Mike Maschino
Worked at Cyber blogger on Google+. Host of weekly "Cyber Security video podcast" [ http://tinyurl.com/cyberPodcast ] on YouTube, iTunes, RSS. Mini-bio: retired Cyber/IA architect, systems engineer, business development manager, photographer, programmer, video podcaster, hard SciFi reader, hiker, gym-rat.
Attended Northwestern University

Stream

Mike Maschino

Shared publicly  - 
 
Okay ... this is a 401-level paper on CyberSecurity and Gaming theory. It broaches and challenges one canon that security experts constantly diss (including myself): security by obscurity. The paper looks at some other aspects of application of gaming theory to security. Good read if you are deeply into the cyber security domain.

Of course, there is no real formal sanctioned universally accepted definition of "security by obscurity", though the paper does cite the phrase's origins by Auguste Kerckhoffs in 1883. The paper looks at "security by obscurity" as well as "security by secrecy". In its conclusion, the paper posits the claim that security by obscuring one's defensive measures presents an advantage to the defender. The paper does not say to abandon security by secrecy (e.g. private keys, passwords, tokens) but to complement that with obscuring defensive measures.

And I certainly agree with that. When others and I discuss "security by obscurity", we generally refer to when programmers and designers OMIT security or utilize trivially poor security, and hope no one will find out. These types of people think they are smarter than the rest of the 7 billion people on the planet, and no one will figure out what they (poorly) did. It is an "arrogant-style" lack-of-security using obscurity.

I would phrase the "security by obscurity" concept promoted in this paper as "obscured security" or "obscuring security". One is still using CyberSecurity techniques (protect, detect, react, remediate) and still relying upon security by secrecy. However, one can use numerous obscuring techniques so that the "enemy" is not sure which protective techniques are in-play. The older concept of defense in depth was a static view of this ... have multiple layers of defense that are different in technique, such that the attacker has to have a large set of attack skills. The problem with classic defense in depth is that it is static ... once an attacker has "mastered the maze" of a set of defense in depth emplacements, every other attacker can be informed about how to get past the old crusty immutable defenses.

Using better dynamic techniques, the set of available and active defenses can be made to be different attack by attack. This obscures the cyber attack surface, making an attack series that worked once not work a second time. We are beginning to see this already in early forms ... Microsoft's kernel space randomization, "VM hopping", frequency hopping.

It's a lesson learned from attack-ware itself. Most of the really REALLY good attack-ware has many attack vectors built-in. It "explores" to find vulnerabilities, attacking one site differently than another site. It uses different entry vectors for different types of platforms, OS, middleware. Thus the attack-ware is going more "offense using obscurity" or better "offense using diversity".

Defense-ware needs the same sophistication. It should present different defenses (in combination) each time it's attacked, even from the same attack-ware. It may reserve some defenses from low level threats, obscuring that it has more advanced defenses for more advanced threats. It may "randomize" the gateways through the network boundaries (why DO we use a universal port# for individual protocols, especially in closed networks?). Thus it becomes "security through dynamic diversity".

Good stuff for a lot more research, and I know that research is going on :) One just hopes it can move a lot more quickly from research to reality. Another advantage the attackers have ... they don't worry about formal research, funding, testing, deployment. They just try and do ... over and over ... quickly and easily. The pace of "evolution" of attack-ware is certainly 10x over the "evolution" pace of defense-ware.
3 comments
 
The first case where it breaks down is where the entity doing the security through obscurity is not the entity being attacked: If I get attacked through a Windows or Mac exploit I know less about what the attacker is doing than if I had access to the source-code such as through Linux or BSD.

That wasn't really what you were talking about, however -- but in practice it is common to say the least and "Bad Times".

But still: in one-on-one security you really shouldn't assume that obscurity is gaining you any ground. I admit that I too cannot really think of any one-on-one situations where obscurity will lose information about the attacker but I also cannot visualize how that is definitely not the case as well. Maybe it is more my fear of security complacency that unsettles me but it unnerves me to say the least.

I mean it treats security as a probabilistic situation which is good but could easily fall into the trap of being considered a solution rather than a tweaking of probability -- and as I postulated earlier -- maybe not even in your favour all-things-considered.

Mike Maschino

Shared publicly  - 
 
Episode #4 Rev 2 "Fuzzing Yourself"
3 comments
 
If you are looking for an interesting person to interview, I would be game. Contact me at jdcunchman at gmail if you want to schedule me in. I was on TWIT TV a few weeks ago, and doing some really interesting things my fans are going to want to know about. BTW, Thanx for adding me to one or more of your circles…. I've added you to my Ecoviso G+ Circle because I think you should know some things you might not be aware of. I hope you find our discussions useful in the years to come. It's all about sustainability in 5 major areas. Financial, Energy, Transportation, Food, and Water, where we discuss small manageable steps we all can do to achieve sustainability. Our site is currently under construction at the moment, but you will know as soon as the site is up, so you can take part in the important discussions we intend to have. So welcome to Ecoviso.

Mike Maschino

Shared publicly  - 
 
And for the cyber-elite, here is a 301 level discussion of ISO Layer 1 packet injection.

And you better remember and know the classic naming conventions for Alice, Bob, and Mallory :) The Wikipedia page for the naming convention has a nice summary with some examples too: http://en.wikipedia.org/wiki/Alice_and_Bob

Where this is relevant is again at WiFi hot spots, or with any digital radio that lacks encryption. I suspect if you ask radio manufacturers, they'll give the usual arrogant security by obscurity answer that no one can figure this out, and if they did (and indeed Travis did), well they are sure no one could exploit it.

Anyone who makes that statement should have to pony up $100,000 out of their pocket into escrow, defaulting on it when they've been proven wrong that no one can figure out how to exploit something.
Remotely Exploiting the PHY Layer. or, Bobby Tables from 1938 to 2011 by Travis Goodspeed <travis at radiantmachines.com> concerning research performed in collaboration with Sergey Bratus, Ricky...

Mike Maschino

Shared publicly  - 
 
Very interesting presentation at TED. There are copies of this up in YouTube, and some others have posted that version. I thought I'd give the link (and credit where it is due) to the TED site where it originated.

(And http://ted.com is a GREAT SITE ... if you consider yourself more than just a mindless game-playing game-watching social-updating drone, there are some very VERY excellent presentations by some real thought leaders)

This is not really a cyber-security issue. But it does give one pause to think about what the cyber experience is evolving to. And the sad pathetic but unfortunately successful people that are shaping that experience for all.
4 comments
 
I watched that so long ago... but it serves as a reminder...

Mike Maschino

Shared publicly  - 
 
Ah ... this article will stir the hackles of the hacker and cyber-libertarian alike. Very nice visual graphics too. Applies only to the U.S. Looks like Verizon overall is the worst offender. None of this is unexpected of course... but there sure is a lot of variation. I don't expect these retention periods to ever get shorter ... given laws in many countries, they could well get much longer if you take a global perspective.
3 comments
 
What are you doing, my friend?

Mike Maschino

Shared publicly  - 
 
Although I think it is laudable that Google is attempting to give even stronger warnings about weaponized sites and apparently infected computers, it also unfortunately encourages the huge mass of non-cyber literate users to again think they should click on these online web-browser shown "you've been infected" warnings ... 99% of which are of course malicious.

There is no good answer here. Google is doing the good and proper thing. But too many will either think it is a malicious warning and ignore it, or be encouraged to click on the next "warning" that will not be from Google at all.

What would be neat is to have an "official notices" channel ... really an app ... that everyone could trust. Of course, the limited content pushed through the app would be digitally signed, and ideally individualized to the recipient in cases of notices like these from Google. And the digital signing cert path would NOT be to the nearly broken pre-installed OS/Browser "trusted root CA" mess, but with publicly published and audited certs from the companies/organizations in the first place.

In trusted operating systems, this is called a "trusted path" ... a means of official communication to the end-user from the OS that no application or middleware or malware can mimic or spoof ... the OS actively blocks attempts to mimic or utilize the trusted path.

Sigh, I know exactly how such an app would be constructed and could be shared by any organization. But it would require out-of-band verification ... much like CAs are supposed to do when issuing certifications. The issue in realizing this capability is not technical, but rather procedural and legal. Anyone want to help stand up an international not-for-profit, gather pro-bono lawyers, market to 100 top sites and governments, all for no salary and no revenue but at considerable expense? :_)
Guess I need to stick to my videocast.
2 comments
 
While I think that it's laudable that Google is trying to do this, I think that more harm can be done. As you point out, this will encourage many people to blindly click on another link which will probably be malicious. Why is it my search engine's job to tell me that my computer is infected? I think that this may only serve to confuse people.
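The "official notices" channel sketched in the post above, as an added example that is not part of the original post and not code from Google or any OS vendor: each notice is Ed25519-signed by the issuer, bound to one recipient and an expiry, and verified only against keys the app pins itself, never the OS or browser root-CA store. The issuer name "notices.example", the recipient identifiers and the choice of Ed25519 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Notice is the signed payload: Recipient stops a captured copy being replayed to another user; Expires bounds replay in time.
type Notice struct {
	Issuer    string `json:"issuer"`
	Recipient string `json:"recipient"`
	Text      string `json:"text"`
	Expires   int64  `json:"expires"` // Unix seconds
}

// SignedNotice is what crosses the channel: the exact signed bytes plus an Ed25519 signature over them.
type SignedNotice struct{ Payload, Signature []byte }

// Pinset holds each issuer's published Ed25519 key; the app ships these itself and ignores the OS/browser root-CA store.
type Pinset map[string]ed25519.PublicKey

var (
	ErrBadSignature   = errors.New("no pinned key for issuer, or signature does not verify")
	ErrWrongRecipient = errors.New("notice addressed to a different recipient")
	ErrExpired        = errors.New("notice has expired")
)

// SignNotice produces what an issuer pushes through the channel.
func SignNotice(priv ed25519.PrivateKey, n Notice) SignedNotice {
	payload, _ := json.Marshal(n) // marshalling a plain struct of strings and ints cannot fail
	return SignedNotice{payload, ed25519.Sign(priv, payload)}
}

// VerifyNotice accepts a notice only if a pinned issuer key signed it, it is addressed to this user, and it
// has not expired. The issuer name is read from the payload, but nothing else is acted on before the signature check.
func VerifyNotice(pins Pinset, me string, now time.Time, sn SignedNotice) (Notice, error) {
	var n Notice
	if err := json.Unmarshal(sn.Payload, &n); err != nil {
		return Notice{}, err
	}
	pub, ok := pins[n.Issuer]
	if !ok || !ed25519.Verify(pub, sn.Payload, sn.Signature) {
		return Notice{}, ErrBadSignature
	}
	if n.Recipient != me {
		return Notice{}, ErrWrongRecipient
	}
	if !now.Before(time.Unix(n.Expires, 0)) {
		return Notice{}, ErrExpired
	}
	return n, nil
}
```

A notice signed by any key outside the pinset, re-addressed, edited in transit, or replayed after its expiry is rejected; a notice signed by a key that has been pinned is accepted for its named recipient only.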

Mike Maschino

Shared publicly  - 
 
The next trend is already here ... poised to explode. "After years of test runs that largely affected mobile phone users overseas, cybercriminals are now rolling up their sleeves and readying their wares to resemble what malware victims are used to seeing on their desktop or laptop computer."

Ah ... it does ensure our profession is going to survive strong for years to come. Still, I'd prefer actually secure products in the first place.
The bring your own device revolution means that skilled malware writers are going to pay more and more attention to pushing their wares on mobile endpoints. How should businesses respond
6 comments
 
BTW... +breanna osmond you must be used to the techno illiterate on facebook who don't put pix on their profiles, and have a 5th grade vocabulary, but most users I find on G+ are very intelligent, and might find it insulting to ask a user's grade level...If that question was directed @ me you should have used my name...4 the record I have my GED and have been fixing people's windows/mac computers for over a decade(after crappy public school failed to keep my attention), using FREE software...and as always I reserve the right to be wrong. I truly wish I was...:~((

Mike Maschino

Shared publicly  - 
 
Excellent information, diagrams, screenshots about the vulnerability. It's not clear why HTC has introduced these unsecured logging features without any serious thought about security for them. Any app can exploit the vulnerability. Why would I even want such a hidden service on my phone anyways?
4 comments
 
math

Mike Maschino

Shared publicly  - 
 
A thing that the U.S. DoD does properly is NOT use the global set of PKI CAs out there. They have their own, separate, independent PKI. Military apps will not be digitally signed by a Chinese CA. And SSL use within the DoD's also physically separate networks is not protected using certs issued by Iraq.

Most of the anticipated uses for these devices do not have them connected to the wider Cyberspace of Internet, Wireless, Cellular ... but rather tunneled into the DoD's private controlled networks.

Not that there aren't issues and vulnerabilities about using Android and iPads/iPhones by militaries ... there indeed are. But militaries do have some advantages since they actually DO care about, and spend money on, cyber security.
As a Cobra attack helicopter pilot, Marine Capt. Jim "Hottie" Carlson was running support missions above Afghanistan last summer when it occurred to him that it was taking far too long to find where ...
4 comments
 
Can't help but think that they'd be safer creating their own operating system for these devices than using iOS.

Mike Maschino

Shared publicly  - 
 
Ya know ... this could be yet another in the 100,000,000s of "reality shows" on the boob tube:

"Hackerz ... Size does really matter. Watch the dudes weekly as they swell the size of their hacking victories, and fight not to get p0ned."

Good to see there are goals to achieve and records to be kept. :)
3 comments
 
@Lane: Don't forget: these are the good guys. The bad guys will hack your server, take all the data and never lose a word about it. Thanks to these "kids" you now know about your server's vulnerabilities...

Mike Maschino

Shared publicly  - 
 
I just don't know what to say about this (sighing with my head in my hands). Sometimes I think stupidity on the part of companies should be criminalized.

The blog post is also a nice read as well.
LARES BLOG. The world of security changes at a rapid pace and so does the community within it. Some are inspired by new techniques, new technologies and new toys; We are inspired by just about everyth...
6 comments
 
Well at least the password isn't 0000 like my luggage.

Mike Maschino

Shared publicly  - 
 
More SCADA silliness. Just to avoid embarrassing 100,000s of companies that have done a middling to poor job on SCADA design, DHS wants to call these "design issues" and not bother reporting them to the public.

So the fact that your car can be stopped or sped up by a hacker texting a car ... design issue ... no need to embarrass the car company. The fact that an insulin pump can be wirelessly hacked to inject too much or too little insulin ... design issue ... no need to warn the people that use them. etc etc.
The Department of Homeland Security is reevaluating its use of vulnerability alerts to describe some types of security holes in industrial control and SCADA software, saying that they're too big to de...
2 comments
 
Didn't we used to refer to them as features? :)
Work
Employment
  • Cyber blogger on Google+. Host of weekly "Cyber Security video podcast" [ http://tinyurl.com/cyberPodcast ] on YouTube, iTunes, RSS.
    1983 - 2014
Basic Information
Gender
Male
Other names
Cyber Mike
Story
Tagline
Cyber Security pro & Video podcast host
Introduction
Host of weekly "Cyber Security video podcast" [http://tinyurl.com/cyberPodcast] on YouTube, iTunes, RSS; Google+ is my blog.
Bragging rights
BSEE, MBA, CISSP, ISSEP, IAM, Beta Gamma Sigma
Education
  • Northwestern University
    Elect Engr, 1977 - 1981
  • Arizona State University
    MBA, 2007 - 2009