Internet attack defense: License and registration please...
This past Tuesday (Jan. 26) I posted the story about China's view of the attack and break-in that occurred at Google. The attack was widespread, similar to Ghostnet. I had indicated this was the beginning of a new Arms race, which has been underway for several years. The events which occurred in China affected Google, Adobe and others, has created the final catalyst needed to build the next defensive hardware and applications required and be used on computers and smart devices connected to the internet.
The tools used to attack any target, whether it be an individual or organization, an activist or military institution are sophisticated, difficult to detect and clearly with several goals in mind. Some attacks will be focused, others will attempt to collect as much data as possible for real-time or long term digestion to prepare its agenda subscribers. With this in mind, the programmers and designers will have very unique sets of challenges to overcome and be an intense creative process in which several intelligence techniques need to be understood or its ability to be used as a defense is weakened. This is in a league where the goal is beyond just a science fiction writer's novel or blogger's commentary, it's going to affect every internet user with real consequences. Adobe's reputation is vulnerable and will recover - this time. What the future holds for the company will demand new thinking and approaches to how it designs its products.
Internet attacks are a nuisance. Everyone simply want ease of use connecting to the Internet at work, or home in their daily lives, it's practically an essential service for many. Internet security costs money to prepare against. It consumes valuable resources in a corporate and individual user world, which offer no return on investment, except to protect their intellectual property and employees. The cost to protect the devices we use to use to connect to the internet is rising. When combined with the complexity that is required to prevent attacks, users are now faced with multiple problems, trust, ease of use and very likely, future mandatory compliance of understanding and using protection services or appliances for their computers and mobile phones. The next wave of sophistication to be used and be applied in any attack of a computer system connected, will be the most complex ever since the invention of the micro processor. Some argue that it cannot be done, that there is no single defensive application, service or computer network architecture that can prevent future internet attacks.
Governments all over the world are challenged with cyberspace security. Could regulations and government oversight and management be the solution? Regulations rarely work well in their first round of attempts and it would be impossible to regulate anyway, it is an international network with no borders. Even if the country decided to just regulate the internet within its own borders, it would be impossible to enforce with so many people visiting the country with their own computers and smart devices. Even if an agency like the FCC or DHS recorded every MAC address of every device 'allowed' in the internet network or Identifier code like Intel tried with the Processor Serial Number (PSN) program in the late 1990's, the management costs let alone civil rights controversy would kill such a program and still wouldn't prevent attacks occurring, it may only find the source of the attack - after the fact. Yet the reality is, governments may have to reconsider such an requirement. It may not fly today, but don't be surprised if it becomes reality in the near future. Every device connected to the Internet will have a permament license plate and without it, the network won't allow you to log in.
The private sector has to step up to the plate and come up with defensive solutions to prevent further risks to not only the individuals but the network itself. Several companies that make logical sense to be front and center of these requirements are Cisco Systems, McAfee, Symantec, Checkpoint and many others. But firewalls and anti-virus software will only work with a users understanding of what these products will and will not do. Consumer and employee expectations for ease of use will have to ratchet up a notch or two if we are to see a reduction in sophisticated attacks on users of the internet. Education of its users is going to be a vital link. While some may think Internet security for Dummies is a great place to start, it will need a severe upgrade. Forget about 2.0, try jumping to Version 10.0 and doing it right now. The future security model will require user understanding, of a trust model when heading out into cyberspace and clearly we have a long way to go before that is understood.
Software companies, other than Microsoft are now feeling the pain Internet Explorer and every version of Windows has experienced and as they are finding out, it's not a pleasant experience, just ask Adobe. Operating systems such as Linux, and Apple will also be used (and have been in the past) in the next wave of exploitation. Another new problem before us, is hardware with embedded software that can contain exploitation tools and lay dormant until needed. Nobody has public proof of it occurring and nor is any intelligence agency going to comment on such capabilities (I did ask several press officers at the NSA for comment on this story) or implementation of this type of capability. When a device can have a 4 GB micro-SD chip in it the size of a dime, it's time to begin to be concerned. That's just the easy and over simplified scenario. In a discussion with several hackers, they not only implied it can be done, it's easy to do. Often referred to as Linux on a stick, Apple's OS X can also be booted from a stick. Google's Chrome Browser can be operated from a SD chip. Which Chrome extensions do you trust? Combined with the new Open Source Android software, it's a dream come true for some, a nightmare for others. Red Hat believes it has one of the most secured Linux distro's out there and it probably is, considering the competition, yet it too constantly requires patches for its products.
With this kind of ability and its continued growth, it may influence how Internet services are designed and secured for its users. This is where the philosophical issue of intellectual property versus open source collides head on. In an open source environment, critique, ideas, review and options on how to solve the problem and inspection of code can be audited, reviewed and endorsed by the widest possible audience. But it's also its weakest link, with potential for abuse because the program is so open and easy to embed features that an end user has no idea is there. Let's face some hard facts, Microsoft and others are not doing any better job solving security loop holes by doing it their way either. Steve Ballmer wants an open and free internet. Nobody disagrees with that idea. The question is, how much longer will it last.
Verisign's approach on how a user should safely use the Internet is based upon well thought out processes and policies, yet its implementation is rarely understood by the average web surfer. The simple reason why it isn't deployed everywhere is the expense and maintenence of this kind of approach. Other tools will be used such as encryption at the https, SSL and other application layers. Even with these capabilities, it will not stop the information security issues we all face.
China's probe and attack has side benefits for its nation, besides information desired and use by its Intelligence community (MSS) and thus, the attack likely served multiple purposes. It is faced with a future problem that it simply cannot afford; copyright and download monitoring. The Green Dam is but one tool it uses to keep out information from the internet world, while at the same time, it needs to find ways to track and find information that actually is illegal - copyright and intellectual material already inside the country. If you can break into Google or piggy back on Adobe, what else can they do. The grand experiment may have accomplished more than just tracking a few human rights activists.
In the end, there are no magical cyber shields to solve the problem. One thing is for sure, a lot of money is going to be spent trying and sooner or later, everyone may have to pay with an Internet cop instant messaging you - "license and registration please"
[poll id="37"]
Other resources:
Dana Blankenhorn's story - What China wants in Internet battle is wholly proprietary