Recent events have caused the world at large to take note of something which many (certainly not all) information security professionals have been intimately aware of for some time: the dynamic nature of the threat landscape, as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APT), first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were there other names for these threats in the years prior to the coining of this term? Yes; for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty, no?), as that is exactly what they were when noticed: events of interest. Today, in a wonderfully thought-provoking guest blog posting at Threatpost.com, Scott Crawford and Nick Selby reiterated that it’s the adversaries, not the threats, which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, or sub-national entity: criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and the weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has proven true to my colleagues and me here at Cassandra Security and at other affiliated organizations such as Trident Risk Management many times over. What is old is often vigorously repeated, as people so often become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment Solomon expressed in his writing of the Book of Ecclesiastes: “…there is nothing new under the sun…”. We need to ask ourselves why. Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity which is not new, but rather the result of creativity, innovation in thought, action and deed, in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves do, in both offense and defense? And why does our industry slumber like a sleeping giant, as members of this organization suggested last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike, operating on behalf of, in deference to, or outside of nation state sponsored activity, are real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion, nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what threats such as those seen in the ‘Aurora’ attacks are targeting, namely data. In the public sector, with respect to defense and strategic offense, it has always been about the data; data and intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter, but also indicative of one of the greater problems present within our industry: sensationalism, and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye and no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet, for example) are far from new.
You may have read articles addressing this topic here at Cassandra Security previously, or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or Threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new, nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security and risk posture must address for themselves and take note of, should they wish to stave off current or future attacks. This fact is apparent in a multitude of historical cases, and will no doubt continue to be the case, as I and my colleagues here and at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything, whether we wish to admit so or not. Cybercriminal activity in all its flavors, in addition to nation state sponsored and sub-nationally sponsored activity, requires this now more so than ever before. The future is now, and it is up to those who dare to lead to provide the light necessary to illuminate the paths we tread.
First, I’m a fan of Social Networking and I was not expecting a re-direct to another site. Although this was temporary, it was frustrating. After doing some poking around and speaking with my good friend and colleague, Will Gragido, I stumbled across this article that gave a little more insight into the issue. According to Claudine Beaumont, Technology Editor of the Telegraph UK, “visitors to Twitter.com were automatically redirected to another web page, which displayed a green flag and English and Arabic writing: ‘This site has been hacked by the Iranian Cyber Army,’ read the message. ‘The USA thinks they control and manage Internet access, but they don’t. We control and manage the Internet with our power, so do not try to the incite Iranian people.’” Now, I don’t categorize this as a hack but as a compromise, cyber noise like a DDoS attack. I would have been impressed if they had tagged the web site directly. The sophistication needed to pull this off is on the level of a “Script Kiddie”. The tools are freely available on the Internet; my 11 year old could pull it off with a few Google queries. I guess the Iranian Cyber Army has not been keeping up with the news lately: the US Gov’t ceded control of ICANN to the world. For more information please check out the link: http://bit.ly/6KSuny.
The good thing is the people at Twitter were able to correct the issue very quickly; as I mentioned, the level of sophistication and indirect control was minimal. Additionally, Twitter had another breach early this summer; for more information on that please check out: http://bit.ly/2lUzNM. I don’t think this is going to be the last time, and I’m sure other Social Networking sites have increased their security posture and awareness. Lastly and more importantly, the Iranian Military has seized control of an oil field in Northern Iraq (link to Reuters: http://bit.ly/7H7TC5). With that said, and although this is purely speculation, we have a cyber attack/message less than 24 hours before a physical attack. Could these be tied together? Not sure, but interesting nonetheless. Everyone’s thoughts and comments are welcomed.
The Rosie Scale and Stopping Stupid
Ok, girls and boys, gather round the campfire, because it’s story time here at Camp Cassandra. A long time ago, and in an office building far far away, I worked in the I.T. department at the corporate headquarters of a large telecommunications company. I liked my job, and the people I worked with were, generally speaking, pretty easy to deal with. There was, however, one person whose name struck fear into the hearts of everyone on not only my team, but my entire department. This person wasn’t feared because she occupied a position of great authority, or had corporate political clout, or social connections. This person was feared by my colleagues in the I.T. Department for one reason and one reason alone: she might have been the dumbest person to ever sit down in front of a keyboard, and her name was Rosie. The people in my department knew that when Rosie called, it was more likely than not to consume the better part of a day. A visit to Rosie’s desk became a hazing event, in fact – the desktop support people reveled in sending new techs, oblivious to Rosie’s reputation, just to see the look of horror on their faces when they got back into the bullpen where we all sat.
This is not to say that Rosie was bad at her job – she was certainly competent at whatever it was that she was there to do, or they wouldn’t have kept her around. She also wasn’t a rude or unpleasant person to deal with – quite the contrary, in fact. She was actually quite a smart and witty person, but put her in front of a computer and her IQ would drop by an order of magnitude. Rosie had the tragic touch – she could cause a blue screen of death by walking PAST a computer. She once single-handedly took down the entire company’s network of email servers for an afternoon, in a single act of “wow, I didn’t know that would happen.” (if you’re curious about how she accomplished this, she did it by sending an email containing a 200MB attachment addressed to all 90,000 people in the company, and inadvertently exposed a serious flaw in the message size limit mechanism built into Microsoft Exchange 5.5 in the process.) Rosie could break a computer like no one else I’ve seen before or since. She’d have made a great QA engineer, if she could only tell anyone with any degree of specificity what the heck it was that she was doing when her computer went up in a mushroom cloud. Training Rosie on how to properly use her machine was a pointless exercise – it was like trying to fill a bucket that had a hole in the bottom. Rosie could make an abacus crash. She might have been the reason Microsoft invented Bob. The term “stupefyingly stupid” seems redundant, but it’s really not all that far off the mark. We’re talking weapons-grade stupidity here.
One night, after many beers and while swapping war stories at happy hour, a few of us decided to come up with an (admittedly imprecise) metric of end-user technology ability, which became known as The Rosie Scale. It’s been a few years, but from the best I can recall, the Rosie Scale looked something like this:
0 – Alan Turing
1 – Tim Berners-Lee, Dennis Ritchie, Steve Wozniak, Grace Hopper
2 – Linus Torvalds, Larry Wall
3 – Sysadmins, clueful developers, QA folks and support people
4 – Your average MCSE bootcamp graduate
5 – Your average corporate end user
6 – Your average AOL user (hey, it was the late 90s)
7 – Algae
8 – bellybutton fluff
9 – a bag of hammers, a box of rocks
10 – Rosie
Now, the sad thing is that Rosie is by no stretch of the imagination a unique individual. In fact, I’m willing to bet that among those reading this who’ve done end-user facing support for any length of time, a fair percentage have already given themselves whiplash from nodding in acknowledgement. We’ve all known our own Rosie, and we’ve got the emotional scars to prove it.
And this brings me to the moral of this little story. I came across this article earlier tonight and thought it worth a mention. This article discusses something that’s fairly well-established among I.T. Security professionals: that the biggest threat to the enterprise isn’t from the outside – it’s from the inside. Typically, the threat is from insiders who are not only acting without malice, but more than likely acting without the knowledge of why what they’ve done was bad in the first place. A colleague of mine once told me that he thought that 90% of IT security with regard to the endpoint was “stopping stupid,” and I couldn’t possibly agree more. Think about it: Most endpoint-based malware prevalent in the wild these days relies, at least in part, on social engineering; taking advantage of the end user’s trust or lack of sophistication. In fact, DLP, which has almost overnight become an endpoint must-have, is almost ALL “stopping stupid” – again protecting the end user from doing something dumb, like copying data including orders for troop movements to an unencrypted USB stick and then losing it in a nightclub in Cornwall, like this guy did. This person wasn’t acting with malice, and didn’t intend to compromise the data to which he was entrusted. He was being stupid, and worse yet didn’t know how stupid, and got caught out for it – but only because the person who found the USB stick turned it over to a newspaper rather than to the UK Ministry of Defense.
And this brings me back to my old friend Rosie. For the IT people out there, I want you to close your eyes, and think about your Rosie, the least-sophisticated, error-prone, “oh I wasn’t supposed to click on that attachment?” user you have. When viewed in the light of “stopping stupid”, this is the person you have to worry about the most.
I’ve noticed something recently: that we, as an industry, talk a good game when it comes to internal threats (the above-linked article being an example of that) but it still seems that we have a bit of a blind spot when it comes to providing actual protection, focusing more on direct attacks from external sources. As much as we worry about Eastern European or Asian organized crime gangs, or foreign government spies, or some kid sitting in their basement with too much time on his hands, anti-social tendencies, and a full bottle of Ritalin, the real threat is sitting in your office right now. The well-meaning but clueless person in your company who just doesn’t understand the consequences of what they are doing (in other words, your Rosie) is a bigger threat than all of those people combined, because they’re the ones holding the door open for the guys who are acting with malice.
And, your Rosie is the only thing standing between you and your organization’s next outbreak or data breach. If that doesn’t scare the pants off you, you’re in the wrong business.
Give Me Liberty or Give Me Yes!: These Prices Are Insane
Trojans are tricky. For a brief period of time (a few years back now), they were written off and believed to be trivialities: easily detected, easily dealt with and largely sooooo 2001. It would’ve been foolhardy to totally dismiss the Trojan as both a convenient and effective means of distributing malicious code and content, and that is why security researchers of all denominations (blackhat, whitehat, grayhat – remind me to expand upon my feelings on grayhats at a later date) never did. The reality is that Trojans are as popular in the underground and as much en vogue (perhaps more so) today as they were ten years ago.
Trojans, and the exploit packs associated with them, are quite easily obtained, assembled and had for what could be argued are minimal investments when the potential revenue to be had from their use is taken into account. Take for example the following Trojan and exploit packs currently being discussed within the underground. You’ll note the following about each:
- A detailed explanation of the associated / included exploits (and, where available, the related vulnerability data)
- Price
In other posts, I’ve discussed the movements and evolutions in the underground with respect to cybercrime and crimeware as a service (CaaS). The following information represents examples of both while additionally breaking down each pack (and value added services associated with / provided by the given vendor).
Unique Pack Sploit
latest: v.1.5 (0331)
exploits:
[+] modified Mdac for IE6
[+] Pdf (v.8.1.2 05.01.08) – new Pdf sploit for IE7, Opera & FF
[+] Adobe Acrobat 9 Exploit – new sploit (11.09.08)
[+] Pdf Double – two Pdf sploits
[+] Ms Office Snapshot – for IE6 and IE7
[+] Ie 7 XML Spl – new sploit for IE 7
[+] FF Embed – for FF <= 3.0.5**
[+] IE 7 Uninitialized Memory Corruption Exploit – new sploit for IE7 (18.02.09)
[+] Spl Amaya 11 – for Amaya 11
[+] Foxit Reader 3.0 (Build 1301) PDF Buffer Overflow Exploit (Universal) – all browsers
price: 600$
Notes on Unique Pack Sploit: Blended attacks & exploits with heavy emphasis on browser security weakness. Additionally, you’ll note exploits using MS Office and structured data formats.
YES Exploit System
latest: 1.2.0
exploits: alot. good crypted
price: 700$
Notes on YES Exploit System: Lots of buzz around this but not a lot of detail; more research is required with respect to the exploits and associated vulnerabilities. The authors (vendors) suggest it’s full of solid exploits and contains a crypto-pack.
Neon exploit system
latest version: 2.0.5
exploits:
- IE7 MC;
- PDF collab;
- PDF util.printf;
- PDF foxit reader;
- MDAC;
- Snapshot;
- Flash 9;
price: 400$, minor updates – free
Notes on Neon Exploit System: Fair number of exploits associated with this pack. It mainly targets Adobe vulnerabilities; however, the authors also include MDAC, MS Office Snapshot and a Flash exploit for good measure. Additionally, the vendor offers maintenance – scary, right?
Nuclear
exploits:
MDAC – ie5, ie6
Snapshot – ie6, ie7
PDF Collab.collectEmailInfo – all browsers
PDF Util.printf – all browsers
PDF Collab.getIcon – all browsers
XML – ie7, ie8
MS09-002 – ie7, ie8
price: 900$
Notes on Nuclear: First off, it’s the most expensive of those discussed thus far, however the vibe in the underground suggests it’s quite effective. This remains to be seen in testing. You’ll note many of the same exploits (or promised exploits) present within this pack as in others with a few additional Microsoft exploits thrown in, specifically those targeting IE vulnerabilities.
Liberty Exploit System
latest: 1.0.5
exploits:
MS06-014 Internet Explorer (MDAC) Remote Code Execution Exploit
PDF util.printf(), PDF collab.collectEmailInfo(), PDF collab.getIcon()
Flash 9
MS DirectShow
Snapshot
Java 0day
price: 500$
Notes on Liberty Exploit System: From a blended malware exploit pack offering perspective it’s interesting. It combines many exploits targeting many potential system and application vulnerabilities. It’s getting a great deal of buzz, and the authors are quite insistent that its effectiveness is indisputable.
The above is a statistical representation provided by the vendors to demonstrate the effectiveness of their tool. This particular screenshot shows specifics regarding unique instances of exploits, downloads and success ratios in terms of percent.
My point in sharing this information on this blog is twofold:
- To educate those tasked with stewardship of enterprise environments & themselves
- To implore the industry to not dismiss the seriousness of the challenges and parties responsible for these threats
The seriousness of these and similar threats is growing, and is subsequently challenging professionals and amateurs alike. It is crucial that we prepare ourselves for the challenges ahead.
What is old, is new again
I read an interesting report this afternoon from Graham Cluley at Sophos on how applications are turning up all over the world infected with the Win32/Induc-A virus. Sophos’s investigation turned up a rather unique infection vector: it appears from their analysis that this new nasty doesn’t attempt to attack existing executables or application data files. Instead, Induc-A attacks in a very different way: by inserting itself at compile-time into Delphi applications being compiled on an infected machine. It’s a direct attack against the compiler.
Now, this concept isn’t really new. Ken Thompson saw this coming 25 years ago, and talked about it at length in his Turing Award lecture, entitled Reflections on Trusting Trust. In that paper, Thompson posited that “You can’t trust code that you did not totally create yourself.” Thompson’s paper goes on to demonstrate that a backdoored compiler could, in turn, infect every program compiled with it, and, in fact, re-insert itself into a non-backdoored version of the source code of the compiler itself!
So, what does this mean for us? Not much, yet. Induc-A doesn’t really do much other than self-replicate. It’s an interesting proof-of-concept, though, and it may signal another round in the escalating attack/counterattack AV arms race. As far as I know, there are no AV products that check source code or compilers. My best guess right now is that as a result of this, we’ll start to see source-code and compile-time checks sold as a feature in either existing products or perhaps a new, dev-specific AV product.
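One form the compile-time check suggested above could take, as an added example that is not code from the original post, from Sophos or from any AV vendor: a Python script that hashes every file under a compiler's library directory and compares it against a manifest recorded from a trusted installation, refusing to build if a unit was modified, added or removed. The directory layout, unit names and file contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def _sha256(path):
    """Hash a file in chunks so large library files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = _sha256(full)
    return manifest


def verify_toolchain(root, trusted):
    """Compare the live toolchain directory with a trusted manifest.

    Returns {'modified': [...], 'added': [...], 'missing': [...]}; any
    non-empty list should stop the build. A patched library unit is how a
    compile-time infector persists, and a file the trusted snapshot never
    had (for example a backup of the original unit) is just as suspect.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "added": sorted(p for p in current if p not in trusted),
        "missing": sorted(p for p in trusted if p not in current),
    }


def demo():
    """Constructed scenario: snapshot a clean lib directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        # Placeholder unit files; names and contents are invented for the demo.
        for name, body in (("SysUtils.dcu", b"clean unit A"), ("Classes.dcu", b"clean unit B")):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(body)
        trusted = build_manifest(root)  # in practice stored off the build host
        # Simulate an infector: append code to one unit and leave a backup copy.
        with open(os.path.join(lib, "SysUtils.dcu"), "ab") as f:
            f.write(b" + injected code")
        with open(os.path.join(lib, "SysUtils.bak"), "wb") as f:
            f.write(b"clean unit A")
        return verify_toolchain(root, trusted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only helps if it is produced from an install you trust and kept where the build host cannot rewrite it; a check that reads its baseline from the same machine it is checking is exactly the trust problem Thompson describes.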