GCHQ's National Cyber Security Centre opens for business following delays

Discussion in 'Current Affairs, News and Analysis' started by Murphy_Slaw, Feb 14, 2017.

  1. Wordsmith

    Software companies vary enormously. Microsoft (for example) continue to support obsolete protocols like SSLv2. Why don't they put an end of life date on it (like they do with older versions of their software)? I've lost count of the number of reports that I've seen where the company being assessed hasn't disabled support for it.

    Oracle are secure by default these days. (I'm an ex-inmate of that asylum). But they make it possible to significantly relax the security requirements. And guess what - companies that can't afford an Oracle DBA relax the requirements to make the systems easier to maintain.

    Another small IT company I worked for quite a few years ago developed their own reversible proprietary encryption method and for a number of builds thoughtfully shipped a small tool to reverse the password hashes because the support staff at our customers asked for it. (EM may have got involved on that one...)

    There are clearly IT companies that make secure software - it's the nature of the computer security industry that you learn more about the software houses that ship insecure software.

    • Informative x 4
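The "reversible password hash" with a shipped reversal tool that the post describes is the opposite of what a password store should be. As an added illustration (not code from the post or from any product mentioned), the constructed snippet below puts a hypothetical legacy reversible scheme beside a one-way salted PBKDF2-HMAC hash: the legacy value can be turned back into the plaintext by anyone holding the product, while the hashed form can only be verified, so a support request becomes a password reset rather than a disclosure. All names, the fixed key and the sample passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed: a fixed key baked into a hypothetical legacy product. Anyone with
# a copy of the product (support staff, a customer, an attacker) has this key.
LEGACY_KEY = b"constructed-fixed-key"


def legacy_reversible_hash(password: str) -> str:
    """Hypothetical legacy scheme: XOR the password with a fixed key and base64 it.
    This is encryption with a shared key, not a hash, so it is trivially reversible."""
    raw = password.encode()
    out = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(raw))
    return base64.b64encode(out).decode()


def legacy_reverse(stored: str) -> str:
    """The kind of 'support tool' the post describes: recover the plaintext.
    It works because XOR with the same key undoes itself."""
    raw = base64.b64decode(stored)
    return bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(raw)).decode()


# One-way alternative: salted PBKDF2-HMAC-SHA256 from the standard library.
PBKDF2_ITERATIONS = 600_000  # work factor; raise over time as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, iterations, salt and derived key.
    A fresh random salt per password means equal passwords yield different records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare in
    constant time. There is no function that returns the plaintext: none is possible."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def demo() -> dict:
    """Run both schemes on a constructed password and report what each allows."""
    pw = "Constructed-Pa55word"  # constructed sample password
    legacy = legacy_reversible_hash(pw)
    record = hash_password(pw)
    return {
        "legacy_recovered": legacy_reverse(legacy) == pw,   # True: plaintext comes straight back
        "pbkdf2_verifies": verify_password(pw, record),     # True: correct password verifies
        "pbkdf2_rejects": verify_password("wrong", record), # False: wrong password rejected
        "salts_differ": hash_password(pw) != record,        # True: no two records match
    }


if __name__ == "__main__":
    print(demo())
```

Storing the second form means the only honest answer to "can you tell me the user's password?" is a reset, which is exactly the property the legacy tool in the post threw away.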
  2. Sarastro

    I'm afraid that is the kind of terrible suggestion that comes from soldiers or civil servants or politicians or security specialists: people with a terrible track record of thinking about the wider consequences of such decisions. The obvious reason why is that the car industry, and the road system, are nothing like the software / hardware / network world, and are never going to be. The immediate result would almost certainly be a sustained worldwide recession in the tech, and quite probably therefore global, economy.

    Legal liability alone would immediately prompt huge class action lawsuits against software companies, because as you know ALL software has multiple flaws. Criminals would probably benefit as a new front in cyber-blackmail would open up, where instead of building toolkits to target the wider ecosystem, black hats and their sponsors would simply blackmail software companies to keep vulnerabilities secret, also undermining the current security ecosystem which relies on vulnerabilities being shared with manufacturers. Open source software would disappear as all the groups that made it were sued or shut up shop at the risk. Production of new software would slow to a crawl. Since the basic problem is that there is a global shortage of developer talent, there simply isn't the manpower to fix this without huge changes in the education system, so any advances would take a lot of time.

    The problem doesn't exist because centralised, proprietary style organisations do things badly, although often they do. Equally, treating this as a 20th century style problem where you can just sue the organisation will not fix it.

    The problem exists because the infrastructure, networks, and nature of the hardware are all designed to be insecure and highly interoperable. This is not the case with, for example, the car industry and road networks, which are designed with safety in mind first. You cannot just sue the software companies, because fundamentally they make products to someone else's standards. The PC / Android approach to hardware builds makes coherent security standards largely impossible, despite some effort, because it is impossible to understand or specify the impact of combinations used. Networks and network protocols were designed to be open, with security added as an afterthought. Even new standards aren't vastly more secure, blame ICANN for that, not Microsoft. But don't blame ICANN, because there are good reasons to keep things open, which mean by default they will be less secure. So even if you hit companies with punitive legal responsibilities for things they actually can't reasonably fix, and swallowed the resulting recession, you would simply alter the class of security flaws that criminals would exploit.

    There is a reason this hasn't been done.

    Again, sorry but you use two examples that actually wouldn't change anything, because they are the wrong or pointless advice.

    Risk registers don't do anything except make accountability easier when things do go wrong. The argument that they create an incentive for managers to be more cautious depends on some kind of consequence, which as you said to start, doesn't really exist in the software world. Without a legal or regulatory system to back them up, risk registers don't do anything (arguably they don't do much regardless, are just seen as negated paperwork, and are highly inaccurate or gamed).

    The password rules you cite are already outdated. It's at least 12 and the combination of other ASCII characters has a negligible effect on the time taken to guess the string, compared to simply another digit in length. In other words, make it 13 and that's it. The advice is also different for automated strings and human-usable strings, e.g. your Windows product key or your Windows login.

    But more importantly, that is the problem with hard-coding. One, there's no such thing as "hard": to change it attackers just have to aim for the firmware code or low-level language rather than just firmware access or the high level language. Two, it dates really rapidly. Very soon you will have a set of equipment which is out-of-date. So you have to update it, let's assume by a remote push update from the manufacturer (in this new IoT world with multibillions of devices). Congratulations! You have just created the access vector that your attackers from point One will use to compromise it. You have changed only the method of attack.

    All of this stuff does require: more incentives to do things right; better understanding among "specialists"; a holistic approach. But the answers are not as simple as supposed security specialists like to claim, because a lot of them are frankly not very competent, and are simply regurgitating partially understood advice somebody told them on a course once.

    Moreover, this is an open ecosystem. Changing that now would, quite literally, break the Internet and software ecosystem. Any solutions have to treat it as such, and quite probably make use of that characteristic. Simply telling big firms to do better will not work, because the core problems are beyond their control to fix.
     
    • Informative x 4
    • Like x 2
  3. The US appears to be upping its attention to cyber-warfare.
    DoD Announces Elevation of U.S. Cyber Command to a Unified Combatant Command > U.S. DEPARTMENT OF DEFENSE > News Release View

    Raising the organizational status of U.S. Cyber Command is an indication of the DoD's long-term commitment to cyberspace as a warfighting domain.

    The changing nature of warfare is being addressed, and this move is intended to strengthen their cyberspace operations by streamlining command and control of time-sensitive cyberspace operations through consolidation under a single commander with authority appropriate to the importance of such operations.

    Contractors Praise Elevation of Cyber to Combatant Command | DoD Buzz
     
    • Informative x 1
  4. Interesting, in not a great way, that Huawei, a Chinese company deeply involved with computers, has been declared by the Australian intelligence community as operating as an arm of the Chinese spy services. United Kingdom and United States intelligence agencies have also issued similar warnings.

    A report by a research unit of the US Office of the Director of National Intelligence in 2011 stated that Huawei Technologies relied on a series of formal and informal contacts with both the Chinese People’s Liberation Army and Ministry of State Security.

    Founded to import Western office telephone systems to China, it has become a leading Chinese exporter of a huge variety of communications hardware equipment, including routers, cell towers and undersea cables. Recently Australia expressed concern about a plan by the Chinese company to provide high-speed Internet to the Solomon Islands, a small Pacific island nation with which Australia shares Internet resources.

    Australia's concern is that by constructing the Solomon Islands undersea cable, Huawei could be tapping into Australia’s telecommunications infrastructure backbone, which presents a large security issue.
    Investigation: undersea cable red-flagged by Australia's spy agencies dogged by donation allegations

    A United States government agency declared a link between Huawei and the country’s intelligence services in a report by the US Open Source Center, which acts as the open-source intelligence (OSINT) arm of the Office of the Director of National Intelligence. Huawei had already been criticised for its links with Iran and the Afghan Taliban communications equipment.
     
  5. Nothing to see here though, it's not as if Huawei provides technology for our landline and mobile phone networks :oops:

    The yanks don't seem to like them mind, so why we ignore the warnings I don't know?
     
  6. One section in the US that is seriously concerned.
    "Cybersecurity remains a hot topic for the U.S. government and its commercial partners. U.S. Transportation Command is no different. The command is committed to advancing cyber-domain capabilities to ensure its ability to operate freely in an increasingly contested cyber domain."

    United States Transportation Command