I was fortunate enough to present as the keynote speaker for HouSecCon 4. The first part of my presentation focused on the parallels between information security today and the dawn of the space age in the late 1950s. The second section dove into internet-wide measurement and details about Project Sonar. Since it may be a while before the video of the presentation is online, I wanted to share the content for those who may be interested and could not attend the event. A summary of the first section is below and the full presentation is attached to the end of this post .
In 1957 the soviet union launched Sputnik, the first artificial satellite. The US public, used to being first in most things scientific, panicked at being beaten to space. This lead to unprecedented levels of funding for science, math, and technology programs, the creation of NASA, and the first iteration of DARPA, known then as ARPA. Sputnik also set the precedent for the “freedom of space”.
Although Sputnik was the first salvo in the space race, it was quickly left in the dust by increasingly powerful spy satellites The cold war accelerated technology by providing both funding and a focus for new development. Limited visibility meant that both sides were required to overestimate the capabilities of the other, driving both reconnaissance and weapon technology to new heights.
The space age changed how we looked at the world. The internet was born from ARPA's attack-resistant computer network. Military technology was downleveled for civil use. GPS and public satellite imagery shrank the physical world. Public visibility led to accountability for despots and companies around the world. Global imagery shone a light on some of the darkest corners of the planet.
Technology developed in the paranoid shadows of the cold war radically changed how we live our lives today. The proverbial swords turned into plowshares faster than we could imagine.
The differences between military and consumer capabilities are shrinking every year. Crypto export control is useless in the face of strong implementations in the public domain. Alternatives to GPS are launching soon and location awareness has gone well beyond satellite triangulation. High-resolution thermal imaging systems are available off-the-shelf from international suppliers.
So what does all of this have to do with information security? There are direct parallels between the start of the space age and the last decade of information security. Public fear over being out-gunned and out-innovated triggered a demand for improved security. Consumers and businesses are becoming aware of the real-world impact that a security failure can have. The more we move online, the more is at risk. Technology is been pushing forward at a phenomenal pace. Network neutrality draws similarities with the concept of “freedom in space”. Out of this environment, predators have emerged, first opportunistic criminals, and now organized crime, law enforcement, and intelligence agencies.
The Snowden leaks have painted a detailed picture of how the US and its allies monitor and infiltrate computer networks around the globe. Although most of the security community assumed this kind of intelligence gathering went on, having it confirmed and brought into the limelight has been something else. Even the tin foil hat crowd didn't appear to be paranoid enough.
Indeed, claims against China and Russia look weak in comparison to what we now know about US intelligence activities. To me, the most surprising thing is the lack of “cutting edge” techniques that have been exposed. Most of the methods and tools that have been leaked are not much different from what the security community is actively discussing at conferences like this.
In fact, many of the tools and processes used by both intelligence and military groups are based on work by the security community. Snort, Nmap, Metasploit, and dozens of other open source security tools are mainstays of government-funded security operations, both defensive and offensive. Governments of every major power are pouring money into “cyber”, but the overlap between “secret” and “this talk I saw at defcon” is larger than ever. The biggest difference is where and how the techniques or tools are being used. Operationalized offense and defense processes are the dividing line between the defense industrial base and everyone else.
It doesn't take a lot of skill or resources to break into most internet-facing systems. If the specific target is well-secured, the attacker can shift focus to another system nearby or even a system upstream. The number of vulnerable embedded devices on the internet is simply mind boggling. The Snowden leaks also confirmed that routers and switches are often preferred targets for intelligence operatives for this reason. My research efforts over the last few years have uncovered tens of millions of easily compromised devices on the internet. The number doesn't get any smaller. More and more vulnerable equipment continues to pile up.
IBM, Symantec, SANS, and SecureWorks all provide internet “Threat Levels”. Dozens of commercial firms offer “threat intelligence” services. What actionable data are you getting from these firms? How do you know whether what they are providing is even accurate?
Case in point. During 2012, an unknown researcher compromised 1.2 million nodes, using telnet and one of three passwords. 420,000 nodes were then used to conduct a scan of over 700 TCP and UDP ports across the entire internet. The same nodes were also used to send icmp probes and traceroutes to every addressable IPv4 address. Not a single “threat intelligence” vendor noticed the telnet exposure, its mass-compromise, or detected the scanning activity. In fact, nobody noticed the activity, and the internet became aware only after the researcher published a 9Tb data dump and extensive documentation and statistics from the project. The graphic you are seeing now is a 24 hour cycle of active public internet IPS (via ICMP), from this project.
We can't improve things unless we can measure them. We cant defend our networks without knowing all of the weak links. We are starved for real information about internet threats. Not the activities of mindless bots and political activists, but the vulnerabilities that will be used against us in the future. Without this, we can't make good decisions, and we cant place pressure on negligent organizations. So, lets measure it. It is time for better visibility. It is time for accelerated improvement. It is time for a security space age.