Monday, February 22, 2010

Were the Google attacks an insider threat problem?

Recently, I came across Bruce Schneier's view on the Google "Chinese" hacking attacks. In essence, he analyzes the situation by citing various facts (such as the existence of backdoors in various systems due to wiretap requirements) and concludes with the dangers of building the ultimate surveillance system and establishing a police state.

I think that the title of the article is a bit misleading, though. In my honest opinion, the title should instead read: "US fails to handle the insider threat problem in critical surveillance infrastructures". I will explain my point of view.

Schneier's view is fundamentally correct. Indeed, we need to be careful about the procedures and the persons who handle surveillance systems. (I am not going to discuss here whether we need these systems at all; that is a big issue in itself. For the purpose of highlighting the insider issue, I axiomatically accept that we do need them.) This essentially points to the insider problem, a big issue that is left to the side in the process of securing surveillance infrastructures.

I do not want to reveal details I do not know about, but from my experience as a system administrator and security researcher, I understand that it takes a lot more than knowing that a backdoor to a system exists in order to exploit it. Google might indeed have left backdoors in Gmail, and this creates a vulnerability. To exploit this vulnerability a catalyst is needed, and that is either the person who knows the failsafes (procedures/passwords) and hands them over (intentional misuse), or a person naive enough to design procedures that are too open (accidental misuse). Without these factors, it is difficult for me to accept that Google's systems could have been compromised.

Interestingly enough, Schneier mentions the high-profile wiretap case of the Greek government in June 2004. In my view, the problem was not that Ericsson enabled the surveillance functionality in the ground stations for the Greek government, nor the fact that Vodafone Greece had issues with their procedures for enabling that functionality. The very fundamental issue is that someone took the decision to advise or allow important members of the Government to discuss government issues over a normal private carrier and ordinary phones, with no further security failsafes (additional encryption, VPN and other mechanisms). That is essentially a policy mistake made by an insider (an advisor the Government trusted to secure the communication channel, or the lack of one).

I often argue that for every external breach of security, there is almost always an internal reason (naive users, lazy IT admins, absence of policies from CIOs). The same is true for surveillance systems. The funny thing is that these problems have been highlighted by many US government funded workshops on insider threats and other gatherings around the world. And my question is: "When will people listen to insider threat researchers?"