Senator Ron Wyden has sent a letter to Dana Deasy, the CIO of the Department of Defense. Earlier this week, Wyden asked him to adopt best practices to secure the department's public web properties: few of these sites use HTTPS, and many have feeble authentication processes. "The DoD cannot continue these insecure practices," Wyden said, noting that failing to heed these warnings "will erode the public's trust in the department and its ability to defend against sophisticated cyber threats." One of the websites cited was that of Deasy's own office. As Wyden reminded him, under Office of Management and Budget guidelines all public websites should by now be using HTTPS and deploying trusted digital certificates. Wyden asked for an action plan by the end of July. Other industries have been adopting HTTPS at a rapid clip, thanks to the actions of Google, Let's Encrypt and other major vendors in this area. It is unfortunate that the feds, and especially our defense agencies, can't lead by example here.
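The baseline Wyden is pointing to can be checked mechanically. Below is an added Python example (my own, not from the letter or the post) that probes a hostname and reports whether cleartext HTTP redirects to HTTPS, whether the certificate validates against the system trust store, and whether an HSTS header is set; the pass/fail logic is kept separate from the network fetch so it can be exercised on constructed results, and only standard-library modules are used.

```python
import ssl
import urllib.error
import urllib.request


def probe(host, timeout=10):
    """Fetch http://host/ without following redirects, then https://host/
    with certificate and hostname verification. Returns the tuple that
    assess() consumes: (http_status, http_location, https_ok, https_headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # leave 3xx unfollowed so the Location header can be inspected
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open("http://%s/" % host, timeout=timeout)
        http_status, http_location = resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx surfaces here
        http_status, http_location = err.code, err.headers.get("Location")
    except OSError:  # port 80 closed or unreachable: nothing to redirect
        http_status, http_location = None, None
    try:
        ctx = ssl.create_default_context()  # system trust store plus hostname check
        resp = urllib.request.urlopen("https://%s/" % host, timeout=timeout, context=ctx)
        https_ok, https_headers = True, dict(resp.headers)
    except urllib.error.HTTPError as err:  # TLS handshake succeeded; HTTP status is irrelevant
        https_ok, https_headers = True, dict(err.headers)
    except OSError:  # URLError, SSLError (untrusted cert) and timeouts all land here
        https_ok, https_headers = False, {}
    return http_status, http_location, https_ok, https_headers


def assess(http_status, http_location, https_ok, https_headers):
    """Pure check of the HTTPS baseline; returns the list of violations
    (an empty list means the host meets it)."""
    findings = []
    if not https_ok:
        findings.append("https unavailable or certificate not trusted")
    redirected = (http_status is not None and 300 <= http_status < 400
                  and (http_location or "").lower().startswith("https://"))
    if http_status is not None and not redirected:
        findings.append("cleartext http served without redirect to https")
    hdrs = {k.lower(): v for k, v in https_headers.items()}
    if "max-age=" not in hdrs.get("strict-transport-security", "").lower():
        findings.append("no strict-transport-security (HSTS) header")
    return findings


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # hostnames are supplied by the operator running the check
        print(host, assess(*probe(host)) or ["ok"])
```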
Elsewhere on Capitol Hill, other senators were hearing testimony from a group that first appeared before Congress in 1998: members of the L0pht Heavy Industries hacking organization. A recorded stream of this testimony is available (the video quality is wanting, but the audio is solid).
In this week's outing, they traded jokes about how little hair they now have, but there was a serious undertone to the reunion. The members were given nameplates with their nom de hacking both then and now, not just to be cute but because they were afraid of lawsuits. Back in 1998, they warned that computer networks were embarrassingly insecure and bragged that any one of them could take the entire Internet down in a few minutes, thanks to weaknesses in the core BGP routing protocols. In this week's testimony, four of the group returned to say that while technology has improved, some things haven't changed. The same BGP flaws were used in the MEWkit attack earlier this month. Joe Grand (Kingpin) said, "Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same."
Since their trip to the Hill, they have mostly remained in cybersecurity. Some have founded security vendors or VARs, others conduct research for the government, and some have gone very corporate. Space Rogue, Cris Thomas, now works for IBM’s X Force for example.
They testified that state-sponsored hackers and international criminal organizations, once just a hypothetical menace, have emerged as a top digital threat to governments and companies around the world. Thomas said this week that “we have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources (10:00)… Strong encryption is more prevalent, but we aren’t applying the knowledge of how to make something secure evenly.” (12:00) (I have provided time codes keyed to the video stream, in case you are interested in tracking on your own.)
Chris Wysopal (Weld Pond) is now the CTO of CA/Veracode. He said, "There are so many more threat actors now. We have gone from teenagers to nation states doing the hacking."
Peiter Zatko (Mudge) said that “while it feels better to buy the more complex security solution, it might have a larger attack surface and be more vulnerable.” (1:03:00)
If you have time to review either or both recorded streams, you can see how little we have accomplished in the intervening 20 years, and how many of the L0pht warnings haven't been acted on.