Archive for March, 2010

Spaf on Transforming Cybersecurity Education

Spaf has a working document on two specific, concrete initiatives for radically improving our national approach to cybersecurity research and education:

Two Proposals on Cyber Security Research (revision 3 at http://transfer.spaf.us/is-prop.pdf)

Specifically, these proposals are:

  1. create a significant amount of funding for initializing and maintaining cybersecurity infrastructure for both research and teaching labs
  2. create an award (similar to MacArthur “genius grants”) of significant size and prestige for supporting blue sky research by promising faculty in cybersecurity

Also of interest is his blog post on “Having an Impact on Cybersecurity Education”, which says in part:

Of course, it is also a little frustrating, because we could have done more, and more needs to be done. However, the approaches we have used (and are interested in trying next) never fit into any agency BAA. Thus, we have (almost) never been able to get grant support for our educational efforts. And, in many cases, the effort, overhead and delays in the application processes aren’t worth the funding that is available. (The same is true of many of our research and outreach activities, but that is a topic for another time.)

We make similar observations and recommendations in our upcoming CACM Viewpoints essay on producing a cybersecurity workforce out of thin air. Funding for teaching activities is largely looked down on in the research community because you can’t possibly be doing anything innovative in terms of relaying material or creating exercises or infrastructure – right? (End sarcasm.)

[Thanks to T. Candon who spotted Spaf's blog post -Ed.]

Comments off

Trusting SSL Certs

The problem of user “click-through” of SSL certificate warnings when connecting to websites using SSL/TLS is an old, well-recognized one. Users have little information with which to make a meaningful trust decision.

I recently visited a Web site where I had to submit reviews, and the connection was HTTPS. Firefox’s new in-browser dialog warning about the risks of an unverified or otherwise broken SSL cert appeared, complaining that the certificate was invalid for a few different reasons, namely that it was not valid for the URL (“3 of 4” rather than “trust2010.org”), that it was self-signed (not in itself an uncommon situation for these types of paper reviewing sites and other ad-hoc, self-hosted sites), and that it had expired (it was only valid for one month in late 2009). A screenshot of this warning follows:

Firefox Complaining About the Validity of a Certificate

I typically add these exceptions after a cursory glance at the certificate information. After all, many sites have some desire to run their own PKI, distribute self-signed certs, be their own CA, or otherwise present certificates that are not signed by one of the existing built-in root certificates in your browser.

The only thing that stopped me from approving the exception was the certificate information, which was so obviously bogus and homemade that I did not want to risk connecting to the site and giving away my log-in credentials. Screenshot of this certificate follows:

The Invalid Certificate Information

Note that had this information been more realistic, I would have had no way to feel suspicion about the certificate. Even if it were revoked or outdated, for the purposes of uploading a few reviews, I might have easily just added the exception and gone on. The moral of the story here is that even experienced users, when presented with credible information, have no way to ascertain the trustworthiness of the information contained in a certificate. So: do certificates need to be active entities and go about proving their provenance to a user in an active manner, such as playing a game, completing a formal proof, or otherwise attesting to some properties known only to the user and the endpoint he is trying to communicate with?
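To make the three complaints in the Firefox dialog concrete, here is an added example (not code from the original post) that replays those checks over a certificate: does any name in the cert match the host, is the issuer identical to the subject (self-signed), and does the validity window contain the time of the visit. Certificates are represented in the dict form that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be pointed at a live peer certificate. Both sample certificates and the visit date are constructed for this example; the CA name in the good certificate is hypothetical.

```python
"""
Replay of the three checks Firefox raised on the review site's certificate:
wrong host name, self-signed, and expired. Certificates use the dict form
returned by ssl.SSLSocket.getpeercert(); the samples below are constructed.
"""
from datetime import datetime, timezone

# Constructed: mirrors the broken certificate described in the post.
BOGUS_CERT = {
    "subject": ((("commonName", "3 of 4"),),),
    "issuer": ((("commonName", "3 of 4"),),),
    "notBefore": "Oct 15 00:00:00 2009 GMT",
    "notAfter": "Nov 15 00:00:00 2009 GMT",
    "subjectAltName": (),
}

# Constructed: what a correctly issued certificate for the site would look like.
GOOD_CERT = {
    "subject": ((("commonName", "trust2010.org"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),  # hypothetical CA name
    "notBefore": "Jan 01 00:00:00 2010 GMT",
    "notAfter": "Jan 01 00:00:00 2011 GMT",
    "subjectAltName": (("DNS", "trust2010.org"), ("DNS", "*.trust2010.org")),
}

# Constructed: the date of the visit described in the post (March 2010).
VISIT_TIME = datetime(2010, 3, 20, tzinfo=timezone.utc)

CERT_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"  # the format getpeercert() uses


def _name_attrs(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdn_sequence for attr, value in rdn}


def _dns_names(cert):
    """Names the certificate is valid for: SAN DNS entries, else the subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    cn = _name_attrs(cert["subject"]).get("commonName")
    return [cn] if cn else []


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single leading '*.' wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        first, _, rest = hostname.partition(".")
        return bool(first) and rest == pattern[2:]
    return False


def _parse_time(text):
    return datetime.strptime(text, CERT_TIME_FORMAT).replace(tzinfo=timezone.utc)


def certificate_problems(cert, hostname, now=None):
    """Return the reasons a browser would refuse `cert` for `hostname`; [] means clean."""
    now = now or datetime.now(timezone.utc)
    problems = []

    names = _dns_names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"hostname mismatch: valid for {names or '<no name>'}, not {hostname}")

    # Issuer identical to subject is the mark of a self-signed certificate. A real
    # validator also verifies the signature chain up to a trusted root; this does not.
    if _name_attrs(cert["issuer"]) == _name_attrs(cert["subject"]):
        problems.append("self-signed: issuer is identical to subject")

    if now < _parse_time(cert["notBefore"]):
        problems.append(f"not yet valid: starts {cert['notBefore']}")
    if now > _parse_time(cert["notAfter"]):
        problems.append(f"expired: valid until {cert['notAfter']}")
    return problems


if __name__ == "__main__":
    for label, cert in (("bogus", BOGUS_CERT), ("good", GOOD_CERT)):
        print(label, certificate_problems(cert, "trust2010.org", now=VISIT_TIME) or "no problems")
```

The point of the post survives the code: every one of these checks would pass on a certificate with plausible-looking names and dates, so a mechanical validator cannot tell a legitimate self-hosted cert from a convincing impostor any better than the user can.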

Comments off

Cyberwar and Non-military Cyber Engagement

Is cyberwar a foregone addition to any future kinetic conflicts (a fancy phrase meaning traditional warfare with troops, bullets, tanks, and bombs)? According to one analysis from James Andrew Lewis at the Center for Strategic and International Studies, cyber war just doesn’t make sense, since the risks of retaliation and retribution are simply too great:

http://csis.org/files/publication/100311_TheCyberWarHasNotBegun.pdf

Lewis says, in part, “Even in a conflict – with China over Taiwan or Russia over Georgia – our opponents would be constrained in launching some kinds of cyber attack.”

I don’t find this statement well justified. If the nation is already engaged in “kinetic” war with the U.S., why hold back? Lewis says for fear of retribution:

Moving from deployed forces in theater to civilian targets in the homeland risks unmanageable escalation. These risks and uncertainties create implicit thresholds in cyber conflict that nations have so far observed. Just as with missiles and aircraft, our nation-state opponents have the ability to strike the United States using cyber attacks, but they have chosen not to do so because of the risk of retaliation.

but were I in charge of a nation at war with a superpower, I would hit as hard and as often as possible — and that includes both military and civilian cyber-infrastructure and critical information infrastructure, particularly since the US has a heavy economic and “quality of life” dependence on this technology.

I suppose it depends on the goal of the opponent in launching a conflict. But in any serious kinetic war with a reasonably powerful adversary (i.e., one that has a chance at winning some aspect of the conflict), why would the engagement stay limited?

The Lewis article does make a good point about the need for agreed-on norms and more clearly defined penalties and sanctions for cyber activity (such as economic espionage or other cybercrime). Understanding the needs and creating relationships with potential opponents is probably a useful activity.

As Larry Wortzel pointed out in 2006 (“Risks and Opportunities of a Rising China”), nations like China and the US require a shared agreement on cyber-security activities, but bridging the cultural and political gaps here may prove quite difficult.

On March 24, DarkReading had this article:

Legislators Propose International Cybercrime Cooperation Laws — With Teeth

which begins: “Two U.S. senators today proposed new legislation that would require the U.S. government to monitor the cybercrime posture of other countries and deliver assistance — or sanctions — to those countries based on the findings.”

[Ed. Updated 24 March with link to DarkReading article]

Comments off

Identifying Browsers

The Panopticlick project is an interesting data collection exercise and experiment aimed at understanding just how unique a browser (yours, not to put too fine a point on it) is.

In essence, the EFF researchers show how to fingerprint a browser (1) without storing any state in the browser and (2) simply by executing code that reads public properties and configuration that your browser makes available (this information includes the “UserAgent” string, but goes far beyond it to detect other properties like installed fonts and plug-ins, screen size, screen resolution, and time zone, among others).

I first heard about this project from Bruce Schneier’s February Cryptogram (covering his January 29 blog post – most of the comments, including one from the EFF researcher, Peter Eckersley, are enlightening), but then a paper about the system crossed my email Inbox. Going to the site, I found that my browser (as of 15 March) has about 19.5 bits of entropy and is unique out of 741,612 browsers that have visited the page. Like most other people have experienced, the most distinct parts of my fingerprint are my system fonts and my plug-in details. My user-agent (Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6), time zone (EDT), and screen details (1440x900x24) also give away some bits of identifying information, but much less than the fonts and plug-ins.

Schneier’s blog links to this Arstechnica news story.

Other related work is the browserrecon project.
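The "bits of entropy" figure the Panopticlick site reports is worth seeing computed. The added example below (not the EFF's code or data) shows the arithmetic: observing an attribute value that a fraction p of visitors share reveals -log2(p) bits (its surprisal), the per-attribute figures are summed on the assumption that attributes are independent, and a fingerprint carrying at least log2(N) bits is, as a rule of thumb, likely to be unique among N browsers. The visitor counts and the sample fingerprint are constructed; the population is 1024 so the answers come out as whole bits.

```python
"""
How a fingerprinting study turns browser attributes into bits of identifying
information. Surprisal of an observed value = -log2(P(value)); summed over
attributes it approximates the fingerprint's total. All counts are constructed.
"""
import math
from collections import Counter

# Constructed: how many of 1024 visitors presented each value of each attribute.
POPULATION = 1024
OBSERVED = {
    "user_agent": Counter({
        "Firefox/3.6 on Mac OS X 10.5": 128,
        "MSIE 8.0 on Windows": 512,
        "Chrome/4.0 on Windows": 384,
    }),
    "timezone": Counter({"EDT": 256, "PST": 256, "CET": 256, "GMT": 256}),
    "screen": Counter({"1440x900x24": 64, "1024x768x24": 640, "1280x800x24": 320}),
    "fonts": Counter({
        "Arial;Helvetica;Times": 900,
        "Arial;Helvetica;Verdana": 123,
        "Arial;Helvetica;Menlo;Monaco;Optima": 1,  # reported by a single visitor
    }),
}

# Constructed: one visitor's attribute values.
MY_FINGERPRINT = {
    "user_agent": "Firefox/3.6 on Mac OS X 10.5",
    "timezone": "EDT",
    "screen": "1440x900x24",
    "fonts": "Arial;Helvetica;Menlo;Monaco;Optima",
}


def surprisal_bits(counts, value):
    """Bits revealed by observing `value`: -log2(P(value)) over the population.
    A value nobody has reported yet is treated as seen once (by this visitor)."""
    total = sum(counts.values())
    return -math.log2(max(counts.get(value, 0), 1) / total)


def attribute_entropy_bits(counts):
    """Shannon entropy of an attribute: the bits it reveals on average, which can
    be small even when one particular value (a rare font list) reveals a lot."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)


def fingerprint_bits(fingerprint, observed=OBSERVED):
    """Per-attribute surprisal and the total, assuming attributes are independent
    (they are not entirely, so the total is an upper bound)."""
    per_attribute = {a: surprisal_bits(observed[a], v) for a, v in fingerprint.items()}
    return per_attribute, sum(per_attribute.values())


def bits_needed(population):
    """Bits a fingerprint must carry to single out one browser among `population`."""
    return math.log2(population)


if __name__ == "__main__":
    per, total = fingerprint_bits(MY_FINGERPRINT)
    for attr, bits in sorted(per.items(), key=lambda kv: -kv[1]):
        avg = attribute_entropy_bits(OBSERVED[attr])
        print(f"{attr:<11} {bits:5.2f} bits for this visitor (attribute average {avg:.2f})")
    print(f"total {total:.2f} bits; about {bits_needed(POPULATION):.2f} needed "
          f"to be unique among {POPULATION} browsers")
```

Running it reproduces the pattern the post describes: the font list contributes the most (10 bits here, because only one visitor in the constructed population has it), the screen and user-agent a few bits each, and the time zone least, for a 19-bit total against the roughly 10 bits needed to stand out in a population of 1024.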

Comments off

PKI Does Work in the Real World

PKI is typically the object of much scorn: something this inherently dependent on human-level trust surely cannot provide digital trust, especially between (for example) countries that have no diplomatic ties. See, for example, the classic point/counterpoint:

Ten Risks of PKI: What You’re Not Being Told

7 and a Half Non-risks of PKI

For these kinds of reasons and what has become a certain amount of institutional prejudice in the security community, PKI typically takes more constrained forms: SSH host and user keys; SSL server certificates signed by a slew of vendors pre-installed in major browsers, etc.

The experience of Dartmouth and its partners in academia and government provides a model for extending PKI into the real world across organizational boundaries.

Comments off

Measuring Entropy

After some investigation and casting about, I started to write a small C library for measuring entropy.

The libdisorder Web page has more.

Comments off