Profile

Mike Maschino
Works at Cyber blogger on Google+. Host of weekly "Cyber Security video podcast" [ http://tinyurl.com/cyberPodcast ] on YouTube, iTunes, RSS. Mini-bio: Cyber/IA architect, systems engineer, business development manager, photographer, programmer, video podcaster, hard SciFi reader, hiker, gym-rat, traveler (not enough international though); current focus on IA (information assurance) and cyber security for governments, infrastructures, and macro organizations; not allowed to name my place-of-work per-agreement for the video podcast.
Attended Northwestern University
5,106 followers | 19,759 views

Stream

Mike Maschino

Okay ... this is a 401-level paper on CyberSecurity and gaming theory. It broaches and challenges one canon that security experts constantly diss (including myself): security by obscurity. The paper looks at some other aspects of the application of gaming theory to security. Good read if you are deeply into the cyber security domain.

Of course, there is no real, formal, sanctioned, universally accepted definition of "security by obscurity", though the paper does cite the phrase's origins with Auguste Kerckhoffs in 1883. The paper looks at "security by obscurity" as well as "security by secrecy". In its conclusion, the paper posits the claim that obscuring one's defensive measures presents an advantage to the defender. The paper does not say to abandon security by secrecy (e.g. private keys, passwords, tokens) but to complement it with obscuring defensive measures.

And I certainly agree with that. When I and others discuss "security by obscurity", we generally refer to when programmers and designers OMIT security or utilize trivially poor security, and hope no one will find out. These types of people think they are smarter than the rest of the 7 billion people on the planet, and that no one will figure out what they (poorly) did. It is an "arrogant-style" lack of security using obscurity.

I would phrase the "security by obscurity" concept promoted in this paper as "obscured security" or "obscuring security". One is still using CyberSecurity techniques (protect, detect, react, remediate) and still relying upon security by secrecy. However, one can use numerous obscuring techniques so that the "enemy" is not sure which protective techniques are in play. The older concept of defense in depth was a static view of this ... have multiple layers of defense that differ in technique, such that the attacker has to have a large set of attack skills. The problem with classic defense in depth is that it is static ... once an attacker has "mastered the maze" of a set of defense-in-depth emplacements, every other attacker can be informed about how to get past the old, crusty, immutable defenses.

Using better dynamic techniques, the set of available and active defenses can be made different attack by attack. This obscures the cyber attack surface, making an attack series that worked once not work a second time. We are beginning to see this already in early forms ... Microsoft's kernel space randomization, "VM hopping", frequency hopping.

It's a lesson learned from attack-ware itself. Most of the really, REALLY good attack-ware has many attack vectors built in. It "explores" to find vulnerabilities, attacking one site differently than another site. It uses different entry vectors for different types of platforms, OS, middleware. Thus the attack-ware is going more "offense using obscurity" or, better, "offense using diversity".

Defense-ware needs the same sophistication. It should present different defenses (in combination) each time it's attacked, even by the same attack-ware. It may reserve some defenses from low-level threats, obscuring that it has more advanced defenses for more advanced threats. It may "randomize" the gateways through the network boundaries (why DO we use a universal port number for individual protocols, especially in closed networks?). Thus it becomes "security through dynamic diversity".

Good stuff for a lot more research, and I know that research is going on :) One just hopes it can move a lot more quickly from research to reality. Another advantage the attackers have ... they don't worry about formal research, funding, testing, deployment. They just try and do ... over and over ... quickly and easily. The pace of "evolution" of attack-ware is certainly 10x the "evolution" pace of defense-ware.

3 comments

The first case where it breaks down is where the entity doing the security through obscurity is not the entity being attacked: if I get attacked through a Windows or Mac exploit, I know less about what the attacker is doing than if I had access to the source code, such as through Linux or BSD.

That wasn't really what you were talking about, however -- but in practice it is common, to say the least, and "Bad Times".

But still: in one-on-one security you really shouldn't assume that obscurity is gaining you any ground. I admit that I too cannot really think of any one-on-one situations where obscurity will lose information about the attacker, but I also cannot visualize how that is definitely not the case either. Maybe it is more my fear of security complacency that unsettles me, but it unnerves me to say the least.

I mean, it treats security as a probabilistic situation, which is good, but it could easily fall into the trap of being considered a solution rather than a tweaking of probability -- and, as I postulated earlier -- maybe not even in your favour, all things considered.
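The "randomize the gateways through the network boundaries" idea in the post above, as an added illustration (this is not Mike Maschino's code and is not taken from the paper he discusses): a gateway and its legitimate clients derive the listening port for each 30-second time slot from a shared secret with HMAC-SHA256, so the port moves on a schedule that an outsider without the secret cannot predict, while insiders never lose reachability. The secret, the service name, the reserved port range, the slot length and the timestamps are all assumed values constructed for the example.

```python
"""Synchronised port hopping: a toy "randomize the gateway" defence.

Added example (not Mike Maschino's code, not from the paper he discusses).
Assumptions: a shared secret provisioned out of band on the gateway and on
legitimate clients, loosely synchronised clocks, and a hypothetical port
range reserved for hopping services. All names and values are illustrative.
"""
import hashlib
import hmac
import struct

SLOT_SECONDS = 30                    # how often the listening port moves (assumed)
SKEW_SLOTS = 1                       # clock drift tolerated: previous/next slot too
PORT_LOW, PORT_HIGH = 10000, 60000   # assumed range reserved for hopping services


def slot_for(timestamp: float, slot_seconds: int = SLOT_SECONDS) -> int:
    """Map wall-clock time to a slot index; both sides compute this the same way."""
    return int(timestamp) // slot_seconds


def port_for_slot(secret: bytes, service: str, slot: int) -> int:
    """Derive the port for (service, slot) with HMAC-SHA256 keyed by the secret.

    Without the secret an observer sees only an unpredictable sequence of
    ports; with it, the port for any slot is computable. The secret is the
    "security by secrecy"; the moving port is the obscuring layer on top.
    """
    msg = service.encode("utf-8") + b"|" + struct.pack(">Q", slot)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW + 1
    return PORT_LOW + int.from_bytes(digest[:4], "big") % span


def client_port(secret: bytes, service: str, timestamp: float) -> int:
    """Port a legitimate client connects to at this instant."""
    return port_for_slot(secret, service, slot_for(timestamp))


def gateway_ports(secret: bytes, service: str, timestamp: float) -> set:
    """Ports the gateway must have open now: current slot plus/minus SKEW_SLOTS."""
    s = slot_for(timestamp)
    return {port_for_slot(secret, service, k)
            for k in range(s - SKEW_SLOTS, s + SKEW_SLOTS + 1)}


def gateway_accepts(secret: bytes, service: str, timestamp: float, dst_port: int) -> bool:
    """Firewall decision on an inbound SYN: is dst_port one of the valid ports?"""
    return dst_port in gateway_ports(secret, service, timestamp)


def distinct_ports(secret: bytes, service: str, slots: int) -> int:
    """How many different ports a passive observer sees over `slots` hops."""
    return len({port_for_slot(secret, service, k) for k in range(slots)})


if __name__ == "__main__":
    secret = b"provisioned-out-of-band"   # constructed for the demo
    t0 = 1_700_000_000                     # constructed timestamp
    p = client_port(secret, "admin-ssh", t0)
    print("client connects to port", p)
    print("gateway 20s later accepts it:", gateway_accepts(secret, "admin-ssh", t0 + 20, p))
    print("port guessed with wrong secret accepted:",
          gateway_accepts(secret, "admin-ssh", t0, client_port(b"guess", "admin-ssh", t0)))
    print("gateway currently listening on", sorted(gateway_ports(secret, "admin-ssh", t0)))
    print("distinct ports over 200 slots:", distinct_ports(secret, "admin-ssh", 200))
```

In deployment the gateway would push `gateway_ports()` into its firewall rules at every slot boundary, and the skew window is what keeps a connection opened just before the boundary from being dropped. Note what this buys and what it does not: it hides which port a service is reachable on, and that hiding is driven by a secret, so it is secrecy doing the work and obscurity riding on top. It does nothing to authenticate or encrypt the connection once it lands, which is exactly the post's point that obscuring complements security by secrecy rather than substituting for it.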

Mike Maschino

Episode #4 Rev 2 "Fuzzing Yourself"

3 comments

If you are looking for an interesting person to interview, I would be game. Contact me at jdcunchman at gmail if you want to schedule me in. I was on TWIT TV a few weeks ago, and am doing some really interesting things my fans are going to want to know about. BTW, thanks for adding me to one or more of your circles.... I've added you to my Ecoviso G+ Circle because I think you should know some things you might not be aware of. I hope you find our discussions useful in the years to come. It's all about sustainability in 5 major areas: Financial, Energy, Transportation, Food, and Water, where we discuss small, manageable steps we all can do to achieve sustainability. Our site is currently under construction, but you will know as soon as the site is up, so you can take part in the important discussions we intend to have. So welcome to Ecoviso.

Mike Maschino

And for the cyber-elite, here is a 301-level discussion of ISO Layer 1 packet injection.

And you had better remember and know the classic naming conventions for Alice, Bob, and Mallory :) The Wikipedia page for the naming convention has a nice summary with some examples too: http://en.wikipedia.org/wiki/Alice_and_Bob

Where this is relevant is again at WiFi hot spots, or with any digital radio that lacks encryption. I suspect if you ask radio manufacturers, they'll give the usual arrogant security-by-obscurity answer that no one can figure this out, and if they did (and indeed Travis did), well, they are sure no one could exploit it.

Anyone who makes that statement should have to pony up $100,000 out of their own pocket into escrow, forfeiting it when they've been proven wrong that no one can figure out how to exploit something.

Mike Maschino

Very interesting presentation at TED. There are copies of this up on YouTube, and some others have posted that version. I thought I'd give the link (and credit where it is due) to the TED site where it originated.

(And http://ted.com is a GREAT SITE ... if you consider yourself more than just a mindless game-playing, game-watching, social-updating drone, there are some very, VERY excellent presentations by some real thought leaders)

This is not really a cyber-security issue. But it does give one pause to think about what the cyber experience is evolving into. And about the sad, pathetic, but unfortunately successful people that are shaping that experience for all.

4 comments

I watched that so long ago... but it serves as a reminder...

Mike Maschino

ah ... this article will stir the hackles of the hacker and cyber-libertarian alike. Very nice visual graphics too. Applies only to the U.S. Looks like Verizon overall is the worst offender. None of this is unexpected of course... but there sure is a lot of variation. I don't expect these retention periods to ever get shorter ... given laws in many countries, they could well get much longer if you take a global perspective.

3 comments

what are you doing my friend

Mike Maschino

The next trend is already here ... poised to explode. "After years of test runs that largely affected mobile phone users overseas, cybercriminals are now rolling up their sleeves and readying their wares to resemble what malware victims are used to seeing on their desktop or laptop computer."

Ah ... it does ensure our profession is going to survive strongly for years to come. Still, I'd prefer actually secure products in the first place.

6 comments

BTW... +breanna osmond, you must be used to the techno-illiterate on Facebook who don't put pix on their profiles and have a 5th-grade vocabulary, but most users I find on G+ are very intelligent, and might find it insulting to ask a user's grade level... If that question was directed @ me you should have used my name... 4 the record, I have my GED and have been fixing people's Windows/Mac computers for over a decade (after crappy public school failed to keep my attention), using FREE software... and as always I reserve the right to be wrong. I truly wish I was... :~((

Mike Maschino

Excellent information, diagrams, and screenshots about the vulnerability. It's not clear why HTC has introduced these unsecured logging features without any serious thought about security for them. Any app can exploit the vulnerability. Why would I even want such a hidden service on my phone anyway?

4 comments

math

Mike Maschino

A thing that the U.S. DoD does properly is NOT use the global set of PKI CAs out there. They have their own, separate, independent PKI. Military apps will not be digitally signed by a Chinese CA. And SSL use within the DoD's (also physically separate) networks is not protected using certs issued by Iraq.

Most of the anticipated uses for these devices do not have them connected to the wider cyberspace of Internet, wireless, cellular ... but rather tunneled into the DoD's private, controlled networks.

Not that there aren't issues and vulnerabilities with the use of Android and iPads/iPhones by militaries ... there indeed are. But militaries do have some advantages, since they actually DO care about, and spend money on, cyber security.

4 comments

Can't help but think that they'd be safer creating their own operating system for these devices than using iOS.

Mike Maschino

Ya know ... this could be yet another of the 100,000,000s of "reality shows" on the boob tube:

"Hackerz ... Size does really matter. Watch the dudes weekly as they swell the size of their hacking victories, and fight not to get p0ned."

Good to see there are goals to achieve and records to be kept. :)

5 comments

Unfortunately, that doesn't even help us, because it sounded like all of our hosting was hacked. I'd be more grateful if it was just our server.

Mike Maschino

I just don't know what to say about this (sighing with my head in my hands). Sometimes I think stupidity on the part of companies should be criminalized.

The blog post is a nice read as well.

6 comments

Well at least the password isn't 0000 like my luggage.
People
In his circles
3,153 people
Have him in circles
5,106 people
Work
Employment
  • Employer not named (per agreement for the video podcast)
    Principal Cyber/IA Architect, 1983 - present
Basic Information
Gender
Male
Other names
Cyber Mike
Story
Tagline
Cyber Security pro & Video podcast host
Introduction
Host of weekly "Cyber Security video podcast" [http://tinyurl.com/cyberPodcast] on YouTube, iTunes, RSS; Google+ is my blog.
Bragging rights
BSEE, MBA, CISSP, ISSEP, IAM, Beta Gamma Sigma
Education
  • Northwestern University
    Elect Engr, 1977 - 1981
  • Arizona State University
    MBA, 2007 - 2009