The Unintended Harms of Cybersecurity

Interesting research: “Identifying Unintended Harms of Cybersecurity Countermeasures”:

Abstract: Well-meaning cybersecurity risk owners will deploy countermeasures (technologies or procedures) to manage risks to their services or systems. In some cases, those countermeasures will produce unintended consequences, which must then be addressed. Unintended consequences can potentially induce harm, adversely affecting user behaviour, user inclusion, or the infrastructure itself (including other services or countermeasures). Here we propose a framework for preemptively identifying unintended harms of risk countermeasures in cybersecurity. The framework identifies a series of unintended harms which go beyond technology alone, to consider the cyberphysical and sociotechnical space: displacement, insecure norms, additional costs, misuse, misclassification, amplification, and disruption. We demonstrate our framework through application to the complex, multi-stakeholder challenges associated with the prevention of cyberbullying as an applied example. Our framework aims to illuminate harmful consequences, not to paralyze decision-making, but so that potential unintended harms can be more thoroughly considered in risk management strategies. The framework can support identification and preemptive planning to identify vulnerable populations and preemptively insulate them from harm. There are opportunities to use the framework in coordinating risk management strategy across stakeholders in complex cyberphysical environments.

Security is always a trade-off. I appreciate work that examines the details of that trade-off.

Posted on June 26, 2020 at 7:00 AM • 29 Comments

Comments

David Rudling June 26, 2020 8:06 AM

“Security is always a trade-off.”
Yes, but who should control the trade off?
High security should be available to me if required and I strongly object to my security being undermined by someone else’s trade off judgements. Sadly the latter situation is the reality.

Clive Robinson June 26, 2020 11:17 AM

@ ALL,

    “In some cases, those countermeasures will produce unintended consequences, which must then be addressed.”

This is not quite correct.

Firstly it’s not “some cases” but “all cases”; such is the law behind the rule of cause and effect. Secondly, all effects have consequences, just like ripples from a stone dropped in a pond; it’s unavoidable. Thus no matter how careful you are there will be consequences that were not intended.

Thus the real question that concerns an individual is,

    Are those unintended consequences positive or negative in consequence for you?

But don’t forget the universe as we understand it calls for any effect to be a zero sum game on the resources that go into the cause, and the effect overall to be one of moving from a coherent state to an incoherent state.

Thus for every win both the winner and loser must lose resources to what is in effect entropy, as there can not be any perpetual motion machines.

mark June 26, 2020 11:45 AM

And then there’s the cybersecurity that, once outdated, becomes a disaster.

For example, 25 years ago, blocking email from an ISP that was a source of spam was a reasonable idea.

The last 20 years? Not so much. Around ’02, I was blocked from emailing a friend in Canada for that reason. The problem: my domain was Chicago Roadrunner, which provided most of Chicago (having eaten up all the small ISPs).

Right now, I get blocked on occasion. My hosting provider is hostmonster, which a tech told me supports literally millions of domains. Oh, someone creates a few burner domains to send out malware… and unless you’re paying business rates, your email goes out through a number of load-balancing mailhosts… and one blacklist site regularly blacklists that. Ditto – I just responded to a relative’s email from msn… and msn said I’m naughty.

Blacklisting major hosting providers is a disaster… but some folks won’t admit that times have changed.

Clive Robinson June 26, 2020 2:10 PM

@ mark,

Blacklisting major hosting providers is a disaster… but some folks won’t admit that times have changed.

Sorry to tell you this but the folks you say “won’t admit” are still making a rational choice.

As several here know I’ve made the choice not to participate in any email in my personal life (or social media).

Has it had any negative effects? Possibly, but not enough for me to worry about. Has it had any positive effects? Well yes, quite a lot, so I’m not going backward on my decision any time soon, and only with really hard evidence that the positives will outweigh the negatives, which frankly appears unlikely. But even if I do, I will only whitelist from specific email servers and email account names I’ve decided I’ll allow; everything else will just get a port reset. Likewise if it’s not 7bit ASCII with no attachments.

Yes I know it sounds unkind, but why should I waste my time on what is mostly junk I neither want nor need to know. And that’s before the malware and phishing shite etc.

At the end of the day it is the recipient that decides what they want to spend their time on not the originator. If you chose to associate yourself with trouble, you should expect to be treated like trouble.

Let me put it another way, if you turn up to my abode and knock on the door, what makes you think you have the right to be acknowledged?

The answer legally is “none”… I see no reason whatsoever to treat unwanted electronic communications differently to the way I treat unwanted “cold callers” or those who turn up on my property without an appointment confirmed in writing. Then even if they do have a confirmed appointment I require copies of the callers’ “national level” ID documents; if they choose not to comply then I choose not to entertain their trespass on my property.
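The two mail policies argued over in this thread, the range blocklist that caught mark’s shared hosting provider and the strict per-server allowlist Clive describes, can be scored against the same sample traffic to make the trade-off concrete. The example below is added here and is not code from the post or from any commenter; the addresses, ranges, sender names and messages are all constructed, and the labels on the samples are assumed ground truth. It counts the two misclassification harms the paper’s framework would flag: legitimate mail dropped and spam admitted.

```python
import email
import email.utils
import ipaddress
from email import policy
from email.message import EmailMessage

# Constructed policy data; none of these addresses or ranges come from the thread.
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]     # shared mail-host range listed after one tenant spammed
ALLOWED_PEERS = {ipaddress.ip_address("198.51.100.7")}   # the one mail server the allowlist policy trusts
ALLOWED_SENDERS = {"friend@example.org"}                 # the one account name the allowlist policy trusts


def make_message(sender, body, attachment=None):
    """Build a sample message as bytes (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "me@example.net"
    msg["Subject"] = "sample"
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="file.bin")
    return msg.as_bytes()


def blocklist_accepts(peer_ip, raw):
    """Range blocklist: reject anything arriving from a listed network."""
    ip = ipaddress.ip_address(peer_ip)
    return not any(ip in net for net in BLOCKLIST)


def allowlist_accepts(peer_ip, raw):
    """Strict allowlist: known peer server, known sender, 7-bit ASCII, no attachments."""
    if any(b >= 0x80 for b in raw):                 # not 7-bit ASCII
        return False
    if ipaddress.ip_address(peer_ip) not in ALLOWED_PEERS:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg.get("From", "")))[1].lower()
    if sender not in ALLOWED_SENDERS:
        return False
    for part in msg.walk():                         # any attachment rejects the whole message
        if part.get_content_disposition() == "attachment" or part.get_filename():
            return False
    return True


def sample_traffic():
    """(peer_ip, raw_message, is_legitimate) triples; the labels are assumed ground truth."""
    return [
        ("203.0.113.10", make_message("friend@example.org", "Lunch?"), True),      # legit tenant of the listed host
        ("203.0.113.11", make_message("promo@burner.example", "Buy now"), False),  # the spamming tenant
        ("198.51.100.7", make_message("friend@example.org", "Hi"), True),
        ("198.51.100.7", make_message("friend@example.org", "Photo", b"\x89PNG"), True),
        ("192.0.2.5", make_message("promo@new-burner.example", "Buy now"), False),  # fresh domain, unlisted host
    ]


def score(decide, samples):
    """Return (legitimate_dropped, spam_admitted) for one policy over labelled samples."""
    legit_dropped = spam_admitted = 0
    for peer, raw, legit in samples:
        accepted = decide(peer, raw)
        if legit and not accepted:
            legit_dropped += 1
        elif not legit and accepted:
            spam_admitted += 1
    return legit_dropped, spam_admitted


if __name__ == "__main__":
    for name, decide in (("blocklist", blocklist_accepts), ("allowlist", allowlist_accepts)):
        print(name, "legit dropped / spam admitted:", score(decide, sample_traffic()))
```

On this sample the blocklist drops one legitimate message (the innocent tenant of the listed host) and admits one spam (a fresh domain on a host nobody has listed yet), while the allowlist admits no spam but drops two legitimate messages, including one that was only rejected for carrying an attachment. Neither number is “right”; the point is that whoever sets the policy chooses which harm falls on whom.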

SpaceLifeForm June 26, 2020 3:52 PM

@ Clive

This.

“At the end of the day it is the recipient that decides what they want to spend their time on not the originator.”

Like you, I avoid email. It has to be really important. Not going to use as creds for a site.

That said, I am seeing another problem.

SMS. People that you know, that are, flatly losing their minds due to covid.

At some point, there is no recourse but to block them.

Thunderbird June 26, 2020 4:17 PM

Clive, the difference between a user deciding they only want to whitelist certain mail servers and an ISP deciding to blacklist a broadly-chosen set of mailers seems important. The latter disrupts communications between users that want to communicate with each other. I think it is a reasonable expectation that I should be able to send and receive email if I want to.

An analogy would be my choice to burn all incoming bulk mail in my wood stove versus my mailman discarding everything addressed to me from Chicago. Yes, I know analogies rarely work, but I am not feeling very clear today.

Impossibly Stupid June 26, 2020 6:24 PM

@mark

My hosting provider is hostmonster, which a tech told me supports literally millions of domains

Clearly they don’t. What it sounds like they do support is a few spammy customers by using a million others (including you) as human shields. Why you’d defend this practice is baffling. There are countless things they could do to actually support legitimate users, not the least of which is compensating the victims. Abuse coming from your network range is costing me money; make it worth my while to have my system do anything more than drop you into a blacklist.

@Thunderbird

I think it is a reasonable expectation that I should be able to send and receive email if I want to.

Google, almost certainly the largest email provider on the planet, disagrees. Whether or not their users have that expectation is another matter. But the fact remains that people keep using large email providers despite these unintended harms. I mean, I’ve had times when a Gmail user sent me a message, and then the idiots at Google dumped my response into the Spam folder.

mark June 26, 2020 8:36 PM

Impossibly Stupid • June 26, 2020 6:24 PM

Clearly they don’t. What it sounds like they do support is a few spammy customers by using a million others (including you) as human shields.

That’s bs. They have millions of customers. Tell me, how big do you think any company’s tech support staff, that deals with only that, is?

The spammers and malwareists create – actually, they probably have scripts that create disposable domains, use them till they’re stopped, and do it again and again.

You’re saying that you approve of collective punishment, that millions of us are, in fact, liable for not jumping on the hosting provider?

Really? When I was in Chicago, using the ISP, what was I supposed to do, call the company, and expect them to pay attention to me? Really? At least now they will pay attention.

Eventually. You’re not thinking of the job the people on the other end have to do, and unless and until we can automate it, for the large, widely-used spam blacklisters (like manitu, which the CentOS general mailing list uses) to block everyone is exactly collective punishment.

mark June 26, 2020 8:41 PM

Impossibly Stupid – I have no idea what hosting provider you use… but I’m not a commercial enterprise, so I’m not going to spring a ton of money monthly for a private mailserver. I think I’m paying for level 2, where it’s only thousands or tens of thousands of domains from one set of mailservers, but I’m not sure.

Have you never been bounced?

And don’t tell me gmail, the contents of my email exchanges are not for them to scan for free and sell.

Impossibly Stupid June 27, 2020 1:09 PM

@mark

Tell me, how big do you think any company’s tech support staff, that deals with *only* that, is?

It’s not about size, it’s about competence and effectiveness. If they’re still mixing most legitimate customers in with spammers, that’s a problem they clearly haven’t been able to solve in 20 years. Stop making excuses for them; take your business to someone who won’t use you as a human shield for abuse.

The spammers and malwareists create – actually, they probably have scripts that create disposable domains, use them till they’re stopped, and do it again and again.

And? There are countermeasures to that (and consequences to them, as the referenced article points out). The onus remains on the ISP to police their network. If they’re doing a poor job of it, maybe the Internet would be better off without them being connected.

You’re saying that you approve of collective punishment, that millions of us are, in fact, liable for not jumping on the hosting provider?

Yes. You are known by the company you keep. Apparently your ISP likes to keep company with spammers. If you, as a paying customer, are unwilling or unable to convince them to do otherwise, what hope does anyone else have? Again, you are being used as a human shield; willfully continue that relationship at your own peril.

When I was in Chicago, using the ISP, what was I supposed to do, call the company, and expect them to pay attention to me? Really?

Again, yes. That’s exactly what it means to get support from a company. Get your thinking straight.

I have no idea what hosting provider *you* use… but I’m not a commercial enterprise, so I’m not going to spring a ton of money monthly for a private mailserver.

Well, I know what I’m doing, so I’m able to run my own mail server (along with many other things) on a low-end VPS for under $2/month. It’s one that generally takes abuse seriously, too. Instead of throwing yourself on a pile of millions of other customers, consider seeking out a smaller provider who will actually value your business.

And don’t tell me gmail, the contents of my email exchanges are *not* for them to scan for free and sell.

You must be joking. As I already noted in my previous comment, Google is a big part of the problem. They’ve been my only source of deliverability problems, because their monopolistic practices when it comes to email results in them treating smaller providers like trash. Of course, that is not an unintended harm, though.

mark June 27, 2020 3:21 PM

impossibly_stupid: say what? My hosting provider is mixing spammers with legit customers? Your phrasing implies that they’re doing it deliberately.

You don’t begin to address the reality that I mentioned: they do toast them, as soon as they get to them. But do you really think a high-value target, like a huge hosting provider, isn’t going to be hit more than they can handle instantly?

And I don’t feel like paying the money for a static IP, given that I’m not running a business, so I don’t feel like running sendmail.

As soon as you say you’re for collective punishment, when you’re talking about hundreds of thousands of people, you’ve lost my respect.

Impossibly Stupid June 27, 2020 10:50 PM

@mark

My hosting provider is mixing spammers with legit customers? Your phrasing implies that they’re doing it *deliberately*.

Based on your description of the situation, yes. Get past your Stockholm Syndrome and you’ll come to the same conclusion. It’s not like it’s that unusual, either. All the big cloud providers do the same. I see tons of abusive traffic coming in from Amazon and Google and others, all from huge undifferentiated ranges (e.g., 52.0.0.0/11, 35.208.0.0/12, etc.). That doesn’t happen by accident.

But do you really think a high-value target, like a huge hosting provider, isn’t going to be hit more than they can handle instantly?

What I “really think” is that, if they were a reputable organization, they’d offer more than excuses to you and their millions of other legitimate customers. If it were me, or any other professional sincerely interested in security, I wouldn’t wait to be hit “again and again”. They’re demonstrating a level of incompetence that is most easily attributable to corruption.

As soon as you say you’re for collective punishment, when you’re talking about hundreds of thousands of people, you’ve lost my respect.

Because your thinking on the matter is turned around, your respect isn’t worth much. Web hosts are cheap and ubiquitous; switch to a more professional one. Don’t blame the world for closing the door on you when you willfully continue to associate with people who make the Internet a worse place.

Steve June 28, 2020 10:09 AM

It has been my experience that the Law of Unintended Consequences supersedes all others, including Gravity.

Chris Cronin June 28, 2020 2:40 PM

Center for Internet Security developed their risk assessment method (CIS RAM) to address this exact issue. CIS RAM uses the concept of “safeguard risk” instead of “residual risk” to remind people that they MUST think through the likelihood of harm they create to others or the organization when they apply new controls.

SpaceLifeForm June 28, 2020 11:59 PM

@ Steve

“It has been my experience that the Law of Unintended Consequences supersedes all others, including Gravity.”

I’m pretty sure that insanity spreads faster than the speed of light.

That is anecdotal of course.

I do not have the measurements to back that up.

FB probably has some stats.

SpaceLifeForm June 29, 2020 12:13 AM

@ Impossibly Stupid, Mark, Clive

“I see tons of abusive traffic coming in from Amazon and Google and others, all from huge undifferentiated ranges (e.g., 52.0.0.0/11, 35.208.0.0/12, etc.). That doesn’t happen by accident.”

So, you see.

Are you really sure that what you observe is reality?

It’s not an accident, I’ll grant you that.

But, be careful where you point fingers.

Attribution is hard.

To quote a learned one,
“You can observe a lot just by watching”

Maybe.

You have to decide if the S/N ratio is information.

The signal may be the noise.

Clive Robinson June 29, 2020 3:03 AM

@ SpaceLifeForm, Impossibly Stupid, Mark, Clive

Are you really sure that what you *observe* is reality?

For the purposes of managing your connection to the Internet by blocking dubious ranges does it matter?

The answer is probably not; however, that does not mean that it is not important. All attacks, and especially those under “false flag”, are important in the overall prevention process. That is, it’s part of the dictum of “You can not fight an enemy you can not see”.

It’s an important distinction when you talk about the difference between offence and defence as a strategy to protect yourself. It is in effect the difference between targeted and general protection.

The problem with going down the offence road is that identifying the real enemy is at best difficult. Thus a well practiced “false flag” operation will get two parties fighting by the instigation of a third party who does not enter the fight but profits from it in some way or manner.

As we know the CIA had a whole suite of “cyber-falseflag tools”, and I would assume all major powers and first world nations do as well, whilst other nations can buy in and modify cyber-weapons for quite moderate prices when compared to the cost of conventional weapons that will stand up against those of major powers and other first world and many second world nations.

Impossibly Stupid June 29, 2020 11:03 AM

@SpaceLifeForm

Are you really sure that what you *observe* is reality?

Yes. We’ve been through this before. Your grand conspiracy theories have far less foundation in reality than my log files, and that does you a disservice whenever those in power do choose to abuse it.

The CIA is not spoofing TCP/IP traffic just to scan my podunk server for WordPress exploits (or whatever). Far, far, FAR more likely is Amazon having garbage quality control when they try to eke out a profit from selling a sliver of time on their machines for 3 cents. Or their cheap customers getting hacked and being made part of a botnet.

Attribution is hard.

No, it isn’t. This is Amazon’s problem, full stop. Even if it were a false flag operation, it would be a problem for Amazon.

Weather June 29, 2020 11:48 AM

@impossibly stupid, Spacelifeform, Mark
You can change the source address to say Google and do up to about 10 packets blind spoofing the syn/ack numbers, enough to send an exploit, with the shell code having the real address.
Just a thought.

Steve June 29, 2020 6:22 PM

@SpaceLifeForm:

I’m pretty sure that insanity spreads faster than the speed of light.

Makes sense to me. It has no mass and less information.

SpaceLifeForm July 1, 2020 5:42 PM

@ Impossibly Stupid

Want to try an experiment?

Make sure your servers do not support TCP Fast Open.

Let us know if you see a difference.

Weather July 1, 2020 6:12 PM

@Spacelifeform
TCP fast open: if you send a Syn and a cookie, you are pre-authenticated, and data, well at least one data packet, is going to be sent. Going to read the RFC, but what range for the key in the cookie, 64000?

Thanks

SpaceLifeForm July 1, 2020 8:42 PM

@ Weather

By my reading of RFC7413, the TFO cookie is 4 to 16 bytes.

As to authentic, that is where a problem may lie.

Weather July 1, 2020 9:39 PM

@Spacelifeform
Something you can’t look up on Wikipedia stumped them; they don’t know that it’s wrong half the time, but maybe…

SpaceLifeForm July 2, 2020 3:29 PM

@ Weather

Note that the TFO cookie is not secured by any measure. It is part of a crappy handshake, before even any DHE has occurred.

It leads to fingerprinting.

It is not worth doing.

Fast, Secure. Pick one.

Then, think about Colluding Clients.

Weather July 2, 2020 8:57 PM

@Spacelifeform
If you can send a syn with the cookie plus some data that adds to a replied packet, you can in theory make them attack someone.
Not quite sure what you mean by fingerprint, don’t see how?
Yeah, getting two clients to dos each other.

SpaceLifeForm July 3, 2020 2:43 AM

@ Weather

The fingerprint is the TFO cookie.

Colluding Clients – think outside the box.

It’s not a DOS between two clients.

C1 does the normal Fast Open, and gets the TFO cookie.

C1 passes the TFO cookie to C2, C3, …

Colluding Clients.
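The TFO discussion above turns on two facts from RFC 7413: the cookie is 4 to 16 bytes long, and it travels in the clear in the SYN’s option field, so anyone who can see the segment can read it and the same value can be presented from several source addresses. The example below is added here and is not code from the post or any commenter: a parser for the TFO option (kind 34, which is the kind RFC 7413 assigns) that enforces the cookie length bounds, and a defender-side check that groups observed cookies by source address and reports any cookie presented from more than one address, which is the colluding-clients pattern SpaceLifeForm describes. The segments, addresses and the cookie value are all constructed.

```python
import struct

TFO_OPTION_KIND = 34                     # TCP Fast Open option kind assigned by RFC 7413
TFO_COOKIE_MIN, TFO_COOKIE_MAX = 4, 16   # cookie length bounds stated in RFC 7413


def parse_tcp_options(raw):
    """Return (kind, value) pairs from a TCP options area.

    Kind 0 (End of Option List) stops parsing, kind 1 (NOP) is one byte of
    padding, and every other option carries a length byte that counts the
    kind and length bytes themselves.
    """
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        opts.append((kind, bytes(raw[i + 2:i + length])))
        i += length
    return opts


def extract_tfo_cookie(segment):
    """Return the TFO cookie from a raw TCP segment.

    b'' means a cookie request (TFO option with no cookie), None means the
    option is absent; a cookie outside the 4..16 byte range raises ValueError.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    for kind, value in parse_tcp_options(segment[20:data_offset]):
        if kind == TFO_OPTION_KIND:
            if value and not TFO_COOKIE_MIN <= len(value) <= TFO_COOKIE_MAX:
                raise ValueError("TFO cookie length %d out of range" % len(value))
            return value
    return None


def tfo_option(cookie=b""):
    """Encode a TFO option; an empty cookie field is a cookie request."""
    return bytes([TFO_OPTION_KIND, 2 + len(cookie)]) + cookie


def build_syn(src_port, dst_port, options=b""):
    """Construct a minimal SYN segment (sample data only, not a real capture)."""
    options += b"\x00" * ((-len(options)) % 4)    # pad to a 32-bit boundary with End-of-Option-List
    data_offset = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)   # flags byte 0x02 = SYN
    return header + options


def cookies_shared_across_sources(observations):
    """Detection check over (src_ip, raw_segment) pairs.

    RFC 7413 has the server derive the cookie from the client's IP address, so
    one cookie arriving from several addresses is either the colluding-clients
    pattern or a cookie copied after being seen in transit. Returns
    {cookie_hex: sorted source addresses} for cookies seen from more than one address.
    """
    seen = {}
    for src_ip, segment in observations:
        cookie = extract_tfo_cookie(segment)
        if cookie:                                 # skip segments with no cookie or a bare request
            seen.setdefault(cookie.hex(), set()).add(src_ip)
    return {c: sorted(ips) for c, ips in seen.items() if len(ips) > 1}


MSS_1460 = b"\x02\x04\x05\xb4"                     # MSS option, 1460 bytes
SAMPLE_COOKIE = bytes.fromhex("0123456789abcdef")  # constructed 8-byte cookie, not from any real server


def sample_observations():
    """Constructed traffic: one client was issued the cookie, two more present the same one."""
    syn = build_syn(40000, 443, MSS_1460 + tfo_option(SAMPLE_COOKIE))
    return [("192.0.2.10", syn), ("192.0.2.11", syn), ("192.0.2.12", syn),
            ("192.0.2.20", build_syn(40001, 443, MSS_1460 + tfo_option()))]


if __name__ == "__main__":
    print(cookies_shared_across_sources(sample_observations()))
```

A server that validates the cookie against the client address will reject the copies, but the check above is still useful on the monitoring side because the rejected SYNs carry data and are accepted into the three-way handshake path before validation; a cookie that keeps reappearing from new addresses is the signal worth alerting on, and it is also the same value a passive observer can use to recognise the original client again, which is the fingerprinting point made above.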
