A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, the well known “reformed” black hat hacker, over encrypted instant messaging sessions, ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo and Wired.com journalist Kevin Poulsen have both been labeled ‘snitches’ as a result of Lamo’s cooperation with the authorities and Poulsen. The Internet is awash with speculation regarding this story, with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site to which Specialist Manning allegedly provided these documents and videos – stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.
Regardless of your position on free speech, or of what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified, must be taken note of, as that which motivates them in many respects lies squarely outside of the norms associated with breaches of this type. In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy, there are common indicators that are noted and tend to be exploited by those seeking to induce a party to do their bidding. This case is different. It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date) was not motivated by greed or financial hardship (motivators seen in countless other cases, such as those of Ames, the Walkers, or Hanssen for example), or vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third party relay, from information disclosed from the communications between Manning and Lamo, and from information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe as idealistic or philosophical.
As a result, I am going to refrain from weighing in with an opinion regarding guilt or innocence, as no doubt Specialist Manning will be undergoing investigation and, I would imagine, a Court Martial as a result of the allegations being brought against him. Certainly the communications he provided Lamo will help build and strengthen the case against him, and we would all do well to remember that Specialist Manning – like all military personnel – swore an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself looks like this:
“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.”
It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance, one’s life and personal opinions must be willingly put aside for the greater good, as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place, nor is it my desire, to pass judgment on this young man. That day and duty will come, and justice will be served in a military court of his peers at a time yet to be determined. My real concern stems from the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis and their procedural and operational effectiveness. Allowing anyone to enter a classified environment with read / writable media is not uncommon; read / writable media is used within these environments. However, allowing them to leave the facility with read / writable media – regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read / writable disk as a ‘Lady Gaga’ CD and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file) – is unusual to say the very least. In most cases it does not, and never should, occur.
This no doubt will be investigated by Army CID and others, and will likely see the watch command, Officer in Charge and others investigated in order to properly assess whether Specialist Manning acted alone or in collusion with others. The results? Well, we’ll have to wait for the results to be arrived at – and we may never know, as the Department of Defense may choose (and it is their right to do so) not to disclose all that they find. Regardless, I cannot think of a better case to highlight the need for regular and vigilant security awareness and educational training, in addition to greater degrees of cognizance of the existence and potential use and hosting of onion routed repositories within networks (public or private), which may be used for questionable and in some cases quite clearly criminal ends.
Today’s blog post has been kicking around in the recesses of my mind for a while. I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice. It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have: customized, designer malware. Some industries and security practitioners are much more familiar with this particular family of malicious code and content than are others. Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family, but as for the majority I have to believe that it is still largely the stuff of myth and folklore. When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic. It’s a simple value proposition for the attacker:
1. Study your target(s)
2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
3. Study and evaluate targets of opportunity – technical and non-technical
4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
5. Engage and begin insertion within the target environment
6. Locate, identify and observe targets of interest, paying special attention to the people, process and technologies put in place to protect the targets
7. Assess opportunity cost
8. Engage in compromise
9. Secure targeted object of mission
10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next generation telecommunications handheld for example)
11. Secure the target
12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question
Sounds complex, perhaps even a bit fanciful or fictitious, but rest assured, dear reader, it is anything but fictitious. Methodologies of this sort, and other similarly enacted methodologies, are utilized often within operations that focus on the use of customized and designer malware targeted at an organization, or a specific individual within that organization, for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed – would have grave impacts upon the way in which the target or victim organization conducts its affairs.
As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist. In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.
So how do we begin fighting these threats? We begin very much in the same way in which we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance. Many times the attacks and compromises seen which fall into the family of customized, designer malware leverage, as a basis, technologies which are well known and documented. Rootkits, backdoors and Trojans, amongst others, have been noted in these scenarios, as have various and sundry examples of ransomware. I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges. These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape, which at times are denounced as being fiction (e.g. if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT – this is rubbish). Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale much more grand than had ever previously been considered.
Recently I wrote a piece on Deep Packet Inspection (DPI) and issues related to its use within the Virgin Media network in the United Kingdom. In that case, opponents of its use cited UK legislation that prohibits the unauthorized capture of communications and conversations on networks. I found this curious, as this case dealt with Virgin’s desire to deploy a specific tool that focuses on the detection and identification of peer-to-peer (P2P) networks such as eDonkey, BitTorrent and Gnutella. The tool, CView, was to provide a DPI function important to ensuring the integrity and purity of good traffic while aiding in the identification, observation and remediation of bad traffic. Virgin’s concern was the health of its network and its desire to manage anomalous bandwidth consumption while combating illegal use and distribution of copyrighted / trademarked materials. This doesn’t sound terribly unreasonable, nor does it sound like a ‘violation of privacy’ rights as the opposition suggested.
This case caused me to reflect on challenges and opposition I have seen in hundreds of cases and clients with respect to Deep Packet Inspection (DPI) technologies. I believe many organizations, and professionals within them, have a fundamental lack of understanding of not only DPI but also more elementary concepts such as traffic analysis (read: the ability to read and decipher packet captures). I’ve heard every possible technical and cultural argument against the use of packet inspection or session based analysis tools known to man, some more well articulated and supported than others. I’ve been in countless meetings where white board diagramming sessions ensued and network diagram sessions erupted into long debates regarding the implementation and positioning of a technology and every reason why a given device could not be implemented. These conversations are healthy and important; they need to be had. However, facts are facts, and most of the ‘concerns’ or arguments used against the adoption of intelligent, network-based security products are in fact flawed. Take for example some of my favorite arguments against the adoption of Deep Packet Inspection (DPI) technologies:
- Deep packet inspection solutions introduce latency into the network and in effect are prohibitive to the continued flow of traffic:
  - This argument, when first presented, had some validity; however DPI solutions, specifically Intrusion Prevention Solution (IPS) appliances, have undergone evolution to the third generation. Most if not all offer some form of bypass kit which ensures that in the event of cataclysm (as defined by you or your organization), provided the building is not a smoking crater and electricity continues to flow, so too will your traffic
  - Additionally, most if not all platforms offer multiple modes of deployment wherein an organization has the ability to segue slowly from a passive monitoring (IDS) mode into full inline DPI integration
  - It is true that any time any device is introduced into the flow of traffic some latency – no matter how infinitesimal – will be introduced. This is true of any device, be it a router, switch, load balancer, server, firewall, IPS etc.
- Deep Packet Inspection (DPI) solutions, specifically Intrusion Prevention Solutions, are often never fully implemented, often remaining in a passive monitoring mode. As a result, organizations never fully realize the Return on Investment (ROI) they expected when making their purchase and likely could have settled for a much less sophisticated and costly platform:
  - The adoption of the technology and / or the enterprise in question’s readiness has no bearing on the efficacy of the technology
  - It is intellectually dishonest to assert that, had proper due diligence been performed and a readiness assessment undertaken, Return on Investment (ROI) and Total Cost of Ownership (TCO) would not have yielded positive results, technical or otherwise
- The threat landscape is moving at a rate which no one can properly contend with and, as a result, combat in its entirety:
  - This is not true for all systems utilizing Deep Packet Inspection (DPI) technology. Yes, there are some which rely on archaic and in some cases less well defined engines and analysis technologies; however those which truly subscribe to the definition of Deep Packet Inspection (DPI) should be impacted far less by this than those which do not
- Deep Packet Inspection (DPI) solutions are complex and esoteric; they are not intuitive:
  - This argument is weak but needs to be taken in context. In my experience, when clients brought this point to the debate table it had more to do with the experience level of their staff than the tool’s complexity
  - This can be overcome quickly and easily provided a proactive, open relationship exists between the vendor and the client
  - Education should be ongoing; failure to educate (it is not only the responsibility of the vendor but of the organization purchasing and adopting the technology) to ensure
- Firewalls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their less complex packet-filtering and stateful inspection peers:
  - The application of this type of technology is traditionally done by those who are fluent and well versed in the need for it
  - It is neither new nor is it beyond comprehension
  - Given today’s threats and the complexities researchers and analysts continue to see in record numbers, technologies such as this are now more important than ever before, not to mention more effective than packet filtering and / or stateful inspection only systems
Conclusion:
The reality is that technologies such as Deep Packet Inspection (DPI) are extremely important. Their importance, though debated, cannot be ignored, and as a result they are more important now than ever before. No longer are we contending with largely unsophisticated threats and adversaries. Cyber-criminals do not sleep. Nor do they take vacations or observe change windows. They are on the job 24 x 7 x 365 and are not deterred by the presence of traditional mitigative technologies and controls (in fact I would imagine they welcome the objections which are proposed against the adoption of technologies such as DPI). As a result, the need to strengthen our positions architecturally as well as procedurally must be recognized and acted upon. Time is of the essence, and hesitation accompanied by intellectually dishonest or malformed thought processes must be overcome in order to address these threats.
Deep packet inspection is not a new concept. It is, in fact, quite mature and takes advantage of the best of IDS (intrusion detection solutions), IPS (intrusion prevention solutions) and stateful inspection firewalls. The technology is extremely effective in combating malicious code and content attacks and in enforcing policy to a variety of ends. Additionally, the technology is quite good at providing detailed intelligence with respect to application behavior and patterns as they appear within a given infrastructure. In modern enterprise and carrier networks this technology is both common and integral in ensuring operational efficiency while managing and minimizing risk.
Recently, however, it has come under fire and, in at least one case, been dubbed a measure by which the privacy rights of end users can and will no doubt be violated. The case in question is that of the recent announcement by Virgin Media that it would deploy a DPI-like technology package called CView within its network environment in order to better understand the prevalence and associated patterns of use seen in peer-to-peer networking sessions. The tool would in effect be capable of tracking sessions associated with peer-to-peer networks such as Gnutella, BitTorrent or eDonkey, which has created a negative buzz amongst organizations such as Privacy International, who appealed to the EU to step in and review the package proposed by Virgin Media. Virgin’s intentions seem straightforward to me, but perhaps that is due to my being an information security professional:
- Gain an understanding of the usage and patterns of associated usage with these P2P networks and clients
- Analyze instability presented by them within the network in terms of inordinate resource consumption
- Analyze content for purposes of legality (avoid trafficking in either copyrighted material or illicit, illegal material)
- Implement throttling if necessary
- Implement policy control if found to be necessary by law or by virtue of Virgin Policy
- Mitigate risk posed to the Virgin Media network environment and its user community
- Prevent malicious code and content propagation, up to and including the propagation of advanced malcode kits and botnets
I have to believe the goal of using a tool such as CView (if you look the tool up you will see it does not tie individual identity information to the information harvested) is pretty straightforward and reflects much, if not all, of what is seen above. I find it hard to believe that this is a case where privacy should be an issue, though I am aware that in the UK under the Regulation of Investigatory Powers Act (RIPA) intercepting communications is a criminal offense regardless of what is being done with the data. While I am no expert in British Parliamentary process or law, it would seem that this act would be prohibitive, if not crippling, in providing advanced security solutions while potentially curtailing illicit, illegal activity. Deep packet inspection is not the problem here; the problem is perception as it relates to the lengths to which personal ‘freedom’ extends and where illegal activity begins.
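The kind of traffic classification the CView discussion turns on, as an added example written for this page rather than Virgin Media's or CView's own code: it recognises the documented opening bytes of BitTorrent, Gnutella and eDonkey sessions, keeps only per-protocol counters (no address or identity data, matching the point made above about CView), and can run in passive monitoring (IDS) or inline blocking (IPS) mode as described in the arguments earlier. The protocol fingerprints are the public handshake formats; the Inspector class, builder helpers and sample payloads are constructed here for illustration.

```python
"""Minimal DPI classifier for the three P2P protocols named on this page.
Added illustration, not CView (whose internals are not public)."""
import struct
from collections import Counter

# Public handshake fingerprints
BT_PSTR = b"BitTorrent protocol"        # preceded by one length byte (19)
GNUTELLA_PREFIX = b"GNUTELLA CONNECT/"  # e.g. b"GNUTELLA CONNECT/0.6\r\n"
EDONKEY_MARKER = 0xE3                   # first byte of an eDonkey TCP message
BT_HANDSHAKE_LEN = 1 + len(BT_PSTR) + 8 + 20 + 20   # 68 bytes


def classify(payload: bytes) -> str:
    """Return the P2P protocol a TCP payload opens with, or 'unknown'."""
    # BitTorrent: <19><"BitTorrent protocol"><8 reserved><info_hash><peer_id>
    if (len(payload) >= BT_HANDSHAKE_LEN
            and payload[0] == len(BT_PSTR)
            and payload[1:1 + len(BT_PSTR)] == BT_PSTR):
        return "bittorrent"
    # Gnutella: plain-text connect line
    if payload.startswith(GNUTELLA_PREFIX):
        return "gnutella"
    # eDonkey: marker byte, then a little-endian length covering opcode+data;
    # the length must agree with the bytes present, so a stray 0xE3 alone
    # (e.g. in binary HTTP content) is not enough to match.
    if len(payload) >= 5 and payload[0] == EDONKEY_MARKER:
        (length,) = struct.unpack_from("<I", payload, 1)
        if length == len(payload) - 5:
            return "edonkey"
    return "unknown"


class Inspector:
    """Passive ('monitor') or inline ('inline') inspection point.

    Only protocol-level counters are retained; nothing that identifies a
    subscriber is recorded (constructed design choice for this example)."""

    def __init__(self, mode: str = "monitor", block=()):
        if mode not in ("monitor", "inline"):
            raise ValueError("mode must be 'monitor' or 'inline'")
        self.mode = mode
        self.block = set(block)      # protocols to drop when inline
        self.counts = Counter()      # per-protocol totals only

    def handle(self, payload: bytes) -> str:
        proto = classify(payload)
        self.counts[proto] += 1
        if self.mode == "inline" and proto in self.block:
            return "drop"
        return "forward"             # monitor mode never alters traffic


# --- constructed sample payloads (hypothetical values) ----------------------
def build_bittorrent_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    assert len(info_hash) == 20 and len(peer_id) == 20
    return bytes([len(BT_PSTR)]) + BT_PSTR + b"\x00" * 8 + info_hash + peer_id


def build_edonkey_message(opcode: int, data: bytes) -> bytes:
    return (bytes([EDONKEY_MARKER]) + struct.pack("<I", 1 + len(data))
            + bytes([opcode]) + data)


SAMPLE_PAYLOADS = [
    build_bittorrent_handshake(b"\x11" * 20, b"-XX0001-" + b"0" * 12),
    b"GNUTELLA CONNECT/0.6\r\nUser-Agent: example\r\n\r\n",
    build_edonkey_message(0x01, b"hello"),
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",      # ordinary web
    build_bittorrent_handshake(b"\x11" * 20, b"0" * 20)[:30],  # truncated
]


def inspect_flows(mode: str = "monitor", block=()):
    """Run every sample payload through one Inspector; return verdicts+counts."""
    insp = Inspector(mode, block)
    verdicts = [insp.handle(p) for p in SAMPLE_PAYLOADS]
    return verdicts, dict(insp.counts)


if __name__ == "__main__":
    print("monitor:", inspect_flows())
    print("inline :", inspect_flows("inline", {"bittorrent", "edonkey"}))
```

The truncated handshake and the HTTP request both classify as unknown, which is the check a practitioner wants before trusting a throttling or blocking policy built on such fingerprints.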
One of my favorite parts of penetration testing is, and always has been, social engineering. I love it. In fact, I love it so much that I developed a real passion for it. My passion led well beyond traditional social engineering and evolved into the study and practice of more sophisticated techniques associated with socio-psychological manipulation. It is a gift of sorts, and who am I to question a gift? When speaking with prospective or current clients with respect to security assessments I have often implored them to include both physical security analysis and social engineering. This habit was formed upon entry into the world of professional security consulting, where I sharpened these skills under the tutelage of many senior to me in both age and experience. Almost all of my earliest mentors in this space were or had been active in the United States DoD or like intelligence services, most of whom shared a common pedigree not unlike my own, hailing from the world of information security and intelligence. These environments taught us to remain vigilant and open to the idea that the unexpected should be expected; therefore our ability to address anomalous events must remain categorically strong.
Over the years, within many engagements, activities of this nature were written into SoWs (Statements of Work, for the lay person) and acted upon with the full approval of parties able to authorize such activity within and against their organizations, and of their legal representation (a detail I cannot stress enough that should not be overlooked). We would engage in reconnaissance carefully, leveraging skills we had cultivated in our former lives and applying them to the commercial world. We would engage in deep open source intelligence gathering and analysis in order to supplement our knowledge base regarding our target(s). We would become familiar with the physical environment in which our targets could and would likely be found. These locations would range from their places of business, to local restaurants and pubs, to local shopping districts, to other geographic locales that we knew to be frequented by parties belonging to the organization in question, our target. All the while we would be looking for ingress and egress points in addition to ideal areas for initial contact and exploitation. We would additionally identify areas in which useful information may or may not be discarded by targets who truly believed that no one would be interested (ah, how I loved dumpster diving in my youth!). Finally, upon having enough information, we would begin our careful insertion and infiltration. There is an art to doing this as much as there is a science and at times the art becomes (or at least in my experience became) much more valuable.
These exercises almost always proved fruitful, as they would typically be multi-faceted, involving multiple small teams, each of which was cognizant of the others’ activities but all tasked with different missions during these exercises within the greater assessment. Some teams focused more upon the physical compromise of the environment and the acquisition of credentials and knowledge which could be socially engineered or stolen and thus counterfeited to serve our purposes in pushing deeper into the environment, escalating our mission per our SoW and charter. Others would work on compromising individuals, seeking to gain their trust and subsequently their knowledge and any information considered noteworthy. Others still worked on electronic and social engineering utilizing e-mail, web and telephonic techniques, all designed to gain the trust of our targets or members of our target organizations in the hope of escalating our privileges and advancing our efforts. This was good work. It was important work. And it was work that not all are capable of nor designed for. To the layperson reading this post I imagine it sounds outrageous, if not frightening, that work of this nature goes on and is conducted by security professionals in an effort to test and assess the security posture of a client, and to a degree I can understand that attitude. However, this work is terribly important and often demonstrates weaknesses not previously accounted for within enterprise environments (public or private) during traditional security assessments and audits.
At this point you may be wondering whether or not there is merit in engaging a qualified team to provide this type of service in addition to the traditional services brought to the table as part of a security assessment. My personal perspective is that if you have overt responsibility for the risk posture of an organization, and understand that security, or the state of being secure, is contingent upon the three legs of the security stool (people, process and technology) being dutifully tested and exercised, you most assuredly should do so. Failure to do so can expose you and your organization to a world of risk which complying mindlessly with a three lettered data security standard or a mutagenic health-privacy act cannot hope to save you from. So what are we to do? First, if you haven’t already done so, conduct a meticulous review and analysis of your organizational information and physical security policies. If you don’t have any, now is the time to remedy this deficiency. Should you (as I imagine most do, but will refrain from assuming) have these policies on hand, review them while employing a healthy dose of third party ego: remove yourself from immediate, intimate involvement with them as they relate to your job and evaluate them as though you were brought in to do so as a third party. Do they look mature? Are they clearly articulated and well defined? Are they comprehensive? Do they address the natural bridges that occur between physical and logical security? Provided you have the resources, engage them to conduct preliminary assessments (provided they are qualified to do so), and if they are found to be lacking in the ability, do not hesitate to contact professionals with the appropriate pedigree, background and reputation to speak to about scoping a statement of work on your behalf.
Remember that not every attack of a truly serious nature takes place across a wire and that many begin and end with a simple telephone call, a conversation around a smoking area or via a new hire.
By nature, I am an empiricist; it is who I am and it works for me based on my bent toward analytics and multi-faceted (at times onerous) levels of thought and pontification. I am unapologetic about the way I approach things; it is simply who I am. Having said that, I recognize that I am not – nor is my way of approaching things – universally embraced or right for everyone. To assert otherwise would be intellectually dishonest. I am particularly intrigued by (and spend a lot of time reading and studying) determinism and randomness theory and philosophy. For many of us, life is as simple as asking the question which the quintessential Canadian thinking man’s band Rush asked on its 1991 album Roll The Bones: “why are we here, because we’re here, roll the bones”; while for others the question of why, and perhaps more importantly the answer, is not so simple. I fall into the latter camp.
I am a student of empiricism; I am a stalwart advocate of critical thinking and reasoning, especially when it deals with philosophical schools of thought such as determinism vs. randomness and how they interact within the world in which I professionally live and work. These ideas are not new. In fact they are quite old. They are in many respects extremely old and, as a result of their vintage, they have been and remain the subject of great debate. Authors and thinkers such as Nassim Nicholas Taleb, who wrote two of my favorite books on the subject, Fooled by Randomness and The Black Swan: The Impact of the Highly Improbable, go to great lengths to explain these concepts along with their impact on causality. So too did David Hume, the famed Scottish philosopher, along with Karl Popper and Colin Howson. Needless to say there is a long and strong tradition of examining deterministic vs. random philosophy as it relates to probability. The concepts are as old as time itself; as long as mankind has had the ability to reason he has struggled with whether events occur due to deterministic causes (or, more appropriately, because of events which exist and influence other events, thus arriving at the cause for a current event), or due to sheer randomness. We are no different than our predecessors in this respect. We seek knowledge with respect to the origins of things and events, in addition to what their existence will mean to us as we move forward. This desire to know unequivocally what influences outcomes, and the probability of those outcomes, is central to the theme of our existence. As a result, it infiltrates (if we are paying attention) all aspects of our lives, from the most complex to the least. We find ourselves asking why certain things occurred at the time and place that they did, and to what end.
I happened to be in New York City last weekend making my way to LaGuardia Airport via the Holland Tunnel at the height of the melee that was underway surrounding the car bomb discovered in Times Square. Needless to say, traffic through the Holland Tunnel was less than forgiving, nor was that which we encountered on the way to Queens any better as a result. On the trip into the city, news commentators could be heard speculating with respect to the cause of this event. Why would a young, respected naturalized American citizen (Faisal Shahzad) find it acceptable to place a makeshift bomb in Times Square? What was his reasoning? His goal? His message? Who was behind the activity, and what might be the logical extension seen as a result of this event? All valid questions. All seeking validation with respect to understanding whether or not the causality associated with these questions and the event in question (not to mention the young man) was in fact deterministic in origin or random. We know that it was in fact not random, based on evidence that had been collected, and authorities are continuing to investigate the events that led to this event and ultimately influenced it from the perspective of cause. We humans tend to do this with all manner of things, ranging from the serious to the trivial.
With respect to information security, or security in general, I believe we do so more often than people realize. Security, or being secure, is in many respects dependent upon being able to detect, identify and observe causality. In being able to accomplish these three things, we are better positioned to account and prepare for the unknown. If you stop to think about that for a moment it should become quite clear that the act of securing anything – home, car, host, server, network, people – requires the acknowledgment of historic reasoning (in both deterministic philosophy and randomness) while at the same time acknowledging the unknown.
We see this often within the friendly confines of our industry. Take for example the following: an organization is instructed by a governing body that, in order to achieve a state of conformity with that governing body, the organization in question must meet and demonstrate achievement of x number of criteria. Failure to do so will result in negative ratings that may or may not result in fines and / or the inability to conduct business transactions. The governing body assumes that arriving at a state found to be in alignment with its standards will discount and eliminate (due to deterministic causality) any potential for randomness to manifest, thus negating the possibility. But what if their assumption is wrong? What if the data which they have assumed to be whole and comprehensive is not so?
I fear that this is more common than not within our space due to a lack of due diligence and grasp of historical accuracy with a forensic like precision.
Here’s another example:
A software-publishing house develops an application for quick processing of financial transactions. It is seen as being mission critical to organizations that purchase it looking to capitalize on any edge they can to beat their competitors to the market. Speed in this case is very good. The software publishers, realizing the importance and value of the application to their clientele, decide to expeditiously develop and push the code to market, rushing through all quality assurance (QA) and beta testing in order to beat the deadlines set by the executive teams and realize the greatest degree of revenue possible. The developers run through the exercise of whiteboarding the data flow and block diagrams, technical requirement documentation, marketing requirement documents and product roadmap documents. From there the code is pushed through the QA gauntlet at light speed and rushed into the beta testing customer environments. Initial results are noted and brought back to product management and engineering, who then wrestle with addressing the issues in a timely fashion in order to stay within budget (both financial and time budgets) while not missing their window of opportunity within the market space. The code is run through QA again, and pushed for GA candidacy.
But there is a fly in the ointment. Some young (or not so young), perhaps charismatic (or at the very least quirky) individual is asked to look at the code or application as part of an audit and assessment and finds that, lo and behold, it is vulnerable to an abundance of potential threats, all of which can be exploited in a trivial manner. At the same time this assessment is occurring, the code and its publishers are reaping great successes and accolades. The code, now a fully baked financial suite, is swiftly on its way to becoming one of the most popular suites of its kind in 21st century business; yet it is as vulnerable to exploitation as a runaway at a Port Authority bus station. While our young, or not so young, assessor of questionable charismatic quality is reviewing the code, carefully noting the deficiencies and potential for complete exploitation, reports begin trickling into our software publisher that exploitative events have begun. Worse yet, they were events that were not accounted for during initial or secondary quality assurance testing and were thus perceived as being random. We know however that randomness is simply the failure to take note of events that feed into causality, which can therefore be interpreted as a failure to pay attention to detail. This is perhaps one of the gravest mistakes anyone can make, yet all too common within our world and history, let alone our industry. So what are we to do about this? How can we, as professionals, convey a sense of urgency that supersedes and avoids a “chicken little” like knee-jerk response to events we encounter? This is easier said than done, especially in a world where information travels at the speed of light. I believe that in order to achieve the proper perspective we need to encourage the following:
- a healthy respect for that which is known, or what we know to be true
- a healthy respect for the unknown, or what we are not sure of
- an acceptance of our current posture as we understand it
- a recognition of our strengths as we are aware of them
- a recognition of our weaknesses as opposed to a denial of them
- an ability to process this information and begin formulating a plan
- the ability to execute that plan and in due course perpetuate its repetition in order to avoid falling victim to said trappings.
This is by no means a trivial event; nor has it ever been an easy proposition. The ability to interpret historical events and data, even when they appear to be disparate and unrelated, is paramount to achieving the goal of comprehensive deterministic understanding. In short, this allows us to avoid via scientific means the pitfalls associated with randomness and its associated theories. In order that we may achieve this, the ability to reflect upon our data sets and circumstances, all while applying the observing ego, is of paramount importance.
The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell
Recently I spoke at a private conference sponsored by a global, multi-national manufacturing and biomedical organization. It was a real pleasure for me to speak there, as I was doing so with a colleague, and it is always fun for me to present in such a way. The topic for our presentation was influenced by information we received from the organizers with respect to their wide and diverse audience, an audience which during the initial presentation would include 130+ people in person, and several watching via streamed video in 7 different countries. It would eventually be used by the organization to educate their 26,000+ day-to-day computer users, something to be pretty excited about. These users, like users in many other organizations, ranged in experience level, some having basic knowledge of information security and others having much more in-depth experience. It was going to be a fun presentation, and the opportunity to share knowledge and, in turn, be exposed to the experiences of others was going to be worth the effort.
Realizing the diversity of the audience and experience levels, we decided to produce a deck which would explore the Internet Threat Landscape, touching on key ideas and concepts which the organizers believed to be appropriate for the time and audience. We were to speak at the end of the day, so we decided to encourage an interactive approach during our presentation versus the traditional academic style presentation. We were privileged to receive a wonderful audience response as a result. A calculated risk, but a risk nonetheless. A lot of information was covered in a relatively short period (we lost 30 minutes of a 90 minute slot and were notified not long before taking the stage). Lights, camera, revolution! Opening remarks were made, obligatory joke to break the ice and set the tone, and then through the looking glass and on to the Threat Landscape. It was going to be a good presentation. As we progressed through the deck it occurred to me that there were looks of disbelief, shock and awe appearing on the faces of many in the audience. They dotted the local landscape the way wildflowers do hillsides in spring. Additionally, the knowing nod of heads could be seen as well; a good sign that the mark was being hit. As the presentation continued to flow we began introducing common threat vectors being exploited along with a brief historical overview of malware from 1971 to the present. I introduced the idea of evolution occurring naturally within the sub-ecosystems and greater ecosystem which accounts for the ecology of the Threat Landscape. It occurred to me while introducing this idea to the crowd how pedestrian things become when you are exposed through research, analysis and extensive study to your subject matter and yet how powerful and enlightening something can be to fresh eyes. It is the part of what we do which I love most: the education and subsequent recognition of the new. It is a beautiful thing.
We introduced the concept of web based application attacks, and though we didn’t have time to provide any real-time examples, demonstrated statistics provided through our own research and that conducted by organizations like WhiteHat Security, Inc. and IBM ISS X-Force. These statistics spoke to the prevalence of vulnerabilities such as SQL Injection, Cross Site Scripting (XSS), and Click Fraud; specifically their commonality in Internet based application activity seen today. Some of the statistics were shocking to the audience; you could see it in their eyes; they were not prepared to hear them; to see them; to realize what they meant to them on a personal level. Next, we introduced the concept of cyber-crime to the audience and began discussing just why someone might go to the lengths required to exploit one or more of these vulnerabilities. As the realities associated with our topic matter began resonating with the audience, again looks of disbelief appeared on the faces of some, sometimes only appearing in their eyes, while knowing looks appeared on the faces of others as they nodded their heads in agreement. This too was good.
We discussed the role of the individual operator, broached the concept of confederations and criminal exchanges and then touched briefly upon the role of true organized crime entities in this space. In order to drive the concept home we elected to introduce the concept of the botnet to the audience in order to illustrate some of the points we were making with respect to our topic matter. I spoke about botnet architecture, the role of cryptovirology in hiding binaries (making them undetectable by signature solutions and non-signature solutions alike), and much more. It felt good. What didn’t feel good was the realization that there is so much more education to do and how often there is so little time in which to do it effectively. This organization was no different than many that I have spoken at or consulted with over the years. Fortune 1000 organizations oftentimes have the same problems as do Fortune 50 organizations. Some organizations embrace education and awareness more seriously than do others, while there are some who, in order to protect the identities of those who work and toil on a daily basis in an effort to try introducing change, shall and need to remain nameless. Shattering the illusion of security via obscurity is as important within these as any other, perhaps more so. I encourage more education of this type. I believe there has never been a more appropriate time for it. The advent of Web 2.0, mobility and universal connectivity (all topics touched on in the presentation provided at the conference mentioned above) affects us all in both wonderful and potentially dangerous ways. It’s a situation akin to Pandora’s Jar, where upon opening it much danger, much evil was released into the world, yet when finally exhausted, at the bottom of the box, there lay hope. We must have hope. We need to encourage this and, in encouraging it, we can encourage change. Much needed change.
This post was provided to us courtesy of Mr. Robert Former, an information security professional and energy industry information security expert. We’d like to thank both Robert and his employer, Itron, Inc., for their time and co-operation.
Will Gragido
Smart Meters – An introduction
- INTRODUCTION
Like any commodity, energy, gas, water and sewage disposal must be measured to be sold. Over time a number of technologies have evolved to accomplish this goal. Naturally, as long as there has been a way to meter a service, there have been people trying to figure out how to get around the metering systems and get those services for free. This paper will examine some of the new metering technologies and compare them to the older traditional methods in the light of a secure implementation.
- TRADITIONAL METERING (Electro Mechanical)
The way services and utilities have traditionally been monitored has been with a mechanical system. Gas or water runs past some sort of vane which spins, driving gears and turning dials. Similarly, a mechanical electric meter uses induction loops to spin an aluminum disk which then turns gears that spin dials. Of course this data needs to be collected to be billed. With this type of metering, a utility will typically get an actual read through a meter reader and use sophisticated statistical modeling to estimate the rest of the time. How often the actual read occurs is really a function of state regulation and utility policy. Now an interesting thing that you can do (among many) is that if you understand the cycle that your utility uses, you can invert the meter. That’s right, pull it out of the socket, turn it over, put it back in and you still get electricity, but the meter runs BACKWARDS! Cool, free electricity as long as you don’t let the meter reader see the meter installed upside down. Some meters had mechanisms to prevent them from running backwards, but not all. A way the utilities have come up with to combat this and other methods of fraud goes back to the sophisticated statistical modeling. If the system sees a significant change in your usage pattern, you get flagged for a live read.
- AUTOMATIC METER READING (AMR)
Automated Meter Reading was introduced to accomplish two primary goals: improve the accuracy of metering by getting more live reads, and reduce the work force required to gather meter data. AMR is set up to send the data back to the billing system via some communication method, be it fixed service radio, data over power line, a meter reader with a handheld device, or a truck driving around and gathering the data over a low power radio link to the meter. AMR introduced another interesting feature: the ability to detect if someone had tampered with the meter. As the technology has advanced, and traditional mechanical meters are replaced, AMR systems have become increasingly prevalent. The major downside to an AMR system is that it is mostly a one way communication system. The meters “bubble up” the data on a periodic basis to the utility. Newer Advanced AMR systems have integrated some limited two way functionality, adding features like reading meter data on demand and remote disconnect switches. “Demand Reset” is also a function sometimes provided in two-way AMR. When you track a customer’s peak demand, the meter records the maximum peak instantaneous usage over a period. At the end of that period, you need to reset the demand back to zero so you can record during the next period. In earlier days, there was a locked button or lever the meter reader would press (they had the key) when they did the readings. More modern devices can do it based on a clock. In two-way AMR you can send a demand reset command after you’ve successfully retrieved the demand value. This inevitable march of progress has led us to the latest in service metering technology, AMI.
- ADVANCED METER INFRASTRUCTURE (AMI)
Advanced Meter Infrastructure is where it gets cool (and spooky to some). AMI is the natural evolution of AMR technology: a full two way communication system that allows on demand reading, Time of Use (TOU) billing, remote disconnect operation, load limiting, demand response, and more. Where things get really interesting is when a Home Area Network (HAN) is integrated into the meter. Now the meter can talk to properly equipped furnaces, air conditioners, water heaters, micro generation systems, thermostats and In Home Display (IHD) devices that tell you just how much it will cost you to run the dishwasher at 3 in the afternoon vs. 3 in the morning. Past that, it enables portable billing and usage of Personal Electric Vehicles (PEV), which can also be leveraged as local storage devices to help manage load spikes on the distribution system. Another interesting feature is the ability to subscribe to a service from the utility that allows them to reduce your power consumption by managing large appliances in return for a lower billing rate. Notice I said SUBSCRIBE. You have to sign up for it. This is important because for all the really interesting things AMI can do, it has also stirred up some serious political debate. While the technical concerns around security are addressed further on, let us examine the paranoia that AMI has raised. The first fear is that The Government (you know who I mean, the socialist/fascist (sic) fat cats in and around DC) is going to take control of your appliances and dictate when you can use them, and how much. This is followed rapidly by the fear that The Government will collect your usage information and somehow use it against you. None of this is helped by political pundits and demagogues who have decided to whip the masses into a frenzy using this as one of the egg beaters. Politics aside, there ARE some genuine security concerns to look at, and that is one of the things we will look at starting with the next installment, “The Risks”.
There are some intermediate steps in the evolution from electro-mechanical metering to AMI, but they are outside the scope of this discussion. If you would like more information about the details, Wikipedia has some good articles.
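The usage-pattern flagging described under traditional metering and the AMR tamper flag, as an added example of the utility-side detection logic (this is illustrative code, not Itron’s or the author’s; the register size, thresholds and monthly reads are constructed):

```python
"""Usage-pattern and tamper screening over cumulative meter reads.

Added example, not Itron's or the author's code. Register size, thresholds
and the sample reads are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

REGISTER_MAX = 100_000  # assumed 5-digit cumulative kWh register, wraps at 99,999


@dataclass
class Read:
    period: str            # billing period label
    register: float        # cumulative kWh displayed by the meter
    tamper: bool = False   # AMR tamper flag; always False for an electromechanical meter


def interval_kwh(prev: float, curr: float) -> float:
    """Consumption between two reads, allowing for one legitimate register wrap.

    A wrap (99,950 -> 40) looks like a large negative delta; adding REGISTER_MAX
    gives a small positive interval. A meter running backwards (5,000 -> 4,800)
    stays negative, because adding REGISTER_MAX would imply an absurd interval.
    """
    delta = curr - prev
    if delta < 0 and delta + REGISTER_MAX < REGISTER_MAX / 2:
        delta += REGISTER_MAX
    return delta


def flag_for_live_read(reads, drop_ratio=0.5, z_limit=3.0, baseline=6):
    """Return {period: [reasons]} for periods that should get an actual read.

    A tamper flag, a register that decreases, or a significant change from the
    customer's own recent usage pattern triggers a live read. Flagged periods
    are kept out of the baseline so an anomaly does not become the new normal.
    """
    flags = {}
    history = []
    for prev, curr in zip(reads, reads[1:]):
        kwh = interval_kwh(prev.register, curr.register)
        reasons = []
        if curr.tamper:
            reasons.append("tamper flag set")
        if kwh < 0:
            reasons.append("register decreased")
        elif len(history) >= baseline:
            base = history[-baseline:]
            mu, sigma = mean(base), pstdev(base)
            if kwh < mu * drop_ratio:
                reasons.append(f"usage {kwh:.0f} kWh is below {drop_ratio:.0%} of baseline {mu:.0f}")
            elif sigma > 0 and abs(kwh - mu) / sigma > z_limit:
                reasons.append(f"usage {kwh:.0f} kWh is {abs(kwh - mu) / sigma:.1f} sigma from baseline")
        if reasons:
            flags[curr.period] = reasons
        else:
            history.append(kwh)
    return flags


# Constructed monthly reads: steady ~600 kWh, then a sharp drop, a decreasing
# register (meter installed upside down), then a tamper-flagged AMR read.
SAMPLE_READS = [
    Read("2010-01", 10000), Read("2010-02", 10600), Read("2010-03", 11200),
    Read("2010-04", 11790), Read("2010-05", 12400), Read("2010-06", 13010),
    Read("2010-07", 13600), Read("2010-08", 14210),
    Read("2010-09", 14450),                 # 240 kWh: suspicious drop
    Read("2010-10", 14300),                 # register went backwards
    Read("2010-11", 15000, tamper=True),    # AMR meter reports tampering
]

if __name__ == "__main__":
    for period, reasons in flag_for_live_read(SAMPLE_READS).items():
        print(period, "->", "; ".join(reasons))
```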
About Our Guest Author:
Robert Former: Robert is a security engineer with 20 years’ experience in the IT field. Throughout his career, Robert has worked in many aspects of Information Technology and has experience in the design, implementation, and operation of cabling, LAN, WAN, MAN, both traditional and IP telephony, data centers, server systems, and for the last 7 years, Information Security and Compliance. Robert currently holds the ISC(2) CISSP™, ISACA CISA™, and NSA IAM/IEM certifications. He is employed by Itron, Inc., a leading manufacturer of energy measurement systems, as the Principal Security Engineer in the R&D department. In his spare time, Robert enjoys spending time with his family as well as pursuing photography as an enthusiast and amateur radio.
Full Disclosure – I am a former McAfee employee, and currently draw a paycheck from a McAfee partner. The following are clearly my own thoughts and do not represent McAfee, my current/former employer(s) or anyone else.
Having been in the IT security industry for at least a decade, I have come to two key realizations:
1.) The IT security industry, as it relates to vendors selling products is largely based on FUD (fear, uncertainty, doubt), and
2.) Antivirus in almost no significant way equals comprehensive security
As many across the interwebs have already brought to light, McAfee had a very public snafu with one of their DAT updates (DAT 5958). Here is a mildly humorous link from Engadget’s site. To be clear, the point of this post is not to say that the antivirus market is poor or dead, or that McAfee has substandard products or solutions (usually the contrary), but that mistakes like this hurt not just one vendor or end customer; the entire industry suffers.
That last part is an important point, especially in the case of endpoint security. Mistakes happen. QA processes are not perfect, and vendors are trying to cut costs at every turn to increase profitability, so these things happen. In this specific case, if you were running VirusScan Enterprise with default settings, you would have fared a bit better than those who enabled “scan process by enable” or ran an on-demand scan with the 5958 DAT and scanned svchost.exe, as the SVP of McAfee Support mentions in his blog post.
I see this with a lot of security practitioners: they turn on non-default options and get burned. Again, not picking on McAfee, but they also had a recent issue in their Patch 3 release of VirusScan Enterprise 8.7i that was triggered when you enabled “Prevent Windows Process Spoofing” (also an option that is disabled by default). This does not affect you if you don’t start turning on options you don’t fully understand. So, if you are responsible for endpoint security, a few simple tips:
1.) Have an IT test environment in place. Like Noah’s Ark, have representative systems (hardware, OS levels and apps installed) to test on before you deploy. Many large enterprises wait 12-24 hours before rolling out DATs, and those who did were largely unaffected by this issue. Vendors like to throw around FUD here and push people to deploy reactive DAT coverage, and in few instances does security supersede system availability.
2.) Stick with the default options unless you are ready to accept the consequences – if you left the default options in place, neither of these two recent McAfee issues would have affected you. Quit turning knobs when you don’t fully understand what they do. A lot of us in IT assume instead of “trust but verify”.
3.) On-Demand scans are of minimal help on end workstations. AV scanning, especially on a scheduled basis is reactive. You already have malcode. Use realtime protection/on-access scanning, whatever. Save the scheduled reactive scanning for your file servers, SharePoint, and other file and data repositories.
4.) Antivirus is not total security, it is only one countermeasure. And, most importantly it is a reactive countermeasure at that. Regardless of what spin vendors put on it (heuristics, sandboxing, lookups in the cloud, etc.) by its very nature it is a reactive countermeasure. Implement more/better countermeasures, which leads me to …
5.) Complement endpoint security with more than just desktop and network firewalls. If you don’t use Host-based Intrusion Prevention on your laptops and critical systems, you probably should. There is a big difference between detecting malicious code or signature viruses and stopping malicious traffic, and there is way more to it than blocking a port or protocol.
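Tips 1 and 2 expressed as a rollout gate that a DAT must pass before it leaves the lab, as an added example (not McAfee’s or the author’s code; the profile fields, the 12-hour soak default, the release time and the sample fleet are constructed). A test box only counts as representative if it matches a fleet profile on OS, installed apps and the scanner options that differ from the vendor defaults, since the page notes that default and non-default configurations behaved differently with DAT 5958.

```python
"""Staged DAT rollout gate: soak window, representative coverage, passing tests.

Added example, not McAfee's or the author's code. Profile fields, soak default,
release time and the fleet below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Profile:
    """What makes a test box representative of a slice of the fleet."""
    os: str
    apps: frozenset                 # installed applications
    non_default_options: frozenset  # scanner knobs turned on beyond vendor defaults


@dataclass
class TestRun:
    profile: Profile
    dat_version: int
    passed: bool


def missing_coverage(fleet, tested):
    """Fleet profiles with no matching test system (the Noah's Ark check)."""
    return sorted(set(fleet) - set(tested), key=lambda p: (p.os, sorted(p.non_default_options)))


def rollout_decision(dat_version, published, now, fleet, runs, soak_hours=12):
    """Return (go, reasons); the DAT is cleared for the fleet only when reasons is empty."""
    reasons = []
    age = now - published
    if age < timedelta(hours=soak_hours):
        reasons.append(f"DAT {dat_version} is {age.total_seconds() / 3600:.0f}h old, soak window is {soak_hours}h")
    relevant = [r for r in runs if r.dat_version == dat_version]
    for p in missing_coverage(fleet, [r.profile for r in relevant]):
        opts = sorted(p.non_default_options) or "defaults"
        reasons.append(f"no test system for {p.os} with {sorted(p.apps)} and scanner options {opts}")
    for r in relevant:
        if not r.passed:
            reasons.append(f"DAT {dat_version} failed on {r.profile.os} with options {sorted(r.profile.non_default_options) or 'defaults'}")
    return (not reasons, reasons)


# Constructed fleet: the same XP build appears twice because one group of
# machines runs with a non-default scanner option turned on.
FLEET = [
    Profile("Windows XP SP3", frozenset({"Office 2007"}), frozenset()),
    Profile("Windows XP SP3", frozenset({"Office 2007"}), frozenset({"scan process by enable"})),
    Profile("Windows 7", frozenset({"Office 2007", "SAP GUI"}), frozenset()),
]
PUBLISHED = datetime(2010, 4, 21, 6, 0)  # constructed release time for the DAT under test
RUNS = [
    TestRun(FLEET[0], 5958, passed=True),
    TestRun(FLEET[1], 5958, passed=False),  # svchost.exe quarantined with the option on
]


def hours_after(h):
    """Clock value h hours after the constructed release time."""
    return PUBLISHED + timedelta(hours=h)


if __name__ == "__main__":
    go, why = rollout_decision(5958, PUBLISHED, hours_after(14), FLEET, RUNS)
    print("GO" if go else "HOLD")
    for line in why:
        print(" -", line)
```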
The point of this is not to unleash a hit piece on a specific vendor or technology, but to make sure practitioners frame the security tools and countermeasures in the appropriate context. AV won’t save you from malicious traffic for the most part, or from a targeted attack. Just like network security is not the answer to all of your security issues. The answer is an honest assessment of your countermeasures and their configurations, and if that maps to an acceptable level of protection versus risk. Sounds so simple, yet the devil’s in the details.