Slashdot Mirror


Why Chinese Hacking Is Only Part of the U.S. Security Problem

An anonymous reader writes "'Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration,' argues a U.S. Air Force cyber security researcher. 'It is technological vulnerabilities that create the ability for actors to exploit the information system and gain illicit access to sensitive national security secrets, as the previous examples highlight. Yet software and hardware developers are not regulated in the same way as, say, the auto or pharmaceutical industries.' 'The truth is that we should no longer accept a patch/configuration management culture that promotes a laissez-faire approach to cyber security.'"


  1. So start demanding changes. by khasim · · Score: 5, Interesting

    First off, demand that every software vendor provide a list of files that their product installs, where those files are installed by default and different checksums/hashes/etc for them.

    It should be possible to boot a machine with a live CD (or PXE) and inventory every single file on that machine and identify the origin of each of them.

    At least you'd know whether a machine was cracked or not.

    Right now, with existing anti-virus, all you can say is that a machine does not have anything that matches the signatures that you have right now.

    1. Re:So start demanding changes. by Zapotek · · Score: 2

      Nowadays, folks try to do as much as possible in RAM -- by that I mean no patching files or writing to the FS at all. So, keeping track of modifications to any sort of executable file (even indirectly executable, hell, even if it's not executable) will certainly be a handy tool but not as much as you'd think. Also, debsums already does this and I'm sure other package managers support similar functionality. Now, if there's no such utility for your system (even commercial 3rd-party) then you may have chosen/setup the wrong system.

      Also, AppArmor-like systems are quite handy too as they allow very fine-grained control for what operations a certain process/executable can perform, thereby allowing you to avoid modifications to the FS via an exploited vulnerability in the first place (and also limit what the exploit's payload will be able to execute once in RAM, no execution privs means no way to execute a shell which makes things much harder).

      But even so, privs can be escalated and jails can be broken and vulns can be chained, better get some security education and minimize the chances of writing vulnerable code in the first place, and then carefully fix the inevitable vulnerabilities which you'll surely introduce as soon as you learn about them.
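
The offline file inventory proposed in comment 1, as an added example that is not part of the thread: it walks a mounted filesystem tree and classifies every file against a vendor manifest as ok, modified, unknown or missing. The manifest layout (`path -> (sha256, origin)`), the function names and the sample tree are constructed assumptions, and the check covers on-disk state only.

```python
import hashlib
import os
import tempfile

def digest(path):
    """SHA-256 of file content; a symlink is hashed by its target string, not followed."""
    if os.path.islink(path):
        return hashlib.sha256(os.fsencode(os.readlink(path))).hexdigest()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def audit_tree(root, manifest):
    """manifest: relative path -> (sha256 hex, origin). Layout is an assumption."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not descended
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel not in manifest:
                report["unknown"].append(rel)      # no vendor claims this file
            elif digest(full) != manifest[rel][0]:
                report["modified"].append(rel)     # claimed, but content differs
            else:
                report["ok"].append(rel)
    present = set(report["ok"]) | set(report["modified"])
    report["missing"] = [p for p in manifest if p not in present]
    return {k: sorted(v) for k, v in report.items()}

def demo():
    # Constructed sample tree: three shipped files, then simulated changes.
    shipped = {"bin/tool": b"vendor build 1.0\n", "etc/tool.conf": b"mode=safe\n",
               "lib/libtool.so": b"constructed library bytes\n"}
    with tempfile.TemporaryDirectory() as root:
        manifest = {}
        for rel, data in shipped.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            manifest[rel] = (hashlib.sha256(data).hexdigest(), "tool-1.0")
        with open(os.path.join(root, "bin/tool"), "ab") as f:
            f.write(b"appended bytes")             # content no longer matches
        os.remove(os.path.join(root, "lib/libtool.so"))  # shipped file gone
        with open(os.path.join(root, "bin/.cache"), "wb") as f:
            f.write(b"not in any manifest")        # file with no known origin
        return audit_tree(root, manifest)
```

Calling `demo()` returns the four sorted lists; on a real system `root` would be the target disk mounted read-only from trusted boot media, so the audited machine's own binaries are never executed.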

  2. You're kidding of course by StillNeedMoreCoffee · · Score: 2

    Start with designing operating systems that are secure and language environments that are secure rather than feature-rich marketing shows. Don't put the blame on the programmers that have to work with shoddily designed infrastructure. Change the infrastructure.

    1. Re:You're kidding of course by pspahn · · Score: 5, Insightful

      You may be over-estimating the will of developers who actually intend to build something secure out of the box. Sure, you've got the chunk of folks that require fine-grained security in their day-to-day, but the rest of them that take security for granted (we're not big enough yet to make things secure, we'll wait until revenue hits $xxx and then "do it right") are just going to worry about making their stuff function according to the spec.

      I have left some code lying around before that I am not particularly proud of, not that anyone important would notice, as it tends to be things only another developer would recognize. It's difficult to think of other occupations that are not affected by this type of thinking either, otherwise we wouldn't have to send the Dept. of Health around to restaurants to make sure the kitchens are clean, or the pedagogists around to the elementary school to make sure learning is happening, or aviation officials to enforce maintenance standards...

      Of course there needs to be accountability for code that does important things. That is clearly obvious. There are too many people interacting with code in occupations that previously wouldn't have done so. At some point it's going to be a good idea to have a nice audit trail.

      --
      Someone flopped a steamer in the gene pool.
  3. s/technological/human by Midnight_Falcon · · Score: 3, Insightful

    I find the summary to be quite myopic in terms of security -- it thinks that there's a technological solution for every security problem. In reality, as long as humans have access to data -- they can be deceived, tricked or otherwise made to inadvertently disclose said information to a third party. I doubt there will ever be a technological solution to address this 100% -- you can make walls and try to idiot-proof your network, but then you will discover that someone has invented a better idiot.

  4. Patch Code is like Chinese Food.... by Bob_Who · · Score: 2

    .....In an hour, you'll be hungry again.

  5. Just plain silly by Gorshkov · · Score: 4, Insightful

    The whole idea that China should be 'held responsible' for the hacking is just plain silly on its face. Governments and private corporations have been spying on each other ever since the first cave man tried to keep a secret.

    Can you imagine during the cold war if the US President went to Stalin and said "please stop spying on us"? Because that's exactly what's been suggested here.

  6. more certifications? oversight? by kcmastrpc · · Score: 2

    sounds like an excuse to spend more money, on more stuff that they already have/don't need.

    take a look at the IT/data security invested in the automotive/pharm industry, and then ask yourself, "well, why are they so secure?"

  7. Oh, I'm Sorry by doctor+woot · · Score: 4, Insightful

    Do you expect medical professionals to be able to cure every disease and infection ever? Do you expect automotive engineers to be able to build mechanically perfect vehicles? No. Of course the attitude the majority of people take towards online security is a joke, but no more so than saying "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration."

    Cyber espionage, crime, and warfare exist through the same mechanisms that allow viruses to become resistant to treatment: adaptation. Systems can be designed to be harder to break, systems can't be made to be impenetrable. The language used in this article is just the same old IT-focused yellow journalism we've all come to expect on the subject.

    1. Re:Oh, I'm Sorry by causality · · Score: 2

      You should read my comment again, because your reply is essentially repeating what my post said to begin with. Do people treat security poorly in the IT industry, yes. Can security be strengthened by more rigid standards and harsher penalties for failure, yes.

      What I responded to, and I'll quote it again, was "Cyber espionage, crime, and warfare are possible only because of poor application or system design, implementation, and/or configuration." The implication here is that these things are NOT possible if systems are not poorly designed, implemented and configured. That's a load of bullshit. Even with the best security advancements available you are simply not immune. To suggest otherwise is to display ignorance on the subject.

      Would you concede that (say, by using managed languages) eliminating all buffer overflows would be a huge step in the right direction? We have the capability of doing that. There is still the impossibility of ever conclusively proving that a given piece of software is completely free of all possible bugs, but that's a lofty and unrealistic goal. There are many feasible steps we could take that are realistic. We generally don't take those steps because the trade-offs involved don't fit our priorities. They usually mean more effort and therefore more expense, but government is the one institution that does not need to make a profit.

      Referring to your original post, there is a huge difference between "this doctor is incompetent and is guilty of malpractice" versus "cure all diseases all the time". I am essentially agreeing with you, except I think that with the latter case, you're going to an absurd extreme that no one is realistically suggesting. That was my point.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Oh, I'm Sorry by doctor+woot · · Score: 3, Insightful

      I think that with the latter case, you're going to an absurd extreme that no one is realistically suggesting. That was my point.

      Except it was suggested. The premise given was that should "poor application or system design, implementation, and/or configuration" be eliminated, so too would "Cyber espionage, crime, and warfare". My argument was tasking engineers with eradicating all of those problems would be like tasking doctors with curing every disease. I'M not the one going to an absurd extreme, it's a direct quote taken from TFA. I'm merely pointing it out.

  8. is there anyone who takes the opposite position? by Trepidity · · Score: 3, Interesting

    That is: someone who actually argues that Chinese hacking is the entirety of the U.S. security problem?

  9. Outsourcing plays a role. by TwineLogic · · Score: 3, Insightful

    In one example I saw, the, um, mistake in security implementation was committed by a Belarussian contractor who had a strong feeling against the U.S. oil interests in Georgia (Eastern Europe) and was working at a U.S. mega-corporation...

    Hiring certain political persuasions to do mission-critical work for mega-corporations is something I would look out for. I specifically mean hiring anti-U.S. personalities to perform work for U.S. infrastructure has its weaknesses.

    When mega-corporations implement critical infrastructure (e.g. login credentials) they would be using sympathetic professional contractors, probably from the U.S., the U.K., France, Germany, Japan, Australia, New Zealand, Canada of course. Not BRIC. That's my 2c /.

    1. Re:Outsourcing plays a role. by Anonymous Coward · · Score: 2, Insightful

      In one example I saw, the, um, mistake in security implementation was committed by a Belarussian contractor who had a strong feeling against the U.S. oil interests in Georgia (Eastern Europe) and was working at a U.S. mega-corporation... Hiring certain political persuasions to do mission-critical work for mega-corporations is something I would look out for. I specifically mean hiring anti-U.S. personalities to perform work for U.S. infrastructure has its weaknesses. When mega-corporations implement critical infrastructure (e.g. login credentials) they would be using sympathetic professional contractors, probably from the U.S., the U.K., France, Germany, Japan, Australia, New Zealand, Canada of course. Not BRIC. That's my 2c /.

      This is common sense. But it has one major political problem: as soon as you try to implement it, the large numbers of people who prefer emotion over thinking are going to scream RACISM. It is how the small-minded feel righteous and noble (instead of, you know, getting off their asses and doing something they believe in).

      God help you if any of the work was going to be outsourced to people with some melanin in their skin. It won't matter how critical the project is or how hostile to the US the outsourced workers are, no politician wants to open himself up to accusations of racism. It shuts down all critical rational thought like it is designed to do. It's how losers with indefensible ideologies end debates they cannot win. It is our modern-day "Communism" - it's based on hysteria and there's one under every rock and behind every corner, you know.

  10. Re:Because... by colinrichardday · · Score: 2

    Yes and the Chinese hackers know it. Seems the US has some chinks in its cyber-armor.

    Was that the best way of stating this?

  11. Secure Software Engineering is rarely taught by gweihir · · Score: 2

    Server software that is very, very secure is possible. Look at, e.g. postfix, openssh, apache w/o modules, etc. It costs more, but the real issue is it has to be designed and implemented by people with strong secure software engineering skills. Today, secure software engineering is still rarely taught, and almost never as a mandatory subject. As long as that continues, most software will suck security-wise, as secure software engineering requires a quite different mind-set from ordinary software engineering. It is however quite clear how to do it today. Techniques like privilege-separation, marking and tagging, secure containers, full input validation, etc. are well understood and cause massive increases in the difficulty to hack a system and can make it impossible. The problem is just that they are not used because so few people understand them.

    My proposal: Make secure software engineering courses mandatory for any SW-Engineering and CompSci qualification. Then add high liability risks for all those that do not use these techniques to force management into abandoning shoddy practices.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. Our buildings are vulnerable to Chinese missiles t by raymorris · · Score: 2

    True, almost all software produced has quite a few security holes. I just fixed some security holes in online classes that - cybersecurity. These are courses put out by a well known government agency that specializes in safety and security, but that agency doesn't come close to securing its own systems.

    HOWEVER our buildings are also quite vulnerable to Chinese missiles. We haven't secured our shopping centers, our sports stadiums, or our power plants. China could very easily wipe out any of them. Does that mean we'd accept it if they did? If China shot down a US airliner would we say "eh, it's our own fault for not securing our airspace"? Of course not. We'd hold China accountable, very quickly. Probably within a matter of hours. That's the biggest failing - we've chosen to sit down and allow China to attack us for the last several years, with no real response from us.

    Anyone can easily kick in the front door of your house. If they do so, we don't blame the victim for not having a six inch thick steel door. We throw the assailant in the slammer.

    Probably, our software will never be secure for the same reasons our houses won't be secure - because security is HARD. It's much easier to break something than to build something. Building something that can't be broken is almost impossible. To be competent at software security takes about six years of training for a typical corporate programmer, one who doesn't really understand software engineering as a science. An otherwise skilled programmer could learn to make his good software into fairly secure software in three years. That's about, what, an extra $40k - $60k per year for a programmer with several years worth of extra education / training. How many organizations are willing to pay that cost for secure systems?

    I have fifteen YEARS of experience in software security, but no one is offering me a job that pays a reasonable salary, not when they can instead hire an idiot for $40K to create a heaping pile of garbage that mostly "works", for a year or two until he's in a different position.