Thursday, April 24, 2014

Cry Me A River - But Don't Make My Heartbleed

   I am the organizer of a local Ethereum Meetup at this time. A recent comment of the hhos (ha ha only serious) variety was posted about the potential for the Ethereum code to include a backdoor that would lead to World Domination. I chuckled, as was no doubt intended, and then countered with a serious reply about the need for such projects to be Open Source. Ethical hacker Mark Scrano, a colleague and friend, replied in the meetup conversation:

"If critical mature open source software (openssl) can't audit its code properly, I fail to see open source saving Ethereum or any open source project from including a bug or two of potentially critical nature ;-)"

To which I replied, 

"Clearly new processes need to be employed by companies who have decided to base their business on "free" software. Open Source "IS" the solution. The failure, imho, was not that the source code was obfuscated or unavailable. It was a failure to review the code. The notion that only the teams building the software should be reviewing it for bugs is a false one. The underlying problem here, as can be said for many of our societal woes in the US today, is GREED. (I think I smell a blog post brewing. ;) )"
   And so, now you are caught up. Here we are.

   Greed is nothing new to the human condition. There are those who suggest that all errors of character are learned behavior attributable to our environment. As a father, now watching two little girls grow up, I have a different opinion.

   This post is perhaps less about greed than it is about the Heartbleed bug, and more broadly about the state of Information Technology in Corporate America in general. Some things are in fact self-evident to anyone who cares to look. Perhaps the first is that greed exists. Let's not sugar coat reality. While we all enjoy community, and we all need and want friends (regardless of the anti-social's admonitions to the contrary), we also have a deep desire to be satisfied. It takes a larger mind to get past that obstacle, and that is an entirely different blog post.

   As a young man leaving the United States Air Force and learning "the ways of the world" in the late 80s, I was often shocked to see the differences between how the Military and Corporate America did things. I was stationed at Yokota AB, Japan, and was a proud member of the Tech Control Facility there. While, admittedly, my time there had its ups and downs, I learned more there in just over two years than I suspect some learn in four years of college. We handled military communications. It was a high stress, highly technical job. Troubleshooting was our business. We kept countless communications circuits up and running to help maintain global communications for all branches of the armed forces. Aiding us in this task was something that at the time I took for granted. It was documentation.

   In the military, upward mobility often happens at an almost predictable rate. For others, a four year hitch has them in, trained, working, and out in as many years. Documentation is clearly required as enlisted men and women move into and out of increasingly technical jobs. How could the military function without documentation? It couldn't. I suggest, especially given the high turnover rate and the increasing layoffs, downsizing, and firing that take place in the American job market today, that neither can companies continue to do business as they have. Documentation cannot be an afterthought or something to do when your work is done. Indeed, it is a vital part of any IT professional's work, and a requirement for management if they are to gain or maintain any level of situational awareness.

   Let's consider a company in America that relies on technology for conducting business in some way. This is really just about every company in America today, since nearly all of them at least use electronic mail. As a consultant, I have performed Information Security Assessments for many companies across the United States. What I have found nearly everywhere is a lack of current documentation detailing the creation, storage, and flow of information through the organization. This is because documentation is often viewed in Corporate America as a "nice to have" or an "extra" rather than a requirement of doing business with computers and networks.

   The first time this became painfully apparent to me was when I assisted a well known Fortune 500 Company during the Code Red and Nimda worm outbreaks. The company, like many in the world, was hit hard. The infection spread quickly from host to host, with each new infection in turn reaching out to infect more systems.

   One would think that it should be easy to simply turn off infected systems as they were discovered. However, I found that there were no current network maps to help us actually locate the infected systems. This was a big problem. This company's intranet was global. Even the local area spanned multiple campuses and buildings. In short, we couldn't physically locate infected systems in many cases. Of course I designed a solution to that issue and worked with a team of programmers to code a preemptive strike option; but the point is that there was not adequate documentation to manage the environment during a crisis. Why?

   Enter greed and corporate politics. The simple reality I have found across the country is that while the armed forces have "Winning" as an underlying goal, American businesses have "Profit" as an underlying goal. The basic problem I see with this is that profit for profit's sake is greed by any other name. While I have no problem with profit, profits, and profitability, I believe that companies should first be focused on winning.

   Winning in this sense means doing everything needed to properly manage Information Infrastructures. Networks and Computer Systems that house and protect customer and company information should be treated like a battlefield that needs to be secured, not a place to 'manage risk', unless the risk being managed is the potential to lose. Too many companies lose every day, and they don't even know it.

   If there was ever a time when it was acceptable to say, "We have nothing attackers want", it has long since passed. The reality is that in a hyper-connected world, given the plausible theory of six degrees of separation, you have a customer who has some access to something or someone an attacker wants. And that is before considering that an attacker may merely want your processing power, storage, and bandwidth.

   Taking complex ideas and boiling them down into simple phrases is always fraught with peril. So, I'll add this as an open comment to the businesses of these United States: Until a true Artificial Intelligence is created, you cannot run computer systems without proper oversight. Many of you have continued to buy more computer systems and roll out new "features", even while laying off IT staff. People can complain about a lack of educated IT Security professionals available in the workforce, but the reality is that businesses don't even have enough Systems Administrators and Network Engineers on staff to manage their Information Infrastructures properly. Further, it is irresponsible, if not grossly negligent, to continue to roll out new systems and applications when the existing infrastructure is not documented to a state that can be demonstrated to facilitate managing a crisis.

   Lastly, if your company is going to run Open Source software as a part of your business, then it is your responsibility to either review the code you run, or pay someone to do it for you. While it might be understandable for a start-up with limited capital to leverage Open Source without such investments, clearly the largest of companies turning profits while taking advantage of otherwise "free" software should know better.

   And, allow me to preempt any of my colleagues' comments to the effect that "this isn't how businesses run" or "it isn't reasonable to suggest this" or "Ken, you are an optimist" with the simple fact that the way things are working is not sustainable, and terribly broken from a vulnerability standpoint. If improvement is to be made, and if companies are to win in cyberspace, they must invest in people. They must hire more people to manage and secure their systems. If we are to rely on technology, then our workforce must be technical.

   If Heartbleed is a wake-up call, then it is only such because of the widespread consumer awareness that it is generating. The reality is that the intellectual property of our nation has been hemorrhaging for many years. Things must change. As consumers begin to wake up to the realities of negligence, there will be lawsuits. I hope companies re-think how they manage IT before that happens. Perhaps it is already too late for that. Perhaps those few people who actually have a clue inside companies that continue to place profits above people will jump ship to start better companies. That would be very American, in my humble opinion.

   In closing let me quote a great football coach: "Excuses only satisfy the people that make them."

Yours in Information Security,

       Ken Walling

Kenneth R. Walling Jr., CISSP
CyberCede Corporation

In case you don't really have a clue about Heartbleed, I recommend this ...