Poodle vulnerability

Poodle Vulnerability 

Padding Oracle On Downgraded Legacy Encryption (POODLE)

The poodle vulnerability has been around as an exploit since 2014.It led to an attack which led to completely disabling SSL 3.0 on the client and server-side to prevent hackers from making use of this man-in-the-middle attack. 2014 also brought us Heartbleed bug, BERserk, and FREAK exploits. That might seem like ancient history in cybersecurity. But history has a freaky way of repeating itself.poodle anime

In 2016 the DROWN attack took advantage of support for SSLv2 protocol and exposed the weakness in more than 81,000 of the top 1 million most popular websites.  As we get closer to 2017, the odds are increasing that the number of exploits will continue to rise.

Krebs is usually a good source of the most up to date info. But it remains a race, and I’m not always sure we’re winning.  http://krebsonsecurity.com/

Poodle in the Park
Black standard poodle

In the meantime, here’s some pictures of poodles to lighten the mood! This is Cleaver Black – destroyer of dragons (blue stuffed ones).

Sleepy Poodle
Let Sleeping Poodles Lie
Poodle in the park
Happy poodle


Portrait of a young poodle
Portrait of a young poodle
Cleaver - Destroyer of (toy) dragons
Cleaver – Destroyer of (toy) dragons



Cyber-Resilience in the Information Age

The Global Resilience Collaborative held a curated seminar  at Parliament House in Queensland.  Alex Webling gave a speech on Cyber-Resilience to the assembled audience

The Speech posted on Youtube. The video is embedded below.

In summary, Alex introduces four ideas for cyber-resilience in the information age.

  1. Information is the lifeblood of the modern organisation.
  2. The value of data should determine how it should be protected
  3. Data value changes with time
  4. Considering data flows within an organisation allows an organisation to develop an adaptable and resilient approach to its security and longevity.

Subscribe to the Resilience Outcomes Channel at https://www.youtube.com/channel/UCh0XQODTB2r8nQzUBoTGSeA

Why the world needs the cyber equivalent of an international law of the sea

Islands of order in a sea of chaos

I’ve been thinking for the best part of the last decade about Internet governance and its impact on national security. In that time, little has changed to improve security for users.

The Internet as we know it today can be compared in many ways to the high seas during the swashbuckling so-called Golden age of Piracy between around 1650 and 1730 when pirates ruled the Caribbean.

Why is this comparison valid? Because in the Internet today, like on the high seas of yesteryear, there are islands of order surrounded by seas of chaos. The islands of order are the corporate networks like Facebook, Google, Amazon, Ebay etc and those run by competent governments for their citizens. However, between these orderly Internet islands are large areas where there are no rules and where pirates and vagabonds thrive. An additional similarity is that some of the most competent and successful historical pirates operated with the explicit support from countries seeking to further their national aims.

Even those who govern the orderly Internet islands are subject to bold attacks from chaos agents if they are not vigilant! Witness the compromise of Linkedin earlier this year and very few governments have not had some significant compromise affect their operations.

On the high seas, piracy has been reduced significantly since the 18th Century. With the exception of places like the coast of Somalia, there are now far fewer places where there is a significant piracy problem.  There are a number of reasons why this has been a success. Not least of these has been the development of law of the high seas.

In cyberspace, the world also needs to be moving on from the swashbuckling days. Internet criminals need to be hunted down in whichever corner of the Internet they lurk. Additionally, the concept that some countries could give free reign to local cyber-criminals, as long as they don’t terrorise their own countrymen/women, is an anathema in the 21st Century.

The long term solution has remained in my view a cyber version of the  UN Convention on the Law of the Sea. UCLOS is the international agreement, most recently updated in 1982 that governs behaviour by ships in international waters. Apart from other things the convention deals with acts of piracy committed in international waters.

In the same way, a similar international cybercrime convention could deal with acts where the victim was from for example the USA, the criminal from the Vatican and the offence committed on a server in South Korea.

It would seem that at the moment any move towards a UN convention has gone off the boil. A proposal was shot down in 2010 over disagreements around national sovereignty and human rights. As well, the European Union and USA  position was that a new treaty on cyber crime was not needed since the Council of Europe Convention on Cyber Crime had already been in place for 10 years and has been signed or ratified by 46 countries since  2001.

As I recently noted, wariness by both USA and China continues and means that any international agreement which includes Western countries and the BRICs will be a long time coming. China, Russia and other countries submitted a Document of International Code of Conduct for Information Security to the United Nations in 2011 which the USA seems to have dismissed out of hand.

A code of conduct is nice and the Council of Europe convention is a good start, but they need to be supported by some sort of international cyber ‘muscle’ in the long term.

However, all is not lost. In the meantime, working to coordinate the orderly organisations’ defences that I wrote about before, is a practical step that organisations and governments should be doing more of. This is the cyber equivalent of escorting ships through dangerous waters and passing them from one island of order to another.

There’s a good reason for this, and here’s the resilience message. The cyber-security of an organisation does not begin and end at their firewall or outer perimeter. Whilst in most cases an organisation cannot force other organisations to which it is connected to change, it can maintain vigilance over areas outside its direct sphere of control. This then allows the organisation more time to adapt to its changing environment and of course, a chain is only a strong as its weakest link.

The other step to be taken is to help emerging nations and organisations with poor online security to improve their cyber-defences. If the first step was like escorting ships between the orderly islands, this second step is the equivalent of helping nearby islands to improve their battlements so that the pirates don’t take over and then attack us! This work has been going on for some time. I chaired a number of seminars on cyber security and the need for computer emergency response teams for the APEC telecommunication and information working group which began this work in 2003 and this has been carried on by a number of countries around the world in fits and starts, but we need more.


In cyberspace, if you don’t share, you don’t survive

This might seem a brave call when talking about cyber-security threat information. But the truth is that the cyber world forces a new paradigm on security. The tools that are familiar in the offline world for providing elements of security, such as obscurity, tend to benefit the attackers rather than the defenders, because the very advantages of the online world, things like search and constant availability are also the online world’s greatest weaknesses. What matters most in the online world is not what you know, but how fast you know and make use of the information you have.

I’ve been reading the Cyber Security Task Force: Public-Private Information Sharing report, and I think its worth promoting what it says. It presents a call to action for government and companies in the US to improve information-sharing to prevent the increasing risks from cyber attacks on organisations, both public and private. The work was clearly done with a view to helping the passage of legislation being proposed in the USA, however..

 Most, if not all the findings made could be extrapolated to every advanced democracy around the world. 

 If you are familiar with this field, much of what has been written will not be new, as we have been calling for the sorts of measures that are proposed in the report since at least 2002. That does not mean that the authors haven’t made a valuable contribution, because they have made recommendations about how to solve the problem. Specifically they recommend removing legislative impediments to sharing whilst maintaining protections on personal information.

According to the authors: From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks. As they rightly point out, the number reported represents a tiny fraction of the total occurrences.

As is the case in many areas of security, the lack of an evidence base is at the core of the problem, because it creates a cycle where there is resistance to change and adaptation to fix the problems efficiently and effectively.

 Of course, the other thing that happens is that organisations don’t support an even level of focus or resourcing on the problem, because, most of the time, like an iceberg, the bit of the problem that you can ‘see’ is comparatively small.

To make matters worse, new research is telling us that we are optimistically biased when making predictions about the future. That is, people generally underestimate the likelihood of negative events. So without ‘hard’ data, and given the choice of underestimating the size of a problem or overestimating it, humans that make decisions in organisations and governments are likely to underestimate the likelihood of bad things happening. You can find out more about the optimism bias in a talk by Tali Sharot on TED.com

The cost differential to organisations when they don’t build in cyber security, are unable to mitigate risks and then need to recover from cyber attacks is significant. This cost is felt most by the organisations affected, but its effects are passed across an economy.

So what can be done to break this cycle of complacency? Government and industry experts have long spoken about the need for better sharing of information about cyberthreats. I was talking in public fora about this ten years ago.

The devil is in the detail in the ‘what’ and the ‘how’. Inside the ‘what’ is also the ‘who’. I’ll explain below

What should be shared, who should do the sharing – and with whom?

Both government and industry, whilst they generally enthusiastically agree that there should be sharing, think that the other party should be doing more of it and then come up with any number of excuses as to why they can’t! For those who are fans of iconic 80’s TV, it reminds me of the Yes Minister episode where the PM wants to have a policy of promoting women and in cabinet each minister enthusiastically agrees that it should be done, whilst explaining why it wouldn’t be possible in his department. In government, the spooks will tell you that they have ‘concerns’ with sharing, ie they want to spy on other countries and don’t want to give up any potential tools. It’s no better in industry, companies don’t have an incentive to share specific data, because their competitors might get some kind of advantage.

The UK has developed perhaps the most mature approach to this. UK organisations have been subject to a number of significant cyber attacks and government officials attempt to ‘share what is shareable’. The ability to do this may be because of the close relationship between the UK government and industry, developed initially during the time of the Troubles in Ireland and has been maintained in one form or other through the terrorism crises of this Century. It remains to be seen whether the government will be able to maintain these relationships and UK industry will see value in them as the UK and Europe struggle with short-termism brought on by the fiscal situation.

Australia has also attempted to share what is shareable, however as the government computer emergency response team sits directly within a department of state this is very difficult. It seems that the CERT does not have a clear mission. Is it an arbiter of cyber-policy and information disseminator, or an operational organisation that facilitates information exchange on cyber issues between government and industry?

This quandary has not been solved completely by any G20 country. Indeed, it will never be solved, it is a journey without end. It is possible that New Zealand has come closest, but this seems to be because of the small size of the country and the ability to develop individual relationships between key people in industry and government. Another country that is doing reasonably well is South Korea – mainly because it has to, it has the greatest percentage of broadband users of any country and North Korea just a telephone line away. The Korean Internet security agency – KISA brings together industry development, Internet policy, personal information protection, government security, incident prevention and response under one umbrella.

For larger countries, I am of the view that a national CERT should be a quasi-government organisation that is controlled by a board comprised of:

  • companies that are subject to attack (including critical infrastructure);
  • network providers;
  • government security and
  • government policy agencies.

In this way, the CERT would strive to serve the country more fully. There would be more incentive from government to share information with industry and industry to share information with government. With this template, it is possible to create a national cyber-defence strategy that benefits all parts of the society and provides defence-in-depth to those parts of the community that we are most dependent on, ie the critical infrastructure and government.

Ensuring two-way information flow within the broader community and with industry has the potential to provide direct benefits for national cyber-security and for the community more broadly. Firstly, by helping business and the community to protect itself. Secondly, for government, telecommunications providers and the critical infrastructure in the development of sentinel systems in the community, which like the proverbial canary in the coalmine, signal danger if they are compromised. Thirdly, by improving the evidence base through increased quality and quantity of incident reporting – which is so often overlooked.

Governments can easily encourage two-way communication by ‘sharing first’. Industry often questions the value of information exchanges, because they turn up to these events at their own expense and some government bigwig opens and says ‘let there be sharing’ and then there is silence, because the operatives from the three letter security agencies don’t have the seniority to share anything and the senior ones don’t understand the technical issues. I am not the first person to say that in many cases (I think 90%), technical details that can assist organisations to protect their networks do not need to include the sensitive ‘sources and methods’ discussion. By that I mean, if a trust relationship exists or is developed between organisations in government and industry and one party passes a piece of information to the other and says “Do x and be protected from y damage”, then the likelihood of the receiving party to undertake the action depends on how much they trust the provider. Sources and methods information are useful to help determine trustworthiness, but they are not intrinsically essential (usually) to fixing the problem.

As the Public-Private Information Sharing report suggests, many of the complex discussions about information classification/ over-classification and national security clearances can be left behind. Don’t get me wrong; having developed the Australian Government’s current protective security policy framework, I think there is a vital place for security clearances and information classification. However, I think that it is vastly over-rated in a speed of light environment where the winner is not the side with the most information, but the side that can operationalise it most quickly and effectively. Security clearances and information classification get in the way of this and potentially deliver more benefit to the enemy by stopping the good guys from getting the right information in time. We come back to the question of balancing confidentiality, integrity and availability – the perishable nature of sensitive information is greater than ever.

How should cyber threat information be shared?

This brings me to the next area of concern. There is also a problem with how information is shared between industry and government, or more importantly the speed with which it is shared. In an era when cyber attacks are automated, the defence systems are still primarily manual and amazingly, in some cases rely on paper based systems to exchange threat signatures. There is an opportunity for national CERTs to significantly improve the current systems to share unclassified information about threats automatically. Ideally these systems would be designed so that threat information goes out to organisations from the national CERT and information about possible data breaches returns immediately to be analysed.

Of course, the other benefit of well-designed automated systems could be that they automatically strip customer private information out of any communications, as with the sources and methods info, peoples’ details are not important (spear phishing being an exception). In most cases, I’d rather have a machine automatically removing my private details than some representative of my ‘friendly’ telecommunications provider or other organisation.

These things are all technically possible, the impediments are only organisational. Isn’t it funny, people are inherrently optimistic, but don’t trust each other. Its surprising civilisation has got this far.

CERTs – Computer Emergency Response Teams


1How Dopamine Enhances an Optimism Bias in Humans. Sharot, T; Guitart-Masip, M; Korn, c; Chowdhury, R; Dolan, R. CURRENT BIOLOGY. July 2012. www.cell.com

2 Yes Minister Series 3, EP 1 – “Equal Opportunities” 1982

Useful trick to add a nick to your google+ account leads to the darkside

I’ve been updating the Resilience Outcomes Google+ site. A friend asked me what the site url is, but Google in its wisdom has not made this easy. The site reference is https://plus.google.com/103380459753062778553 !!! What a mouthful and not really a set of numbers I want to dedicate my diminishing neurons on. A partial answer is http://gplus.to/  . Using this site you can get a nickname or vanity url for your gplus site.

So now I can give the url http://gplus.to/resilienceoutcomes and you get to the Resilience Outcomes Google+ site!

My friend Karl H. is going to point out that this is not very resilient, because although Google has a reputation for fairly bulletproof infrastructure I know nothing about gplus.to . Karl you’re absolutely right – it demonstrates why thinking about resilience is so difficult… The Dark side has cookies! Literally in the case of gplus.to.

http://gplus.to/ is almost certainly more fragile than google.com or .Google or whatever it will call itself next month. If http://gplus.to/ goes down then all the efforts of google to support their systems are naught in my case. As such, I am faced on a small-scale the choice faced by all who wish to become more resilient and mainstream security. Do I increase accessibility to the site whilst reducing integrity and confidentiality or not? In this case, the question is not an either or, and rarely is it ever. The answer may be in my case that http://gplus.to/ is used when friends ask me what the site is verbally, but that I always write the full url in posts.