Monday, April 25, 2016

Big Brother in the Brave Real World

Roughly a year ago I decided it was time to start reading two classic science fiction literature. One of them was Brave New World, by Aldous Huxley (1932) and, you probable guessed it right, the other one is 1984 by George Orwell (1949). As I read through the books I was fascinated by the ability of both writers to envision a future that is in a creepy way comparable to our present world.

They both are stories of course and I personally do not envision such aerie and desolate dystopian future as laid out in the books. I see patterns of similarity though, but different than what we say in the mainstream (information security) media. At least, that is what I think. In this post I will enlighten you on my point of view concerning these two stories and how they relate to the real world. And since it is almost May the 5th, the Day of Freedom in The Netherlands, it is a nice moment to publish this post.

As this is not really a book review, I will not tell you about the story itself, but rather the context in which the story exists. In both books, the real main character is the world and society itself, rather than people in the story.


Oppression by the government

Both stories talk about a government oppressing people, but in a rather fundamental different way. The story by Huxley is about a government called World State that ‘accepts’ exceptions, but you can hardly participate in society when you are an exception. There are even reservations in which people can live differently, although very poor and with lack of proper healthcare. Both government and citizens are rather dismissive towards people who do not follow the normal (predetermined) steps of their society and deviate from the normal course of… well, just being. Everyone is literally grown and raised into specific roles in society and due to a drug called Soma, everyone is kept chemical happy.

The story by Orwell is about a government that does not tolerate any deviations that threaten the existence of the so called Party; not even in the slightest way. Everyone is being monitored by the so called Big Brother, and due to fear people often betray each other. No action, no feeling and no thoughts are allowed, because when you do, you will become a liability. There is even a new language in the works called Newspeak, which it is stripped of any emotion and sensitivity. In this world, most people are miserable and the general population is poor and underfed.

No parenthood versus no intimacy

In the society of Brave New World parenthood is strange to people and having a baby through the means of giving birth is nasty, gross, and downward silly to do. Instead, babies are home-grown in baby-factories where they are even conditioned towards their predestined roles in society. During the initial phases of growth some babies might get forced oxygen shortage or alcohol submitted. The reason for this is that not everyone can be smart and the same. People also still need to work to cause no trouble due to being bored, so babies are grown into a certain class for certain purposes.

In the world of 1984 parenthood exists, but children are conceived and given birth to in the most mundane situation imaginable. Intimacy is not allowed between any human. Children and adults alike are confronted with daily propaganda distributed by so called telescreens that can be found anywhere in the society, even within one’s home. It is not uncommon that children betray their parents due to behavior that is disallowed by the Party. So, keeping your head down, even towards your children, is a matter of survival.

Thought Police versus Citizens

As I mentioned earlier, in the story by Huxley it is not even the World State itself that monitors people, but the citizens itself due to rather intensive social control. When you deviate from your path to much and too often, people will eventually report you. It is not because of fear, but by a true believe in that the World State knows best. Therefore, there is no Thought Police like in 1984. Of course there is a police-force, but it plays a different role than in 1984.

The situation in Orwell’s story is different. Citizens also do report each other, but it is more based on fear of getting ‘caught’ themselves, than it is about truly believing in the Party. Whereas an exceptional deviation in the world of the World State is allowed, no exception is allowed in the world of the Party. But because people cannot be trusted, the Party instated also a Thought Police. This police-force has the ‘honorable’ duty to look for dissidents and to get them out of the public asap.

Sexual liberty versus Banished sexuality

The World State encourages sexual liberty in every way imaginable. If people want to make love with each other, they just do it. Whether it is between two people, four or entire groups, anything is allowed and anything is acceptable. Homosexuals are no outcasts and people are free to do anything they like, for as long as it is consensual.

The Party totally thinks different on this topic. Intercourse is only meant for procreation and surely not for pleasure (by punishment of death). And rest assured, a telescreen is monitoring the activities. Homosexuality is strictly forbidden as it also applies to any other form of sexual activity, including love itself, between people.

1984 versus the real world

The story in 1984 is about oppression, surveillance, persecution, sexual oppression, and fear. People are not allowed to enjoy anything in any way and the general population is poor and mostly underfed. When you take this parallel to the real world, can you recognize this in the Western world? Are Western nations generally poor and relatively unhappy? Is sexual oppression of non-heterosexuals still the norm? And is the government actively oppressing its citizens?

When you look at the analogy with the real world, states in Eurasia resemble on some parts more to the world as described by George Orwell. Often not as extreme as 1984, but the general view is rather the same. I personally cannot recognize the Western world in the view of Orwell, besides the fact of surveillance by the government. And even that is relative, as it is more surveillance by corporations. It is also more like a Some Brother type of thing, than a full blown Big Brother type of thing. Besides that, I still like to believe that for the most part intelligence agencies are really trying to improve security of the general public, in contrast to the Thought Police who does its job mainly to protect the Party.

Brave new world versus the real world

When you look at the story of Huxley though, I found it more similar with the Western societies. The focus is on being happy (without drugs for now), sexual freedom that fits the individual person, doing and saying whatever anyone wants to do or say and not to mention one's desire to predetermine characteristics (like prevention of down syndrome) of fetus. The believe in this system is so strong that is often considered by other (mostly non-Western) nations as imperialistic. There are also many groups within society that propagate democracy, (almost) unlimited freedom for everyone, freedom of speech and a common thrive for general happiness. Anything is or should be allowed for you to feel happy, no matter the cost.

In the Western world there are citizens who defend such believes in ways that it may almost be considered fundamentalistic, just as the citizens do under the rule of the World State. You can count on a strong backfire whenever you hold an opinion that is not aligned with that of the general mass or consensus. If you think that homosexuals are not okay or they should at least be unable to marry, then you are in for a treat. And do not even start by saying that abortion is murder. And when you think freedom of speech should not always be applicable, then you are considered an extremist of the right (or left) wing of politics or perhaps even an aspirant-terrorist.

Of course there are many more variations in opinions allowed in the real world, far more than in Brave New World and yes, I am on purposely overstating the previous paragraph. But somehow and somewhere there is a fine line between taking part of society and being treated as an outcast just for thinking differently. This behavior is what I believe to be like that of the citizens in Brave New World.

And I explicitly state that the paragraphs above are not necessarily my opinion or believes, they are not relevant in this post. They are merely the patterns that I see around me, whether it is on the news or in my daily life.

Recap

Whenever we compare the Western world (where I live in) to 1984, I think we somehow miss the point that Orwell was stating in his book. He states that a totalitarian government is about keeping power instead of prospering its citizens. Whenever I look around I see way too many idealists in our midst who devote their lives to better the lives of others. I see governments that really try to improve life of the people here and abroad, although it may be sometimes or often ill-executed. And I see also people fighting for the rights of others and people fighting to prevent or correct a (semi-)corrupt government. Do we have issues like mass-surveillance we need to address? Yes, we do! And do we have issues concerning non-conventional thinkers and believers? Yes, we do.

I feel that the Western world is more like Brave New World, than it is as in 1984. Let us prevent the movement to create outcasts of non-conventional thinkers and let us continue the debate what real freedom and freedom of speech is. I believe it is imperative to let everyone's voice heard, in order to prevent people becoming outcasts, and outcasts becoming radicals. And remember, diversity is what created our beautiful freedom in the first place.

Freedom of speech is not about me having the right to write this blog. It is the right I give to you to whole heartily disagree with what I wrote. Whether what you think or feel, if you want to share it, you can use the comment section below. I will not treat you as an outcast for thinking differently.

Books

1984
  • Author: George Orwell
  • First released: 1949
  • Pages: 336
  • ISBN: 978-0-451-52493-5
  • Linkwww.penguin.com

Brave New World
  • Genre: Thriller, Science Fiction
  • Author: Aldous Huxley
  • First released: 1932
  • Pages: 229
  • ISBN: 978-0-099-47746-4
  • Linkwww.vintage-books.co.uk

Wednesday, April 20, 2016

Need Security Awareness? You're doomed!

Let me start with a blunt message: "If you need user awareness to be secure, then you are doomed in the first place!". And let me elaborate on that one. Often you see, read and hear about how crucial security awareness among people is towards the fact of being secure. But recently I had a thought that I want to share with you. My thought was that if we need awareness in order to let security work, then the security controls are not organic enough in order to function properly. And very likely, they are also not ubiquitous.


Image source: F.U.D. - Fear, Uncertainty and Doubt (funny blog!)

And then I have read a couple of days later this post on the Google Security Blog: Android Security 2015 Annual Report (the full report can be found here). Among many things, one got my attention specifically, and that was the fact about the use of fingerprints.

Starting with version 6.0, Android supports fingerprint scanners. This allows applications to use biometrics for authentication, reducing the number of times a user needs to enter their password or unlock pattern, thus decreasing friction around lockscreen use. Lockscreen use is higher on devices with a fingerprint scanner. For example, 55.8% of Nexus 5 and 6 devices (which have no fingerprint scanner) have a lockscreen, compared to 91.5% on fingerprint-enabled Nexus 5X and 6P devices. We are seeing an increase in lockscreen usage for other Android devices that provide fingerprint scanner support.

Somehow, when there is an improvement on how the security works, the use of it increases. And this supported my thoughts on this matter. Because fingerprint is easier to use, relatively speaking just as safe as a pin, devices are more often secured from unauthorized access.

Let's take a look at an analogy of the physical world. There are many threats towards the physical world. There is the threat of terrorism, but also non-friendly states invading your own country. When you would give the same advice in the physical world as in the cyber world, then the following would happen.

You would give advice to install metal-detectors at one's home, anti-aircraft machinery, a couple of drones to strike down enemy combatants, and of course a radar to check for incoming aircraft. Besides the fact that it is expensive stuff, you do not want to give such responsibilities to civilians. This because of the threat and the impact of such threat and its countermeasures are too big to handle on an individually basis.

When the threat is small though, security measures are sensible. Think about a lock to lock your door and an alarm for burglary, smoke and fire detection. But the reason why these systems work, is because they are friction-less. There is no friction in the use of such security features and therefore they are used. Everyone is on auto-pilot locking and unlocking their home. And one does not even have to think about the alarm, it just works and at 'worst', a pin needs to be remembered to disable the alarm.

Back to the Cyber World. When you say to your employees that it is also their responsibility to prevent state-actors, or actors with such capabilities, for penetrating the defenses through phishing, malware, hacking and more, you will definitely lose your audience. And rightfully so. The threat, or the impact of such threat, is to big to be managed on an individual scale. The countermeasures we give them are hardly effective, because most often people do not really understand the gravity of these cyber-attacks.

Are you still saying "Do not click on that link in that e-mail!"? You thought yes? Seriously? I find it harder and harder to recognize phishing mail myself (if I see one to be frank). While every service provider can become way more spam-resilient by using techniques such as TLS, DMARC, Reverse DNS, SPF, DKIM, DNS-based blacklists, and Spam URI Real-time Block Lists (SURBL), we ask users not to click on links... These controls cut down spam (and phishing) emails significantly, and improves security (and privacy) also.

And the bright side of it all is that the user of the system has to do absolutely nothing to benefit from it. Why do I not receive spam and phishing on my personal email account, while I read organizations constantly struggling with them? Is it that people are more aware of phishing on their personal accounts, or is it because a billion-dollar company just configured it better? And phishing is most often number one step for Evil Jimmy to hack into the corporate network, so it might be smart to better protect your mail-servers instead of telling people not to click on links.

If we can make our systems smarter and more secure by really implementing security features, and if we can prevent users (or processes within users-space) for disabling such features, we dramatically improve the overall security. Just tell users never ever to share their password, and let them easily travel and room over the network. And whenever they need higher security clearance for more sensitive data, incorporate 2-factor authentication instead of yet another account. And that should be the end of the security awareness session. It can be done in 5 minutes.

Do not get me wrong, there is also a thing called privacy. And privacy awareness is a whole different ball-game compared to security awareness. Privacy awareness is way more important, and far more easily trained then security awareness. Because the issues and solutions on that front are close to the actual users themselves. They can recognize it, and they can truly make a difference there. It is about not leaving printed documents on your desk, it is about not sharing credentials and sensitive data by any means. People can relate to that, because no one wants their medical files on public display. Users can have a tremendous positive impact on these topics. Just don't bother them with (semi-)technical stuff that well-functioning IT-departments instead should do for them.

When all systems are well configured, hardened and compartmentalized, there is far less threat from the user from a security perspective, and we need to train them far less than we need to now. Think about that for a brief moment, before asking an user to remember Yet-Another-Weak-Security-Control.

Feel free to comment below, I would for sure appreciate it!

Sunday, April 3, 2016

Peeling the onion of data-leakage

I recently tweeted a formula about data-leakage. In this post I will further explain with what this means. This formula was a thought-experiment by my friend and co-security-professional Rick Veenstra and myself.


In this thought-experiment we wanted to explain what the concept of a data-leakage is, of what components it exists of and how we can use that knowledge to hopefully prevent them. We started with the basics and moved down the ladder from there.

Data-leakage = actor + vulnerability

On the highest level, a data-leak can only emerge when a certain actor exploits a certain vulnerability. There are probably multiple vulnerabilities needed in order to succeed, but you need to exploit at least one. The actor in this case can range from the black-hat hacker, to the cyber-criminal, to the disgruntled employee of your organization.

Vulnerability = asset + access platform

But when you look at the vulnerability you will notice that it consists of multiple components. These are the assets which often are called the crown-jewels of the organization, and the platform which can access them. This platform can be the Internet (likely the first stage), but also an internal platform that is being exploited.

Asset = unencrypted data | credentials | other access platform

In this case, the asset is either the actual data itself, or the credentials needed to access the data, or another platform which will enable access and thus moving closer to the target data. The data needs to be unencrypted in order to have value for the one stealing it. Therefore, we explicitly mentioned that it needs to be unencrypted. Credentials are the usernames and passwords from within the organization. And the other access platform can function as a stepping stone to another system.

Access platform = resources + privileges

The resources in this case is anything that can be a landing zone for the intruder. This can be the operating system of a server, a workplace of an employee, an application or an active network-component. Obviously there are many more examples thinkable here. Privileges are needed to actually access and use the before mentioned resource.

The formula

The summary of this thought-experiment is as follows.

Data-leakage = actor + vulnerability

Data-leakage = actor + ((unencrypted data | credentials | access platform) + (resources + privileges))

A data-leak exists of an actor in combination with access to unencrypted data, or the access to the credentials of the data, or access to the platform which has access to it. In order to actual utilize the resources to get to the data, privileges are needed in combination with the access platform. From there, when everything is in place, a non-authorized person just might succeed in his or her mission.

And what's next?

When executing a risk-analyses on this topic you need to factor all variables mentioned above into the equation. You need to, as far as it is possible, give some level of attention to the actor. You might want to consider encrypting important data, and keep credentials secure in password-managers. Privileges should follow the "least-privilege" principle and resources should be hardened and isolated within in zones in your IT-infrastructure.

Obviously it is easier said than done due to complexity and budgets. But it might help bringing focus to what is important and help deciding which security issue needs to be addressed first.

If you have any comments, feel free to post them. Thank you for reading this post!