Tag Archives: China

Stealing the keys to the kingdom

There are some interesting tidbits coming out about the Chinese hack of Google. Apparently the source code to Google’s SSO technology was a target (although this is misstated in the headline as a “password system”). It’s unknown at this point what source code (if any) was taken, but this highlights the nightmare scenario of the SSO world.

If a vulnerability is found in your token generation code such that someone can spoof a token, then your SSO system and every system connected to it is compromised.

Of course just having the source code is not in itself a problem. Typically there is a private key that is used to encrypt or sign the token. But protecting that private key is the issue, and that is where the source code matters. If you think your key has been compromised you can replace it. But the code that authenticates the user and generates the token needs to get the private key to do the encryption (or signing, or both). If the secret mechanism for accessing that key is compromised, the attacker can attempt to penetrate the system where that key lives and get the key. With the key and the token-generating code in hand, the attacker can then access any SSO-protected system.

And here is an ugly secret. If the SSO technology is based on public key encryption, the key only needs to exist where the token is initially generated. If it’s based on symmetric key encryption, then the key has to exist on every server in the SSO environment.

So just use public key encryption and that solves the problem, right? Not so fast. One critical aspect of SSO is the inactive session timeout. That requires the token to be “refreshed” when it is used, so that it expires based on inactivity. Refreshing the token at every server in the SSO system (every PEP, if you will) requires either that server to have the key, or that it make a remote call to a common authentication service to refresh the token.

There are pluses and minuses to both approaches. One puts the keys to the kingdom in more locations but the other adds overhead to the token refresh. When security and performance collide, who do you think usually wins?
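To make the trade-off concrete, here is an added example in Go; it is not code from the original post, nor from Google’s SSO system, and it uses HMAC-SHA256 for the symmetric case and Ed25519 for the public-key case. The token layout (tag followed by a JSON body), the claim names, the 15-minute idle window and the type names are all assumptions made for this example. In the HMAC version the PEP verifies and refreshes with the same key, so that key has to live on every server; in the signed version a PEP needs only the public key to verify, and has to call the authentication service to get a refreshed token.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims carried in the token; LastSeen drives the inactivity timeout and is
// moved forward on every refresh. Token layout (tag || JSON body) is constructed here.
type Claims struct {
	Subject  string `json:"sub"`
	LastSeen int64  `json:"last_seen"`
}

const IdleTimeout = 15 * time.Minute // assumed inactivity window

// checkIdle decodes the claims and rejects a session idle for longer than IdleTimeout.
func checkIdle(body []byte, now time.Time) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return Claims{}, err
	}
	if now.Sub(time.Unix(c.LastSeen, 0)) > IdleTimeout {
		return Claims{}, errors.New("inactive session timed out")
	}
	return c, nil
}

type HMACIssuer struct{ Key []byte } // symmetric flavour: one key shared by issuer and every PEP
func (h HMACIssuer) tag(body []byte) []byte {
	m := hmac.New(sha256.New, h.Key)
	m.Write(body)
	return m.Sum(nil)
}

func (h HMACIssuer) Mint(c Claims) []byte {
	body, _ := json.Marshal(c)
	return append(h.tag(body), body...)
}

func (h HMACIssuer) Verify(tok []byte, now time.Time) (Claims, error) {
	if len(tok) < sha256.Size || !hmac.Equal(h.tag(tok[sha256.Size:]), tok[:sha256.Size]) {
		return Claims{}, errors.New("bad MAC")
	}
	return checkIdle(tok[sha256.Size:], now)
}

// Refresh can run on the PEP itself (verifying key == minting key), so every PEP holds the keys to the kingdom.
func (h HMACIssuer) Refresh(tok []byte, now time.Time) ([]byte, error) {
	c, err := h.Verify(tok, now)
	if err != nil {
		return nil, err
	}
	c.LastSeen = now.Unix()
	return h.Mint(c), nil
}

type AuthService struct{ priv ed25519.PrivateKey } // asymmetric flavour: the private key lives only here
func NewAuthService() (*AuthService, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &AuthService{priv: priv}, pub
}

func (a *AuthService) Mint(c Claims) []byte {
	body, _ := json.Marshal(c)
	return append(ed25519.Sign(a.priv, body), body...)
}

// Refresh must run here, because only the private key can sign the updated claims; PEPs call it remotely.
func (a *AuthService) Refresh(tok []byte, now time.Time) ([]byte, error) {
	c, err := VerifySigned(a.priv.Public().(ed25519.PublicKey), tok, now)
	if err != nil {
		return nil, err
	}
	c.LastSeen = now.Unix()
	return a.Mint(c), nil
}

// VerifySigned is what a PEP runs locally: it needs only the public key.
func VerifySigned(pub ed25519.PublicKey, tok []byte, now time.Time) (Claims, error) {
	n := ed25519.SignatureSize
	if len(tok) < n || !ed25519.Verify(pub, tok[n:], tok[:n]) {
		return Claims{}, errors.New("bad signature")
	}
	return checkIdle(tok[n:], now)
}

func main() {
	auth, pub := NewAuthService()
	tok := auth.Mint(Claims{Subject: "alice", LastSeen: time.Now().Add(-time.Hour).Unix()})
	_, err := VerifySigned(pub, tok, time.Now()) // an hour idle and never refreshed
	fmt.Println("stale token:", err)
}
```

Both flavours share the same inactivity check; the only difference is who can produce a new tag after bumping `last_seen`. With HMAC that is anyone who can verify, which is exactly why the shared key ends up on every PEP; with Ed25519 the PEPs can reject forged or stale tokens on their own but every refresh is a round trip to `AuthService.Refresh`, which is the performance cost the post weighs against the wider key exposure.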

These kinds of trade-offs are what make SSO so interesting to me.

Note that I am not talking about federated SSO (SAML or OpenID) or intranet SSO (Kerberos), as they present a different set of challenges.

Just a bit more complicated than that

Phil Windley posts about Google’s recent moves in China and describes them as a result of the conflict between Google’s desire to do what’s right (not censor) and its need to do what it takes to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.

To be clear, Google has been fine with doing evil for several years now. They lived with the government restrictions and did business up until recently, when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. The decision to buck the government was also made easier by Google’s own lagging competitive position in China.

If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.

What’s not being said

I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article Google and China are negotiating a face-saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably the truth, is that this is really all about the Chinese government hacking Google.

I mean seriously. Google China censored content from day one, and now all of a sudden it has decided to “do less evil”? As Corporal Nobbs likes to say, “pull the other one, it has bells on it”.

No, what changed is that the government has hacked Google and gotten caught doing it, and probably affected some high-level Google execs.

Here is my prediction: the face-saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.

Misplaced Blame

Bruce Schneier writes this, in which he lays the blame for the Chinese hack of Google on the US Government. His reasoning is that since Google put in a back door surveillance mechanism to enable the US to eavesdrop on Google users, it is then the US’s fault that Chinese hackers used that mechanism to hack Google accounts.

This is a little like me blaming my employer if I have an accident on the way to work.

While I agree that companies should not be making it easy for governments to spy on people, when they are legally required to do so it is also their responsibility to make sure that this is done in as secure a manner as possible.

Also note the interesting linguistic phrase that most journalists have used on this issue. The hacking of Google is usually described as being done by “Chinese hackers”. That’s not wrong, but it misses the most important point. No one seriously believes that the attacks were not done at the behest of the Chinese government itself. That is a very important distinction.

Mr. Friedman praises the slave owners

Is a slave with a wise master better off than a free man that makes bad decisions?

Thomas Friedman would say yes, according to this jaw-dropping editorial in which he praises the Chinese government because it is, in his words, “enlightened”. I kid you not. Read it for yourself. He favorably compares a despotic regime with the US democracy because they are willing to ignore the will of the people and implement unpopular decisions.

Democracies aren’t perfect. But to refer to a country like China as “enlightened” is an insult to the thousands of its citizens who have been arrested, jailed, tortured, and killed for the crime of wanting freedom.

Of course Mr. Friedman is free to say whatever he wants in this country. An irony that is sadly lost on him.

The cyber-cassandras vs the cyber-pollyannas

When I blogged here about the recent announcement that backdoors had been left in the US grid infrastructure, I had predicted that many would respond with the standard “hackers with no ties to any government” theory. Well, when you’re wrong, you’re wrong. Instead I saw some interesting reactions that seem to say “what’s the big deal?”

For instance Joel Hruska from Ars Technica has this take:

At the end of the day, we’re watching a movie remake. The special effects have been updated, and some of the actors are new, but we’re still talking about security threats from “out there” and the need for a new type of national security. The Internet is merely the latest - and by most measures, the most benign - means by which one country could attack another. Personally, given the choice between ICBMs, chemical weapons, “the bomb”, or V-2 rockets, I’ll take the Internet.

I would point out to Mr. Hruska that these options are not mutually exclusive. Note that recently the country of Georgia was not bombed solely with packets.

And Bruce Schneier writes:

Read the whole story; there aren’t really any facts in it. I don’t know what’s going on; maybe it’s just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And from this Evgeny Morozov article titled “10 easy steps to writing the scariest cyberwarfare article ever”:

1. You need a catchy title. It pays to cannibalize on some recent tragic event from the real world; adding “cyber” to its name would usually trigger all the right associations. Studies show that references to “digital Pearl Harbor”, “cyber-Katrina”, and “electronic 9/11” are most effective, particularly for stories involving electricity grids or dams. Never make any explicit attempts to explain the bizarre choice of your title - you need to leave enough ambiguity out there for your readers to “connect the dots” themselves. This is a win-win: readers love solving important cyberspy puzzles - and you could get away without doing any analysis of your own. Quoting real facts would spoil the puzzle-solving experience; plus, the fewer facts you quote, the harder it would be to debunk your story!

Perhaps this is just a tempest in a teapot. Perhaps I am just being a cyber-cassandra. But for all the dismissive rhetoric from the cyber-pollyannas, there is one thing you won’t hear: a reason why these penetrations were attempted. You won’t hear it because the plausible explanations are a bit more worrisome than the cyber-pollyannas want to admit.

Tiny steps

Google, Microsoft, and Yahoo are going to announce new policies regarding how they do business in repressive countries, according to this Reuters article:

Under the new principles, which were crafted over two years, the companies will promise to protect the personal information of their users wherever they do business and to “narrowly interpret and implement government demands that compromise privacy,” the Journal said.

They will also commit to scrutinizing a country’s track record of jeopardizing personal information and freedom of expression before launching new businesses in a country and to discuss the risks widely with their executives and board members, the paper said.

While I haven’t seen the whole set of principles, it’s interesting to note what they are not saying. They are not saying that they won’t give these regimes everything they ask for; they are just going to make them be specific about it.

And that’s probably the best that we can hope for. I don’t expect these companies to stop doing business in some of the largest countries in the world just because they aren’t free.

But consumers need to know that and act accordingly.