April 25, 2024

The mountain of shit theory

Uriel Fanelli's blog in English


The Authority is coming.


It is interesting how the cybersecurity authority arrived a few days before the leak of millions of Italian profiles, complete with medical information about their vaccination.

Obviously everything is described in a way that suggests it is the elite troops of the Postal Police, or in any case an action group made up of high-level experts, able to intervene. The Navy SEALs of the net, or something like that.

Beyond the picture the newspapers paint, if you read the decree that establishes it (as the implementation of the corresponding European directive), what you find is just this: the image it gives is that of a group of super-consultants.

And let's be clear, in itself that is not bad, but it seems that for them "cybersecurity" and "cyber attacks" mean breaking into a system to take data. But that is not exactly how things are.

Anyone who has understood how data moves, or where the value of data actually lies, knows well that the data is in TWO places.

The first is the ministerial server that the new specialists will be (I hope) very good at protecting and keeping safe. Very well.

And let's be clear: it must be done.

But there is a second copy of that data, which is in the hands of the citizens. Let's take an example with vaccination data.

It will soon arrive, and will be installed by practically everyone, in the form of an app that lets you show officers that you are vaccinated. That will buy you some freedoms, so we can predict that almost everyone will download it.

Let's take the 60 million mobile phones there are in Italy (but any other nation would do). What is the state of their operating systems? How many are up to date?

This is the fragmentation of Android systems in the world:

[Chart: Android version distribution worldwide]

Now, if you look at the distribution, even considering that the vaccine passport app will probably NOT run on very old mobile phones, there are two cases:

  • either it will be a failure because it runs on too few cell phones, as we have excluded the old ones;
  • or it will run on a very large number of cell phones that have not received security updates for years.

And this is the problem: assuming that the seven million stolen records were stolen from the server is, in this situation, very wrong. A virus that infects outdated cell phones and steals data is entirely feasible. Such a virus could be expected to hit six million Android devices and, if the app is installed, take the data and send it out.

At that point, on 60 million mobile phones, even infecting only 10% of them, the data of six million Italians leaks out. And nobody has touched the central fortress system.

Moral?

Like all the rest of the IT business, the center is no longer on the servers, but on the users' systems. The data today is in the consumer world.

Not for nothing, after all, the likes of Google and Facebook do not go and take data from governments or telcos: it is their software, running on mobile phones, that sends the data to GAFAM.

It is not clear why the attackers should do otherwise.

But the next question will be: what should such an authority do for us?

Define mandatory best practices for the IT MARKET.

Well, for example, it could decide that companies have a duty to provide security upgrades for at least 10 years, and that cell phones without antivirus cannot enter the network.

How to implement this is a separate problem, but the point is that in the current situation, if we want to identify the resources in danger, we must not talk only about government servers and strategic organizations, because today the USER is strategic, and a virus can infect MANY of them.

But we can go further, and take another classic example: the IoT. We are in 2025 and everyone has air conditioning connected to the internet in their homes. With its lovely APP. Fine.

As usual, five or six brands dominate the market. A virus infects the first five or six models. This virus does nothing except align the device's clock with a stratum 2 or 3 NTP server, so as to be precise, and then turn off all the air conditioners at the hottest moment. All within a few tens of milliseconds.

If you give the power grid such a blow, the effects are unpredictable, but potentially devastating.

What should an authority do in this case? Prohibit the installation and sale of any internet-connected device whose shutdown transient is too short and whose power draw exceeds a certain number of watts, for example.

And finally, one last example: your home router. Aside from the proliferation of very cheap brands with known vulnerabilities, there are plenty of routers that are old and haven't received updates for years. If they do VoIP, they expose a nice port 5060 to the internet.

If the firmware is the usual five-year-old Linux with a five-year-old SIP server, it has probably already been recruited by some worm or some botnet.

And this means that it is possible both to listen to the phone calls and take the metadata, and to use the router for DDoS.

What could the authority do? For example, require by law that router manufacturers provide upgrades and security patches for a certain number of years, that routers that are too old cannot join the network, and so on.

And this, I repeat, because today the data is found BOTH in the super-protected server (hopefully) and in the user's computer. Why would the attacker attack the bank if everyone has money in the house, under the bathroom rug, and the house is easy to attack?

Let's be clear, protecting the national digital perimeter is essential. But a copy of the same data is found in the world of the consumer. On old computers, on old routers, on old and outdated systems in SMEs.

I can protect national giant X from attack, fair enough. But all of its suppliers, if they are SMEs, are using systems that are wide open. I find the same data OUTSIDE national giant X.

So, it would be time for some "authority" to start pushing manufacturers to guarantee periodic upgrades and security patches.

But that's not enough. By the time a given camera turns out to be compromised and there are 5 million devices running a DDoS against someone, it's too late.

What could the authority do? It could require that routers, in addition to the "guest" network they all have, offer an "iot" network, say with a bandwidth cap of 10 Kb toward the outside. Routers NOT configured this way (and IoT devices that cannot be made to attach to that network) cannot be sold.

I don't need a lot to turn on my lights in the garden.

Would that solve the problem? No. Would it mitigate it? Yes.
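As an added illustration of the router rule the post proposes, here is one way a Linux-based home router could enforce it: an "iot" bridge that is forbidden from opening connections toward the trusted LAN (nftables) and whose outbound traffic is policed to a tiny rate (tc). This is example code written for this page, not the post's own nor any vendor's firmware; the interface names br-lan and br-iot, the use of tc/nftables, and the literal 10kbit figure are assumptions to adapt. By default it only prints the commands; it applies them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example: isolate and rate-cap an IoT network on a Linux-based home router.
# Interface names, subnet layout and the 10kbit cap are assumptions, not a real product's config.
LAN_IF="${LAN_IF:-br-lan}"     # trusted LAN bridge (assumed name)
IOT_IF="${IOT_IF:-br-iot}"     # isolated IoT bridge (assumed name)
IOT_RATE="${IOT_RATE:-10kbit}" # the post's "10 Kb" outbound cap, in tc notation
APPLY="${APPLY:-0}"            # 0 = dry run (print commands), 1 = execute (needs root)

# run: execute the command when APPLY=1, otherwise echo it so the rule set can be reviewed.
run() {
  if [ "$APPLY" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# iot_isolate: IoT devices may reach the internet and may answer connections the LAN
# opened to them, but may not initiate anything toward the LAN. A bulb that is owned
# can still phone home, but cannot pivot to the laptop next to it.
iot_isolate() {
  run nft add table inet iot
  run nft add chain inet iot forward '{ type filter hook forward priority 0; policy accept; }'
  # replies to LAN-initiated connections (e.g. the phone app talking to the thermostat)
  run nft add rule inet iot forward iifname "$IOT_IF" oifname "$LAN_IF" ct state established,related accept
  # everything else crossing from the IoT bridge into the LAN is dropped
  run nft add rule inet iot forward iifname "$IOT_IF" oifname "$LAN_IF" drop
}

# iot_rate_limit: police all traffic arriving from the IoT bridge (the devices' outbound
# direction) to IOT_RATE and drop the excess. Enough for a thermostat or a garden light,
# useless as a DDoS source: this is the mitigation the post describes, not a cure.
iot_rate_limit() {
  run tc qdisc add dev "$IOT_IF" handle ffff: ingress
  run tc filter add dev "$IOT_IF" parent ffff: protocol ip u32 match u32 0 0 \
      police rate "$IOT_RATE" burst 4k drop
}

# Dry run by default: prints the rule set that would be applied.
iot_isolate
iot_rate_limit
```

Note what this does not do: it cannot force a device onto the iot bridge, and it does nothing for a router whose firmware is too old to ship nftables or tc at all. Those two gaps are exactly the part that, as the post argues, needs market power rather than a configuration file.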

But to introduce these good practices to users, you need power. You need a power that these authorities DO NOT HAVE.

The data today is also on the user's devices. Creating a perimeter around sensitive systems is obviously necessary. But not enough. Indeed, it could be argued that it is a mild measure.

To protect a country, the consumer market must be strengthened, the place where the data we want to protect really are. For this, you need power ON THE CONSUMER MARKET.

Before you start saying “gomunismoh”, I would like to point out that you cannot buy whatever junk car you want. There are MINIMUM safety requirements to be met. Likewise, you cannot sell household appliances freely: there are safety minimums to be respected.

All other markets are regulated, and no one has complained yet. The only market not regulated on the security side is the IT one.

An authority is needed that sets minimum TECHNICAL safety requirements, to be IMPOSED on the products for sale.

Otherwise, you will have protected a perimeter, which however does not contain the main target of the assaults: the users' resources.

So it's okay to have this authority because you need to protect the servers and strategic systems, but if you don't protect the other endpoint (which today is very weak), it will be a mild measure.

And of this, the price will be paid later. The authority must also have market power, and set minimum security requirements for all devices.

  • updates and security upgrades AT LEAST once a month, for ten years;
  • a ban from the network for devices not running the latest version;
  • a definition of the technical characteristics required of IoT devices that want to connect to the network.

This, mind you, would only be the BEGINNING. That's what has been missing for at least 15 years. But it takes powers.

Without these powers, protecting a perimeter that contains only one of the two copies of the data is, and will remain, a MILD measure.
