South Korea military cyber command was hacked (english.yonhapnews.co.kr)
2. Government blames North Korea
3. ???
4. Profit! Err, I mean, government support goes up.
Well, maybe North Korea did it, maybe it didn't, but the current state of South Korean politics created a perverse incentive structure. The more severely the government is hacked (or otherwise attacked by North Korea), the more it is politically rewarded.
So, expect nothing to change any time soon.
* Ensure that the advice IAD was generating was untainted by SIGINT influence
* Enable IAD to independently collect vulnerability intelligence and disseminate it (most importantly, to vendors) without having to endure a bogus equities process to ensure they weren't blowing a SIGINT operation.
Of course, this only works if IAD is stripped completely out of the NSA, and perhaps out of the DoD entirely. IAD probably belongs under DHS.
Lobbying against SIGINT vulnerability collection doesn't actually make us materially safer --- even if things like the "Shadow Brokers" became routine (rather than the unprecedented shitstorm it actually was), the number and caliber of the vulnerabilities we're talking about are a tiny fraction of the threat we face.
There's nothing special about NSA or 0-days here. We're using very generic platforms. Lots of organisations have exploits. We're still in a situation where you can point a fuzzer for a few hours at any popular app and get yourself a new 0-day. The only thing that will help you is getting rid of the possibility of exploitation, and limiting the scope when it happens.
Right now, government doesn't care. Right now, it is cheaper to get hacked, spew all your information, and then say, "sorry". Not right.
Our security strategy is to:
A) surveil, infiltrate, and block conspiracies to do so before they happen, and
B) identify, track, and punish our attackers after the fact.
I don't think (and "cyber" policy makers don't seem to think) that making every piece of software free of vulnerabilities is realistic. Sabotaging hacking groups, and building sufficiently scary capabilities for retaliation against nation-states that might attack us, seems much more attainable.
Actively harming the security of Americans is extremely wrong.
They've made absolutely certain of it.
Every Intel motherboard since 2008 has had a "spy" on board, almost every home router is working for someone's botnet and will never be patched, medical devices and factory automation systems ship with default passwords because no one assumed they would ever connect to the Internet, and don't get me started on browsers and JavaScript.
It was a multi-decade long fight to get the seat belt adopted, so I suspect that we aren't going to fix this the old way - surely at some point we stop?
Hardware keystore with physical switch to generate and enroll keys, user/owner controlled secrets, one-time programmable as an option, hardwired SAK and OS personality switching key.
Real-time security isolation kernel, hardware-enforced containerization with MMU-protected GPU passthrough.
Does the North have hackers skilled enough to perform such (or any) attacks? How did they acquire their skills given the internet is forbidden there?
Considering the timeline (within the last month or two) and the recently discovered issues in antivirus products from multiple vendors, I think that this scenario (or something similar) is, at the least, plausible.
A compromised UTM firewall would not be unheard of either.
It's not a bunch of people living under thatch houses.
If the government wants to make strides in something, they will. They can send their students overseas and get their education there. They can collaborate with other countries.
It's not something every citizen can achieve, but you only need a subset to be effective in cyber warfare.
The US media doesn't say that. The average N. Korean is very much cut off from the rest of the world... somewhat changing with smuggled-in phones and DVDs, but still.
For what it's worth, that problem works both ways; I'd imagine South Korea (and the CIA and whoever else is interested) has all sorts of access to North Korean systems.
If the smart ones who work for the government can feed their entire family, why would they do something different? To strive for a democracy like ours where a racist, bigot and xenophobe like Trump is a vote away from being president?
All NK needs to do is air some of Trump's speeches to prove dear leader was right all along.
We aren't talking about the average N. Korean. Their best and brightest are sent offshore to study in STEM fields (with their family held hostage against their eventual return of course).
So anyhow, it's not like a footrace where the major nuclear powers are at the finish line and NK is trying to catch up. They're following their own path appropriate for the situation they're in.
- I don't think the chronological order in which we've developed technologies matches up with the difficulties of cloning/repurposing/using them. I wouldn't expect NK to be able to put a man on the moon prior to, say, being able to make a Facebook clone.
- Not everything is being invented from scratch. If individuals can smuggle data and devices in, do you doubt the military acting with the full resources of the country couldn't manage the same?
The median venture capitalist in the valley could outspend the US --- actually, probably the world --- on vulnerability acquisition. But there probably isn't an investor and there may not be a single tech company that outspends the USG on defensive security acquisitions.
I don't disagree on the lack of private hardening spending, which is really beside the point, because obviously there is very little incentive for a company when all they have to do is budget for a useless CYA LifeLock service.
Exploit development is a rounding error in that budget.
Is the money being spent wisely? Different question. But: nobody really knows how to effectively spend 100MM on hardening (a nice round number I picked at random).
You're redefining "hardening" to "hardening I agree with".