Friday, 25 September 2015

Chinese talking cybersecurity means security is already lost

DataPlane

A longtime reader and good friend of mine sent me a link this week to a CNBC story about the loss of fingerprint records in the Office of Personnel Management hack I have written about before. It’s just one more nail in the coffin of a doltish bureaucracy that -- you know I’m speaking the truth here -- will probably result in those doltish bureaucrats getting even more power, even more data, and ultimately losing those data, too.

So the story says they lost the fingerprint records of 56 million people! Game over.

Remember how this story unfolded? There had been a hack and some records were compromised. Then there had been a hack and hundreds of thousands of records were compromised. Rinse-repeat almost ad infinitum until now we know that 56 million fingerprint records were lost.

I think it is safe to assume at this point that all records held by the Office of Personnel Management have been accessed and copied by the bad guys. The intrusion went undetected for months and the attackers had high-bandwidth access, so whatever secrets were in those records, background checks, security clearances, etc., are now probably for sale.

Or are they? It turns out there are far worse things that could be done with the records -- all the records, not just fingerprints -- than simply selling or even ransoming them. So I sat around with my buddies and we wondered aloud what this could all mean. We’re folks who have been in technology forever and we’re not stupid, but we aren’t running the NSA, either, so take what I am about to write here as pure speculation.

"The only way I can imagine it hurting someone is if false criminal records were created using them," said one friend.

Shit, I hadn’t thought of that! We get so caught-up in the ideas of stealing/revealing, stealing/selling, and stealing/ransoming that I, for one, hadn’t considered the more insidious idea that records could be tampered with or new ones created. Turn a few thousand good guys into bad guys in the records, create a few thousand more people who don’t actually exist, and that system will become useless.

"It’s pretty grim," said another friend. "Worst case it takes fingerprints out of the security toolbox. If you had 50+ million fingerprints on file how could that help you be a bad guy? Or what if the bad guys have ALREADY COMPROMISED THE FINGERPRINT DATABASE? What if they replaced all 50 million fingerprints with one? That was certainly within their capability to do and you know the Feds wouldn’t tell us if they had. If I was a bad guy I would steal the database, corrupt what was left behind, then hold the real fingerprint records for ransom. $100 each? In Bitcoins? That’s $5 billion."

That guy has real criminal potential, I’d say, but he’s right that we’ll never really know.

"It was my impression the way computers read and store fingerprint signatures is different from the way they’re optically used and searched," explained another friend. "In theory you couldn’t reproduce a fingerprint from its electronic signature. But the bad guys may have optical copies of people’s fingerprints, and one could probably do more with them. At least with the pay services they could control and secure in software where they read a fingerprint. I think there will be ways like this to keep the theft from messing up the electronic payment systems. I hope."

And all this was prelude to Thursday’s arrival of Chinese President Xi Jinping specifically for cybersecurity talks. Beltway pundits say we need to pressure China to stop the cyber attacks. We need to put more leverage and more pressure on China. Yeah, right. That will never work. Even if China went 100 percent clean there are probably 20 other countries doing the same thing.

My guess, with the Chinese President here and cybersecurity talks on the table, is that we’ve co-created a new, entirely Big Data edition of the old Cold War Mutually Assured Destruction (MAD). They have all of our data but we have all of theirs, too. Either everything is now useless on both sides or we find a way to live with it and the spies all get to keep their jobs, after all. This job-keeping aspect is key -- cops need criminals.

If we find a way to live with records loss in this manner it also means both China and the USA are now madly stealing the records of every other country. It’s a data arms race.

Now here’s the scary part, at least for me. Who are the runners in this data arms race? Certainly the G8 powers can all compete if they choose to, but then so can impoverished North Korea (remember the Sony hack?). Since this comes down to a combination of brain power and computing power, it doesn’t really require being a state to play in the game. A big tech company could do it. Heck, a really clever individual with a high credit limit on his AWS account could do it, right?

They probably have already.

So what does this mean, readers, for the future of our society? Is it good news or bad? I simply don’t know.
