The three laws of thermodynamics – “you can’t win, you can’t even break even, and you can’t even get out of the game” – apply equally to defenders facing attackers who only have to succeed once: one piece of data in the wrong hands and you have lost, said consultant Dan Klein at the AusCERT 2014 conference.
Klein, who describes himself as a curmudgeon, has worked for some of the largest companies in the world and is currently at Google.
He started his plenary talk with the customary disclaimer familiar from many senior executives: that the presentation represents his own plans for global domination and not those of his employers, past or present.
Klein told the audience that in 1989 he wrote a paper on password security that found how insecure passwords really were and how easily they could be cracked. In the intervening 25 years he said that he is still seeing the same issues.
“We have distributed cracking systems and there are still articles on how to choose good passwords. Why is this?” he asked.
All of this is against a backdrop of massive system breaches such as Mt. Gox, an over-the-air exploit of the Samsung Galaxy smartphone and numerous other publicised breaches. DDoS attacks were up 50 per cent in 2013, and there was the recent Internet Explorer vulnerability that affected every version from 6 to the current release.
Data mobility has made data loss inevitable and almost impossible to stop. With microSD cards the size of a fingernail capable of holding dozens of gigabytes of data, it is almost impossible to physically screen people for data they might be carrying. Klein referenced Edward Snowden, who exfiltrated data on portable USB devices from secured locations.
One of the key issues, Klein pointed out, is there are “tonnes of bugs” out there.
“The problem we are talking about is why are all these bugs there? Why aren’t they checked for?” he asked.
“There’s an aphorism in the security business,” said Klein. “Many eyes make all bugs shallow.”
But that has not always been the case. The recent goto fail bug in Apple’s SSL library, Heartbleed in OpenSSL and the 25-year-old readdir() bug in BSD were all in code that had been around for a long time and had been viewed by hundreds, if not thousands, of developers.
“I taught a secure programming class in one of my tours of Australia about 10 years ago,” Klein told the audience. “While I was teaching this class in Hobart I said ‘Wait a minute, there’s a bug’. All of the students who had looked at this code [over the many years it was used in courses] had looked at this code and not seen the bug.”
This was in a secure programming course, he said.
The problem, he said, is that there has been a failure in the way code is written and tested: static and dynamic analysis need to be carried out, code needs to be audited, and developers need to use safer programming languages. He also stressed the importance of simplifying code.
Part of the problem is that important pieces of code are changed rapidly, by many developers over a short period of time, particularly in the open source world.
“When you look at the Heartbleed bug, and you look at the SSL code, it’s incomprehensible, uncommented and untested. There are no unit tests. Why aren’t the tests there before the code is released?”
While testing adds time to the development and release process, Klein said that it makes software good, secure and safe. While it won’t eliminate every bug or problem, it will reduce the number and severity.
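As an added illustration (not code from Klein’s talk, and not Apple’s code), here is a simplified model of the goto fail control-flow pattern mentioned above, beside its fix, together with the negative test that would have caught it before release. The hash step and the signature check are constructed stand-ins rather than real cryptography, the sample signature bytes are made up, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a signature check (not real cryptography):
 * returns 0 ("ok") only when the supplied bytes equal the expected bytes. */
static int check_signature(const unsigned char *sig, const unsigned char *expected,
                           size_t n)
{
    return memcmp(sig, expected, n) == 0 ? 0 : -1;
}

/* Toy hash-update step standing in for the real library's update calls;
 * it always succeeds, as the real ones normally do. */
static int hash_update(unsigned int *state, unsigned int value)
{
    *state = (*state * 31u) ^ value;
    return 0;
}

/* Vulnerable shape.  The second "goto fail;" is not guarded by any if, so it
 * is always taken: control reaches the cleanup label with err still 0 and the
 * signature check below is never executed.  Every signature, valid or not,
 * is reported as ok. */
int verify_vulnerable(const unsigned char *sig, const unsigned char *expected,
                      size_t n)
{
    int err;
    unsigned int state = 0;

    if ((err = hash_update(&state, 1)) != 0)
        goto fail;
    if ((err = hash_update(&state, 2)) != 0)
        goto fail;
        goto fail;   /* duplicated line: unconditional jump, err == 0 here */
    if ((err = check_signature(sig, expected, n)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed shape: the duplicated jump is gone and braces make the intended
 * control flow explicit, so the signature check actually runs. */
int verify_fixed(const unsigned char *sig, const unsigned char *expected,
                 size_t n)
{
    int err;
    unsigned int state = 0;

    if ((err = hash_update(&state, 1)) != 0) {
        goto fail;
    }
    if ((err = hash_update(&state, 2)) != 0) {
        goto fail;
    }
    if ((err = check_signature(sig, expected, n)) != 0) {
        goto fail;
    }

fail:
    return err;
}

typedef int (*verify_fn)(const unsigned char *, const unsigned char *, size_t);

static const unsigned char EXPECTED_SIG[4] = { 0xde, 0xad, 0xbe, 0xef }; /* constructed */
static const unsigned char BAD_SIG[4]      = { 0x00, 0x00, 0x00, 0x00 }; /* constructed */

/* The negative test that was missing: a verifier must reject a bad signature.
 * Returns 1 if the given verifier rejects it, 0 if it wrongly accepts it. */
int rejects_bad_signature(verify_fn verify)
{
    return verify(BAD_SIG, EXPECTED_SIG, sizeof BAD_SIG) != 0;
}

/* The positive test: a correct signature must still be accepted. */
int accepts_good_signature(verify_fn verify)
{
    return verify(EXPECTED_SIG, EXPECTED_SIG, sizeof EXPECTED_SIG) == 0;
}

int main(void)
{
    printf("vulnerable rejects bad signature: %d\n",
           rejects_bad_signature(verify_vulnerable));   /* 0 */
    printf("fixed rejects bad signature:      %d\n",
           rejects_bad_signature(verify_fixed));        /* 1 */
    return 0;
}
```

The point is not the particular typo but the testing gap: both versions pass a "good signature is accepted" test, and only a negative test that feeds a wrong signature and expects rejection tells them apart. A static analyser flagging unreachable code after the stray goto would also have found it, which is the case for the static analysis Klein argues for.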
For this to happen, Klein suggested that developers will need to make significant changes to the way they do things. Or, in Darwinian terms, they need to adapt or die.
There are some positives in the recent issues faced by the infosec industry, with both Heartbleed and Snowden’s leaks serving as important warnings, he said. But he expects things to get worse as we deal with the balancing act between security and openness.
Klein’s view is that enormous volumes of data are being generated and collected. That data needs to be made open and accessible. The challenges won’t be around restricting access but in ensuring the integrity of data and ensuring that personally identifiable data is protected. This will usher in an era where the discussion will be around trustworthiness where the goal is knowledge.