A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever. Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS). He shared this information with Adrian Lamo, well known “reformed” black hat hacker over encrypted instant messaging sessions ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID). Lamo, who along with Wired.com journalist Kevin Poulsen, have been labeled as ‘snitches’ as a result of Lamo’s cooperation with the authorities and Poulsen . The Internet is awash with speculation regarding this story with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site which Specialist Manning allegedly provided these documents and videos to, stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.
Regardless of your position on free speech or what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over. Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified must be taken note of as that which motivates them in many respects lies squarely outside of the norms associated with breeches of this type. In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy, there are often common indicators that are noted and tend to be exploited by those seeking to exploit a party to do their bidding. This case is different. It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date), was not motivated by greed or financial hardship (motivators seen in countless other cases such as the cases of Ames, the Walkers, or Hanson for example), or vice (as seen in the case of Lonetree). No, by all accounts (again taking into consideration that these accounts are coming largely via third party relay and information being disclosed resulting from the communications between Manning and Lamo along with information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe idealistic or philosophical.
As a result, I am going to refraining from weighing in within an opinion regarding guilt or innocence as no doubt Specialist Manning will be undergoing investigation and I would imagine a Court Martial as a result of the allegations being brought forth against him. Certainly the communications he provide Lamo will act in building and strengthening the case against him and we would all do well to remember that Specialist Manning – like all Military personnel, swear an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic. The oath itself looks like this:
“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.“
It is communicated in an elegant and articulate manner and leaves no room for interpretation. Beyond that, when one enters into a military occupational specialty which requires a security clearance one’s life and personnel opinions must be willingly put aside for the greater good as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation. Having said that, it should be noted that it is not my place nor is it my desire to pass judgment on this young man. That day and duty will come and justice served in a military court of his peers at a time yet to be determined. My real concern stems around the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis and their procedural and operational effectiveness. Allowing anyone to enter into classified environment with read / writable media is not uncommon. Read writable material is used within these environments. However, allowing them to leave the facility with read / writable material – regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read / writable disk as a ‘Lady Gaga’ cd and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file), is unusual to say the very least. In most cases it does not and never should occur.
This no doubt will be investigated by Army CID and others and will likely see the watch command, Officer in Charge and others investigated in order to proper assess whether Specialist Manning acted alone or in collusion with others. The results? Well we’ll have to wait for the results to be arrived at – we may never know as the Department of Defense may desire (and it is their right to do so), not disclose all that they find. Regardless I cannot think of a better case to highlight the need for regular, and vigilant security awareness and educational training in addition to greater degrees of cognizance of the existence and potential use and hosting of onion routed repositories within networks (public or private), which may be used for questionable and in some cases quite clearly, criminal ends.
Recently I wrote a piece on Deep Packet Inspection (DPI), and issues related to its use within the Virgin Media Network in the United Kingdom. In that case, opponents to its use cited UK legislation that prohibits the unauthorized capture of communications and conversations on networks. I found this to be curious as this case dealt with Virgin’s desire to deploy a specific tool that focuses on the detection and identification of peer-to-peer (P2P) networks such as eDonkey, Bit Torrent, and Gnutella. The tool, CView, was to provide a DPI function important to ensuring the integrity and purity of good traffic while aiding in the identification, observation and remediation of bad traffic. Virgin’s concern was the health of its network and its desire to manage anomalous bandwidth consumption while combating illegal use and distribution of copy righted / trade marked materials. This doesn’t sound terribly unreasonable nor does it sound like a ‘violation of privacy’ rights as the opposition suggested.
This case caused me to reflect on challenges and opposition I have seen in hundreds of cases and clients with respect to Deep Packet Inspection (DPI) technologies. I believe many organizations and professionals within them have a fundamental lack of understanding of not only DPI, but also more elementary concepts such as traffic analysis (read: the ability to read and decipher packet captures). I’ve heard every possible technical and cultural argument against the use of packet inspection or session based analysis tools known to man. Some more well articulated and supported than others. I’ve been in countless hundreds of meetings where white board diagramming sessions ensued and network diagram sessions erupted into long debates regarding implementation and positioning of a technology and every reason why a given device could not be implemented. These conversations are healthy and important; they need to be had. However, facts are facts and most of the ‘concerns’ or arguments used against the adoption of intelligent, network-based security products is in fact flawed. Take for example one of my favorite arguments against the adoption of Deep Packet Inspection (DPI) technologies:
- Deep packet inspection solutions introduce latency into the network and in effect are prohibitive to the continued flow of traffic:
- This argument, when first presented, had some validity however DPI solutions, specifically Intrusion Prevention Solution (IPS) appliances have undergone evolution to the third generation. Most if not all offer some form of bypass kit which ensures that in the event of cataclysm (as defined by you or your organization), provided the building is not a smoking crater and that electricity continues to flow so to will your traffic
- Additionally, most platforms if not all offer multiple modes of deployment where in an organization has the ability to segue slowly into full inline integration DPI from a passive monitoring (IDS) mode
- It is true that any time any device is introduced into the flow of traffic some latency – no matter how infinitesimal, will be introduced. This is true of any device be it a router, switch, load balancer, server, firewall, ips etc.
- Deep Packet Inspection (DPI) solutions, specifically Intrusion Prevention Solutions are often never fully implemented often times seeing them remain in a passive monitoring mode. As a result, organization would never fully realize the Return on Investment (ROI), they expected as a result of making their purchase and likely could have settled for a much less sophisticated and costly platform:
- The adoption of the technology and / or the enterprise in questions readiness has no bearing on the efficacy of the technology
- It is intellectually dishonest to assert that had proper due diligence been performed and a readiness assessment undertaken, Return on Investment (ROI) and Total Cost of Ownership (TCO) would not have yielded positive results technical or otherwise
- The threat landscape is moving at a rate which no one can properly contend with and as a result, combat in its entirety:
- This not true for all systems utilizing Deep Packet Inspection (DPI) technology. Yes, there are some which rely on archaic and in some cases less well defined engines and analysis technologies however those who truly ascribe to the definition of Deep Packet Inspection (DPI) should be impacted far less by this than those who do not
- Deep Packet Inspection (DPI) solutions are complex and esoteric; they are not intuitive:
- This argument is weak but needs to be taken in context. In my experience when clients brought this point to the debate table it had more to do with the experience level of their staff than the tools complexity
- This can be overcome quickly and easily provided a proactive, open relationship exists between the vendor and the client
- Education should be ongoing; failure to educate (it is not only the responsibility of the vendor but the organization purchasing and adopting the technology) to ensure
- Fire-walls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their less complex packet-filtering and stateful inspection peers:
- The application of this type of technology is traditionally done by those who are fluent and well versed in the need for it
- It is neither new nor is it beyond comprehension
- Given today’s threats and the complexities researchers and analysts continue to see in record numbers technologies such as this are now more important than ever before not to mention more effective than packet filtering and / or stateful inspection only systems
- Fire-walls which adopt and integrate Deep Packet Inspection (DPI) are complex, introduce latency and are less intuitive than their less complex packet-filtering and stateful inspection peers:
Conclusion:
The reality is that technologies such as Deep Packet Inspection (DPI) are extremely important. Their importance, though debated cannot be ignored and as a result they are more important now than ever than ever before. No longer are we contending with largely unsophisticated threats and adversaries. Cyber-criminals do not sleep. Nor do they take vacations or observe change windows. They are on the job 24 x 7 x 365 and are not deterred by (in fact I would imagine they welcome the objections which are proposed against the adoption of technologies such as DPI) by the presence of traditional mitigative technologies and controls. As a result, the need to strengthen our positions architecturally as well as procedurally must be recognized and acted upon. Time is of the essence and hesitation accompanied by intellectually dishonest or malformed thought processes must be overcome in order to address these threats.
Deep Packet Inspection: A Legal Liability?
Deep packet inspection is not a new concept. It is, in fact, quite mature and takes advantages of the best of IDS (intrusion detection solutions), IPS (Intrusion Prevention Solutions), and Stateful Inspection Firewalls. The technology is extremely effective in combating malicious code and content attacks and in enforcing policy to a variety of ends. Additionally, the technology is quite good at providing detailed intelligence with respect to application behavior and patterns as they appear within a given infrastructure. In modern enterprise and carrier networks this technology is both common and integral in ensuring operational efficiency while managing and minimizing risk.
Recently it has come under fire however and in at least one case, been dubbed a measure by which the privacy rights of end users can and will no doubt be violated. The case in question is that of the recent announcement by Virgin Media to utilize and deploy a DPI like technology package called CView within its network environment in order to better understand the prevalence and associated patterns of use seen in peer-to-peer networking sessions. The tool would be in effect, capable of tracking sessions associated with peer-to-peer networks such as Gnutella, Bit Torrent or eDonkey which has created a negative buzz amongst organizations such as Privacy International who appealed to the EU to step in and review the package proposed by Virgin Media. Virgin’s intentions seem straightforward to me but perhaps that is due to my being an information security professional:
- Gain an understanding of the usage and patterns of associated usage with these P2P networks and clients
- Analyze instability presented by them within the network in terms of inordinate resource consumption
- Analyze content for purposes of legality (avoid in the trafficking of either copy righted material of illicit illegal material)
- Implement throttling if necessary
- Implement policy control if found to be necessary by law or by virtue of Virgin Policy
- Mitigate risk posed to the Virgin Media network environment and its user community
- Prevent malicious code and content propagation to and including the propagation of advanced malcode kits and bot nets
I have to believe the goal of using a tool such as CView (if you look the tool up you will see it does not tie individual identity information to information harvested) is pretty straightforward and reflects much, if not all of what is seen above. I find it hard to believe that this is a case where privacy should be an issue though I am aware that in the UK under the Regulation of Investigatory Powers Act (RIPA), intercepting communications is a criminal offense regardless of what is being done with the data. While I am no expert in British Parliamentary process or law, it would seem that this act would be prohibitive, if not crippling in providing advanced security solutions while potentially curtailing illicit, illegal activity. Deep packet inspection is not the problem here, the problem is perception as it relates to the lengths to which personal ‘freedom’ extends and illegal activity begins.
This post was provided to us courtesy Mr. Robert Former an information security professional and energy industry information security expert. We’d like thank both Robert and his employer, Itron,Inc. for their time and co-operation.
Will Gragido
Smart Meters – An introduction
- INTRODUCTION
Like any commodity, energy, gas, water and sewage disposal must be measured to be sold. Over time a number of technologies have evolved to accomplish this goal. Naturally as long as there has been a way to meter a service, there have been people trying to figure out how to get around the metering systems and get those services for free. This paper will examine some of the new metering technologies and compare them to the older traditional methods in the light of a secure implementation.TRADITIONAL METERING (Electro Mechanical)
The way services and utilities have traditionally been monitored has been with a mechanical system. Gas or water runs past some sort of vane which spins, driving gears and turning dials. Similarly a mechanical electric meter uses induction loops to spin an aluminum disk which then turns gears that spin dials. Of course this data needs to be collected to be billed. With this type of metering, a utility will typically get an actual read through a meter reader and use sophisticated statistical modeling to estimate the rest of the time. How often the actual read occurs is really a function of state regulation and utility policy. Now an interesting thing that you can do (among many) is that if you understand the cycle that your utility uses, you can invert the meter. That’s right, pull it out of the socket, turn it over, put it back in and you still get electricity, but the meter runs BACKWARDS! Cool, free electricity as long as you don’t let the meter reader see the meter installed upside down. Some meters had mechanisms to prevent them from running backwards, but not all. A way the utilities have come up with to combat this and other methods of fraud goes back to the sophisticated statistical modeling. If the system sees a significant change in your usage pattern, you get flagged for a live read.AUTOMATIC METER READING (AMR)
Automated Meter Reading was introduced to accomplish two primary goals; improve the accuracy of metering by getting more live reads, and reduce the work force required to gather meter data. AMR is set up to send the data back to the billing system via some communication method, be it fixed service radio, data over power line, Meter reader with a handheld device, or by a truck driving around and gathering the data over a low power radio link to the meter. AMR introduced another interesting feature: the ability to detect if someone had tampered with the meter. As the technology has advanced, and traditional mechanical meters are replaced, AMR systems have become increasingly prevalent. The major downside to an AMR system is that it is mostly a one way communication system. The meters “bubble up” the data on a periodic basis to the utility. Newer Advanced AMR systems have integrated some limited two way functionality adding features like reading meter data on demand and remote disconnect switches. “Demand Reset” is also a function sometimes provided in two-way AMR. When you track a customer’s peak demand, the meter records the maximum peak instantaneous usage over a period. At the end of that period, you need to reset the demand back to zero so you can record during the next period. In earlier days, there was a locked button or lever the meter reader would press (they had the key) when they did the readings. More modern devices can do it based on a clock. In two-way AMR you can send a demand reset command after you’ve successfully retrieved the demand value. This inevitable march of progress has led us to the latest in service metering technology, AMI.ADVANCED METER INFRASTRUCTURE (AMI)
Advanced Meter Infrastructure is where it gets cool (and spooky to some). AMI is the natural evolution of AMR technology. A full two way communication system that allows on demand reading, Time of Use (TOU) billing, remote disconnect operation, load limiting, demand response, and more. Where things get really interesting is when a Home Area Network (HAN)is integrated into the meter. Now the meter can talk to properly equipped furnaces, air conditioners, water heaters, micro generation systems, thermostats and In Home Display (IHD) devices that tell you just how much running the dishwasher will cost you to run at 3 in the afternoon vs. 3 in the morning. Past that it enables portable billing and usage of Personal Electric Vehicles (PEV) which can also be leveraged as local storage devices to help manage load spikes on the distribution system. Another interesting feature is the ability to subscribe to a service from the utility that allows them to reduce your power consumption by managing large appliances in return for a lower billing rate.Notice I said SUBSCRIBE. You have to sign up for it. This is important because for all the really interesting things AMI can do, it has also stirred up some serious political debate. While the technical concerns around security are addressed further on, let us examine the paranoia that AMI has raised. The first fear is that The Government (you know who I mean, the socialist/fascist (sic) fat cats in and around DC) is going to take control of your appliances and dictate when you can use them, and how much. This is followed rapidly by the fear that The Government will collect your usage information and somehow use it against you. None of this is helped by political pundits and demagogues who have decided to whip the masses into a frenzy using this as one of the egg beaters. Politics aside, there ARE some genuine security concerns to look at, and that is one of the things we will look at starting with the next installment, “The Risks”. There are some intermediate steps in the evolution from electro-mechanical metering to AMI, but they are outside the scope of this discussion. If you would like more information about the details, Wikipedia has some good articles.
About Our Guest Author:
Robert Former: Robert is a security engineer with 20 years experience in the IT field. Throughout his career, Robert has work in many aspects of Information Technology and has experience in the design, implementation, and operation of cabling, LAN, WAN, MAN, both traditional and IP telephony, data centers, server systems, and for the last 7 years, Information Security and Compliance. Robert currently holds the ISC(2) CISSP™, ISACA CISA™, and NSA IAM/IEM certifications. He is employed by Itron, Inc, a leading manufacturer of energy measurement systems, as the Principal Security Engineer in the R&D department. In his spare time, Robert enjoys spending time with his family as well as pursuing photography as an enthusiast and amateur radio.
Introduction:
Just when you thought it could not get any weirder we bring you yet another installment of Bombs, Bullets, and Bits! In fact this is Episode V and of the ongoing series and today’s installment focuses on the wonderment of open market promotion, marketing, and salesmanship within the sub-economic ecosystems of the underground. Before we get going though I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.
Adam Smith and Underground Sub-Economic Ecosystem of the Internet:
Adam Smith is revered the world over by economists and non-economists alike. Smith (b.1723 – d.1790), wrote what is considered to be by many as one of the most important texts in economics and philosophy, The Wealth of Nations. He is credited with coining the phrase and concept of the “invisible hand of the market” which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles of conditions such as supply and demand. If you’ve not studies Smith’s works I would suggest picking up his The Wealth of Nations, as it is timeless. In the event you have not but are interested in understanding the basic premises of Smith’s philosophy (and if you intend on reading the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points contained therein:
- Every good and / or service has a “natural price” as determined by the weight given to it by its supplier, seller and the potential buyers
- If the price for a good and / or service exceeds that natural price then more resources (sellers, suppliers etc.) will be attracted to that market seeking to make a profit
- The price will return to it’s “natural” level over time as a result of market conditions
- ‘Supply’ should be viewed as a force or condition that tents to impact the price of a good or service based on availability and demand
- “Demand” should be viewed as a force that increase the price of a good or service. Demand is also driven and influenced by supply (depending on what the good or service is)
- If the two (‘Supply’ and ‘Demand’), are in equilibrium; a state of stability in the market than they will remain in balance. Should that stability fluctuate away from equilibrium, the natural cycle associated with competition rises once more and a return to ‘normalized’ pricing occurs
- These cycles never cease; they are in effect, in a state of kinetic motion
Relevance to the Underground and You:
Ok, at this point you may be thinking “thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.”, I’m glad you asked. As we established above, every good and or service has what Smith called a “natural price”. This “natural price” is determined by a variety of factors including at a high level:
- Supply
- Demand
As one might expect availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers. This is true in all markets to and including the various ‘sub-ecosystems’ of the underground. In conducting research on botnets I recently ran across quite a bit of ‘marketing’ and solicitation, the likes of which would’ve made any professional sales team proud. Want access to source code for a botnet to do with what you will? DDoS? SPAM? Malicious Code Infection? No problem, you can do it all with the right package. In fact, in one case, the case of the ‘Blazebot’ botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet’s final form factor:
Figure 1: Examples of Marketed Features In the Underground
| Installation: | |
| Service Startup ActiveX Startup Anti Debugger thread Anti Dumping Mechanism File Protection (can be seen on video) Two types of process protection Windows Firewall exception Shared memory between service and userland app (ring 3) User impersonation (Service steals a token from userland App to steal their data) Pure API sockets (no ocx, csocketmaster or whatever) Ring3 API unhooking |
|
| Commands: | Update -Allows users to update the bots with a newer version Dump -This will cover the retrieving of: |
In this case the author decided to take his project to the open market and solicit private bids. Bids (which were rejected by the author), ranged from $50 USD to $400 Euros. In the end the author sold the entire source code package to a private party who wished to remain anonymous for an undisclosed amount. As part of the author’s campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS Botnet and community. A key selling point made by the author was that unlike ZeuS he was selling the entire source code package not simply binaries thusly enabling the buyer to establish their footprint in the Botnet world in any number of ways all of which were at the command of the new owner. Additionally, the author demonstrated the ability of the code to bypass detection of some 22 Anti-Malware engines.
Up On Olympus:
ZeuS is another wonderful example of this. Currently, active orders are being solicited for 1.4.x.x of ZeuS with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality. ZeuS is an interesting case in that older versions of the Botnet are easily had in the wild and can be used effectively though newer, more easily obfuscated versions of the code are available. ZeuS is in extremely high demand, selling on a pre-order basis. A testimony to its popularity and continued success for its authors, sellers and suppliers is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, impregnating them with malicious code & content packages with the end game being the establishment of participation within the greater command & control fabric. These examples are certainly not representative of all examples of activity within the underground however they provide a clear and concise view of just how supply and demand are working on a routine basis.
This post is very timely as we now have a use case that scratches the surface on exploiting Telematics. For those of you that have never heard of Telematics, Wikipedia provides a great definition: “The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology). More specifically it is the science of sending, receiving and storing information via telecommunication devices”. In most new cars today, you have the option of purchasing Telematics to provide integrated GPS, Wifi, Bluetooth, 3G and GSM. These innovations are great as it keeps us connected and on track to our destination. Furthermore, OnStar has been incredible to determine if you’ve been in an accident and with GPS can send first responders to your location…even helps if you lock your keys in the car 
I just recently purchased a jeep and enjoy the benefits of Telematics as most consumers of these technologies. However, at RSA San Francisco, I had an interesting conversation with my close friend and colleague Will Gragido on Telematics. We discussed the dark-side/security risks associated with Telematics. We went down the path of eavesdropping on conversations via Bluetooth, which can be done but difficult to pull off as you need to be in close proximity. We also went down the path of hijacking the car’s wifi to see if we could get access to the GPS data and the fun we could have with that content. We decided to table the discussion for a while but kept it on our list of emerging threats/exploitable technology that could provide a new avenue for cyber actors to exploit.
Sadly, in my hometown of Austin, Texas someone pulled off a nefarious act of exploiting telematics. Wired actually ran the story this week. They did an incredible job in the article and for more information you can check it out: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/ . In short, a 20-year-old Omar Ramos-Lopez was accused of bricking cars through a service provided by Webtech Plus. This gives the auto dealer the capability of trigger the car horn and disabling the car’s ignition remotely through the web. Omar, choose to trigger the horn of a reported 100 cars. Let’s step back and put our Blackhat on…just imagine the order of magnitude that can be delivered from a key board in disabling the ignition of all car’s that are connected to Webtech Plus. Not playing armchair quarter back…but I will….this is classic insider threat/dis-gruntled employee and could have been avoided. Let’s get to the basic building blocks of Information Security. When someone leaves an organization, passwords and access must be changed, especially if they deal with the capability of controlling the ignition of car. Although, Omar committed a nefarious act and should be punished according to the law if found guilty. However, the company should have done due diligence and this is probably a wake-up call in changing procedures when one leaves the company.
As this is a wake-up call to the auto industry, we as security professionals need to keep this threat vector on our radar and if we serve this business vertical, we should press the issue and making sure access to this type of information is tightly controlled. Perhaps their are frameworks around this specific threat and I’m looking for it. Until then, keep secure and keep educating. Your thoughts on Telematics?
Cloud Computing and Security
This post is the first in a series of an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.
Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.
My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.
By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free except maybe that computer that’s not plugged in and has no users or operating system but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven in to my head:
1 – Confidentiality
2 – Integrity
3 – Availability
Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all encompassing term – information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases if information isn’t compromised, it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications to the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time has not come to protect your critical information, it has always been here it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.
Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.
This brings me back to my original point, by definition information security can not be assured in a public cloud computing environment and here’s why: the customer is still the data owner and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that, rather it makes it more difficult.
Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:
- Ensure that all data is encrypted in motion and at rest
- Ensure that your data is not hosted on the same servers as other customers (While this changes a bit if all data is encrypted, there are still many concerns about keeping containers separate that affect the confidentiality or your information)
- Ensure that no unauthorized personnel have access to any of your data (This includes the hosting company’s employees. Are they insiders in your organization? Are they authorized access to your trade secrets, intellectual property and/or customer data?)
- Ensure that you manage the encryption keys, because it is possible they could make an error and use the same public/private key pair for more than two customers
- Ensure that access can be confirmed to only come from your organization
Integrity is a bit easier than confidentiality of the data is encrypted and can only be accessed by your organization, however how does the hosting company guarantee that only your organization is accessing the data or application.
- Ensure that no data can be manipulated outside of the application, if applicable
- Ensure that no data can be accessed or modified by other than authorized employees of your organization
- Ensure that the data can not be intercepted, read or modified while in transit either across the network or to a remote backup facility, should one exist
Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?
- What happens if you need access to information regarding a research project and the cloud service provider is experiencing an outage outside of their control?
- Are they hosting your data across multiple servers or systems? While this may help the availability issue within the cloud provider, it could violate the confidentiality and integrity principles above.
- Are you buying your processing time in “slices”? This too could affect availability.
While this is not all encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating to not leverage the cloud, rather quite the opposite, educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
Recent events have caused the world at large to take note of something which many – certainly not all, information security professionals have been intimately aware of for some time; the dynamic nature of the threat landscape as demonstrated by the rise in prominence of subversive multi-vector threats (SMTs). The events related to the Google vs. China attacks are exemplary of a subset of SMTs, the advanced persistent threat (APTs) first brought to our attention as a ‘term du jour’ by the fine folks at the Department of Defense (DoD). Were their other names for these threats in the years prior to the coining of this term? Yes, for many years the unexplained or anomalous were referred to as ‘events of interest’ (crafty no?) as that is exactly what they were when noticed, events of interest. Today, in a wonderfully thought provoking guest blog posting at ‘Threatpost.com’, Scott Crawford and Nick Selby reiterated that it’s the adversaries not the threats which are persistent.
This correlates with the model from which I operate and understand these threats, the subversive multi-vector threat model, regardless of their points of origin (nation state, sub-national entity – criminal, terrorist, mercenary or otherwise). Again, this comes as no surprise to those who have an intimate familiarity and understanding of what motivates, drives and ultimately emerges as an exploitation resulting in data exfiltration and weakening of risk postures (literal, figurative and psychological) in public and private sectors the world over. Experience is the best teacher. This has proven to my colleagues and me here at Cassandra Security and at other affiliated organizations such as Trident Risk Management many times over. What is old is often vigorously repeated as many times people become complacent, forgetting what led them to take note of an event of interest to begin with.
There is a familiarity associated with this idea that echoes the sentiment that Solomon suggested in his writing of the Book of Ecclesiastes “…there is nothing new under the sun…”. We need to ask ourselves why? Why are we surprised by this rationale? Why are we taken aback by the emergence and manifestation of activity, which is not new, but rather the result of creativity, innovation in thought, action and deed in addition to the willingness of those responsible to accept greater degrees of risk than we ourselves are – in both offense and defense? And perhaps why our industry slumbers like a sleeping giant as was suggested by members of this organization last year at Toorcon 11 in San Diego while presenting on this and related topics? Perhaps even more interesting is the attitude that Crawford and Selby noted on the part of several of the ‘Bigs’ with respect to this subject matter, which previously was not part of their vocabulary.
Regardless of what you wish to believe, the threats presented by individuals and organizations alike operating on behalf, in deference or outside of nation state sponsored activity is real. As Tom Clancy said, there is a “Clear and Present Danger” here. This is not up for discussion nor should it become the marketing hammer with which some posit less than enlightening insights regarding just what the goal of threats such as those seen in the ‘Aurora’ attacks are targeting –namely data….in the public sector with respect to defense and strategic offense it has always been about the data…data & intelligence are paramount to all things tactical, strategic and economic. To suggest otherwise is not only demonstrative of one’s own personal limits and lack of understanding with respect to the subject matter but also indicative of one of the greater problems present within our industry: sensationalism and the errant logic which some organizations use in capitalizing off of a ‘hot’ topic. This is both foolhardy and ill advised. This is the information security industry’s equivalent of ambulance chasing and should be looked upon with both a cautious, discerning eye as well as no small amount of skepticism. Regardless of what you wish to believe or may have heard recently from some rather large entities in our industry, the threats discussed in the case of Google in China and elsewhere (Ghostnet for example), are from new.
You may have read articles here at Cassandra Security previously, addressing this topic or elsewhere, perhaps at Taosecurity, Information Warfare Monitor or threatpost. Regardless of where you read or heard about them, it is important to note that these attacks and those responsible for them are not new nor are they peerless or without fault. True, they are often hiding in plain sight. That is something that those responsible for organizational security & risk posture must address for themselves and take note of should they wish to stave off current or future attacks. This is a fact is apparent in a multitude of cases historically, and will no doubt continue to be the case as I and my colleagues here and elsewhere at affiliated organizations have suggested. Equally important will be the need to develop a deeper, more robust understanding of the psyche of those behind these attacks and their motives. Agendas drive everything whether we wish to admit so or not. Cybercriminal activity in all its flavors in addition to nation state sponsored and sub-nationally sponsored activity require this now more so than ever before. The future is now and it is up to those who dare to lead and provide the light necessary to illuminate the paths we tread.
APTs, Web Browsers and Information Security
The recent event news surrounding the Google cyberattack and the fact that web browsers were exploited to facilitate these attacks come as no surprise. In fact, I recall in 2006 and 2007 when speaking at various seminars, user groups and large events such as ISACA, NASACT and ASIS, among others, I would lead in with the following question:
If I had a give away for you today and gave you the choice, would you rather have $1000 or this brand new 1GB USB thumb drive. Almost unanimously the hands would raise for the $1000 cash because people want the cash.
The whole point of this series of presentations was to point out that security had everything to do with information and viruses, worms, Trojans, bots, etc were simply mechanisms used to enable access to that information. I also pointed out that the web browser would enable these types of attacks simply because of how a web browser functions.
I submit to you today, the same thing that I would tell folks 3 years ago and more, that the web browser is the most widely used application in user land and as such, will allow and enable quite serious attacks against our infrastructure and critical information in the years to come. We do our banking via the web browser, we order pizza through a web browser, I attend conference calls and presentation via the web browser, people attend college through the web browser. You get my point. It was only a matter of time before we realized a large scale compromise that was PUBLICLY announced that was enabled by flaws in the web browser and the near ubiquitous use of the browser on every computing device a user, consumer or employee of an organization uses to go about their daily business.
I remember the first time I mentioned to an audience that the use of the web browser when taken into an information security context was like inviting a thief into your home or place of business and giving them access to your safe. I had to explain that because a web browser and plug-ins like Java, XML, Active X, VML and others “just run” once the browser is launched, it’s no different than giving someone free reign to do whatever they want in your home or office when it comes to valuables.
This series of attacks and exploits of Internet Explorer have proven that point more than ever. The opportunity was there 3 years ago and now the first of many attacks have arrived. But the one thing that we must absolutely remember is that it’s not just these attacks that are all about access to confidential information, trade secrets and intellectual property; nearly all computer attacks have been about access to confidential information, whether it be credit card information of consumers or a chemical company’s intellectual property.
Security is about protecting information pure and simple, everything else is just a by product of that.
For more information on the presentations I mentioned above please check out:
http://bit.ly/8gQfrz
http://bit.ly/74tBEM
There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up, if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection and the financial backing of a State and Non-State Sponsored Cyber hit, has and will continue to exploit any target of value. First, APT’s have been around for a long time. Furthermore, the technology required in uncovering these “Subversive Multi-Vector Threats (SMT)” as my close colleague and friend, Will Gragido describe in a recent blog posting: http://bit.ly/8TlP6d are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP to name a few. These that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface according to an article where the NSA was quoted. Keep in mind People, process and select few technologies and vendors bridge that 10 – 20% gap.
APT’s or as we here at Cassandra refer to as SMT’s are typically a topic that not a lot of security professional’s are qualified to speak about and because the threat’s are so stealth it’s not talked about. Will and I recently gave a discussion on APT’s at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 year’s. It’s not surprising that it’s starting to get coverage and unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing but it’s not as powerful in having full session based data. SMT’s are like bread crumbs that fall through the cracks and the type of technologies that can catch the breadcrumbs are those that are developed by Netwitness and Palantir to name a few. Not plugging them but these type of technologies are needed in uncovering the stealth threats that go bump in the night and broad daylight. Additionally, the time to protection is constantly shrinking and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm from a silo data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic, however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMT’s or formely referred to as APT’s. More to come on this topic.
