
Author Topic: Response to the ARRL CEO's Editorial on page 9 of the December 2021 issue of QST  (Read 853 times)

WO7R

  • Member
  • Posts: 6042

Quote
Thus breaching the LoTW Server would not allow an adversary to gain access to complete "Callsign Certificates" and use them to forge confirmations or flood LoTW with bogus confirmations.

What are you talking about?

Once the server is successfully breached, records can be created (fake card-based ones if need be) that bypass everything, including any certificate checks.

The whole problem with server breaches is that they always have ways of getting deeper into the system and having privileges to override everything.  If it is not the LoTW server proper, then it is another with the deeper DXCC records access. I don't know whether ARRL's is one server or seventeen with distinct roles.  Doesn't really matter in the end.

The whole history of server penetrations shows that once they get inside, even with a nominally under-privileged account, the danger is they can 'escalate' privileges (and very often do so) to some point where they render the planned security measures irrelevant.  If they don't the attack fails.  But so, so often they do once they get that far.

They can also do other kinds of damage that certificates don't help with, such as ransomware attacks, deleting records, and general havoc.
« Last Edit: December 16, 2021, 03:03:41 PM by WO7R »

AA6YQ

  • Member
  • Posts: 3666
    • homeURL

Quote
Thus breaching the LoTW Server would not allow an adversary to gain access to complete "Callsign Certificates" and use them to forge confirmations or flood LoTW with bogus confirmations.

What are you talking about?

Must I explain how public key cryptography works?

Once the server is successfully breached, records can be created (fake card-based ones if need be) that bypass everything, including any certificate checks.

All of the information stored in the LoTW database is also encrypted.

The whole problem with server breaches is that they always have ways of getting deeper into the system and having privileges to override everything.  If it is not the LoTW server proper, then it is another with the deeper DXCC records access. I don't know whether ARRL's is one server or seventeen with distinct roles.  Doesn't really matter in the end.

The whole history of server penetrations shows that once they get inside, even with a nominally under-privileged account, the danger is they can 'escalate' privileges (and very often do so) to some point where they render the planned security measures irrelevant.  If they don't the attack fails.  But so, so often they do once they get that far.


The cost of doing that would be quite high. Since there would be no financial benefit, what adversary would be motivated to spend lots of time and big money in order to forge QSOs or just trash LoTW? A forged QSO with a highly-sought-after DXCC entity would be quickly detected.

They can also do other kinds of damage that certificates don't help with, such as ransomware attacks, deleting records, and general havoc.

+ The LoTW database is frequently backed up; ransomware would be quickly detected.

+ Given unlimited time and funds, most any system can be penetrated. The question is whether the rewards justify the effort. In the case of the LoTW Server, I doubt that anyone would be motivated to bear the costs.

+ Here's a challenge: see if you can connect to the LoTW Server.

 
#1 DXCC Honor Roll, DXCC Challenge 3000

WO7R

  • Member
  • Posts: 6042

Dave, cryptography is irrelevant if it is bypassed.

There is always, always some level of DB admin that can get beyond the certificates.  That's all that's needful here. Some emergency or general utility, perhaps.  That would be downright classic.

But, suppose there is no such code?  I still don't care what is encrypted by whom.  Once you breach a server, eventually, you can get underneath the cryptography.  There is some level where the code has to work and work on data in the clear.  Such code gets the relevant keys.  Once someone breaks in, all bets are off in terms of access to said keys and the code that accesses said keys and whether it behaves as expected.

It could be as simple as a one byte patch to the code that has full access to the DB and simply believes that all presented LOTW certificates are valid thanks to said patch.  It is the very same code otherwise.  That code will have access to the relevant encryption keys -- it must -- and so it will make the relevant changes to the database it is told to do.  This is but one attack of hundreds of attacks that might work.

I'm not suggesting that any of this will be easy -- or easy to discover even if there is a breach.  I am suggesting that it happens every day and while cryptography can help, it is no magic wand once your attacker gains sufficient authority to essentially look at anything and change anything.  Which is exactly what all too many breaks do.

Quote
Since there would be no financial benefit, what adversary would be motivated to spend lots of time and big money in order to forge QSOs or just trash LoTW? A forged QSO with a highly-sought-after DXCC entity would be quickly detected.

1.  A lot of people out there do hacking "just because they can".  It's a sicko form of showing off.  It's depressing but true.  They are probably more likely to trash the DBs than to forge QSOs.  It's easier and fits many of their sick profiles.  Heck, they probably are more interested in whatever credit card information they can glean.  But any sort of attack would damage the league to some degree.  And, they might look at the baroque system and delight in working around it, who knows?  Hacker psychology is not something one can make very many assumptions about.

2.  If we take your argument seriously, there should have been no security to start with.  Clearly, people inside the league think that attacking this system is important.  It's just that the ARRL may have neglected the most obvious path for it.

I've done a small amount of professional work in this area.  What I learned:

1.  The amount of resources devoted to security must be assumed to be small compared to the resources of the attacking community.  One's only advantage is that they are disjointed, but one can't count on that.  Also, every dime spent on security is begrudged by management in the end, especially as the potential expenditure gets higher and higher for more marginal returns.  And you have to do a lot of things perfectly.  One bad password, one inadequate procedure renders the rest irrelevant.

2.  You may as well proceed as if there are multiple attackers attacking multiple things.  Serious security analysis, then, looks for the neglected trap door.  Because while the attackers are busying their security tools, trying to breach certificate passwords, and failing, the same attackers (or some separate set of them) will have much leisure to try other things.  If they find the shorter path, they abandon the cert attack and the league loses.

3.  If a forged QSO is so easily detected, you are again undermining the argument for the other security to begin with.  Presumably, outfits like Clublog, with no apparent security, rely on stuff like this.  So do my own suggestions, for that matter.  The 2m EME crowd, for instance, is sufficiently small that anyone who fakes, from scratch, a 2m EME WAS is certainly going to get found out if anyone notices the award was granted to start with.

Accordingly, whatever resources the league has probably need to be focused on things beyond the certs.  The certs are doing a bang-up job. General crypto of DBs helps also.  But all they may assure is that more attention is focused on easier paths where none of it matters.

I wish you joy of your assumption that ransomware would be easily detected.  There are far too many victims of it to assume that.  Those that engage in ransomware seem to have a lot of success.  There are a lot of companies out there with inadequate or no backup facilities.  I know this from my professional work.  As the saying goes "you'd be surprised".  Those guys surely get "caught" by such attacks.  But, backups could get compromised any number of ways without necessarily being detected.  The devil is in the details and each company is its own adventure.

Quote
Here's a challenge: see if you can connect to the LoTW Server.

My failures tell nothing whatever about the system's vulnerabilities.  Nor would it change my opinion in the least.
Besides, I don't engage in that sort of behavior.  And, real attackers fight dirty.  They are not above dumpster diving, compromising personal computers all over the world and having them trying out nefarious attacks in great numbers, and much, much else.

The biggest problem in all of these things is that it is very difficult to know what you can do in the face of inspired guessing.  Maybe I can't guess how to access the server.  But a miscreant with much experience?  That could be a different story. 

For instance, some of the cipher messages in WW II were broken simply because it was possible to assume that they all or mostly all ended "Heil Hitler".  Those composing the messages almost certainly never gave it a second thought.  A lot of inspired attacks are only retrospectively obvious.
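The two positions above can be reconciled in code: a confirmation signed with a key the server never holds cannot be forged by whoever breaches the server, yet a row written straight into the database does bypass the check, so the defence is to keep the signature with the stored record and have an auditor that does not share the server's code path re-verify every row. This is an added illustration, not LoTW's or TQSL's actual code or record format; the callsigns, the record layout and the choice of Ed25519 are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// QSORecord is a constructed stand-in for a signed confirmation; the layout
// is an assumption for this illustration, not LoTW's real record format.
type QSORecord struct {
	Call, Worked, Band, Mode, Time string
	Sig                            []byte // made with the operator's private key
}

// canonical returns the signed bytes (fields assumed to contain no '|').
func (r QSORecord) canonical() []byte {
	return []byte(r.Call + "|" + r.Worked + "|" + r.Band + "|" + r.Mode + "|" + r.Time)
}

// Sign runs on the operator's own computer, the only place the private key
// exists; the server only ever sees the public key and the signature.
func Sign(priv ed25519.PrivateKey, r QSORecord) QSORecord {
	r.Sig = ed25519.Sign(priv, r.canonical())
	return r
}

// Audit re-verifies every stored record against the directory of public keys,
// independently of whatever code path wrote the row. It returns the indexes of
// rows that fail: tampered, signed by an unknown certificate, or inserted unsigned.
func Audit(pubs map[string]ed25519.PublicKey, store []QSORecord) []int {
	var bad []int
	for i, r := range store {
		pub, ok := pubs[r.Call]
		if !ok || !ed25519.Verify(pub, r.canonical(), r.Sig) {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	pubs := map[string]ed25519.PublicKey{"W1XYZ": pub} // constructed callsign
	good := Sign(priv, QSORecord{Call: "W1XYZ", Worked: "VK9ABC", Band: "20M", Mode: "CW", Time: "2021-12-16 1500"})
	// Row written directly into the database: no private key, so no valid signature.
	forged := QSORecord{Call: "W1XYZ", Worked: "VK9ABC", Band: "2M", Mode: "CW", Time: "2021-12-16 1600"}
	fmt.Println("records failing audit:", Audit(pubs, []QSORecord{good, forged}))
}
```

The audit only helps if it runs somewhere the database administrator cannot silently alter, which is the practical answer to the "patched verifier" concern.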

AA6YQ

  • Member
  • Posts: 3666
    • homeURL

As we all know, it is not yet possible to build a provably-secure system. All one can do is make the likely cost of penetration exceed the likely value of penetration. The security mechanisms included in LoTW were designed with that principle in mind.

Even reputation-driven hackers consider opportunity cost.

Victims of ransomware either don't generate sufficiently-frequent backups, or don't prevent those backups from being damaged by ransomware.

The fact that security threats continuously evolve - cough log4j cough - further weighs against the CEO's plan to leave the current LoTW implementation unstaffed for years while a currently non-existent IT Director recruits a development team to design, implement, test, and document Project X.
#1 DXCC Honor Roll, DXCC Challenge 3000

AC2EU

  • Member
  • Posts: 2793
    • McVey Electronics

The only time I had any trouble with LOTW is when I tried to transfer the key to another computer.
I got it to work, though.

The LOTW system is designed to be a QSO confirmation system, not an operator's log.
I have my own electronic logs on HRD. I transfer my logs to LOTW with a point and click type operation.
Very simple once it's set up. I'm OK with the way it is.

I wonder: how many reading this thread think that expanding LOTW to a full log is desirable?

VA3VF

  • Member
  • Posts: 4509

Aside from the security, how is ClubLog different from LoTW? Some of the ARRL CEO's ideas seem to be already implemented in ClubLog in some shape or form.

If not for the DXCC program, ClubLog would be the only system I would use.

K0UA

  • Member
  • Posts: 9589

Quote
I wonder: how many reading this thread think that expanding LOTW to a full log is desirable?

I wouldn't have much interest in expanding it as noted.
73  James K0UA

WO7R

  • Member
  • Posts: 6042

Quote
The fact that security threats continuously evolve - cough log4j cough - further weighs against the CEO's plan to leave the current LoTW implementation unstaffed for years while a currently non-existent IT Director recruits a development team to design, implement, test, and document Project X.

Exactly.

And, there's one more thing that reinforces your point.  Even a very good security architecture can be eroded by even a handful of mistakes in execution. 

Hackers look for the weak spot and if they find it, the rest of the splendid infrastructure is meaningless.  It is something that requires attention over time.  Reviews even.  It is also something that can erode.  Code can be checked in that bypasses security standards, yet still works without anyone noticing the bypass was done.  The damnable thing is that even if the hacker might generally look at the security architecture and despair of a frontal assault, if they sniff around and find some side door of this sort, they can win due to a very cheap, targeted assault on a singular flaw.  And, it doesn't cost much for them to look for these kinds of things.  If they fail, oh well.  But if they don't...

« Last Edit: December 16, 2021, 08:00:29 PM by WO7R »

WO7R

  • Member
  • Posts: 6042

Quote
I wonder: how many reading this thread think that expanding LOTW to a full log is desirable?

Given the problems Dave documents, my answer is "no".

In fact, the much maligned eQSL will function splendidly in the role of anyone's backup log.  It already tracks any fields I would be interested in -- including notes/comments which are sometimes quite important if I had to reconstruct my log.

Clublog, like LOTW, is incomplete, but more desirable in the end in such a role.

Or, one could simply do adequate backups.  Today, that's getting easier and easier.  Between Google, Microsoft, and Dropbox, to name three, anyone who hasn't backed up their log almost deserves their fate.  It is easy and, if done rightly these days, even automatic.

But, offsite backup of something as important as one's ham radio log ("important", at least, as defined by a given ham) is just too easy to accomplish now at a consumer level to neglect.

Anyone reading these words should be investing in some sort of at least occasional offsite backup.

AA6YQ

  • Member
  • Posts: 3666
    • homeURL

Or, one could simply do adequate backups.  Today, that's getting easier and easier.  Between Google, Microsoft, and Dropbox, to name three, anyone who hasn't backed up their log almost deserves their fate.  It is easy and, if done rightly these days, even automatic.

But, offsite backup of something as important as one's ham radio log ("important", at least, as defined by a given ham) is just too easy to accomplish now at a consumer level to neglect.


Macrium Reflect is free, and can be used to automate backup of your log to an external mass storage device or to a mass storage device on another computer on your LAN. Combine this with copying your log to free cloud-based storage each week, and you'll be covered against the full range of disasters.
#1 DXCC Honor Roll, DXCC Challenge 3000