A little over two weeks ago United States Army Specialist Bradley Manning was arrested, and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, a well-known “reformed” black hat hacker, over encrypted instant messaging sessions, ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo, along with Wired.com journalist Kevin Poulsen, has been labeled a ‘snitch’ as a result of Lamo’s cooperation with the authorities and Poulsen. The Internet is awash with speculation regarding this story, with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site to which Specialist Manning allegedly provided these documents and videos – stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.
Regardless of your position on free speech, or on what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified, must be taken note of, as that which motivates them in many respects lies squarely outside of the norms associated with breaches of this type. In most cases of espionage, which is candidly what this is, regardless of your feelings or philosophy, there are common indicators that are noted and tend to be exploited by those seeking to induce a party to do their bidding. This case is different. It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date) was not motivated by greed or financial hardship (motivators seen in countless other cases, such as those of Ames, the Walkers, or Hanssen for example), or by vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third-party relay, from information disclosed from the communications between Manning and Lamo, and from information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe as idealistic or philosophical.
As a result, I am going to refrain from weighing in with an opinion regarding guilt or innocence, as no doubt Specialist Manning will be undergoing investigation and, I would imagine, a Court Martial as a result of the allegations being brought forth against him. Certainly the communications he provided Lamo will act in building and strengthening the case against him, and we would all do well to remember that Specialist Manning, like all military personnel, swore an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself reads as follows:
“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.”
It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance, one’s personal life and opinions must be willingly put aside for the greater good, as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place, nor is it my desire, to pass judgment on this young man. That day and duty will come, and justice will be served in a military court of his peers at a time yet to be determined. My real concern stems from the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis, and their procedural and operational effectiveness. Allowing anyone to enter a classified environment with read/writable media is not uncommon; read/writable media is used within these environments. However, allowing them to leave the facility with read/writable media, regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read/writable disk as a ‘Lady Gaga’ CD and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file), is unusual to say the very least. In most cases it does not, and never should, occur.
This no doubt will be investigated by Army CID and others, and will likely see the watch command, Officer in Charge and others investigated in order to properly assess whether Specialist Manning acted alone or in collusion with others. The results? Well, we’ll have to wait for the results to be arrived at; we may never know, as the Department of Defense may desire (and it is their right to do so) not to disclose all that they find. Regardless, I cannot think of a better case to highlight the need for regular and vigilant security awareness and educational training, in addition to greater degrees of cognizance of the existence and potential use and hosting of onion-routed repositories within networks (public or private), which may be used for questionable and, in some cases quite clearly, criminal ends.
The Need for New Taxonomic Views of Malicious Code & Content
Today’s blog post has been kicking around in the recesses of my mind for a while. I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice. It deals with a subject that over time has become much more popularized, though not to the degree that other subjects within our space have: customized, designer malware. Some industries and security practitioners are much more familiar with this particular family of malicious code and content than others. Certainly key elements within the public sector (DoD, Intelligence Community) and private sector (Defense Industrial Base, high-tech R&D, biomedical R&D) are no strangers to this family, but for the majority I have to believe that it is still largely the stuff of myth and folklore. When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic. It’s a simple value proposition for the attacker:
1. Study your target(s)
2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
3. Study and evaluate targets of opportunity – technical and non-technical
4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
5. Engage and begin insertion within the target environment
6. Locate, identify and observe targets of interest, paying special attention to the people, process and technologies put in place to protect the targets
7. Assess opportunity cost
8. Engage in compromise
9. Secure targeted object of mission
10. Extricate data and/or target (remember the target could be something of a non-digital order, say a next-generation telecommunications handheld for example)
11. Secure the target
12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question
Sounds complex, perhaps even a bit fanciful or fictitious, but rest assured, dear reader, it is anything but fictitious. Methodologies of this sort, and other similarly enacted methodologies, are utilized often within operations that focus on the use of customized and designer malware targeted at an organization, or a specific individual within that organization, for the express purpose of illegally acquiring information or assets belonging to that organization which, were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.
As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist. In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.
So how do we begin fighting these threats? We begin very much in the same way in which we always do: by preparing ourselves and forgoing the tendency to take the path of least resistance. Many times the attacks and compromises seen which fall into the family of customized, designer malware leverage as a basis technologies which are well known and documented. Rootkits, backdoors, and Trojans, amongst others, have been noted effectively in these scenarios, as have various and sundry examples of ransomware. I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges. These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape, which at times are denounced as being fiction (e.g. the claim that if an attack is launched by a nation state or sub-national entity for financial gain it cannot be an APT – this is rubbish). Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on a scale far grander than had ever previously been considered.
New White Paper: The Rise of the Cyber Cell
The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell
Introduction: Changing the Paradigm
Lately, cyber-crime legislation seems to be in vogue. The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), the International Cybercrime Reporting and Cooperation Act introduced by Senators Gillibrand and Hatch, as well as some serious talk in the European Union of creating a treaty to address cyber criminal activity, have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective, or worse, detrimental. We should all be able to agree (based on solid research and evidence) that cybercrime exists, and that, as the Internet knows no legal or national boundaries, it impacts us all, whether we find ourselves in the Americas, the Asia-Pacific Rim, or somewhere in any number of European, Middle Eastern or African nations.
However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at a succinct way in which to address, investigate, and prosecute it on a global level. As such, the need for a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is served without bias, is greater now than ever before in human history. Legislation drafted in a vacuum, regardless of the intentions of those parties responsible for its drafting and creation, will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals. A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved in activities deemed ‘criminal’, while deterring those who are considering involvement from getting involved in the first place.
A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals
The first premise of this treatise I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc. It involves basing the international cybercrime laws I’m referring to above on the RICO statutes of the United States of America. The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as the RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization. It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. §§ 1961–1968.
Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia, known colloquially as La Cosa Nostra. Its use has been realized beyond its initial purpose and continues to be used creatively by law enforcement in prosecuting others who are actively engaged in organized criminal activity. As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even outdated, prosecutorial tactics. Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, thus enabling it to truly meet the needs of the Internet-dependent global economy. RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities. People like Albert Gonzalez, who was recently convicted for his instrumental role in the TJX data theft – a theft culminating in excess of 44 million credit cards – could have been stopped while in their planning stages. Legislation such as the type being described here might very well have prevented some other crimes, such as Hannaford, Heartland, 7-11, and countless others.
Tempus Fugit: Time Flies and Waits for No One
We are living in progressive and wondrous times. The passing of the Rockefeller-Snowe bill within the Congress of the United States of America demonstrates a small yet important glimpse of just how progressive they are. This bill would permit the United States to apply and enforce sanctions against a nation which knowingly harbors cyber-criminals. Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas, not the least of which is its failure to address the importance of geo-presence and location within the legislation. Criminals, as we all know, can hide, spoof, and bounce off many countries while they commit their crimes with little effort, provided they are well organized and possess a rudimentary knowledge of TCP/IP networking and spoofing techniques. As a result we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an unpatched system connected, via an enterprise or home network, to the Internet. I started thinking about how we surf the Internet, or, in other languages, how we navigate through it. That gave me an idea that I would propose could be a great foundation. We need a RICO-like statute that is based on Admiralty law. I propose calling it Cyber-RICO.
Cyber-RICO: Changing the Rules To Accommodate The Game
One might ask, why Admiralty law? Well, for a variety of reasons. First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel between the cloud-like nature of the Internet and those very real waters. It touches many countries, and we all have a vested interest in protecting it. More importantly, no one nation can lay claim to, nor police, international waters, as by definition they are international and thus the responsibility of all who use and take advantage of them. Think about that for a moment. Who doesn’t use or take advantage of international waters, if not directly, then indirectly? International commerce uses these waterways as a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud. And just as on the high seas, where for millennia privateers and pirates have sought to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers) sought to take advantage of the nebulous nature of the Internet.
Back when maritime laws were developed, the principal reason that drove ratification of these multilateral treaties was self-interest. Some nations, such as those that provided safe harbor to the pirates, were hesitant to adopt them at first. However, when the pirates turned against them, the countries’ own self-interest quickly encouraged them to ratify and espouse such a law.
The basis of maritime law is that any country that has signed the multilateral treaty can involve itself in the enforcement of the laws. In the same fashion, Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet. Even when country boundaries are crossed, international task forces could then work within a common framework of enforcement, as with the current anti-piracy task forces that are working off the coast of Somalia. They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying. That is the right spirit of the law, and it would work just as well as it relates to cybercrime.
Introduction:
Just when you thought it could not get any weirder, we bring you yet another installment of Bombs, Bullets, and Bits! In fact this is Episode V of the ongoing series, and today’s installment focuses on the wonderment of open-market promotion, marketing, and salesmanship within the sub-economic ecosystems of the underground. Before we get going, though, I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.
Adam Smith and Underground Sub-Economic Ecosystem of the Internet:
Adam Smith is revered the world over by economists and non-economists alike. Smith (b. 1723 – d. 1790) wrote what is considered by many to be one of the most important texts in economics and philosophy, The Wealth of Nations. He is credited with coining the phrase and concept of the “invisible hand of the market” which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles of conditions such as supply and demand. If you’ve not studied Smith’s works I would suggest picking up his The Wealth of Nations, as it is timeless. In the event you have not, but are interested in understanding the basic premises of Smith’s philosophy (and if you intend on reading the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points contained therein:
- Every good and/or service has a “natural price” as determined by the weight given to it by its supplier, seller and the potential buyers
- If the price for a good and/or service exceeds that natural price, then more resources (sellers, suppliers etc.) will be attracted to that market seeking to make a profit
- The price will return to its “natural” level over time as a result of market conditions
- ‘Supply’ should be viewed as a force or condition that tends to impact the price of a good or service based on availability and demand
- ‘Demand’ should be viewed as a force that increases the price of a good or service. Demand is also driven and influenced by supply (depending on what the good or service is)
- If the two (‘Supply’ and ‘Demand’) are in equilibrium, a state of stability in the market, then they will remain in balance. Should that stability fluctuate away from equilibrium, the natural cycle associated with competition rises once more and a return to ‘normalized’ pricing occurs
- These cycles never cease; they are, in effect, in a state of kinetic motion
Relevance to the Underground and You:
Ok, at this point you may be thinking, “thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.?” I’m glad you asked. As we established above, every good and/or service has what Smith called a “natural price”. This “natural price” is determined by a variety of factors including, at a high level:
- Supply
- Demand
As one might expect, availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers. This is true in all markets, up to and including the various ‘sub-ecosystems’ of the underground. In conducting research on botnets I recently ran across quite a bit of ‘marketing’ and solicitation, the likes of which would’ve made any professional sales team proud. Want access to source code for a botnet to do with what you will? DDoS? SPAM? Malicious code infection? No problem, you can do it all with the right package. In fact, in one case, the case of the ‘Blazebot’ botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet’s final form factor:
Figure 1: Examples of Marketed Features In the Underground

| Category | Marketed features |
|---|---|
| Installation | Service Startup; ActiveX Startup; Anti Debugger thread; Anti Dumping Mechanism; File Protection (can be seen on video); Two types of process protection; Windows Firewall exception; Shared memory between service and userland app (ring 3); User impersonation (service steals a token from the userland app to steal their data); Pure API sockets (no ocx, csocketmaster or whatever); Ring3 API unhooking |
| Commands | Update – allows users to update the bots with a newer version; Dump – this will cover the retrieving of: |
In this case the author decided to take his project to the open market and solicit private bids. Bids (which were rejected by the author) ranged from $50 USD to 400 Euros. In the end the author sold the entire source code package to a private party, who wished to remain anonymous, for an undisclosed amount. As part of the author’s campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS botnet and community. A key selling point made by the author was that, unlike ZeuS, he was selling the entire source code package, not simply binaries, thus enabling the buyer to establish their footprint in the botnet world in any number of ways, all of which were at the command of the new owner. Additionally, the author demonstrated the ability of the code to bypass detection by some 22 anti-malware engines.
Up On Olympus:
ZeuS is another wonderful example of this. Currently, active orders are being solicited for 1.4.x.x of ZeuS, with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality. ZeuS is an interesting case in that older versions of the botnet are easily had in the wild and can be used effectively, though newer, more easily obfuscated versions of the code are available. ZeuS is in extremely high demand, selling on a pre-order basis. A testimony to its popularity and continued success for its authors, sellers and suppliers is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, impregnating them with malicious code and content packages, with the end game being the establishment of participation within the greater command and control fabric. These examples are certainly not representative of all activity within the underground; however, they provide a clear and concise view of just how supply and demand are working on a routine basis.
This post is very timely, as we now have a use case that scratches the surface on exploiting telematics. For those of you that have never heard of telematics, Wikipedia provides a great definition: “The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology). More specifically it is the science of sending, receiving and storing information via telecommunication devices”. In most new cars today, you have the option of purchasing telematics to provide integrated GPS, Wi-Fi, Bluetooth, 3G and GSM. These innovations are great, as they keep us connected and on track to our destination. Furthermore, OnStar has been incredible at determining if you’ve been in an accident and, with GPS, can send first responders to your location. It even helps if you lock your keys in the car.
I just recently purchased a Jeep and enjoy the benefits of telematics as most consumers of these technologies do. However, at RSA San Francisco, I had an interesting conversation with my close friend and colleague Will Gragido on telematics. We discussed the dark side and the security risks associated with telematics. We went down the path of eavesdropping on conversations via Bluetooth, which can be done but is difficult to pull off, as you need to be in close proximity. We also went down the path of hijacking the car’s Wi-Fi to see if we could get access to the GPS data and the fun we could have with that content. We decided to table the discussion for a while but kept it on our list of emerging threats/exploitable technology that could provide a new avenue for cyber actors to exploit.
Sadly, in my hometown of Austin, Texas, someone pulled off a nefarious act of exploiting telematics. Wired actually ran the story this week. They did an incredible job in the article, and for more information you can check it out: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/ . In short, 20-year-old Omar Ramos-Lopez was accused of bricking cars through a service provided by Webtech Plus. This gives the auto dealer the capability of triggering the car horn and disabling the car’s ignition remotely through the web. Omar chose to trigger the horn of a reported 100 cars. Let’s step back and put our black hat on: just imagine the order of magnitude that can be delivered from a keyboard in disabling the ignition of all cars that are connected to Webtech Plus. Not to play armchair quarterback, but I will: this is classic insider threat/disgruntled employee and could have been avoided. Let’s get to the basic building blocks of information security. When someone leaves an organization, passwords and access must be changed, especially if they deal with the capability of controlling the ignition of a car. Omar committed a nefarious act and should be punished according to the law if found guilty. However, the company should have done due diligence, and this is probably a wake-up call to change procedures for when someone leaves the company.
As this is a wake-up call to the auto industry, we as security professionals need to keep this threat vector on our radar, and if we serve this business vertical, we should press the issue and make sure access to this type of information is tightly controlled. Perhaps there are frameworks around this specific threat, and I’m looking for them. Until then, keep secure and keep educating. Your thoughts on telematics?
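The offboarding point above is easy to state and easy to miss in practice, so here is one concrete way a defender can check it. This is an added example, not the page's own code and not anything from Webtech Plus: it reconciles a constructed HR roster against the enabled accounts on a hypothetical remote vehicle-control console, and scans a constructed audit log for privileged actions taken after an account owner's termination date. All names, dates and the log format are invented for the example.

```python
"""Offboarding reconciliation for a remote vehicle-control console.

Added example: flags (1) console accounts still enabled although HR says the
owner has departed, (2) enabled accounts with no HR record at all, and
(3) privileged console actions performed after a user's termination date.
All data below is constructed; the console, its log format and the action
names are hypothetical.
"""
from datetime import date, datetime

# Constructed HR roster: employee id -> (console username, termination date or None)
HR_ROSTER = {
    "E100": ("jdoe", None),                  # still employed
    "E101": ("tbrown", date(2010, 2, 15)),   # departed, account never disabled
    "E102": ("asmith", date(2009, 11, 30)),  # departed, account disabled correctly
}

# Constructed console account list: username -> enabled flag
CONSOLE_ACCOUNTS = {
    "jdoe": True,
    "tbrown": True,          # should have been disabled on 2010-02-15
    "asmith": False,
    "svc-billing": True,     # no HR record: an orphan account worth reviewing
}

# Constructed audit log: "<ISO timestamp> <user> <action> <vehicle id>"
AUDIT_LOG = """\
2010-02-10T09:12:00 jdoe DISABLE_IGNITION VIN-0001
2010-02-20T23:41:10 tbrown HONK_HORN VIN-0002
2010-02-20T23:41:12 tbrown HONK_HORN VIN-0003
2010-02-21T00:02:55 tbrown DISABLE_IGNITION VIN-0004
2009-11-29T14:00:00 asmith HONK_HORN VIN-0005
"""

# Hypothetical action names that touch the vehicle itself
PRIVILEGED_ACTIONS = {"DISABLE_IGNITION", "HONK_HORN"}

# Date the review is run (constructed)
AS_OF = date(2010, 3, 1)


def termination_dates(roster):
    """Map username -> termination date for everyone HR has marked as departed."""
    return {user: left for user, left in roster.values() if left is not None}


def stale_enabled_accounts(roster, accounts, as_of):
    """Accounts still enabled although the owner departed on or before `as_of`."""
    gone = {u for u, left in termination_dates(roster).items() if left <= as_of}
    return sorted(u for u, enabled in accounts.items() if enabled and u in gone)


def orphan_accounts(roster, accounts):
    """Enabled console accounts that HR has no record of at all."""
    known = {user for user, _ in roster.values()}
    return sorted(u for u, enabled in accounts.items() if enabled and u not in known)


def parse_audit(text):
    """Parse the constructed log format into (timestamp, user, action, target)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split()
        events.append((datetime.fromisoformat(ts), user, action, target))
    return events


def post_termination_actions(roster, log_text):
    """Privileged actions a user performed strictly after their termination date."""
    cutoff = termination_dates(roster)
    hits = []
    for ts, user, action, target in parse_audit(log_text):
        left = cutoff.get(user)
        if left is not None and ts.date() > left and action in PRIVILEGED_ACTIONS:
            hits.append((user, ts.isoformat(), action, target))
    return hits


if __name__ == "__main__":
    print("stale enabled accounts:", stale_enabled_accounts(HR_ROSTER, CONSOLE_ACCOUNTS, AS_OF))
    print("orphan accounts:", orphan_accounts(HR_ROSTER, CONSOLE_ACCOUNTS))
    for hit in post_termination_actions(HR_ROSTER, AUDIT_LOG):
        print("post-termination action:", hit)
```

The two account checks are what should run on every departure and on a schedule; the log check is the detection that would have fired on the first horn triggered after the termination date rather than the hundredth. Note that the `asmith` action on 2009-11-29 is correctly not flagged, since it precedes that user's termination date.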
Cyber-crime: Evolutionary End or A New Beginning?
At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed. Media figures, along with industry pundits, tend to spout facts and figures, often in the absence of knowledge and authority. Many times this leads to outcries amongst the information security intelligentsia, who seek to ensure that as little flawed logic and FUD (fear, uncertainty, and doubt) is interjected on a daily basis as possible. Opposition from within the ranks of the intelligentsia is a good thing, though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’. The truth, however, is that not all members of this informal fraternity are “experts” on cyber-crime, nor do they all have more than a working knowledge of it as it relates to their day-to-day roles and responsibilities. No. In fact, many if not most are engaged in other noteworthy endeavors, with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all. For many the overt goal is the sanctity of fact, the preservation of information and its dissemination for the common good. There is not one thing wrong with this attitude, and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so. The IC3 released its 2009 annual report on cyber crime late last week, and with it came a number of things:
- More solid, statistical information on cyber criminal activity going on around the world
- Many unanswered questions stemming largely from the obvious increases in activity and dollar loss to
The IC3 stated that the total dollar loss from all referred cases (that is, cases which were referred to and studied by their team) was approximately $559.7 million (US), with a median or average dollar loss per instance also being reported. The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million (US). This growth represents a little more than two times what had occurred in the previous year. One need not look much further in order to see patterns emerging, if they ever doubted they had existed. That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought-after element of modern criminal activity.
For many years, empirical evidence has been amassed and studied in order that trends could be determined via the careful application of analytics. Through deep analysis an analyst begins to note trends and pattern development. Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns. Many factors influence these patterns of development. In the past I’ve found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study. The following list, though detailed, is by no means complete. It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):
- Globalization – supply and demand
- Risk/reward ratio – re-evaluation of business models, lines of business, and operations
- Weak or unclear legislation – localized and international
- Qualification and articulation – inability of private citizens, organizations and industry professionals
- Interconnectivity – mass availability of broadband technologies (fixed and mobile)
Who’s To Blame?
We could easily begin finger pointing and assigning blame to corporations and individuals alike; however, it is my assessment that this was not and will not be necessary. Would it be convenient to blame Microsoft for every bad piece of code written using their .Net framework? Of course it would. It would be just as convenient and likely every bit as easy to blame IBM for its Rational framework and in the same breath begin addressing the failures of individuals’ and organizations’ internal code development. It would also be intellectually dishonest and morally suspect. I believe there is plenty of blame to go around and it is not entirely any one organization’s, or discipline’s, fault. It is all of our faults in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously. We speak of evolution, adaptation and sophistication as though they were the norm; part of the meme, if you will, of our industry, though the evidence shows that there is significant disparity between idealistic states and those anchored in reality. We talk of sophistication in attacks and exploits, yet in many cases ‘sophistication’ isn’t even a consideration, as many recent ones occurred using unsophisticated means (GhostNet). We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning) by those with questionable or nefarious intent if a level of sophistication was demonstrated. In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated yet still quite effective.
First Steps
So who is to blame? My answer is that we all have an ownership stake in this as I mentioned earlier. We live in a world driven by deadlines and meeting/exceeding customer expectations. There is nothing wrong with that. Managing against deadlines is both noteworthy and sensible from a business management perspective. I do however believe that sacrificing quality in order to meet deadlines introduces problems sooner or later. As my father is fond of saying, you can’t cheat death and I think (at least in spirit), the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality. Often in my career I’ve worked with clients who simply could not afford to not meet deadlines (internal or external customer facing deadlines).
Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative. During that conversation we discussed many of the arguments – pro and con (most of which are quite old, it should be noted) – related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses. My belief is that until SDLC is communicated in a manner which demonstrates the value of the bits to the boardroom, it will be an uphill battle. That doesn’t mean it isn’t worth fighting, but rather that until it resonates with the stakeholders – the business unit owners who set and oversee (and who are overseen by the board, for example) – it will likely fall on deaf ears.
My suggestion is that organizations and those charged within them for managing risk within and as it relates to them should begin by evaluating the organizational risk posture. In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally), as an acceptable level of risk and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.
Cloud Computing and Security
This post is the first in a series of an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free except maybe that computer that’s not plugged in and has no users or operating system, but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven into my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all-encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or, worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time to protect your critical information has not just arrived; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why: the customer is still the data owner and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality of your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by other than authorized employees of your organization
- Ensure that the data can not be intercepted, read or modified while in transit either across the network or to a remote backup facility, should one exist
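Several of the confidentiality and integrity items above (encryption at rest and in motion, the customer rather than the provider holding the keys, no access for provider staff or co-tenants, no modification outside the application, no undetected change in transit or at a backup site) come down to one design decision: encrypt and authenticate the data on the customer's side before it ever reaches the provider. The following is an added example, not code from Cassandra Security or any cloud vendor, written in Go with only the standard library. It assumes AES-256-GCM, a hypothetical `ProviderStore` standing in for the provider's object store, and constructed sample data; the object name is bound as associated data so that a blob copied into a different object's slot fails to authenticate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrTampered is returned when a blob fetched back from the provider fails
// authentication: modified bytes, a swapped object name, or the wrong key.
var ErrTampered = errors.New("stored object failed integrity check")

// CustomerKey is a 256-bit AES key generated and held by the data owner.
// The provider never receives it, so provider staff and co-tenants only
// ever see ciphertext.
type CustomerKey [32]byte

// NewCustomerKey generates a key on the customer's side (assumption: the
// customer, not the provider, runs this and keeps the key).
func NewCustomerKey() (CustomerKey, error) {
	var k CustomerKey
	_, err := rand.Read(k[:])
	return k, err
}

func newGCM(key CustomerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM before upload. The blob layout
// is nonce || ciphertext || tag. objectName is bound as associated data, so
// a blob moved into another object's slot will not authenticate there.
func Seal(key CustomerKey, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open authenticates and decrypts a blob fetched back from the provider.
// Any change to the bytes, the name, or the key yields ErrTampered.
func Open(key CustomerKey, objectName string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// ProviderStore stands in for the provider's object store (constructed for
// this example). It holds opaque blobs and knows nothing about keys.
type ProviderStore map[string][]byte

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}
	blob, err := Seal(key, "reports/q1.txt", []byte("constructed trade secret"))
	if err != nil {
		panic(err)
	}
	store["reports/q1.txt"] = blob

	// Normal read by the data owner.
	pt, err := Open(key, "reports/q1.txt", store["reports/q1.txt"])
	fmt.Printf("owner read: %q err=%v\n", pt, err)

	// A co-tenant (or provider employee) with a different key gets no plaintext.
	other, _ := NewCustomerKey()
	_, err = Open(other, "reports/q1.txt", store["reports/q1.txt"])
	fmt.Println("other tenant's key:", err)

	// A byte flipped at rest or in transit is detected on the next read.
	store["reports/q1.txt"][len(blob)-1] ^= 0x01
	_, err = Open(key, "reports/q1.txt", store["reports/q1.txt"])
	fmt.Println("modified blob:", err)
}
```

This covers the data, not the host: it says nothing about whether your containers share a server, and it does not help with the availability questions below. It also moves the key-management burden (backup, rotation, who in your organization may use the key) onto you, which is exactly the "ensure that you manage the encryption keys" item: if the key is lost, the provider cannot recover the data for you.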
Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this is not all encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating to not leverage the cloud, rather quite the opposite, educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
German Government and Internet Explorer
The German government has warned against the use of Internet Explorer citing that Microsoft’s recommendations to increase the security zone setting to High would not make the browser safe.
It’s an interesting statement in what is sure to continue to be a tough time for Microsoft. You’ll see that in the article from BBC that I linked above, Mr. Thomas Baumgartner of Microsoft states, among other things, “These were not attacks against general users or consumers.” That’s where Microsoft has proven to me their short-sightedness in their issues surrounding flaws in Internet Explorer.
In this specific case, Mr. Baumgartner is absolutely correct in stating that the attacks against Google, Adobe, Juniper and unnamed others weren’t attacks against consumers. However, I think he’s missing a key point: with IE installed on over 60% of computers worldwide there is a better than average chance that consumers WILL SOON be targeted, and this is why I have issue with Microsoft’s defense against the German government warning.
My comments in this post are not intended to be an indictment against Microsoft. The fact is that Microsoft has huge market share at both the OS and application level, thus it follows that their applications are more likely to be targeted for attacks. But, it’s all in how the situation is handled and how the vendor shows they understand the long term implications of this problem. As I stated above, based on the comments reported in the press, they don’t fully understand the potential depth of the problem.
Personally, if I were responsible for IT in an organization, starting tomorrow I would think very, very seriously about taking the following actions:
- First, on all systems running IE, implement Microsoft’s recommendations in the security advisory for this issue.
- Second, have my IT administrators develop a plan to install Firefox on all systems which require a web browser and do so as the default web browser.
- Third, remove Internet Explorer from all systems unless there is a specific internal application or other third-party business application which only supports IE. Then I would have it installed only on systems requiring access to that app, would have the security settings tuned to High and would disable as much scripting as possible.
I’m not naive; I know there are vulnerabilities in Firefox. In fact, when looking at Secunia this morning I found there to be more vulns in Firefox than there are in IE (versions 5.0.1 through 8). However, the one thing I noticed as well is that Firefox vulns were more likely to be patched more quickly than IE vulns, and that the vulns reported in Firefox collectively were not as severe as the vulns reported in IE. My recommendations are based on the fact that this isn’t the first time a critical vulnerability in IE has been exploited and the only defense was to wait for the patch. This recommendation is purely defensive against a future IE zero day that goes unpatched for a significant length of time after discovery.
Granted, zero day is generally defined as an attack that occurs against a vulnerability that was previously unknown. In defense of Microsoft, it’s pretty tough to patch a zero day vulnerability before an attack occurs. However, this series of attacks occurred last week and the recommendations against exploit are browser settings, not a patch. This isn’t going to work for the consumer or casual user and, very likely, won’t work effectively for the large enterprise.
The reasons are simple:
- Consumers and casual users (non-IT SMBs, etc) don’t understand what these settings really mean and will be very likely to “tune them back down” once their favorite website doesn’t display correctly.
- Large enterprises with thousands of employees can’t absorb the costs of taking calls from the help desk asking “how do I make these changes again?” or trying to explain why some website isn’t working.
It’s quite simple for me to make these changes on the two computers I have in my house and to manage them appropriately. But in actuality, it’s easier for me to have my wife and son run Firefox rather than risk the “next IE zero day.”
I realize that it very well may be Firefox tomorrow if everyone jumps to that browser, but we’ve been here before with IE and we’ll probably experience it again.
Anyhow, I see no issue with the German government advising against the use of Internet Explorer and would not be surprised to see other organizations follow suit.
Again, this is not an indictment against Microsoft, rather this is about taking the necessary steps to protect your critical information and systems. Finally, let me ask you a question. Do you rely on your builder or landlord to tell you how to protect your personal information in your house or do you trust the safe manufacturer instead? For information security, rely on the security professionals.
As a final disclaimer, these views are mine alone and do not reflect the views of my employer.
APTs, Web Browsers and Information Security
The recent news surrounding the Google cyberattack and the fact that web browsers were exploited to facilitate these attacks come as no surprise. In fact, I recall in 2006 and 2007 when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:
If I had a giveaway for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive? Almost unanimously the hands would raise for the $1000 cash because people want the cash.
The whole point of this series of presentations was to point out that security had everything to do with information and viruses, worms, Trojans, bots, etc were simply mechanisms used to enable access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.
I submit to you today, the same thing that I would tell folks 3 years ago and more, that the web browser is the most widely used application in user land and as such, will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentation via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we realized a large scale compromise that was PUBLICLY announced that was enabled by flaws in the web browser and the near ubiquitous use of the browser on every computing device a user, consumer or employee of an organization uses to go about their daily business.
I remember the first time I mentioned to an audience that the use of the web browser, when taken into an information security context, was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that because a web browser and plug-ins like Java, XML, ActiveX, VML and others “just run” once the browser is launched, it’s no different than giving someone free rein to do whatever they want in your home or office when it comes to valuables.
This series of attacks and exploits of Internet Explorer has proven that point more than ever. The opportunity was there 3 years ago and now the first of many attacks has arrived. But the one thing that we must absolutely remember is that it’s not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be the credit card information of consumers or a chemical company’s intellectual property.
Security is about protecting information, pure and simple; everything else is just a by-product of that.
For more information on the presentations I mentioned above please check out:
http://bit.ly/8gQfrz
http://bit.ly/74tBEM