The Security of Nature, or “Nature on Security”

The raison d’être of this site is to define just what is “the nature of security.” I introduced this meme with the first article on this site – http://michaeltheroux.com/2011/08/08/nature-and-the-fallacy-of-idealism-in-security/ – and I’ll continue to expound on this necessary process of security acculturation to move away from the current and accepted haphazard Skunkepistemology. My forthcoming book, Nature on Security, develops this idea in great detail, and will be available in January of 2013.

Nature provides a framework of security that outshines any unnaturally derived theoretical model in existence. And its methodology is simple. Let’s briefly delineate how the animal kingdom has developed a simplified system of protection. Animals have 5 basic responses to danger:

1. Fleeing

2. Warning

3. Armor

4. Camouflage and Deception

5. Weaponry

Many animals utilize one, or maybe two of these responses at a time – some utilize all of them. What if we could apply these 5 basic responses to computer security? Let’s summarize how this model could play out against malicious attacks – step by step.

FLEEING

You would be correct to assume that this technique for avoiding attacks is mostly unusable where computers are concerned – since your machine is identified by a fixed location, it can’t simply run away. One way to potentially solve this would be to “trunk” all network connections (there are companies that offer this). “Trunking” (as paraphrased from Wikipedia) is a concept by which a communications system can provide network access to many clients by sharing a set of lines or frequencies instead of providing them individually. This method has been used in two-way radio communications for many years, where “trunking” refers to the ability of transmissions to be served by free channels whose availability is determined by algorithmic protocols. So, instead of having a fixed IP address, your IP would change constantly as the site controller assigns addresses from the available pool. The familiar “Tor” application currently does something similar in the browser environment by frustrating traffic analysis, but it lacks protection against end-to-end timing attacks (if your attacker can watch the traffic leaving your computer and also the traffic arriving at your chosen destination, he can use statistical analysis to discover that they are part of the same communication). While this computer analogy is somewhat akin to the nature of “fleeing,” it still doesn’t solve the issue that most computers reside in a fixed location and cannot run away.

Real network trunking, implemented between ISP and endpoint, would obfuscate actual location at the endpoint, or more correctly, the point of inception of the communication (due to the fact that the IP assigned to the computer changes constantly).

Unfortunately, if this trunking were adopted, it would be with great certainty that someone would develop “trunk following” in short order (much as it was developed for radio scanners). And, if this architectural shift were adopted, it would, of course, present several other security nightmares if managed incorrectly; add complexity to systems; and may add latency to the network. This technology is currently available, and overall, adds an ever-changing secure layer to a normally fixed target.

WARNING

Again, warnings to potential attackers won’t do much where computer assaults are concerned – hackers will simply ignore them, and automated malware can’t read. But the slap of a beaver’s tail doesn’t so much warn the attacker to stay away – it warns other beavers in the vicinity that danger is present. If computers that first recognized danger from a malware attack were able to warn other computers on the same network that danger is present, the network may be better able to proactively protect itself. This can be accomplished by incorporating it into locally installed antivirus (AV) applications. The AV application installed on a single computer on the network detects the presence of malicious code from its signature file, and then warns all computers on the network to check that they have the signature installed to detect the malware, and/or to check whether a patch needs to be installed to avoid the exploit. With automation, this technique could then install signature files or patches where necessary, thus reducing the impact to the network.
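To make the beaver-tail idea concrete, here is an added example (not code from the original post or from any AV product) of the exchange the paragraph describes: the host that detected the malware emits a warning naming the signature and the patch that closes the hole, and each receiving host works out what it is missing. The shared HMAC key, the signature and patch identifiers, and the 300-second freshness window are all assumptions constructed for the example; the authentication and staleness checks are there because a forged or replayed warning must not be able to drive automated installs.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, asdict

# Constructed key for the example; a real deployment would provision one per network.
SHARED_KEY = b"example-network-key"


@dataclass
class NetWarning:
    signature_id: str   # AV signature that fired on the detecting host
    patch_id: str       # patch that closes the exploited hole (constructed id)
    sender: str         # hostname of the detecting machine
    issued_at: float    # unix time the warning was emitted


def sign_warning(w: NetWarning) -> dict:
    """Serialize a warning and attach an HMAC-SHA256 tag over its body."""
    body = json.dumps(asdict(w), sort_keys=True)
    tag = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_warning(msg: dict, max_age: float = 300.0, now=None):
    """Return the NetWarning if the tag is valid and the message is fresh, else None."""
    expected = hmac.new(SHARED_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    w = NetWarning(**json.loads(msg["body"]))
    now = time.time() if now is None else now
    if now - w.issued_at > max_age:
        return None
    return w


def actions_for_host(w: NetWarning, host_signatures: set, host_patches: set) -> list:
    """List what a receiving host still needs: the signature, the patch, or nothing."""
    actions = []
    if w.signature_id not in host_signatures:
        actions.append(("install_signature", w.signature_id))
    if w.patch_id not in host_patches:
        actions.append(("install_patch", w.patch_id))
    return actions


def handle_warning(msg: dict, host_signatures: set, host_patches: set, now=None) -> list:
    """Receiver side: reject bad or stale warnings, otherwise compute the actions to take."""
    w = verify_warning(msg, now=now)
    if w is None:
        return [("reject", "bad tag or stale")]
    return actions_for_host(w, host_signatures, host_patches)
```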

ARMOR

Now we’re entering the realm of usable and accepted responses to attacks that are already operational. Armor varies greatly in the animal kingdom, but all armor has the simple function of protecting the victim from attacks. Our computer firewalls are our armor, and while there are many varieties of firewalls, they all serve the same basic purpose – they simply deter malicious attacks by controlling access in and out of our networks, both internal and external. They are like the great walls that keep out our enemies, the moats of castles, and the science fiction of force shields – and left to their simple purpose, they can inevitably be breached.

One must not rely solely upon these crude blockades – many a fortress has been sacked due to this Pollyannaish reliance on the security of a secure facade. Like the genius of the Trojan Horse of the Greeks that finally allowed them to enter the city of Troy, malware has conveniently disguised itself as a friend, and piggybacked upon applications already accepted as legitimate by the firewalls in place.

CAMOUFLAGE AND DECEPTION

The animal kingdom has a long and ancient history of camouflaging its presence to either avoid attacks by predators, or disguise itself from prey. The chameleon, leopard, walking stick insect, and so many others all disguise themselves by blending in with their surroundings so that predators and/or prey have great difficulty seeing them. They simply do their best to appear as something they are not. This stealthy security circumvents most attacks from predators and likewise lulls prey into a false sense of security. Since hackers and automated malware often initially assess the viability of their targets before an attack, the stealthy methodology of camouflage or deception on the victim’s part can be an invaluable asset. If your attacker is looking for a Windows host, and you appear to them to be running Unix, they’ll simply look elsewhere. And if you can be invisible – that much better.

WEAPONRY

Here is where we depart from the conventional security ideology, and step into the real realm of how nature deals with security. At some point, nature may need to fight back. Most animals that generally rely upon the previous methods of avoiding attacks have little to worry about – but on occasion, they will be discovered and must fight back. Others in the animal kingdom rely solely on their “weaponry” to fight off an attacker.

Our individual imprint in the computer world is a sitting duck. If we are connected to a network, we are vulnerable to attacks, and have little recourse to strike back if we are assaulted. We only have tools to defend against attacks. This is not how it works in nature. All other protections aside, if those are exposed and become indefensible, nature strikes back. Were we able to strike back at a malware attack, and have some success, attacks would dwindle (based on the effectiveness of the counterattacks).

IN SUMMARY

Security in nature may tell us how to handle security in other situations. Nature herself provides a solid foundation for her adeptness at security. How does nature handle security? She handles it deftly, functionally, and purely out of the necessity of survival. Our computer security models can benefit greatly from the simple observations of nature.

First follow NATURE, and your Judgment frame
By her just Standard, which is still the same:
Unerring Nature, still divinely bright,
One clear, unchang’d and Universal Light,
Life, Force, and Beauty, must to all impart,
At once the Source, and End, and Test of Art
Art from that Fund each just Supply provides,
Works without Show, and without Pomp presides:
In some fair Body thus th’ informing Soul
With Spirits feeds, with Vigour fills the whole,

~Alexander Pope, An Essay on Criticism


Eleven years after Y2k – we are still alive…

In 1998, I wrote an article entitled, The Millennium Bug And The New Industry Of Hysteria. Twelve years later we are still alive. I found this thread of comments (see below) on my article archived on greenspun.com, and was quite amused. Either I pissed them off by pointing out obvious flaws which would possibly hurt their grifting ability, or they just didn’t get it.

I suspect both.

These people believed the “gloom and doomer” Gary North then – he prophesied the world would end as we know it – from this Y2k programming laziness – and he’s still around, now purporting to be an economist (http://www.garynorth.com/). Good luck with that too.

I know….they’ll say the reason the world didn’t end as we know it was because the tragedy was narrowly averted by upgrades and fixes. So much for their third-world hypothesis – that those countries wouldn’t fix anything, and the world would still end.

Above all, the prize for the best response goes to this one:

_______________

This is the main point that Mr. Theroux cannot grasp and does not understand. What will bring everything down is the propagating from one mainframe to another, worldwide, on a systemic basis, of bad/corrupt *DATA*….

from Mr. Theroux: The Millennium bug is obviously not a virus. A computer virus is simply a program that is able to replicate by itself (not necessarily sinister). A program that does not replicate is not a virus, regardless of whether it does damage to a computer or not. In order for a computer virus to actually do anything, it first has to be run on the computer – it doesn’t do anything all by itself until it is run by the user.

Now this guy, Brian, understands what I’m talking about, and this is his assessment of my theory in the first paragraph above about *DATA*:

Hmm. I work with “communicating computers” and must say that Andrew is precisely right. Date-dependent calculations have nothing to do with data-interchange validation routines. What Andrew is pointing out is that non-compliant programs will produce data that is wrongly calculated; these errors will spread magnitudinally throughout the global financial system. Validation routines between data interchanges simply verify that the parameters are correct: not the calculations forming the data. This is the meaning of corrupt data: bad information, not bad parameters. Andrew (and Gary North) are precisely correct. You are espousing the “misguided, unsupported idea of ‘corrupt’ data” equalling bad parameter transfers. That is incorrect and a straw dummy. Corrupt data = data correctly parametered yet wrongly calculated. Wrong calculations beget wrong calculations ad nauseam. Within 24 hours of the turnover, the Global Financial System will either A) be completely corrupt or B) be completely shut down so as to avoid A. The result is the same in either case; even if we don’t go Milne, you are going to see a mess bigger than you can imagine. Alan Greenspan was entirely correct when he stated that 99% is not good enough. We will be nowhere close – not even in the ballpark. The engines have shut down; the plane is falling – we simply haven’t hit the ground yet. Scoff if you must; as a professional working with professionals, I know the score. It’s going down. This is why at least 61% of IT professionals are pulling their money out before it hits – of course, in 10 or 11 months, that number will rise to 100%; but then, it will be too late. We know for a fact that 50% of all businesses in this, the best prepared of countries, will not perform real-time testing.
As a Programmer/Test Engineer, I can therefore assure you that at least 50% of all businesses in this, the best prepared of countries, are going to experience mission-critical failures, Gartner’s new optimistic spin notwithstanding. Remediation sans testing is not remediation. The code will still be broken, just in new and unknown ways.

Got wheat?

Bryan (:)

If you remember nothing else about the complexities of y2k, just remember the concept outlined above; this will bring us all down, this is the Achilles Heel.

Got wheat?

— Andy (andy_rowland@msn.com), November 20, 1998.

___________________

Well, the next great apocalypse is coming soon…maybe I’ll be wrong on that one.

See: http://www.greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=000G4l for some fun reading.

MT