The whistle-blower: The threat from within
Like many folks, we are recovering from the holidays and the traditional family dinner. The highlight is watching the grandkids open the presents, especially this year, as our two-year-old grandson has discovered the wonders of ripping open everything, regardless of who the actual recipient might be.
And among all of the presents, the best of all was the whistle that came in a Christmas cracker. Everyone could have saved a ton of money if we’d only known the power of the whistle. The first few blows were a bit tentative but once he grasped the concept, the “whistle blower” was off and running. And as the evening wore on, I suddenly started to wonder about “whistle blowers”.
After all, we live in a culture that puts the whistle blower on a pedestal. The media in general seem to thrive on the whistle blower, even when the very people who are exposing an individual would definitely fall into the category of the “pot calling the kettle black”.
Times have changed. There was a day when Britain elected a prime minister who had not only suffered from gonorrhea but during his time in office had a long-standing affair with a married woman. Not only did his political career thrive, but on resigning as PM, he was elevated to the House of Lords. And the United States has also had its share of Presidents, such as Thomas Jefferson, Andrew Jackson and Franklin D. Roosevelt, who in today’s whistle-blowing society would have been exposed for their extramarital dalliances.
In France, and partly as a result of strict privacy laws, there is a long-standing journalistic consensus that what goes on in the private lives of public figures remains private. So, for example, the French media knew that the late President Mitterrand had a daughter from an extramarital affair, but it was not until shortly before Mitterrand’s death that the French public learned about it.
RSA – Damned if you do and damned if you don’t
Whatever the truth regarding the NSA and the RSA, one thing that surprises me most of all is the shocked reaction of the security community. Ever since cryptographic algorithms originating from the US have been available in products, there is without fail in every meeting, with any company, the question regarding “backdoors” in the algorithms. In other words everyone has always assumed this to be true, for whatever reason, and now that it supposedly is true, everyone seems to be in shock.
We may never know the truth, but in any case no encryption algorithm survives forever. It is not so long ago that we were being told that MD5, invented by Ron Rivest – yes, the very same from RSA – was no longer safe and that the flaw was considered to be a fatal weakness. At that time we were told to use an alternative such as SHA-1, which has since been found to be vulnerable as well. SHA-1 was designed by the NSA, and published by NIST as a FIPS standard. SHA-1 was based on principles similar to those used by Ronald Rivest in the design of the MD5 algorithms.
Conspiracy theories abound! Could it be that the NSA and the RSA have been in cahoots all along? Did Adi Shamir and Len Adleman know about this? Hang on, Adi Shamir is Israeli and Len Adleman is the son of an American Jewish family. It’s all an American Israeli plot. Never mind hard evidence!
One can only conclude that the French were right all along. As I understand it, French law states that a company may not be able to sell or use that product in France unless it meets the French government’s requirements and an authorisation is obtained. Probably needs to have a “porte arrière”.
What next? – Antivirus companies in cahoots with the authorities? The likelihood is that we may never know the truth. After all, could it be possible that the NSA, aware that they had a leakage problem, mixed some misinformation with the other stuff to get us all taking knee-jerk reactions? The longer the Snowden affair drags on, and the more the guy is promoted as some latter-day messiah, the more I start to ask myself the question: was Edward Snowden smarter than the best the US Government had to offer? Surely with all the disclosures, more heads would have rolled?
The insider remains the biggest threat
Regardless of the integrity, or lack of it, in encryption algorithms, the insider remains the biggest single threat to organisations. “The best-placed person to damage a machine is the engineer who built it or maintains it, the manager who designed and runs a production process, or the IT administrator who adapted or installed a software solution. It therefore comes as no surprise that sabotage manuals tend to be written largely for insiders…” – “Cyber War Will Not Take Place” by Thomas Rid
Whether we’re talking about Stuxnet, or AMSC and Sinovel, the insider, either deliberately or inadvertently, is your biggest risk. In October 2011, a report by the Office of the National Counterintelligence Executive concluded that “Cyber tools have enhanced the economic espionage threat, and the Intelligence Community judges the use of such tools is already a larger threat than more traditional espionage methods.”
“Shady RAT” serves as an example that crypto algorithms are not the biggest issue. Identified by McAfee, the attack has been extensively reported.
Essentially, four steps were key in achieving success:
- Select target organisations based on economic or political criteria
- Penetrate the target organisations: identify employees and gather contact information such as email addresses from sources such as LinkedIn, then use spear phishing to send Trojans embedded in commonly used file formats, which install as the files are opened
- Once installed, the Trojans connect back through seemingly innocuous websites to the attackers' command and control (C&C) center
- The attackers gain control of the target machines by having the Trojan establish a remote session back to the C&C center, basically allowing the attacker to view and record all the activity
So who needs crypto backdoors when it’s just as easy to exploit our naivety by simply looking at our LinkedIn accounts, and to realise that most organisations are not actively monitoring their systems for exploits, or are relying on AV applications that can only cure something after they know what it is?
And as for the “whistle blower”: curiously, the parents forgot to take the whistle with them. After all, “whistle blowers” get really tiresome after a while.