Platt Perspective on Business and Technology

Rethinking online security in an age of the internet of things: the more things change, the more they stay the same

Posted in business and convergent technologies by Timothy Platt on March 23, 2017

I have written on a number of occasions in this blog about computer systems and online security, and I add that these have been areas of attention in my consulting business and in pro bono work that I have done concerning critical national infrastructure and related areas of interest. I have not addressed this complex of issues, and certainly not systematically, for a while now in this blog. But I find myself returning to this general topic area here, in response to a growing and increasingly important disruptive change in what constitutes prevalent and emerging system vulnerabilities: risk vectors that are becoming increasingly important both for individual businesses and organizations and when considering the security of overall national infrastructures. And I begin this return to the topic by noting what in this context might best be considered an unfortunate truth: the more things change, the more they stay the same.

The Open Web Application Security Project (OWASP) is a global leader in developing and openly sharing free and open source software security management and improvement resources. It is a world-wide not-for-profit enterprise that seeks to create and offer a meaningful part of the overall solution for combating and blocking malicious hacking as it is carried out on and through the websites and other legitimate online presence of businesses and organizations everywhere. And theirs must at times seem a losing battle, even as they keep updating the tools and resources that they develop and offer, and even as they actively reach out to educate and inform.

One of OWASP’s key resources is their Top 10 List of the most pressingly important, commonly encountered vulnerabilities that are exploited in attacks, which they recurringly update to reflect at least close to current primary risks and vulnerabilities faced. And if you look at their newest completed version of this list, available online as of this writing, side by side with their 2010 list (both available as a free PDF download), you see that essentially everything on the newer list was already there on the older one. Six of the ten entries listed are unchanged, and the others in the updated version are more reorganized from the old than anything else. To clarify that last point with one reorganizational change of particular note here: among the changes and updates actually made was the creation of a new, more broadly defined top 10 risk category of “using known vulnerable components.”

That is perhaps as good a general label for nearly all of their list as any, particularly when hauntingly familiar villains such as SQL injection vulnerabilities in data-driven applications (such as online forms) have both remained on their list and stayed at its top for a long, long time now, as a separate risk vector entry in and of itself. The more things change, the more they stay the same, and many of the most recent Top 10 entries that we see there now in fact trace back in their basic forms to the first version of this list ever released.

And that brings me to the new and to change, and from there right back to the “stays the same” of all of this. The excitingly, disruptively new that I would cite here is our much fanfared, growing new internet of things. The underlying dream and goal of this is to leverage an increasingly open-ended range of objects, tools, devices and items with smart technologies and with online connectivity, so that their capabilities can be expanded both individually and synergistically. This can mean smart, online-connected thermostats that a home or business owner can set and reset from anywhere at any time, or an appliance that can tell you if it is developing a problem that might need repair or maintenance. On a vast numerical scale that definitely offers synergistic value, it can mean smart-tagged packages in transit that can in effect track their own current positions themselves, with all of that data feeding into smart, artificial intelligence enabled big data systems that can be used both to monitor individual deliveries and to monitor and optimize entire delivery systems for trucking and other transport resource use. These systems, and the raw data and processed knowledge that can come from them, can enable the development of more effective storage facilities used in transit and of better evolving shipping and transport systems overall, to meet changing customer and systems needs.

I have not even scratched the surface here of the potential positive side to developing and implementing a wide-ranging and even pervasive internet of things. Public health and safety, and an increasing range of other basic areas of involvement, could also be cited here. Of course this means the overall scale of the internet, measured by the number of nodes connected and connectable to it, growing from the few billion that it has reached pre-internet of things into the trillions. In that, a goal would be the creation of an intelligently connected and intercommunicating world, and that could be considered a major benchmark accomplishment of the 21st century, certainly as it is currently developing. That is the change, the new and the positive side of that. Now what about the “more of the same,” and in this case the realizable negative more of the same in that?

Let me begin addressing that question by offering a brief and highly selective historical note as a starting point. There are, of course, a number of potential villains in this narrative that I could cite here, but I select one out of that larger and more diverse cohort for consideration because a clear record of its involvement and activity was developed from early on in this story. I begin with the fall of the old Soviet Union and the break-up and reorganization of its old state security apparatus, and of the old Komitet gosudarstvennoy bezopasnosti (KGB) in particular.

When the Soviet Union formally and officially ended on December 26, 1991, their old KGB began a reorganization under a new name, becoming the new Federal’naya sluzhba bezopasnosti Rossiyskoy Federatsii (FSB): their Federal Security Service of the Russian Federation. True, a significant number of now former KGB employees were pensioned off or otherwise let go, and life after the fall of communism there was not always easy for them. But a real effort was made to retain the skilled and experienced people who had worked for the old service, as many had capabilities that would, or at least might, be needed again.

The old Warsaw Pact collapsed two years earlier in 1989, and Russia’s Eastern European buffer bloc of nations, protectively separating them from Western Europe, broke away. The peoples of these nations overthrew and ended their Russian-led communist governments in efforts at democratic reform. And perhaps most importantly to this narrative, matters did not go as smoothly for the now former employees of those nations’ counterparts to the Russian KGB as they would in Russia itself. The new nations that were now being founded out of the rubble of their communist pasts were all at least relatively impoverished, and “their” old national security agencies, long viewed as Russian weapons aimed at their own people, were for the most part not reorganized, and certainly not as Russia attempted with theirs, at least in part after witnessing the consequences of this in the now former Warsaw Pact buffer states. There were mass lay-offs from their now defunct KGBs, and many of these professionals, with their more specialized covert experience and training, could not simply start looking for more open civilian work, even when it might be available.

One of the sister agencies of particular note here in this regard is the old and, I have to add, much despised Romanian Departamentul Securității Statului (Department of State Security) or Securitate: the old Romanian KGB, as it was sometimes referred to in the West. East Germany, Poland and all of the other Eastern European vassal state members of the Warsaw Pact had their own counterparts to this organization, and like it they were led to a very significant degree by Russian KGB “advisors.” The Romanian KGB, or Securitate as it was most commonly called in Romania, played a very special role in this overall system.

The Securitate was used for carrying out tasks and assignments that the Russian KGB itself would not want to be associated with. They were used as a tool of plausible deniability in the face of news reporting and of possible foreign government disclosures, and for carrying out acts of both extreme violence and extreme coercion. And many of those people were simply let go when the old communist government of Nicolae Ceausescu was overthrown, forcing him to leave their capital, Bucharest, on December 22, 1989. The fall of the old communist regime there was by far the bloodiest and most violent downfall of any of the old communist Eastern Bloc countries. And many if not most Romanians came to see that as coming from now suddenly former members of the old Securitate, shooting civilians as snipers, among other last-stand efforts to retain some measure of control. Soldiers of the Romanian Army finally had to move in to stop them. Former members of the Romanian KGB, the Securitate, were for the most part tossed out into the streets, with little if any future in whatever private sector business world or economy might emerge; they were pariahs. This definitely included people skilled in what are euphemistically referred to as social engineering and related skills, and a fairly significant fraction of those people moved into crime as their one available next career path.

When the internet opened up, and particularly with the advent of the World Wide Web, these now experienced criminals began exploiting their skills in this new arena too, and they created what became an entire Russian and Eastern European industry, with a great deal of it home-based in Romania itself.

The first botnet that has been definitively identified and dated was created by a student at Cornell named Robert Morris (see How the First Botnet Changed the Internet Forever). Morris did not build or launch this computer worm with malicious intent. He has always contended that he was only trying to find a way to gauge the size of the internet and that he did not expect it to do anything that could in any way disrupt the information traffic flow there. But it did, and one of the early groups to pick up on the potential of this were those now very former (by job title) old Romanian Securitate agents. And they began assembling their own botnets by conning people (using their social engineering skills) into loading malware onto larger and progressively larger numbers of home and business computers that were not adequately safeguarded with anti-malware protection (virus, worm and related blocking capabilities, even though such protective software was then all but freely available). They used their seemingly myriad copies of those unwittingly installed malware programs to surreptitiously pool the individual contributions of all of the computers they had hijacked through them. And they used them to launch targeted denial of service attacks (DoS attacks) against specific individual businesses and organizations. Then they asked for and received ransom to stop, as well as payment from third parties that wanted to disrupt their competition and their enemies. This took on political aspects too, as those third party payers, and sometimes the hackers themselves, chose to use these weapons for more than just simple commercial purposes.

I do not know when the first genuinely criminal DoS attack took place, and I suspect that no one actually does. One of the reasons why the same old vulnerabilities keep showing up and keep being exploited, all too often in the same way, as exemplified by their persistence on the OWASP Top 10 List, is that victims of cyber attacks have historically, all too often, remained silent about what happened. They have not even wanted to admit that anything did happen if they could prevent that from getting out. The why of this is very simple. A loss of trust on the part of their customers and of others in their communities (e.g. their suppliers) was, and still often is, seen as holding greater potential for loss than any such attack itself, with that cost simply added onto the costs and losses already faced from the attack. But it is certain that the people I write of here began carrying out their own DoS attacks using botnets they had assembled, or that they rented at least in part from colleagues, early on in their new post-Securitate careers.

The DoS attack as a means of exploiting computer system and network vulnerabilities is at least as old as essentially any of the Top 10 entries on the OWASP list. And computer systems, server farms and their supporting networking systems have become more and more robust, able to block or where necessary out-bandwidth at least most such attacks, or at least to recover from them relatively quickly. This is of course an arms race, driven in large part by the fact that so many regular desktop, laptop and tablet computers do not have anything like adequate, up-to-date malware blocking software on them even now, and with smartphones entering that picture too. But it has been a race. And this, finally, brings me directly to the exploding-in-scale internet of things, where virtually all of these new nodes and types of nodes that are now going online seem to be vulnerable to exploitation through their unwitting inclusion in botnets. That certainly is the fear that many in internet security face in all of this.

I have, of course, only cited one group of black hat hacker participants in this narrative, with both wider private sector criminal and even direct government agency involvement coming to participate in this too, and certainly at the proof of principle and systems capability level for governments, as a source of offensive capability in their cyber-defense systems if nothing else. Expand this story as offered here in your thinking, in multiple directions and globally, and you have an idea of what this new variation on “the more things change, the more they stay the same” actually means.

I end this posting by taking the here and now of it out of the abstract, with three references to news pieces on real-world DoS attack capabilities that have already appeared in the wild, outside of any software security research lab, and that specifically target the internet of things and its ever-increasing range of potential botnet nodes:

Double-dip Internet-of-Things Botnet Attack Felt Across the Internet,
Internet of Things Believed to Be Targeted in Massive DDoS Attacks and
DDoS Attack Shows Dangers of IoT ‘Running Rampant’.

We are currently just witnessing the dawn of this cycle of change, with its variations of “new” and “stays the same.” And I offer this posting as a cautionary note as to the importance of leveraging what we have learned from our more familiar computer and smart (human-used) device internet, to better and more proactively safeguard our emerging internet of things too, and with the development and wider dissemination and use of new safeguard tools and approaches as the need for them arises in this emerging cyber security context.

I am certain to return to this topic in future postings. Meanwhile, you can find it and related postings and series at Ubiquitous Computing and Communications – everywhere all the time and its Page 2 continuation.
