Friday, November 23, 2018

Navigating Cyber

Back in the mid-1970's, I was an undergraduate studying Cybernetics and Instrument Physics in the Department of Cybernetics at Reading University in the UK. I was attracted to the ideas of feedback and control theory introduced by the MIT mathematician Norbert Wiener in his landmark book, Cybernetics: Or Control and Communication in the Animal and the Machine, which I had devoured in my final year of high school.

Those ideas were eventually subsumed into a variety of specialized fields - missile guidance systems, bionics, artificial intelligence, economics and econometric modeling, ecology, general systems theory and others. Meanwhile, my own journey took me into electronics, personal computing hardware, software, operating systems, software development, networking and eventually, the destination for many of us old jacks-of-all-trades, computer security.

Titles are more a matter of fashion than semantic precision, so in due course, I became an information security consultant - or, for added gravitas, an information assurance consultant. Whatever it was called, it was a long way from my starting point of cybernetics.

And then, suddenly, the circle closed. "Oh, you work in cyber security?", I was asked.

And so several years of teeth grinding began.

The term "cybersecurity" began its rise to popularity thanks to a National Security Presidential Directive issued late in the George W. Bush Presidency, NSPD-54 of January 8, 2008. The accompanying memorandum (now declassified) defines "cybersecurity" to mean "prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation".

The prefix "cyber", in this context, seems to relate to the next definition: "cyberspace", which means "the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries".

The term "cyberspace", in turn, was coined by the science fiction author William Gibson in his 1982 short story collection Burning Chrome, but really popularized in his novel Neuromancer. Wiktionary suggests it is a "Blend of cybernetics + space".

So, where does "cybernetics" come from? Although Wiener coined the modern meaning with his 1948 book, its etymology begins with the Ancient Greek, κυβερνήτης, ("kubernetes") which means a steersman, pilot or navigator. The κυβερνήτης was the man holding the steering oar at the rear of a galley (something I know from another course at Reading, The History of the Warship, taught by an eminent materials scientist with a classicist bent, Prof. J. E. Gordon). It was the steersman's job to keep the ship on course, despite the vagaries of wind, tide and currents, maintaining a course for the next headland.

It is from this root that we get the word governor - originally referring to the centrifugal governor, an arrangement of spinning brass balls which levered a valve open and closed to regulate the speed of a steam engine - perhaps the earliest example of a feedback system applying proportional control.

And of course, the same root gives us the terms govern, government and governance. The latter is important in information security - corporate governance is the set of arrangements for the oversight of management, which act to correct things when an enterprise is "off course", and this leads in turn to information systems governance and information security governance.

So, in that sense, we're still in the realm of cybernetics.

The change from information security to cyber security has wrought some changes, though. The former term encompasses information in all its forms; it extends beyond computer and network security to cover paper (which is why we have information handling rules for classified documents, cabinets, safes, etc.) as well as tacit knowledge. But "cyber" carries other connotations - it abandons the physical world and replaces it with allusions to robots, androids, Dr. Who and the Cybermen and the online world.

On the other hand, "cyber" also connotes machines and brings us to the world of cyber-physical systems - drones, autonomous vehicles, industrial control systems, power plants, factory and warehouse robots, and even bionic devices such as pacemakers, bionic limbs and implantable cardioverter defibrillators. While risk management for infosec specifies impact on information assets in dollar terms, now we have to think in terms of injuries and life safety.

When people talk about "cyber security", though, what do they actually mean? In my experience, they're really talking about the security of things connected to the Internet, and securing systems against attacks delivered via the Internet. This tends to de-emphasize insider attacks, taking us back to the firewall-centric, M&M model of information security: hard and crunchy on the outside, but soft and gooey on the inside. That view was always problematic - all the more so with the move to deperimeterization and cloud services.

In the end, we still don't have a well-defined term for what we do - "systems security" might be the most appropriate, in my view. But at least you know why, when you talk to me about "cyber" ("cyber all the things!") you are met with a quizzically raised eyebrow.

You keep using that word; it does not mean what you think it means.

Friday, October 26, 2018

How to FAIL at Online Customer Service

In just over a week, I'm flying to the US for a conference (the NIST NICE Conference, as it happens). My office has booked my flight with Qantas, and today I received an email from the airline offering me the chance to upgrade for a combination of frequent flyer points and cash.

Clicking the "Make your offer" button in the email takes me to a page where I can select how much I wish to bid for the upgrade, using a slider. The instructions state:
  1. Select the flight segment(s) you wish to upgrade. If there’s more than one flight segment, you can choose to make an upgrade offer for some or all of the segments. If you do not wish to make an upgrade offer for a segment, move the slider to the left to indicate ‘no offer’.
  2. Adjust the slider to show the amount of money you want to offer and if you are a Qantas Frequent Flyer member, input the Qantas Points you want to offer and select the update button.
Only, there's no slider. In both Firefox and Chrome, the part of the page where the slider should appear looks like this:


The slider is probably supposed to appear either above, below or between the "No Offer" label and the maximum amount of $4,105. But it's not there.

So I open the browser console, and there's a very obvious JavaScript error:

The error is in this line:

plusgrade.page.modules.bid.slider.loyaltyPointsFormat.groupingSeparator = ","; 

You can't set a property of an object that doesn't exist!

It turns out there is no way to make an offer and get an upgrade.

Now, I'd like to notify Qantas of the problem with this process (which is outsourced, by the looks of things). I'm helpful like that. I mean, how many customers are willing and able to provide you with this kind of console log information to quickly resolve a problem?

Only, there's no way to get the information to Qantas. Replying to the email simply gets a bounce: "Please note that this email is unattended.". Clicking on the "Online help" link at the foot of the email leads to https://qantas.custhelp.com/app/ask, which, despite being titled "Email Us" has nothing to do with email at all. Rather, it uses a pair of "Category" and "Sub category" drop-downs to try to categorise the user's query. After carefully inspecting these drop-downs - a time-wasting exercise if ever I saw one - there appears to be no way to direct a query relating to the upgrade process. I could search a library of FAQ's, but I don't have a question - I have a failure. I don't think searching the FAQ's for "loyaltyPointsFormat undefined" is going to get me very far, do you?

This is the heart of the problem; in an attempt to reduce customer service costs, the company has ensured that the customer cannot obtain service. Worse, it wastes the customer's time.

So, I'm writing this up in hopes that, one day, someone from Qantas will stumble over it and fix their broken upgrade bid process - and, more importantly, provide a way for customers with problems that Qantas doesn't anticipate - and they're the ones they really need to hear about - to get service. Until they do, they're going to miss out on business, fail to maximize revenues, give users a lousy customer experience (CX) and drive down their NPS (Net Promoter Score).

I'd call that an epic online customer service FAIL - wouldn't you?

Update: Afternoon of 29th October - three days later, somebody has finally woken up and the problem has been fixed. We can finally see the slider, and - wow! a little dial which provides a graphical indication of where the slider is positioned! Somebody is really thinking through the usability!

Oh, well. At least it's working. . . for now.

Tuesday, April 3, 2018

Installing YARA from Source Code on CentOS 7

A short post - really more of a reminder to myself - on how to install YARA on CentOS Linux 7.

CentOS is an enterprise Linux distribution, and as a consequence aims for stability - it tends to have older versions of many software packages. This can make installing some software a bit of a challenge.

YARA is a pattern-matching program for use by malware analysts - it's a kind of Swiss Army Knife that can calculate hashes, perform string and regular expression matching, and understands various binary executable formats, like PE - most of the techniques that are useful for finding and investigating malware.

Preparation

Installing the various required packages can only be done as root. Rather than prefixing each command with sudo, just su to root:

$ sudo su -

Many of the packages required by YARA are also a little ahead of the standard CentOS releases - but that's common for up-to-date versions of many programs, like PHP and others. So you may already have the first requirement - a Yum configuration for the EPEL (Extra Packages for Enterprise Linux) repository. If you have, then you're good to go - otherwise, enable EPEL with the command

# yum install epel-release

If that doesn't work, because you don't have the CentOS Extras repository enabled, then install the EPEL 7 release package directly:

# rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Now you're ready to start installing the required packages. Start with GNU Autoconf and libtool:

# yum install autoconf libtool

Then add the OpenSSL development files:

# yum install openssl-devel

If you intend to use the YARA magic module (which needs libmagic, from file-devel) and the cuckoo module (which needs jansson):

# yum install file-devel
# yum install jansson jansson-devel

Finally, the latest YARA rules require Python 3.6, so if you don't have it:

# yum install python36 python36-devel

Installing YARA itself

From this point, everything goes as per the instructions at http://yara.readthedocs.io/en/v3.7.1/gettingstarted.html. You should drop your root privileges (exit or switch to another session) then download the latest version of YARA. From that point, it goes something like this:

$ tar xzvf yara-3.7.1.tar.gz
$ cd yara-3.7.1
$ ./bootstrap.sh
$ ./configure --enable-cuckoo --enable-magic
$ make
$ sudo make install

Finally, run the YARA tests:

$ make check

Among the output that follows, you should see:

PASS: test-alignment
PASS: test-api
PASS: test-rules
PASS: test-pe
PASS: test-elf
PASS: test-version
PASS: test-exception

[...]
============================================================================
Testsuite summary for yara 3.7.1
============================================================================
# TOTAL: 7
# PASS:  7
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

If all is correct, you're good to go! Have fun, and nail that malware!
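The whole procedure above, gathered into one POSIX shell script as an added example - it is not from the original post or from the YARA project. The package names, configure flags, version number and EPEL fallback are the ones given above; the function names (build_deps, enable_epel, install_deps, build_yara, check_passed), the GitHub tarball URL, and the addition of gcc and make to the package list are my own assumptions. The one thing the script adds to the post is check_passed, which parses the Testsuite summary that make check prints instead of relying on eyeballing it:

```shell
#!/bin/sh
# Added example, not from the original post or the YARA project: the CentOS 7
# procedure above as one script. Package names, configure flags and the version
# are those the post uses; the tarball URL, the extra build tools (gcc, make)
# and the function names are assumptions.

YARA_VERSION="${YARA_VERSION:-3.7.1}"
# Assumption: release tarball fetched from the GitHub tag for that version.
YARA_URL="https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz"

# Print the yum packages the build needs, one per line, given the configure
# flags that will be used. The magic module needs libmagic headers (file-devel);
# the cuckoo module needs jansson. gcc and make are added because a minimal
# CentOS install lacks them.
build_deps() {
    printf '%s\n' autoconf libtool make gcc openssl-devel
    case " $* " in *" --enable-magic "*)  printf '%s\n' file-devel ;; esac
    case " $* " in *" --enable-cuckoo "*) printf '%s\n' jansson jansson-devel ;; esac
}

# Enable EPEL unless it is already an enabled repository. The rpm fallback is
# the EL7 release package, matching the CentOS 7 target.
enable_epel() {
    if yum -q repolist enabled 2>/dev/null | grep -qE '^[!*]?epel'; then
        return 0
    fi
    sudo yum -y install epel-release ||
        sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
}

install_deps() {
    # Word splitting of the package list is intended here.
    sudo yum -y install $(build_deps "$@")
}

# Read "make check" output (file argument, or stdin) and succeed only if the
# Testsuite summary is present, ran at least one test and reports no FAIL or
# ERROR. Summary lines look like "# TOTAL: 7" and "# FAIL:  0", so $3 is the count.
check_passed() {
    awk '
        /^# TOTAL:/ { total = $3; n++ }
        /^# FAIL:/  { fail  = $3; n++ }
        /^# ERROR:/ { error = $3; n++ }
        END {
            if (n == 3 && total > 0 && fail == 0 && error == 0) exit 0
            exit 1
        }' "$@"
}

# Download, build and install as an unprivileged user (sudo only for install),
# then run the test suite and check its summary.
build_yara() {
    (
        set -e
        curl -fsSL -o "yara-${YARA_VERSION}.tar.gz" "$YARA_URL"
        tar xzf "yara-${YARA_VERSION}.tar.gz"
        cd "yara-${YARA_VERSION}"
        ./bootstrap.sh
        ./configure "$@"
        make
        sudo make install
        # make check's own exit status is ignored; the summary is what we verify.
        make check > ../yara-check.log 2>&1 || true
    ) && check_passed yara-check.log
}

# With no argument the script only defines the functions (handy for sourcing).
case "${1:-}" in
    install)
        enable_epel &&
        install_deps --enable-cuckoo --enable-magic &&
        build_yara --enable-cuckoo --enable-magic &&
        echo "YARA ${YARA_VERSION} installed; test suite clean." ;;
    check)
        check_passed "${2:-yara-check.log}" ;;
esac
```

Run it as `sh install-yara.sh install` to do the whole job, or `make check 2>&1 | sh -c '. ./install-yara.sh; check_passed'` to verify an existing build; the script leaves the "# FAIL:" and "# ERROR:" counts as the only thing that decides success, since a test suite that is missing its summary altogether is as suspicious as one that reports failures.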

Friday, March 30, 2018

Optus Cable with Google Wi-Fi

We had Optus Cable installed yesterday, replacing an aging ADSL connection. We already had Google Wi-Fi installed, replacing a complicated setup consisting of a Linux-based firewall and multiple access points, but ADSL had become painful, with disconnections whenever it drizzled, let alone rained, and one phone line not working at all (perhaps disturbed by a linesman while trying to get the ADSL fixed).
Up with this, I shall not put!

I had no intention of downgrading our Google Wi-Fi setup with the somewhat primitive devices Optus supply, so the problem was to get the combination working. Google Wi-Fi can lose some functionality if hidden behind another router, so I had googled for information on the Optus-provided devices to see how they performed. Posts on discussion boards suggested the Netgear CG3000 could be configured as a bridge via some barely-documented settings, while the Sagemcom devices should be avoided at all costs. With that in mind, I selected a plan that provided the CG3000 and figured I would let the Optus technicians get it working and then figure it out. I also took the precaution of buying a spare CG3000 - just so I could replace a Sagemcom if worse came to worst, or perhaps have one configured the way I want and the original to put back into place if necessary.

In the end, there was far less drama than expected. The Optus techs turned up with a Netgear CM500V modem and a separate Sagemcom 3864V3 router. I let them install it, connected to it via my laptop to show it was all working, and bid them adieu.

Then I unplugged the Sagemcom and put it back in the box and performed the following procedure:
  1. Switch off the CM500V. This is necessary, as the modem remembers the MAC address of the router it is connected to and will not talk to the Google Wi-Fi router without a reboot.
  2. Switch the CM500V back on again. It may take a few minutes to connect, so get it started while you're doing the rest of this procedure.
  3. Unplug the Google Wi-Fi router from the ADSL modem.
  4. Check the Google Wi-Fi router has realised it is offline - it should show a pulsing amber light.
  5. Turn off mobile data on your phone, then run the Google Wi-Fi app and go to Settings -> Network & General -> Advanced Networking -> WAN. The WAN settings are not editable unless Google Wi-Fi is offline and your phone is talking to it directly on the wireless LAN.
  6. Change the WAN settings to "DHCP" and tap "Save".
  7. Check the CM500V - the Power, Downstream, Upstream and Internet LEDs (the top four) should all be solid green by now.
  8. Plug in the Ethernet cable from the Google Wi-Fi WAN port to the modem. Give it a few seconds - the Ethernet LED on the CM500V should turn green and the Google Wi-Fi router will get its WAN IP address via DHCP and should settle down to a stable white light.
  9. Phew! That's better!
  10. Go back to the Google Wi-Fi app Shortcuts page, tap "Network check" and then "Test Internet". Marvel at the impressive speed test result!

The NBN HFC Internet connection box sits, forlorn, on the wall of our house while nbnco tries to figure out how to get DOCSIS 3.1 up and running on the cable. We just couldn't wait that long in the end. However, I expect this procedure should work just fine with an NBN cable modem.

Final caveat: I haven't tested the CM500V with a phone, since we have an Asterisk VoIP setup. But I've no reason to suspect the switch to the Google Wi-Fi setup will affect phone operation in any way.