Pill-Chomping Hackers and Security Whack-a-Mole

Tonight on twitter I saw an argument about how social-security numbers and credit card numbers are benign pieces of information and that they are only dangerous because of how banks and other organizations use them.

I smell bullsh*t.

Most PacketPushers followers are engineers.  They get paid to think.  We have some non-technical people too:  Managers, people in marketing, etc.  Whatever the case, you’re job is to think and to make choices.  I believe that’s the basic definition of a “knowledge” worker.

In order for you to make those choices, you need data.  Engineers need engineering data like performance metrics, technical requirements, and so on.  Managers might need financial data.  Marketers might need data about varying demographics that might buy their product.  The amount and types of data you need, you will find, is staggering.  Sit down and catalog it.  You must filter, sort, and process that information in different ways and in different contexts to execute your duties effectively.

There are so many points of information, in fact, that it is nearly imponderable.  Its hard to imagine anything ever gets done considering how much information is out there.  The buddha said there are four imponderables in this world, and I propose there is a fifth:  The incestuous, infinite, and contiguous field of information that exists all over the internet, in private networks, in our wallets, everywhere.  Data is hopelessly interconnected.

What does this have to do with the first sentence?

Hackers are knowledge workers too.  Just like you hackers need information.  Individually this information may seem benign.  Some of it even obvious such as: How many physical entrances are there for a building?  Hackers need this information.  Information is like pills.  Hackers are like Pac-Man.  Why is information so important?  Information equals attack vectors.  Period.  Its why shared numbering spaces (such as VLAN IDs, or, like, the whole damn internet) are evil.  Its why SSNs and CCNs should never be revealed.  Think about the obvious things they already know and think what is made possible by giving them ever more information.

This is an abstract argument.  Its not about SSNs in particular.  Or VLAN IDs.  Or the number of doors on your building.  Its about what is possible with a combination of the right data and the right hacker.  He/she could walk into one of those doors, plug into one of those conference room ports, and do a SQL lookup for anything containing that SSN.  Just like that they have financial accounts data, medical data, background check data, or anything you can imagine about you or your family members.  Or your children.

Note: This particular attack is *nothing* compared to real-life, multi-stage, multi-vector attacks executed by people way smarter than you or anyone you know.

You scoff.  You blame the victim or their horrible app.  However fixing the app, or locking the doors, or removing the SSN this time is pointless behavior.  Its not drastically different than playing whack-a-mole.  The interconnectedness of data is imponderable.  You can’t know all the ways you are vulnerable.  You can’t patch up holes you don’t know exist yet or are yet to exist.  You just can’t.  Engineering, ultimately, can only solve tactical problems as they become known.

Know this:  Information is risk.  The biggest threat to your organization (or to you) is your own information.

You need to manage the risk that your information poses.  Get into the mindset that other people do not need to have or know your information.  If another party legitimately  needs to know your information, you should know how they are protecting it.  They must earn your trust.  Ultimately you must decide what risk is acceptable to you.  Anyone who tells you otherwise… is probably trying to sell you something.  And whatever it is, its not secure.

Getting back to the first sentence:  The argument that any piece of information would be benign if it weren’t for some entity abusing it… is a non-starter.  Information is always ripe for abuse.  Intentional, or not.

 

Cloud Toad
CloudToad is adrift on the great sea of network serenity. - CCIE #15672 (RS, SP) JNCIE-M #721 Twitter: @cloudtoad LinkedIn: http://www.linkedin.com/in/derickwinkworth - Derick's opinions are his own and do not reflect those of the company he works for.
  • http://etherealmind.com Etherealmind

    Cracking read. All data is a vector but vectors are also needed for actual use. Enter the FUD Security debate …..

  • Fernando Montenegro

    Brilliant article, thanks. I dare add a couple of comments:
    - One, this points back to the NAT debate. If information is risk (and I agree it is), knowing internal addressing for an organization adds to that risk. It goes without saying that security by obscurity ALONE is downright negligent, but why should we make it easier for attackers?
    - It was not mentioned in the article, but the pervasiveness of things like SSNs and CCNs makes them particularly valuables as keys to tying information together.
    - Finally, it is interesting how this post highlights the information gathering for attacks builds on itself. My non-IT studies currently include things like ‘model thinking’ and it was nice to recognize features of a percolation model in this. I mention this because if I understand things right, one characteristic is that what makes the model ‘percolate’ can often be just one more element. In this discussion, it may mean finding one more thing – maybe the SSN, or the target’s real IP address – that makes the attack possible.

    Again, great post!

    • http://www.facebook.com/etjohnson81 Travis Johnson

      I really wish someone could give me a real reason for saying the ‘internal private IP addressing should not be made public’

      I think that it’s pretty well known that the majority of orgs have a network in 10/8, 172.16-31, or 192. What’s the big deal?

  • http://packetpushers.net/author/ecbanks Ethan Banks

    In this context, I similarly value disinformation. Corrupt what the hackers think they know about your environment.

  • Etjohnson81

    Good article toad. Just a thought though…. in paragraph 6….aren’t your children by default your family?