Tag Archives: hacking

Why data security regulation is bad

The first government knee-jerk reaction in the face of a data breach is to create more government privacy compliance regulation.  This is analogous to shooting yourself in the foot while you hold the loaded weapon in one hand and apply band-aids with the other.

Democracies like Israel, the US and the UK have “a tendency to extremism tempered by having to compromise” (courtesy of D.M. Thomas in his NY Times book review of Philip Roth’s “Operation Shylock”).

In my previous post “Insecurity by compliance”, I considered the connection between being a free market democracy like the US, Israel or the UK and having a serious privacy and credit card data security breach problem, and my essay “The Israeli credit card breach” delved into the root causes of why Israeli organizations have poor data security.

Following yesterday’s hacking attacks on the Israeli web sites of El Al Israel Airlines Ltd and the Tel Aviv Stock Exchange, Israel Discount Bank and First International Bank of Israel announced that they have blocked access to their websites from outside Israel.

I am not surprised that IDB and FIBI are resorting to primitive methods like blocking IP addresses. If you’ve ever dealt with one, you know that the security management strategy of a banking institution is often highly influenced by internal politics and relies on outsourcing information security operations to security consultants, who naturally want to reduce their own personal exposure rather than the bank’s total value at risk.

Shutting down access to a Web site based on the geographic source of an IP address is a ludicrous countermeasure against a hacker, since it is simple to mount the attack from inside the country: rent a server in Israel, or use a network of compromised Windows PCs in Israel that already have Israeli IP addresses. The block does nothing to the attacker, while it does lock out the bank’s own customers who happen to be abroad.

From the government end, there are cries for more Web site security compliance regulation.

I will give the Israeli Ministry of Justice credit for having done nothing for over 20 years on updating the Israeli privacy law. There is nothing basically wrong with the law; it just needs to be enforced. For that, you need police officers who know how to read English – see my post on that problem here.

Even now, I suspect that the Ministry of Justice is just treading water and reacting to the recent spate of credit card and Web site breaches by the so-called Saudi hacker.

Security by compliance does not improve data security, especially since the minimum requirements dictated by a standard are public: an attacker can read them, assume a compliant company does exactly that much and no more, and look for the holes the standard leaves uncovered.


Counter cyber terrorism with social networks

The topic of offensive strategies against hackers comes up frequently, and I am surprised and dismayed by the US strategies on combating cyber terror. The Americans are still thinking in a conventional warfare paradigm. In “Defending a New Domain”, William Lynn writes:

It must also recognize that traditional Cold War deterrence models of assured retaliation do not apply to cyberspace, where it is difficult and time consuming to identify an attack’s perpetrator.

Dismantling terrorist infrastructures and social fabrics is neither retaliation nor vigilantism, and I am dismayed by the DoD strategy of combating terror with defenses instead of using anti-terror techniques.

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats… Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation. To stay ahead of its pursuers, the United States must constantly adjust and improve its defenses.

At a network level, you would and should blacklist the source of the malware. The block might be an IP address dropped at the firewall, an entry on a shared blacklist, or a new or modified signature in a content filtering/IPS system.

However, this is a defensive strategy that we know is not very effective in the long term, since it does not address the root cause of the threat. A more interesting approach, used several years ago against Code Red, redirects the worm’s requests back to the source IP address. If a large number of attacked web servers did that, the result would be a DDoS attack against the attackers, a turnabout-is-fair-play strategy.
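As an added example (not code from the original post), this is what the blacklisting step described above looks like when it is driven from web-server logs rather than configured by hand: the script scans Combined Log Format lines for the Code Red probe, counts hits per source address, and emits firewall rules for the sources. The log lines and addresses are constructed, and the worm signature is an assumed simplification (the /default.ida? request followed by a long run of N or X characters) rather than a full IPS rule.

```python
"""Signature-driven source blacklisting from web-server access logs.

Added example, not code from the original post. SAMPLE_LOG is constructed
(documentation addresses, not a real capture) and CODE_RED_RE is a
simplified, assumed form of the Code Red probe signature.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed worm probes: /default.ida? followed by a long filler run.
_NPROBE = "/default.ida?" + "N" * 64 + "%u9090%u6858%ucbd3"
_XPROBE = "/default.ida?" + "X" * 64 + "%u9090%u6858%ucbd3"

# Constructed Combined Log Format lines: two infected hosts probe the server,
# one benign client browses, and one client requests /default.ida without the
# query string, which is not the worm and must not be blocked.
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - [19/Jul/2001:10:00:01 +0000] "GET {_NPROBE} HTTP/1.0" 404 0',
    '198.51.100.23 - - [19/Jul/2001:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    f'203.0.113.7 - - [19/Jul/2001:10:00:03 +0000] "GET {_NPROBE} HTTP/1.0" 404 0',
    f'192.0.2.44 - - [19/Jul/2001:10:00:04 +0000] "GET {_XPROBE} HTTP/1.0" 404 0',
    '198.51.100.23 - - [19/Jul/2001:10:00:05 +0000] "GET /default.ida HTTP/1.1" 404 0',
    'this line is not a log record',
]) + "\n"

# Combined Log Format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed simplified signature: /default.ida? then at least 20 repeats of the
# same filler character (N for the original variant, X for the later one).
CODE_RED_RE = re.compile(r"^/default\.ida\?([NX])\1{19,}")


def parse_line(line):
    """Return the fields of one log record as a dict, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_worm_sources(log_text, signature=CODE_RED_RE):
    """Count signature hits per source address over the given log text.

    Records that do not parse, or whose source field is not a valid IP
    address, are skipped so that no malformed rule is ever generated.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not signature.match(rec["path"]):
            continue
        try:
            ip_address(rec["ip"])
        except ValueError:
            continue
        hits[rec["ip"]] += 1
    return hits


def iptables_rules(hits, min_hits=1):
    """Emit one iptables DROP rule per source with at least min_hits probes.

    Rules are sorted by address so repeated runs produce a stable list.
    """
    sources = sorted((ip for ip, n in hits.items() if n >= min_hits), key=ip_address)
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in sources]


if __name__ == "__main__":
    for rule in iptables_rules(find_worm_sources(SAMPLE_LOG)):
        print(rule)
```

Because a matching record requires a completed TCP handshake, the source address really is the infected host, so the rule is accurate. It still lands on a victim rather than the worm’s author, and the list goes stale as infections move between hosts, which is the long-term weakness the paragraph above points at.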

Attacking social networks of hackers

Although there are offensive alternatives, such as mounting systematic DDoS attacks on the attackers or developing targeted malware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Let’s learn from the counter-terror success of the Italians in the early 1980s in dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since malware is a form of terrorism, I believe that this strategy could be effective because it goes directly to the source and potentially denies a key hacker benefit: the social gratification.

While an interesting idea – the key barrier to this strategy is deploying it where hackers operate and obtaining the cooperation of local law enforcement.

As Mr. Lynn writes in his article in Foreign Affairs, the Americans are keen on cooperation:

Cyber Command’s third mission is to work with a variety of partners inside and outside the U.S. government. Representatives from the FBI, the Department of Homeland Security, the Justice Department, and the Defense Information Systems Agency work on-site at Cyber Command’s Fort Meade headquarters, as do liaison officers from the intelligence community and from allied governments. In partnership with the Department of Homeland Security, Cyber Command also works closely with private industry to share information about threats and to address shared vulnerabilities. Information networks connect a variety of institutions, so the effort to defend the United States will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector.

While it’s not clear that the Chinese or Estonian governments would play ball, if the Americans are really intent on combating cyber terror through international cooperation, perhaps they should trade in their defense-oriented strategy for an anti-terror, demand-side strategy.
