Thursday, September 25, 2014

Self-destructive digital management of the human race

"While the tiger cannot stop being a tiger, it cannot be de-tigered, man lives in perpetual danger of being dehumanized." This lurking danger, which Ortega y Gasset's words bring out, lies in our own nature and leads us every day into a self-destructive situation of risk.

The story of the day, and presumably of the month, is the discovery of a serious vulnerability in the way Bash, the command interpreter of Unix operating systems (Linux and OS X), handles variables. The bug allows code to be executed while bypassing all kinds of protections. Some experts have begun to consider it the new Heartbleed, because in practice it affects the vast majority of services: websites with accessible CGIs, servers with SSH enabled, DHCP clients with shells, applications, Linux-based operating systems (such as Android), ATMs, smart TVs; basically any tool running on top of a Unix shell. Most distributions are working on fixing the problem. Patches for different services have started to emerge, but as usual, every single administrator of these kinds of systems has to apply the patch, and that could take a long time.

Yesterday, in the shadow of the Bash bug, we learnt of two other positive stories that bring some light to the future of our civilization. The NSS cryptographic library, which is essential for the proper functioning of secure connections (HTTPS) in many Internet services (such as Firefox, Thunderbird or SeaMonkey), received an update that fixed another critical vulnerability, one that could have been exploited for months to carry out phishing attacks over supposedly secure connections.

Meanwhile, Twitter, the birdie's microblogging network, implemented the necessary checks to ensure that requests made to its servers came from its own domains, thus preventing CSRF (Cross-Site Request Forgery) attacks. The odd thing is that part of the job had already been done: requests carried a (well made) random token, but it was never validated. Hence, in practice, the anti-CSRF measure never came into effect, allowing malicious requests (such as posting tweets, stealing the account's login credentials and personal details, following, RTs, FAVs) to be launched from other tabs or services.
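The failure described above, a token that is issued but never compared, as an added example (not Twitter's code, and the origins, handler names and request model are constructed for illustration):

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TRUSTED_ORIGINS = {"https://www.example-microblog.test"}  # constructed first-party origins


@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))  # unguessable, per session


@dataclass
class Request:
    method: str
    origin: Optional[str]   # Origin header as sent by the browser, None if absent
    form: Dict[str, str]    # parsed POST body
    session: Session        # session resolved from the cookie the browser attached


def handle_post_unchecked(req: Request) -> dict:
    """Before the fix: the token rides along in the form but nothing compares it."""
    if req.method != "POST":
        return {"status": 405}
    return {"status": 200, "action": "tweet", "text": req.form.get("text", "")}


def handle_post_checked(req: Request) -> dict:
    """After the fix: request must come from our own domain AND carry this session's token."""
    if req.method != "POST":
        return {"status": 405}
    if req.origin not in TRUSTED_ORIGINS:  # absent or foreign Origin header: reject
        return {"status": 403, "reason": "untrusted origin"}
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison against the token bound to the session.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return {"status": 403, "reason": "csrf token mismatch"}
    return {"status": 200, "action": "tweet", "text": req.form.get("text", "")}


def demo() -> dict:
    """Constructed scenario: a victim's session, one genuine post and one forged
    cross-site post from another tab, which cannot know the session's token."""
    sess = Session(user="victim")
    genuine = Request("POST", "https://www.example-microblog.test",
                      {"text": "hello", "csrf_token": sess.csrf_token}, sess)
    forged = Request("POST", "https://evil.test", {"text": "pwned"}, sess)
    return {"unchecked_forged": handle_post_unchecked(forged)["status"],
            "checked_forged": handle_post_checked(forged)["status"],
            "checked_genuine": handle_post_checked(genuine)["status"]}
```

The unchecked handler accepts the forged post with status 200 even though the session has a perfectly good token; only the checked handler turns the token into an actual control.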

To this we may add how Russian phone phishing, historically one of the most active forms of phone phishing, is spreading to less explored territories, such as Internet video calling services. The telecoms' crusade against these attacks, along with the proliferation of VoIP services such as Skype, has led these cybercriminal gangs to migrate their resources to this Microsoft service in order to carry out blackmail and demands for money, allegedly on behalf of a victim's friend.

Why do we act this way? Why do we hurt not only other species, but also other human beings? Virus Bulletin 2014, one of the most important AV events of the year, held in Seattle, left the death of the computer virus as its corollary. It might seem like good news, but it comes with a big 'but'. The virus itself, i.e. the tool used to cause harm in digital media, has evolved and diversified its scope so much that today its definition is inaccurate. Nowadays antivirus software does not protect against viruses, but against threats of various kinds. In this sense, the only thing they inherited from this old cyber weapon is its destructiveness.

All this led Nico, one of the organizers of the Spanish CON No Name, to wonder about the actual meaning of the proliferation of security events. What are their objectives? What is their value to society? And above all, he wonders whether all this "circus" is feeding human voyeurism, missing the point of what is truly important: knowing the risks we face and giving users the tools to address them.
