Thursday, March 9, 2017

CIA leaks: Germany's most incompetent infosec "expert" strikes again - shooting the messenger

Note: The blogster had been hoping to grab the honorific "Germany's most incompetent infosec person" for itself*, but reluctantly gave up and left it to Dr. Sandro Gaycken. A year ago, this director of a private German institution of higher education accused Apple of profiteering in Apple vs. the FBI - and got it wrong.

Today, in the same paper, he declares "Now, everybody can be the NSA" in a guest comment on the Wikileaks publication of CIA documents.

While his Apple hit job tried to make many technical arguments, the current piece is a classic "shoot the messenger" opus.

The lede declares the CIA leak more dangerous than earlier leaks, states that it exposes one of the world's biggest intelligence agencies, and then teases: "The damage is more serious."

Proclaiming it more serious than the Snowden leaks, Mr. G. launches into military imagery: "It is a genuine explosion, maybe with delayed effect, but a megaton-strength one with global consequences."**

He then talks of how this, likely the first installment, contains detailed how-to instructions and code pieces for high quality hacking attacks. For example, how to use publicly available hacking tools, how to build weapons development systems, lists of many structural weaknesses in security technology and operating systems, which versions of Windows, Linux and Solaris operating systems can be attacked most easily and are particularly attractive...

Judiciously placed adjectives are one of Mr. G.'s favorite instruments of exacerbation: "The documents even include attacks on embedded systems..."***

A crowd pleaser in the car-building nation of Germany is his mention of targeted killings using attacks on the systems of vehicles.

This, he then postulates, could hit German technology companies particularly hard, as they now need to assess the potential dangers and have to develop rock solid security concepts for affected areas of technology within the shortest possible time.

Having pumped up the urgency, he segues without so much as blinking into a process that would normally take years and for which there is already little appetite and money.

Another cadence of alarming bits and pieces then goes into "iffing": "If the whole archive were to be published.... The world would be completely compromised. Then everybody could be his own NSA."

So much for the "now" in the title.

Having already attacked Wikileaks several times, such as when putting responsible redactions in quotes, he finishes off with the bold claim that this leak renders the CIA impotent and calls for questioning the limits of responsibility in leaks and why it is Wikileaks that blasts tools for attacks and mass surveillance into the world.

The claim that the leaks render the CIA impotent really goes to show that Gaycken has no idea what he is talking about, and the rest of the final paragraph is shooting the messenger par excellence.

Coming from an expert, you would at least expect to find a word on the ShadowBrokers release of NSA tools, would you not?

You would also expect to hear that the intelligence agencies have been talking of owning embedded systems and the Internet of Things. Maybe his "little appetite and money" phrase is his way of expressing concern.

Gaycken omits that many of the attacks in the Vault 7 release that deal with smartphones require physical access, which takes the blogster and even Mr. G. out of the target group.

Boring little details of the Vault 7 documents, such as the list of the most popular routers on Amazon, hardly qualify as alarming. The premature self-deletion of an implant caused by a simple subtraction error in the code doesn't either.

Redirection of execution via the Windows registry or DLL injection are well-known, boring concepts.

And why is setting up keyboard shortcuts in the Options dialog of Microsoft Visual Studio classified as SECRET//NOFORN in the first place?

The blogster is well aware of the outsize role that "security through obscurity" continues to play in computing. Relying on it is stupid, though.

* Gender neutral.

** Es handelt sich um eine echte Explosion, vielleicht mit verzögerter Wirkung, aber im Megatonnen-Bereich und mit globalen Folgen.

*** Unter den Publikationen finden sich sogar Angriffe auf eingebettete Systeme
