Sunday, March 16, 2014

Hackers & Stuxnet: Education & Best Practices can Change Perspectives

Speaking of hackers in general, the video "Creating panic in Estonia" was well done.  It speaks to aspects of cyber security I have touched on personally with peers and users who are generally unaware of how dangerous the Internet can be, and do not understand how they should be protecting themselves and in turn the rest of the user community at large.  The global dependency on the Internet as a necessary aspect of daily life can, and may, eventually lead to its demise.  It used to be seen as a tool, something that made research easier or necessitated more efficient processing of goods and services to customers.  The global Internet is far more interconnected than most people can comprehend.  We, as IT pros and field experts, find ourselves at a unique crossroads when it comes to the cyber realm.  On one hand, we are users who find entertainment and conduct business transactions through the Internet.  We keep in touch with friends, relatives, and associates.  We pay bills and send gifts to people through the Internet.  We curiously investigate other perspectives on anything we can think of, reachable with a simple search string.  On another hand, we develop and/or service information systems and are responsible for ensuring that the users are not their own worst enemy, and that the executive stakeholders understand why expenses are necessary to ensure seamless operations while maintaining data security and integrity through digital interactions across the company or across the Internet.  Yet another proverbial fork is that of a hacker.  Not necessarily one that breaks into systems with malicious intent, which are primarily the hackers (criminals) most people hear about, but the white hat hacker who, like the man who works for Kaspersky in Russia, looks to improve the quality and safety of the Internet.
In order to beat a hacker, one must be able to think like a hacker, and have intimately specific knowledge of software and systems, how they interconnect, and how users interact with them.  This whole-view perspective on digital communications is necessary in order to properly safeguard oneself, and also the global user community.  Education and repetitive reinforcement have been the successful combination for me in getting users at all levels to start to invest in cyber security and take a different view on what they share on the web.  People contact me regularly to clean infections from their systems and networks.  Unfortunately, most of these users are of the mindset that "it should just work, and never give me problems, regardless of what I do," which has no substantive basis in reality.  In reality, it takes the combination of dozens, if not hundreds, of software applications to make a system function the way it does today.  Since no user situation is ever the lab-tested "ideal" situation, users must be educated not only on how to use their system, but also given a basic-level understanding of how their use affects everyone connected to their system, and the subsequent systems the collective interacts with.  As experiences and exposure to different interactive scenarios manifest, continued education is the key which not only makes a better user but a better system as a whole.

The Stuxnet event could have been avoided with the right engineer designing security protocols, establishing policies, and integrating hardware solutions designed specifically to deny access to unauthorized devices on a network.  Granted, Estonia may not have had access to the technology necessary to effect such a system, but those types of systems do exist.  It is for this reason that companies like Symantec, McAfee, and Kaspersky have integrated a feature into their anti-everything software packages to instantly scan any removable device attached to a protected system.  Granted, Stuxnet did not yet have a known signature and thus could not be specifically scanned for, but those packages also have zero-day detection capabilities, meaning they have an algorithm designed into the software to detect virus-like patterns and flag them as suspicious - which is how Stuxnet was ultimately found, through a zero-day detection algorithm.  While these algorithms are highly effective, they can only detect threats on a system with this type of software installed.  Unfortunately, there is a large number of users who do not have protective software, let alone hardware solutions, installed in their systems and/or networks, which leaves them, and anyone they connect to, highly vulnerable.  Here again, education is the key - once people can be made to understand the risks involved, they will be willing to learn how to best safeguard themselves, which protects everyone else they interact with digitally.  It is like getting an immunization for a disease - if everyone gets the shot, then no one can transfer it or get it from someone who is infected or has not had their immunization.  The shot cures any carriers of the disease, prevents spreading of the disease to others, and does not allow the inoculated to become carriers again.  That is the same philosophy of security software, and important for the same reasons.

~Geek

Reference: Video On Demand - http://digital.films.com/PortalPlaylists.aspx?aid=7967&xtid=50121&loid=182367

Sunday, March 9, 2014

A discussion about RFID


My class is talking about the viability of using RFID technology to subnet networks as an alternative to moving away from IPv4 because IPv6 is so complex, so I did some research.

The Internet is running out of public IP addresses to assign to websites and devices publicly connected to the Internet.  The current standard in use, IPv4, supports about 4.3 billion addresses (2^32), with more than 588 million of those assigned to the private address range, which is not routable on the public Internet (you see those ranges in your office or home LAN).  The next version of the IP protocol is IPv6, which supports 3.4 x 10^38 (340 undecillion) (2^128) unique addresses in total, but only 42 undecillion (2^41) have been made available at the moment by ICANN... that is enough for about 4,096 unique IPs per person in the world, assuming 8 billion souls and /48 allocations by ISPs.

One of my classmates proposed that we use RFID chips embedded in a person to enable subnetting of devices they use; such as computers, tablets, smartphones, game systems, appliances, along with NFC (Near Field Communication) tags that use the RFID tag for systems access, even opening your front door and paying for groceries, etc. - using the RFID tag in the person as the host with the public IPv4 address, and the private IPv4 range for anything that connects through the tag.  All device communications go through the RFID chip embedded in the person to some access point or NAT device.

While in concept the idea seems logical and relevant to the future of interactivity through a relatively cheap tech to work with (averaging between $0.05-$0.17 per RFID tag) that has a broad range of possibilities, I do not think this is a viable alternative to avoid moving to IPv6.  Two primary reasons stick out in my mind as to why: 1) that I know of or can find, RFID technology does not contain the logic processing, nor the physical hardware capacity, to negotiate the infrastructure methods necessary to make this plausible, especially when implanted in a human (biochemical considerations), and 2) a highly sensitive consideration of a person's privacy, as these RFID tags can store contact details, bank account information, and, with NFC sensors/readers installed, your activities.  Most would be fine with this level of invasiveness because it would simplify life interactions across personal and professional spaces (and it in all honesty could); a lot more would not, because literally everything you do would be tracked and cataloged for whomever is linked to the system to extract and use for whatever they need the data for.

Assuming security is properly implemented, specific privacy issues resolved, and technological evolution to allow RFID tags to work like this - a hypothetical win-win for all sides - it would only delay the inevitable.  We would still run out of IPv4 addresses sooner rather than later.  Implanting tags in every person adds nearly 8 billion more unique addresses, which is more than the total capacity of IPv4.  Trying to update a system that embedded (surgically inserted into a person) would cost everyone so much money it would defeat its entire purpose.

Because we only have a couple billion IPv4 addresses left available world-wide, the move to IPv6 is already well under way.  While I like certain aspects of RFID use - retail sales tracking like Wal-Mart uses for automated restock orders, or vehicle tracking used by trucking lines and manufacturers, processing payment through the RFID chip in a credit/debit card, etc., making processes more efficient and effective for their respective purposes - it scares the crap out of me with the direction a lot of authorities want to take the technology.  I won't go into the conspiracy theory side of RFID (that is a lengthy conversation), but the implication that it will one day be used to track us and all our activities (yes, all of them) is real.  Here's the real question - given the expected future of RFID, would you get chipped, even if only for the purpose of instant access to your medical records and payment for goods and services?

~Geek

References
http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/rfid.htm
http://rednectar.net/2012/05/24/just-how-many-ipv6-addresses-are-there-really/
http://spectrum.ieee.org/semiconductors/processors/the-plastic-processor
http://itknowledgeexchange.techtarget.com/whatis/ipv6-addresses-how-many-is-that-in-numbers/

This blog is only to express the opinions of the creator.  Inline tags above link to external sites to further your understanding of current methods and/or technologies in use, or to clarify meaning of certain technical terms.  Any copyrighted or trademarked terms or abbreviations are used for educational purposes and remain the sole property of their respective owners.