3. $104 and 8 hours of Amazon’s cloud computing is all it took to hack NSA’s we...

$104 and 8 hours of Amazon’s cloud computing is all it took to hack NSA’s website

It seems to me that perhaps your understanding of security and how the internet works may differ from mine.

First, TLS (Transport Layer Security) only works as designed when both client and server exchange certificates because it is based in the Diffie-Hellman key exchange which is based upon public-key cryptography. To date, almost nobody but the most paranoid of consumers have a personal certificate from a certificate authority.

SSL was created by Netscape to address the concern of businesses that consumers would not shop online if the consumer believed that their credit card data could be discovered by a 'man-in-the-middle' attack. So SSL was used to prove that the 'store' was indeed the actual store; and the business figured that the consumer would authenticate via credit card information and so a client side certificate was unnecessary. This completely breaks the entire protocol! And SSL/TLS has continued to have issues since I first privately demonstrated that 'SSL was broken' back in 2000 to 'bay area' financials.

Before this can happen however, you must ask a DNS (Domain Name System) for the address of a website. This is completely insecure, and everyone knows what website you are about to visit - even if you use SSL or TLS to connect to that endpoint. So you are not anonymous and all snoopers know exactly where you are going... Additionally, clever attackers can intercept your DNS traffic and send you to machines they control. Many, ISP's do exactly this and sell your information to advertisers.

Additionally, SSL/TLS is a 'confidentiality' protection - it doesn't do anything to prove the truth of information. But rather it proves the integrity which is that to say that only that the false information has not been altered. If the information is true - it also shows that the true information has not been altered. And to prove integrity you need to use a cryptographic hash, and this does nothing to establish 'attribution' or 'authorship' by somebody you personally trust (or the truthfulness of that information). That is to say you should not believe something until you can verify both the source and the integrity of that information. This is to say both the author must be somebody you trust, but also that what they said has not been altered by somebody.

Finally, the economics of security are anything but trivial. For something to be secure it must cost more to obtain the information for the attacker than the information is worth to the attacker.

And even that is perhaps not enough, because some attackers will attack you for reasons of ideology. Which is to say that if the attackers do not care if they can profit or not, they will attack you until they succeed because they hate you. They maybe willing to even die just to make you look bad in some cases. This is not something you can 'trivially' protect against. People hate the NSA since the Snowden leaks, and so many attackers now fall into this ideological category now. It simply does not make financial sense to protect public information from an ideologically motivated attacker, not even for the government.

In security we must not only protect against the known-knowns, which you falsely believe is trivial. (example: You can not patch the label printer from 1981 because if you do you can no longer print labels and ship products, and so your revenue stops until you solve the problem. Thus your business readily accepts the vulnerabilities...) We must constantly make trade-offs between security and core business functionality. This is the ART of security. That is to say we must operate securely with vulnerabilities!

Second, we must defend against the unknown-unknown. This is the zero-days (such as this bug) and the APT's. There is no possible way to defend against tomorrow! You can not patch the future today!!! We are all ignorant of the stuff we don't know - this is fundamental. As the saying goes - "The security architect must be lucky all the time, the attacker only need be lucky once!" The most damaging reality is that we all make errors, and those errors will be exploited. Nobody is perfect - it is impossible. Thus, vulnerabilities will exist and we either know about them or we don't - in either case they are there... again - we must be secure in-spite of the vulnerabilities!

The known-unknown, is the stuff we think we know that is false and this is where things fail most often and spectacularly. The fact is when we believe something to be secure that is not we fail-hard! In most cases we are indeed our own worst enemies. When we believe something to be true that is not; we create enormous vulnerabilities due to ignorance and hubris. Thus the real trick of security is actually protecting our future selves from the ignorance of our current self... because the errors we make today that we believe to be the right thing; that actually turn out to be the wrong this - must still be secure! That my friend is anything but trivial as you so describe it! Not to belabor the point - BUT WE MUST BE SECURE IN-SPITE OF THE VULNERABILITIES!

Only in hind sight is anything in security seemingly trivial because now we know however, at the time it the security control was implemented it was impossible to predict a future unknown state!

/r/hacking Thread Link - motherboard.vice.com
Previous
Next

Recently removed from /r/hacking

What is this on my cellphone? When I searched for it, it came up as a remote monitoring hacking interface, and I suspect that my work may be monitoring my cellphone. I think now, I actually have proof: Can the origin of this be detected? I am referring to the "com.drogecomputing.pro" Can someone answer the following? Is possible that I can get hacked this way? What does the padlock mean on the top left of my address bar? Is that the same as buying a proxy VPN? Bypassing BIOS passwords Find someone from California. A friend says he's been hacked I built Pass | Guess, the Ultimate password vulnerability demo How could one find out more about a phone number? Are there any specific examples of a hacker being forced/compelled by their government to attack another country or business? Certified Ethical Hacking for Pentesting Apple offers $1.5 million reward for anyone who can hack their new iPhone I just found out a website is storing my password in plaintext, what should I do? The NSA says it's time to drop its massive phone-surveillance program NSA Releases GHIDRA 9.0 — Free, Powerful Reverse Engineering Tool – PentestTools

More Random Comments

What is Sujamma made from? ¿Cómo están viviendo ustedes el repunte de covid de este inicio de año? ¿Lo ven peor que cuando inició la pandemia o pasable? ¿Creen que paren actividades otra vez? I think I know why people just don’t care. What should you avoid because its poison that rots your mind? Ya me tiene hasta la madre las propinas. b My girlfriend broke my PS4 for a TikTok trend I will not apologize for my "entire personality" involving me being a mom Better way to animate this liquid? Should I message the youth pastor who tried to "fix" me for being gay? How can ı get a deleted brush back? Patreon Updates (or Lack Thereof) Miért hisznek ennyien az asztrológiában? Intimacy problem Wrecked moms car