why, in 2018, we celebrated 30 years of rampant insecurity.


Lyrical digression

The opening of this article, which I originally wrote for System Administrator magazine, turned out to be somewhat prophetic: the issue of the magazine carrying it came out literally on the day of the tragic fire at the Winter Cherry shopping and entertainment center in Kemerovo (25 March 2018).

Taking down the Internet in 30 minutes

Back in 1998, the legendary hacker collective L0pht, appearing in full strength before a US Senate hearing attended by the most influential officials, declared: "Your computerized equipment is vulnerable to cyberattacks from the Internet: software, hardware and telecommunications alike. Their vendors do not care about this state of affairs at all, because current legislation provides no liability whatsoever for a negligent approach to the cybersecurity of the software and hardware they produce. Responsibility for potential failures, whether spontaneous or caused by the intervention of cybercriminals, rests solely with the user of the equipment. As for the federal government, it has neither the skills nor the desire to solve this problem. So if you are looking for cybersecurity, the Internet is not the place to find it. Any one of the seven people sitting in front of you could, single-handedly, take down the entire Internet and thereby seize full control over the equipment tied to it. Thirty minutes of choreographed keystrokes and it's done." [7]


The officials nodded gravely, signaling that they understood the seriousness of the situation, and did nothing. Today, twenty years after L0pht's legendary testimony, "rampant insecurity" still reigns in the world. Breaking into computerized, Internet-connected equipment is so easy that the Internet, originally a realm of idealistic scientists and enthusiasts, has gradually been invaded by the most pragmatic of professionals: fraudsters, spies, terrorists. All of them exploit the vulnerabilities of computerized equipment for financial or other gain. [7]

Vendors neglect cybersecurity

Vendors do, of course, sometimes fix some of the vulnerabilities that come to light, but they do so very reluctantly, because it is not protection against hackers that brings them profit but the new functionality they deliver to consumers. Focused exclusively on short-term profit, vendors invest only in solving real problems, not hypothetical ones, and in the eyes of many of them cybersecurity is a hypothetical thing. [7]

Cybersecurity is invisible and intangible. It becomes tangible only when something goes wrong with it. If it was taken care of well (a lot of money was spent on it) and there are no problems, the end consumer sees no reason to pay extra for it. Moreover, beyond the extra financial cost, implementing protective measures takes additional development time, requires limiting the capabilities of the equipment, and reduces its performance. [8]

It is hard to convince even a vendor's own marketers that these costs are worthwhile, let alone end consumers. And since today's vendors are interested only in short-term sales revenue, they are entirely unwilling to take responsibility for the cybersecurity of their creations. [1] On the other hand, the more conscientious vendors that do take care of the cybersecurity of their equipment find that corporate customers prefer cheaper and easier-to-use alternatives. So it is clear that corporate customers care little about cybersecurity either. [8]

In light of the above, it is not surprising that vendors tend to neglect cybersecurity and adopt the following philosophy: "Keep building, keep selling, and patch as needed. System crashed? Lost information? Credit card database stolen? Unfixable vulnerabilities in the equipment? No problem!" Consumers, in turn, are left to follow the principle "patch and pray". [7]

How it happens: examples from the wild

A vivid example of neglecting cybersecurity in development is Microsoft's corporate incentive program: "Missed the deadline? You'll be penalized. Didn't ship your feature on time? It won't be included. If it isn't included, you won't get your share of the company's stock (a slice of Microsoft's profits)." Beginning in 1993, Microsoft began actively tying its products to the Internet. Since this push operated under the same incentive program, functionality expanded faster than its defenses could keep up. To the delight of pragmatic vulnerability hunters... [7]

Another example is the situation with desktop and laptop computers: they ship without antivirus preinstalled and without strong passwords preset. It is assumed that the end user will install antivirus software and configure the security settings. [1]

Another, more extreme example is the cybersecurity of retail equipment (cash registers, PoS terminals for shopping centers and so on). It just so happens that vendors of commercial equipment sell what sells, not what is secure. [2] If vendors care about one thing in terms of cybersecurity, it is that when a disputed incident occurs the responsibility falls on someone else. [3]

An illustrative example is the popularization of the EMV standard for bank cards, which, thanks to the skilled work of bank marketers, looks to the technically inexperienced public like a safer alternative to "obsolete" magnetic-stripe cards. Yet the main motivation of the banking industry that developed the EMV standard was to shift liability for fraud incidents (committed by carders) from the merchants to the customers, whereas previously, with magnetic-stripe payments, the financial liability for disputed debits and credits lay with the merchant. [3] Thus the banks processing payments (the acquirers) shift liability either onto merchants (who use their remote banking systems) or onto the banks that issued the cards, and the latter, in turn, shift it onto the cardholder. [2]

Vendors hinder cybersecurity

As the digital attack surface grows inexorably, thanks to the explosion of Internet-connected devices, it becomes ever harder to keep track of what is connected to the corporate network. Meanwhile, vendors shift the worry about the security of all that Internet-connected equipment onto the end user [1]: "saving the drowning is the job of the drowning themselves."

Not only do vendors not care about the cybersecurity of their creations, in some cases they actively prevent it from being secured. For example, when the Conficker worm got into the Beth Israel medical center in 2009 and infected some of the medical equipment there, the center's technical director decided, to prevent similar incidents in future, to disable the network functionality of the equipment the worm had affected. He ran into the objection that "the hardware cannot be modified because of regulatory restrictions", and it took him considerable effort to get the vendor to agree to disable the network functions. [4]

The fundamental cyber-insecurity of the Internet

David Clark, the legendary MIT professor nicknamed "Albus Dumbledore" for his brilliant insight, clearly remembers the day the dark side of the Internet was revealed to the world. Clark was chairing a telecoms conference in November 1988 when news broke that the first computer worm had slithered through the network. Clark remembers the moment because a speaker at his conference (an engineer from one of the leading telecommunications companies) turned out to be responsible for the hole the worm spread through: in the heat of the moment he blurted out, "Damn, I thought I had fixed that bug!", and he paid for those words. [5]


Later, however, it turned out that the hole through which the worm spread was not the work of any single person. Strictly speaking, it was not even a vulnerability but a fundamental property of the Internet: its founders, when designing their brainchild, focused exclusively on data transfer speed and fault tolerance. They never set themselves the task of ensuring cybersecurity. [5]

Today, decades after the founding of the Internet, and after hundreds of billions of dollars have been spent on futile attempts to secure it, the Internet is no less vulnerable, and its cybersecurity problems only get worse every year. But do we have the right to condemn the founders of the Internet for this? After all, no one condemns the builders of freeways because accidents happen on "their roads", and no one condemns city planners because robberies happen in "their cities". [5]

How the hacker subculture was born

The hacker subculture originated in the early 1960s at MIT's Tech Model Railroad Club. Club enthusiasts designed and built a model railroad so huge that it filled an entire room. Club members spontaneously split into two groups: the world-builders and the systems people. [6]

The former worked on the above-ground part of the layout, the latter on the underground part. The former built and painted model trains and towns, modeling a whole world in miniature. The latter handled the technical underpinnings of all this world-building: the tangle of wires, relays and crossbar switches beneath the layout, everything that controlled the above-ground part and supplied it with power. [6]

When a traffic problem arose and someone came up with a clever new solution to it, that solution was called a "hack". For club members, the search for new hacks became the meaning of life, which is why they began to call themselves "hackers". [6]

The first generation of hackers used the skills acquired in the model railroad club to write computer programs on punched cards. Then, when the ARPANET (the forerunner of the Internet) arrived on campus around 1969, it was the hackers who became its most active and skilled users. [6]

Now, decades later, the modern Internet resembles that underground part of the railroad layout, because its founders were those same hackers, alumni of the model railroad club. Only now the hackers are operating real cities instead of miniature models. [6]

How BGP Routing Came to Be

By the end of the 1980s, the explosion in the number of devices connected to the Internet brought it close to a hard mathematical limit built into one of its basic protocols, so that any conversation among the engineers of the day eventually turned into a discussion of this problem. Two friends were no exception: Yakov Rekhter (an engineer at IBM) and Kirk Lougheed (a co-founder of Cisco). Meeting by chance at the dinner table, they began discussing how to keep the Internet working and jotted the ideas that came up on whatever was at hand: a ketchup-stained napkin. Then a second. Then a third. The "Three-Napkin Protocol", as its inventors jokingly called it, known officially as BGP (Border Gateway Protocol), soon revolutionized the Internet. [8]

For Rekhter and Lougheed, BGP was just a laid-back hack in the spirit of the model railroad club described above, a temporary fix that was supposed to be replaced soon. The friends developed BGP in 1989. Yet today, nearly 30 years later, the vast majority of Internet traffic is still routed by the "three-napkin protocol", despite ever louder alarm bells about critical problems with its security. The temporary hack became one of the basic protocols of the Internet, and its developers learned from their own experience that "there is nothing more permanent than a temporary solution". [8]

Networks around the world migrated to BGP. Influential vendors, wealthy customers and telecommunications companies quickly fell in love with BGP and got used to it. So, despite ever louder alarm bells about the insecurity of this protocol, the IT community is still in no hurry to switch to newer, more secure routing. [8]

Cyber-insecure BGP routing

Why is BGP routing so good, and why is the IT community in no hurry to abandon it? BGP helps routers decide where to send the gigantic data streams traveling over a huge network of intersecting links. It helps routers choose suitable paths even though the network is constantly changing and popular routes are often jammed with traffic. The problem is that the Internet has no global routing map. Routers running BGP decide which path to take based on information received from their neighbors in cyberspace, who in turn collect it from their neighbors, and so on. That information is easy to falsify, which makes BGP routing highly vulnerable to hijacking and man-in-the-middle (MitM) attacks. [8]

Hence questions like "Why did traffic between two computers in Denver take a giant detour through Iceland?" or "Why was secret Pentagon data once transmitted through Beijing?" arise regularly. Such questions have technical answers, but they all boil down to the fact that BGP is built on trust: trust in the routes recommended by neighboring routers. Because of BGP's trusting nature, mysterious traffic lords can, if they wish, lure other people's data flows into their own domain. [8]

A living example is China's BGP attack on the US Pentagon. In April 2010 the state-owned telecommunications giant China Telecom sent tens of thousands of routers around the world, including 16 in the US, a BGP message announcing the best routes. With no system in place to validate China Telecom's announcement, routers around the world began sending traffic in transit through Beijing, including traffic from the Pentagon and other US Department of Defense sites. The ease with which the traffic was redirected, and the lack of effective protection against such attacks, is yet another wake-up call about the insecurity of BGP routing. [8]

In theory BGP is vulnerable to even more dangerous attacks. If international conflicts were to unfold in full force in cyberspace, China Telecom or some other telecommunications giant could try to claim parts of the Internet it does not actually own. Such a move would confuse routers, which would have to jump between competing claims for the same blocks of Internet addresses; unable to tell a valid claim from a fake one, they would start behaving erratically. The result would be the Internet equivalent of nuclear war: an open, large-scale display of hostility. Such a scenario seems unrealistic in times of relative peace, but technically it is quite feasible. [8]

A futile attempt to move from BGP to BGPsec

Cybersecurity was not considered when BGP was designed, because at the time hacks were rare and the damage from them negligible. BGP's developers, who worked for network equipment vendors and were interested in selling that equipment, had a more pressing task: to prevent spontaneous breakdowns of the Internet, because outages could drive users away and thereby reduce sales of network equipment. [8]

After the incident with US military traffic passing through Beijing in April 2010, work on securing BGP routing certainly accelerated. But telecommunications vendors are not enthusiastic about the costs of moving to BGPsec, the secure routing extension proposed as a replacement for insecure BGP. Vendors still consider plain BGP acceptable despite countless hijacking incidents. [8]

Radia Perlman, dubbed the "mother of the Internet" for inventing the Spanning Tree Protocol, defended a prophetic doctoral thesis at MIT in 1988 (the year before BGP was born). Perlman predicted that a routing protocol that depends on the honesty of one's neighbors in cyberspace is fundamentally insecure, and advocated the use of cryptography to limit the scope for falsification. But the rollout of BGP was already in full swing, the influential IT community had grown used to it and did not want to change anything. So after the reasoned warnings of Perlman, Clark and other prominent experts, the share of cryptographically secured BGP routing has not grown at all and still stands at 0%. [8]
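The trust problem described in the two sections above (a neighbor's announcement is accepted as-is, and a more specific or shorter-path claim for someone else's address block simply wins) and the cryptographic remedy Perlman argued for can be seen in a few dozen lines. The following is an added example and not code from the article, from any router vendor, or from the BGP authors: it models BGP's decision process (longest prefix match, then shortest AS path) and RFC 6811 route origin validation against RPKI Route Origin Authorizations (ROAs), which is the cryptographically anchored origin check deployed on real routers today. BGPsec, which additionally signs the AS path, is not implemented here. The ASNs 64496 to 64511 and the prefixes 203.0.113.0/24 and 198.51.100.0/24 are reserved for documentation; the announcements and the ROA are constructed for the example.

```python
"""Toy model of BGP route selection and RFC 6811 route origin validation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Announcement:
    """One BGP UPDATE as seen by a router: a prefix and the AS_PATH it arrived with.
    The rightmost ASN in the path is the origin AS that claims to own the prefix."""
    prefix: ipaddress.IPv4Network
    as_path: Tuple[int, ...]

    @property
    def origin(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Roa:
    """A Route Origin Authorization from the RPKI: 'asn' may originate 'prefix'
    and any more-specific prefix no longer than 'max_length' bits."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int


def validate_origin(ann: Announcement, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation: 'valid', 'invalid' or 'notfound'."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"      # no ROA covers the prefix: nothing to check against
    for r in covering:
        if r.asn == ann.origin and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"           # a ROA covers the prefix, but not for this origin/length


def install_routes(anns: Iterable[Announcement],
                   roas: Optional[Iterable[Roa]] = None) -> List[Announcement]:
    """Build the routing table. Plain BGP (roas=None) trusts every neighbour;
    with ROAs, RPKI-invalid announcements are dropped before they can win."""
    if roas is None:
        return list(anns)
    roas = list(roas)
    return [a for a in anns if validate_origin(a, roas) != "invalid"]


def best_route(dest: ipaddress.IPv4Address,
               rib: Iterable[Announcement]) -> Optional[Announcement]:
    """Simplified BGP decision process: longest prefix match wins, then the
    shortest AS_PATH. Real routers apply more tie-breakers, but these two
    are exactly what a hijacker targets."""
    candidates = [a for a in rib if dest in a.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda a: (a.prefix.prefixlen, -len(a.as_path)))


# --- Constructed sample data (documentation ASNs and prefixes, not real routes) ---
VICTIM_HOST = ipaddress.ip_address("203.0.113.10")
OUTSIDE_HOST = ipaddress.ip_address("192.0.2.1")       # nobody announces this block
LEGIT = Announcement(ipaddress.ip_network("203.0.113.0/24"), (64500, 64496))
# Hijack 1: a bogus origin announces a more-specific /25; longest match beats the real /24.
MORE_SPECIFIC_HIJACK = Announcement(ipaddress.ip_network("203.0.113.0/25"), (64511,))
# Hijack 2: same /24 with a forged origin and a shorter path; wins the path-length tie-break.
ORIGIN_HIJACK = Announcement(ipaddress.ip_network("203.0.113.0/24"), (64511,))
# An unrelated prefix with no ROA at all: classed 'notfound' and still accepted.
UNRELATED = Announcement(ipaddress.ip_network("198.51.100.0/24"), (64500, 64501))
ANNOUNCEMENTS = [LEGIT, MORE_SPECIFIC_HIJACK, ORIGIN_HIJACK, UNRELATED]

# The prefix holder (AS 64496) published a ROA: only it may originate 203.0.113.0/24, and nothing longer than /24.
ROAS = [Roa(ipaddress.ip_network("203.0.113.0/24"), 24, 64496)]


def winning_origin(with_rpki: bool) -> int:
    """Which AS ends up receiving the victim's traffic under each policy."""
    rib = install_routes(ANNOUNCEMENTS, ROAS if with_rpki else None)
    return best_route(VICTIM_HOST, rib).origin


if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{str(ann.prefix):18} origin AS{ann.origin:<6} -> {validate_origin(ann, ROAS)}")
    print("plain BGP routes 203.0.113.10 via AS", winning_origin(with_rpki=False))
    print("with RPKI ROV   routes 203.0.113.10 via AS", winning_origin(with_rpki=True))
```

Without ROAs, the more-specific /25 from AS 64511 captures the victim's traffic even though the legitimate /24 is still in the table, and the forged /24 with the shorter path would win the tie-break even if the /25 were filtered. With the ROA present, both forged announcements are classed invalid and dropped, while the prefix that has no ROA stays "notfound" and is still routed; that is why ROA coverage, and not just origin validation support on routers, decides how much protection you actually get. Origin validation checks only the origin AS: an attacker who forges a path ending in the legitimate origin passes it, which is the gap BGPsec path signing is meant to close.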

BGP routing is far from the only "hack"

And BGP routing is far from the only hack confirming the idea that "there is nothing more permanent than a temporary solution". The Internet, immersing us in fantasy worlds, sometimes seems as elegant as a racing car. In reality, because of the hacks piled on top of one another, the Internet is more Frankenstein than Ferrari, because these hacks (more officially called patches) are never replaced by sound technology. The consequences are deplorable: every day and every hour cybercriminals break into vulnerable systems, expanding cybercrime to previously unimaginable proportions. [8]

Many of the flaws cybercriminals exploit have been known for a long time and have survived solely because of the IT community's habit of solving emerging problems with temporary hacks and patches. As a result, outdated technologies sometimes pile up on top of each other for years, making life difficult for people and putting them in danger. What would you think if you learned that your bank had built its vault on a foundation of straw and mud? Would you trust it with your savings? [8]

The carefree attitude of Linus Torvalds

Years passed before the Internet reached its first hundred computers. Today 100 new computers and other devices connect to it every second. As the number of Internet-connected devices explodes, so do the cybersecurity problems. Yet the person who could have the most influence on solving them is one who treats cybersecurity with disdain. He has been called a genius, a bully, a spiritual leader and a benevolent dictator: Linus Torvalds. The vast majority of devices connected to the Internet run his operating system, Linux. Fast, flexible and free, Linux has grown ever more popular. It is also very stable and can run for years without a reboot. That is why Linux holds the honor of being the dominant operating system: practically all the computerized equipment around us today runs Linux: servers, medical equipment, on-board computers, tiny drones, military aircraft and more. [9]

Linux succeeds largely because Torvalds emphasizes performance and fault tolerance. But he does so to the detriment of cybersecurity. Even now that cyberspace and the physical world have become intertwined and cybersecurity has become a planetary issue, Torvalds continues to resist the introduction of security innovations into his operating system. [9]

Hence, even among Linux's many fans, there is growing concern about the vulnerabilities of this operating system, especially in its most intimate part, the kernel, on which Torvalds personally works. Linux fans can see that Torvalds does not take cybersecurity seriously. Moreover, Torvalds has surrounded himself with developers who share his carelessness. If anyone in Torvalds' inner circle starts talking about introducing security features, he is immediately anathematized. Torvalds dismissed one group of such innovators as "masturbating monkeys". Bidding farewell to another group of security-minded developers, Torvalds told them: "Would you kindly kill yourself. The world would be a better place for it." Whenever it came to adding security features, Torvalds was always against it. [9] Torvalds even has a whole philosophy on the subject, which is not without a grain of common sense:

"Absolute security is unattainable. Therefore it must always be weighed against other priorities: speed, flexibility and ease of use. People who devote themselves entirely to security are insane; their thinking is limited and black-and-white. Security by itself is useless; the essence is always somewhere else. So you cannot provide absolute security, even if you really want to. Of course, there are people who pay more attention to security than Torvalds does. But those guys just work on what interests them and provide security within the narrow bounds of those interests, no more. So they do nothing to increase absolute security." [9]

Sidebar: Sitting on a powder keg with open source [10]

Open source code has saved billions in software development costs by eliminating duplicated effort: with open source, programmers can use the latest innovations without restrictions or fees. Open source is used everywhere. Even if you hire a software developer to solve your specialized task from scratch, that developer will most likely use some open source library, and certainly more than one. So elements of open source are present almost everywhere. At the same time, it should be understood that no software is static; its code is constantly changing. So the principle of "set it and forget it" never works for code, including open source code: sooner or later an updated version will be required.

In 2016 we saw the consequences of this state of affairs: a 28-year-old developer briefly "broke" the Internet by deleting open source code (the npm package left-pad) he had previously published. This story shows how fragile our cyber infrastructure is: some people who maintain open source projects are so important to it that if, God forbid, they were hit by a bus, the Internet would break.

Hard-to-maintain code is exactly where the most serious vulnerabilities lurk. Some companies do not even realize how vulnerable they are because of hard-to-maintain code. The vulnerabilities in such code can mature into a real problem very slowly: systems rot slowly, showing no visible failures while they rot, and when they finally fail the consequences are fatal.

Finally, since open source projects are usually developed by communities of enthusiasts like Linus Torvalds or the hackers of the model railroad club mentioned at the beginning of the article, the problems of hard-to-maintain code cannot be solved in the traditional ways (with commercial and government levers), because the members of such communities are capricious and value their independence above all else.

Sidebar: Maybe the special services and antivirus developers will protect us?

In 2013 it became known that Kaspersky Lab had a special unit that carried out commissioned investigations of information security incidents. Until recently this unit was headed by a former police major, Ruslan Stoyanov, who had previously worked in Moscow's Department "K" (USTM GUVD of Moscow). All the employees of this special unit of Kaspersky Lab came from law enforcement agencies, including the Investigative Committee and Department "K". [11]

At the end of 2016 the FSB arrested Ruslan Stoyanov and charged him with high treason. In the same case, Sergei Mikhailov, a high-ranking officer of the FSB's Center for Information Security (TsIB), on whom the country's entire cybersecurity effort had rested before his arrest, was also arrested. [11]

Sidebar: Cybersecurity by compulsion

Russian entrepreneurs will soon be forced to pay serious attention to cybersecurity. In January 2017 Nikolai Murashov, a representative of the Center for Information Protection and Special Communications, stated that in 2016 critical information infrastructure (CII) facilities alone in Russia were attacked more than 70 million times. CII facilities include the information systems of government agencies and of enterprises in the defense industry, transport, credit and finance, energy, fuel and nuclear industries. To protect them, on 26 July 2017 Russian President Vladimir Putin signed a package of laws "On the security of CII". By 1 January 2018, when the law comes into force, the owners of CII facilities must implement a set of measures to protect their infrastructure from hacker attacks, in particular by connecting to the state system GosSOPKA. [12]

Bibliography

  1. Jonathan Millet. IoT: The Importance of Securing Your Smart Devices.
  2. Ross Anderson. How Smartcard Payment Systems Fail // Black Hat. 2014.
  3. S. J. Murdoch et al. Chip and PIN is Broken // Proceedings of the IEEE Symposium on Security and Privacy. 2010. pp. 433-446.
  4. David Talbot. Computer Viruses Are "Rampant" on Medical Devices in Hospitals // MIT Technology Review (Digital). 2012.
  5. Craig Timberg. Net of Insecurity: A Flaw in the Design // The Washington Post. 2015.
  6. Michael Lista. He was a teenage hacker who spent his millions on cars, clothes and watches, until the FBI caught on // Toronto Life. 2018.
  7. Craig Timberg. Net of Insecurity: A Disaster Foretold, and Ignored // The Washington Post. 2015.
  8. Craig Timberg. The long life of a quick 'fix': Internet protocol from 1989 leaves data vulnerable to hijackers // The Washington Post. 2015.
  9. Craig Timberg. Net of Insecurity: The kernel of the argument // The Washington Post. 2015.
  10. Joshua Gans. Could Open-Source Code Make Our Y2K Fears Finally Come True? // Harvard Business Review (Digital). 2017.
  11. Top manager of Kaspersky Lab arrested by the FSB // CNews. 2017.
  12. Maria Kolomychenko. Cybersecurity Service: Sberbank proposed to create a headquarters for the fight against hackers // RBC. 2017.

Source: habr.com