Haze of Cloud Computing
I have written a little in the past on cloud computing and SaaS; however, as previously stated, I have stayed away from doing so for many reasons, the primary one being that I am an information security professional as opposed to a cloud computing one. Cloud computing is all the rage in business today, so I thought I would write a little more on it. Its impact is undeniable, as are the debates which rage with respect to what defines or constitutes a “cloud”. In my view of the world, cloud computing is in many respects like modern art; an appreciation of the abstract is necessary in order to derive a sense of meaning, otherwise you are just faking it to impress someone. I for one have little appreciation for modern art and readily admit it (to the chagrin of my brother-in-law, who is an artist and lover of modern art), though I do like impressionism and nature scenes. However, that doesn’t mean that I don’t use or apply abstract thought to concepts which require it (it just means I like pictures and paintings which more often than not look like something, though I am evolving in this area too).
Now back to the cloud. I think cloud computing is in many senses like modern art. To begin with, there is no definite shape, size, context, hue, flow, or tone associated with it – in other words, no standards, and no rules by which to be judged against or measured up to. The asymmetrical is accepted alongside the symmetrical; there is no right or wrong way, just different ways. This, I think, will not change until formal standardization occurs in that space. When will this occur? Who is to say? Though “cloudies” and security strategists alike pontificate on the implications associated with cloud environments, no one seems to have a solid model for standardization. I maintain that much of the ‘cloud’ services or infrastructures already exist in one form or another, as ‘clouds’ in data and telecommunications environments are not new. Cloud computing is not my forte, as I have pointed out before – information security is. As such, I default to people such as Chris Hoff (all hail the Hoff!) or Nick Selby in areas related to the cloud, as they have both written voluminous amounts on the topic.
My personal feeling is that cloud-based solutions, like any infrastructural solution, need to meet minimum criteria from an information security perspective that complement business need and performance rather than hinder them. Tall order? Perhaps. Impossible? I think not. Service Level Agreement (SLA) nightmare? Maybe, just maybe. Many people quip and wax ecstatic about cloud computing services without taking the time to digest what they mean to a business and its data. Whether or not they are qualified to speak in depth and at length is debatable, but nonetheless, many folks are out there doing just that. In some respects, it does not matter so long as there is an audience willing to listen. It is for those instances and audiences specifically that I have constructed today’s piece, so enjoy!
Clouds are nebulous. Some of them take on a cumulus form, drifting throughout the skies in comfortably billowing capacities. However, these are not the clouds we are looking for (I apologize in advance for the awesome opportunity to inject Star Wars humor). Our clouds are earth-bound (let us not introduce the role of satellite communication into this post, thank you), and as such, terrestrial and man-made. Are there challenges associated with cloud computing? Yes, I believe there are, and I would go as far as to say that even the most astute “cloudies” would agree that it is not all champagne wishes and caviar dreams in the land of cloud computing services. Of course there are challenges; to assert otherwise would be intellectually dishonest and would likely brand the party asserting there were no challenges as a neophyte who should not be trusted (you know who you are and you know we’re watching you!). Some of the challenges associated with cloud-based services are more realistic than others. Examples of these areas of concern stem from the following:
- Trust and integrity of the cloud itself and the services it’s delivering and data it’s accommodating
- Trusting the integrity of the solution, the provider to offer a compelling, cost efficient tenable solution that meets the needs of the client while demonstrating value. Not exactly a trivial concept for the provider of the solution or the consumer.
- Segregation of data is another area that represents challenges. It is quite easy to say that data is segregated; however, what measures are being taken to convince current and prospective subscribers? Is that my database or yours? I think your .ppts got mixed up with my .pdfs in his home directory (like a bad laundry story).
- Identity – I am simply not going to say anything about identity other than this, in my mind is paramount to the success of these types of solutions on the whole – cradle to grave identity management and assurance. As more and more diverse types of applications are moved to the cloud thus providing user bases with more options, the need for identity management and assurance will only grow.
- Confidentiality and Privacy – It goes without saying that any service delivered in a cloud or on the ground where other people’s data and personal information are potentially at risk, requires the utmost in thought being given to confidentiality and privacy. Regulatory & governance bodies be damned! This should always be part of the equation and never the result of a botched audit.
- Visibility and management – Simply stated, if it is not easy to manage and to extract salient, meaningful detail from, it will serve little use to the business. As a result, solutions must demonstrate both in-depth visibility and ease of management in order to prove useful to the client. Visibility and management should be given a great deal of thought by providers should they desire to be in business for the long term. Suspend, if you will, the knowledge of technologies such as web-based portals for a moment and ask yourself the following: in the absence of that sort of technological solution, how can visibility & manageability be achieved? If you cannot answer it and your provider does not have a solid answer, I would keep shopping.
- Portability and interoperability – Does it follow my staff and all of my employees wherever they, or I, may find them? If it doesn’t, shouldn’t it? Remember, this is especially compelling in large-scale enterprise environments, especially those considering making a move towards cloud-based security solutions. Were I in that position, I would want something that followed my employees and me and met our needs whether we were sitting in the office, the lobby or Starbucks with no VPN connectivity. One key element that both providers and prospective subscribers must take into consideration is that of portability, especially given that services of this type are often introduced in order to suspend and decommission more traditional ones. Interoperability is the ability to interoperate and co-exist with other applications and systems – those found to be native on a given enterprise’s systems or perhaps even other hosted “cloud-based” solutions. What steps are being taken to ensure that interoperability exists and can be guaranteed for prospective subscribers?
- Reliability and resiliency offer up other areas of concern and consideration — To what degree does the solution offer guarantees around the reliability and resilience of the solutions in question? As there is no ubiquitous standard speaking to this, it is paramount to the successful adoption of services of this type that all parties endeavoring to adopt them inspect what they expect.
- Governance and compliance — Last but certainly not least, is the shadowy phantom of governance and compliance. Like the ghosts of Christmas’ past, present and future, these specters haunt IT and Security Management alike, chasing them down like Ebenezer Scrooge through the streets of London on a wintry December night. Like reliability and resiliency, how are these entities defining and thusly proving compliance (for what could be a myriad of different regulatory and compliance needs and environments on behalf of their prospective customers)?
Having said all that, I have no trouble at all believing that services will continue to be stood up in haphazard fashion while some will take the time to properly design their environments to provide the most optimal environments for their customer bases. The future should prove interesting with respect to cloud-based solutions, let us just hope there remains always a silver lining.
Toorcon 11 San Diego 2009
Quick note on Toorcon 11 San Diego 2009. We are thankful for having been invited to speak at Toorcon 11 San Diego 2009. We had a very good audience turnout and, given the period we had in which to deliver our message, we feel it was received well. We will be making our slides available for review here on www.cassandrasecurity.com soon in .pdf format. Should you have any questions regarding the content, please feel free to contact either John or me. Once again, thanks to the staff and team at Toorcon; we look forward to working with you in the future.
Note: A correction was made to Slide 18, which erroneously credited Palantir Technology for the information pertaining to GhostNet. The Information Warfare Monitor wrote the definitive work on that particular threat. We wanted to ensure that appropriate credit was given to the team at Information Warfare Monitor once this was brought to our attention.
Cassandra Security
I will be giving a talk on Sunday evening at ToorCon 11 in San Diego with Will Gragido. We will be talking about “Cyber Criminals Don’t Sleep, So Why Does Our Industry?”. The focus of the discussion will be APTs. The Advanced Persistent Threat is nothing new but seems to be overlooked or not really talked about. What is our security industry doing to uncover the threat? Which vendors are really taking the challenge one step further? I would encourage you to check out our presentation live at ToorCon on Sunday evening. After the conference, I will post the entire presentation on Cassandra with the speaker notes in detail. Stay tuned…
Cyber-Warfare Revisited
Apologies for the lack of posts over the last few days; things have been very busy around Cassandra Security lately. This morning, while conducting some research (aren’t we always researching something?), I came across two things which struck me as being timely and important. Important enough to write a new entry about. The first item that caught my attention was a response to an article that I wrote in response to a piece which appeared in the ISSA Journal (August 2009, Volume 7 Issue 8), by Maj. David Wilson. An active duty legal officer who specializes in providing legal counsel and guidance to the United States Army in the areas of cyber and international law, Maj. Wilson brought a sound view as to whether or not an international approach to the threats we face today is warranted and necessary. You can read my responses to Maj. Wilson’s article at the link above, while also finding his article in the August 2009 edition of the Journal itself.
Cyber-defense is not new, and neither is what is conversationally known as ‘Cyber-Warfare’. Not by a long shot. In years past, it was the role and responsibility of DoD Communications Security / Signals Intelligence groups and Intelligence agencies (still the case), working in conjunction with traditional Intelligence organizations and agencies, to address these threats. The goal was overt awareness of all threats (physical, logical etc.), coupled with the ability to proactively address threats (through exhaustive qualification and investigation) by way of rigorous training and preparation. It was and remains a responsibility not to be taken lightly and should be given the proper consideration it warrants when discussed in major or minor forums. The ability to separate the chaff from the wheat, focusing attention on the salient events and items of interest as they are defined by appropriate command elements and agencies, remains (and I would assert will only continue to be) at the forefront of national defense and the preservation of what we hold dear as Americans: our way of life.
In an effort to prevent being accused of sponsoring xenophobic / superiority ideology, let me clarify my last point. I am an American citizen and a former United States Marine. I, like all Americans, have a stake in the preservation, safety and sanctity of my country and compatriots and have willingly proven my loyalty through duty and service with no apology. My allegiance and dedication remains firm and intact to this day. Does this mean that I harbor an intolerant or unenlightened attitude with respect to role and relevance of the rest of the countries in our world in matters such as those being discussed here today? Certainly not!
We live in complex times, yet despite the complexities associated with these times certain principles are as valid today as they were in years and centuries past:
- Loyalty
- Dedication
- Honor
- Duty
- Courage
- Integrity
- Commitment
- Defense of the defenseless
- Opposition to oppression and tyranny
- Defense against aggressors – state sponsored or sub-national
In fact, at this year’s Hack in the Box 2009 conference, Ed Skoudis (a former colleague of mine and someone I hold in high personal and professional regard) gave a wonderful keynote on this subject titled “The Bad Guys Are Winning – Now What”. Ed identified some points which have been percolating within deep security circles, the DoD, and the Intel communities for a great deal of time. Within his keynote, he stressed the importance of his message to three distinct communities:
- Pen Testers
- Enterprise Security Personnel
- Military Personnel
If you have not read it, or did not see it, I suggest looking it up. Ed, like many of us, concludes that we as a profession (and world) can either embrace the changes we’re facing as an industry or fight them…quite possibly (and I believe this to be the case) in vain. In 2008, Marcus Ranum gave the keynote talk at Hack in the Box 2008. Marcus’ perspective on this topic is different, yet interesting all the same. Marcus’ keynote was titled “Cyberwar is Bullh*t”. Opinions, as we all know, are well…everywhere, and to that end we’re all entitled to them; however, as I am a truth addict and believe that all too often in our industry (and world) oversimplification occurs, I feel it necessary to explore and promote Marcus’ point of view as well.
I personally believe that one must ask oneself the following question when discussing cyber-warfare: what has the potential to do more damage in the 21st century, or pose a greater threat: bombs, bullets, or bits? Having been uniquely situated in a role which, at times, included all three of the aforementioned, I cannot help but ask myself and others this daily. I believe that here in the 21st century, in a world where conventional warfare is largely (thank God) localized and sub-national activities (though still clear and present dangers) sporadic, bits are the most dangerous. Am I suggesting that bombs are not dangerous (nuclear, biological, chemical)? Certainly not! Am I suggesting that bullets are not deadly? That would be absurd. No, what I’m suggesting is that given the world in which we live, the rapid adoption and flattening of the world via expansive globalization and market infusion & creation, bits have – when wielded by those with malicious intent – the potential to cause cataclysmic damage.
This year the European Commission published a communication which spoke to protecting Europe from large-scale assaults. Within the report, the commission shared concerns on the ability of member nations to defend themselves against cyber attacks. You’ll note they didn’t mention nuclear or conventional threats, but cyber threats. In the UK, the Lords (as in House of) EU Sub-Committee on Home Affairs has made it known they wish to look into the recommendations suggested in this report in order to determine whether or not they are realistic and / or appropriate in light of current international standards and systems. The EU has charter criteria for its members that will no doubt be reviewed as a part of this exercise, but what struck me most was the timeliness of this issuance. Some of the areas that the EU has previously cited as warranting enhancement include but are not limited to:
- Governance
- EU wide incident response capability
- Addressing gaps in critical infrastructure security
The Lords EU Sub-committee has also requested that specific evidence on how vulnerable systems really are (be careful what you wish for; you may just get it) be provided to them. Additionally, they have also requested to know which bodies are responsible for response and (here is what struck me, thematically, as being most interesting and relevant to the thread between Maj. Wilson and me) whether or not a more global approach is required. The committee is asking that all responses be submitted by Friday November 13, 2009.
Whether or not an international approach is required, necessary or possible, the reality is that the war is on, and that concerned individuals, businesses, military, and government bodies need to give serious thought to it.
Clouded Vision: Cloud Computing and SaaS
Clouds are mysterious. They come in a variety of shapes, sizes, consistencies and architectures. I like clouds; however, I am not sure I want my data floating about in one any more than is necessary. Cloud computing is not my forte; security is. I believe that cloud architectures warrant the same directional approach as other architectures; after all, carriers have been securing ‘clouds’ for years. I made a point of not commenting on cloud computing or SaaS (Security as a Service) environments principally because I thought that there were others out there (some very astute and knowledgeable folks) commenting ad nauseam on the topic; however, I felt that the time had come for me to add my input to this topic. Why, you might ask, have I decided to change my opinion on this? Well, to begin with, I feel there is a great deal of “cloudy” (please forgive the pun) thought and messaging being disseminated in the industry today. Many industry experts whose kung fu is stronger than mine, specifically in the realm of cloud architectures, would have us all believing that cloud architectures are new and subsequently superior to that which we have come to know and embrace as the standard in infrastructure today, let alone securing them. Perhaps they are right. Then again, perhaps they are not. Much has been made of the cloud. Many suggest that the cloud is the next generation of computing as we know it, and as such a complete shift in paradigm.
I, for one, do not believe this to be true. Yes, the advent of cloud computing is popular and, as a result, worthy of note. But new? I think not. As an idea and concept, as I mentioned earlier in this post, the carriers and others (ASPs, MSSPs, and hosting entities – not to mention third-party outsourcing entities) have been providing cloud services for decades. One might argue that these are not the same type of clouds and that as such the argument is moot. Well, until someone defines and articulates a standard with respect to clouds, I will maintain my position. In particular, SaaS services strike me as being derivative and familiar. Ask anyone who has worked extensively with Managed Security Service Providers (MSSPs) what their thoughts are regarding SaaS and you will get a number of different responses and more than a fair share of eye rolling.
In fact, one of my former employers offered comprehensive traditional MSSP services in addition to two distinct “cloud driven” solutions – one provided by a third-party vendor now owned by Symantec, built around secure messaging and web transactions, and the other built around advanced vulnerability management and compliance. The arguments and justifications used in identifying and selecting these services are shockingly similar (or not so shockingly) to those used when identifying and selecting MSSP services. Just ask anyone who has either written an RFI / RFP / RFQ for these types of services or anyone whose job it was to answer them in their entirety without pulling their hair out. You will note from my photo that I shave my head; I gave up. So why are organizations embracing these services? To a degree, I believe it has to do with cultural tolerance, profitability, the availability of staff (experienced staff), and the business’s interpretation of the importance of information security as a business enabler; however, I believe there is more than meets the eye here. My experience in the MSSP space demonstrated that there were certain considerations and realities that led to both the introduction of such services and, at times, the displacement of an incumbent provider. Here is a short list:
- Need or desire to reduce costs as they relate to capital or budgetary expenditures:
  - Eliminates / minimizes the need for new capital expenditure on equipment (potentially)
  - Eliminates associated maintenance & support costs for said equipment (potentially)
  - Enables operational security staff to focus on other, more compelling security-driven initiatives on behalf of the business (this is how I used to pitch it)
- Complexity of threats and / or evolution of challenges being presented to enterprise security teams by internal business clients, partners or external clientele continue to challenge and strain pre-existing teams:
  - Expertise is neither easy to come by nor always geographically available; these services can be used to counteract those realities
  - The ability to correlate, normalize and analyze data from disparate network and host elements enables these teams to provide salient detail pertaining to the enterprise and / or its initiatives and user community. This is obviously important and of value to external clientele as well
  - The inability to achieve a realistic risk posture, one which reflects the environment’s physical, logical and procedural state while providing the meaningful artifacts and evidence necessary to appease internal audit and risk management entities in addition to external auditors and regulatory bodies
- Transference of risk:
  - Often, though not spoken of (although at times it was), the transference of risk was the primary driver, though typically it was associated with one or all of the above
- All of the above:
  - Rare, but at times the case
My concerns with respect to cloud computing and SaaS providers stem from the assurances, or lack thereof, being made to potential clients when considering these solutions. I understand that heated debates are going on (probably on a forum near you!) with respect to this very topic, and as such I feel it vital to discuss what I feel are solid criteria for the initial vetting of these providers. The first rule, however, is that we shall not discuss pricing. Why is that the first rule? Mainly because price varies, as does the quality of the services being rendered; however, they are not always mutually exclusive. We will, however, discuss the forms in which these service offerings are presented and, as it merits, discuss deal or offering structure. I believe it is necessary for enterprises considering the adoption of such services and architectures to consider how their data is treated as it enters the cloud, what occurs during transmission, what occurs at rest and what occurs during egress. Put plainly, what occurs from the perspective of confidentiality, integrity, availability and assurance? One should always inspect what one expects; scenarios such as this are no exception.
I believe that those organizations providing cloud-driven security or SaaS services should follow the example (minimally) set by MSSPs, or at least those that I have worked with and competed against, with respect to data preservation and security. In my experience, there is no excuse for shortcuts with respect to data integrity and preservation; as such, I have worked with and represented organizations that espoused the same ideological stance on the matter of handling other people’s data. A minimum criterion in my mind includes but is not limited to the following:
- Attainment of accreditation and certification relevant to secured carrier or cloud environments:
  - SAS70-II
  - SafeHarbor
  - SysTrust
- Regular internal & external security assessments and audits performed and delivered by qualified internal employees as well as trusted third parties:
  - Penetration testing
  - Social engineering
  - Application assessment
  - Customer premise ingress (if possible)
- Concise, meaningful documentation of the environment and the ability to produce report deliverables, accreditations, and artifacts upon request
Beauty, after all, is in the eye of the auditor, and his or her interpretation of the standard against which one is being audited is paramount in attaining or maintaining status.
With respect to the monetary value associated with such services, there is no question in my mind that savings can be achieved via the selection and adoption of such services. The value represented in dollars and cents can be arrived at when negotiating initial pricing, as these contracts are typically written for specific durations; sometimes month to month, however it is more often the case that these services are delivered on a term basis (12, 24, 36, 60, 72 months etc.). The more mature the offering and provider, the easier (typically) it will be to estimate initial (capital) signing costs and subsequent savings over time. Numbers do not lie; people do, so inspect what you expect. Again, a familiar model should one look beneath the covers. You might be saying to yourself, “Wait, wait, what if it is a service that is software driven and predicated on a subscription model?”; my assertion is that fundamentally the numbers will either demonstrate value over time or prove to be cost prohibitive, so again, inspect what you expect. In many respects this is no different from any time an enterprise engages in a long-term contract with a third party for the delivery of a service. Whether it’s telecom, call center or SaaS, I believe fundamentally that they are analogous to one another.
Organizational security posture may also play into the immediate revelation of value realized by the organization upon engaging in this type of service agreement. Depending on the condition of the enterprise in question, the needs of its user community and its overall risk posture, costs may vary (most providers will offer various levels of service, all of which will have, or should have, differing degrees of service level agreements, each with its own merits and penalties to be paid to the enterprise client should the provider miss an SLA) in order to enable and empower the enterprise in realizing its goal: protection of its data, its user community and brand, all while minimizing and transferring risk. No decision of this sort should be made in a vacuum, and as such, decision makers, influencers, recommenders and stakeholders (departmental and within the various and sundry elements representing the business units which make up the enterprise) should investigate all options available and arrive at a decision which best suits their needs while providing the most value to the business. In doing so, they will effectively enable the business to do what it does best, generate revenue, while fostering a culture of cooperation and partnership. The net effect of this could lead to a fundamental change in comprehension, attitude and application of information security within the enterprise as a whole. In closing, clouds can be beautiful, amazingly striking things or, depending on the conditions, ominous harbingers of storms to come. In choosing wisely you might just be able to remain in Kansas, Toto.
For years the debate has raged on regarding the validity of signature-based solutions — regardless of where they lie within an enterprise environment’s ecosystem — versus those of a signatureless order. Questions around the effectiveness of the signatures, the time to market, and the ongoing resource consumption concerns all have been and will likely continue to rage on. Can signature-based solutions, regardless of how automated they become, truly provide enough value to warrant continued spend given the nature of the threats we face today, or has their day come and gone? Are we holding onto them, thereby forcing their relevance in order to satisfy audit control requirements such as those presented by the PCI DSS? In a time when malicious code and content is more intelligently, and voluminously, developed than ever before — endowed with various means by which to detect, identify and bypass mitigation technologies — one must ask whether or not we as an industry are jousting with windmills using ineffective solutions and hoping for victory.
Now, to be clear, I want to get something straight right out of the gate: I am not saying there is no need for signature-based technologies at all within our enterprises or homes. What I’m suggesting here is that the role in which they have been traditionally positioned by vendors, service providers and others has, for several years in my opinion, warranted preemptive solutions rather than reactive ones. Our world and its demands have changed. It’s that simple. Due to this change, we need to espouse and endorse a more mature form of thought; one which takes into consideration the threats we face, the likelihood of these threats successfully exploiting identified vulnerabilities, and the subsequent risk this perfect storm of circumstance represents. We need to ask ourselves, our peers and our industry to reconsider our position on these ideas while at the same time achieving a state which allows us to repurpose these signature-based solutions where they can do the most good within our environments.
You wouldn’t use a 22-year-old engine to compete against modern, better-designed and better-optimized ones in an automobile race, would you? Similarly, you wouldn’t ask fighter pilots to engage modern jet aircraft in P-51 Mustangs either. So why would you task your staff, your peers, and yourself with combating emerging, evolving threats with tools which are dependent upon prior knowledge of a threat (e.g. patient zero), as opposed to retooling yourselves and your environments? The technology is there; it has been for some time. Could it be improved? Well, nothing is perfect; however, even in its imperfection, it has been my experience that modern signatureless solutions as first-line-of-defense solutions are more effective than their signature-based counterparts.
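The reactive versus preemptive distinction above, as an added example that is not code from the original post: a hash signature catalogued from the first sample seen (patient zero) is run beside a behaviour rule over endpoint event traces, and only the latter flags a re-packed variant. The samples, the traces, the indicator weights and the threshold are all constructed for illustration, not taken from any product or real telemetry.

```python
"""Exact-match signatures depend on having seen the threat before; a rule on
observed behaviour does not. Everything below is a constructed stand-in."""
import hashlib

# "Signature database": SHA-256 of the single sample catalogued so far (patient zero).
# The sample content is a constructed placeholder string, not real malware.
KNOWN_SAMPLE = b"dropper-v1|payload=abc|beacon=update.example.invalid"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# A trivially re-packed variant: identical behaviour, one byte of content changed.
VARIANT_SAMPLE = b"dropper-v2|payload=abc|beacon=update.example.invalid"

# A benign installer that the organisation actually deployed.
UPDATER_SAMPLE = b"vendor-updater|signed=yes"

# Constructed behaviour traces, shaped like (action, detail) pairs an endpoint
# sensor might emit. "known" and "variant" behave identically on the host.
TRACES = {
    "known":   [("write", "startup_folder"), ("connect", "unlisted_host"), ("spawn", "shell")],
    "variant": [("write", "startup_folder"), ("connect", "unlisted_host"), ("spawn", "shell")],
    "updater": [("write", "program_dir"), ("connect", "vendor_host"), ("spawn", "installer")],
}

# Illustrative weights for a handful of behaviour indicators; a real ruleset
# would be tuned against the environment's baseline.
INDICATOR_WEIGHTS = {
    ("write", "startup_folder"): 2,   # persistence
    ("connect", "unlisted_host"): 2,  # unexpected outbound traffic
    ("spawn", "shell"): 1,            # command interpreter launched
}
THRESHOLD = 4


def signature_match(sample: bytes) -> bool:
    """Reactive check: true only if this exact content has been catalogued."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES


def behaviour_score(trace) -> int:
    """Sum the weights of every indicator present in the trace."""
    return sum(INDICATOR_WEIGHTS.get(event, 0) for event in trace)


def behaviour_match(trace) -> bool:
    """Preemptive check: flags the combination of actions regardless of the bytes."""
    return behaviour_score(trace) >= THRESHOLD


def evaluate():
    """Run both detectors over the three constructed cases.

    Returns {name: (signature_hit, behaviour_hit)}; the variant is the case
    the signature misses and the behaviour rule catches."""
    samples = {"known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE, "updater": UPDATER_SAMPLE}
    return {
        name: (signature_match(sample), behaviour_match(TRACES[name]))
        for name, sample in samples.items()
    }


if __name__ == "__main__":
    for name, (sig_hit, beh_hit) in evaluate().items():
        print(f"{name:8s} signature={sig_hit!s:5s} behaviour={beh_hit}")
```

The signature detector only ever catches the exact bytes it was taught, while the behaviour rule catches the variant without any prior knowledge of it and still passes the benign updater.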
Introduction
To begin, we need to define what an economic ecosystem is. Economics is the study of the production, distribution, and consumption of goods and services. If you investigate the etymology of the word, you will discover the English word ‘economics’ comes from the ancient Greek word oikonomia, which means “management of a household or administration”. Economists strive to explain how economies work, what influences them and what agents are present within said economies that influence change while interacting with one another, by drawing distinctions in the management and administration of markets, goods, services and commodities sold and requested at given rates.
Often economists will spend a great deal of time (rightly so) describing in verbose detail the differences which exist in regards to the scope of economics (e.g. positive and normative economics), and the differences between theoretical and practical or applied economics as they pertain to mainstream economics, while taking into consideration the relevance of heterodox economic theories in course. For the most part, however, economists will separate and segregate economic discussions into contextual terms, thereby grouping them in either microeconomic or macroeconomic categories; little and big for the lay economist. In doing so, economists are free to address issues such as inflation, unemployment, and monetary and / or fiscal policy as they pertain to an economy in its entirety.
A Word on Microeconomics
Microeconomics focuses on the interactions between individual markets as they relate to the scarcity of goods or services and to government regulation. Markets exist for all manner of things, as mentioned above; some good, some not, but all marketable. Microeconomic theory considers the aggregate quantities demanded by buyers and the quantities supplied by sellers at each possible price per unit or denomination sold. It strives to define the relationship between price and quantity while (potentially) pointing out responses to market changes over time.
So why would this be of importance, let alone interest, in the context of a blog post called “Bombs, Bullets, or Bits: Cybercrime, You and the 21st Century, Part III”? Simply stated, a fundamental understanding of microeconomics enables us to identify and study supply and demand while applying appropriate levels of analysis to what drives, influences, creates, sustains or destroys a market. Market structures (e.g. perfect competition, monopoly, trust etc.) are all examined and taken into account for their implications on behavior and economic efficiency. The goods and services that we will be reviewing over the course of subsequent blog postings, and their respective markets, all of which are driven by supply and demand, are just as subject to the laws and principles of economics as are the markets that support the automotive or entertainment industries. The difference lies in whether these markets are seen or unseen.
Markets
Markets exist to display products and services for sale to meet the demand presented by a given set of consumers. Many factors influence the rise and fall of markets, but ultimately demand drives the cycle. The suitability of a product or service for exchange or sale is predicated on its demand (whether local or global) and on the ability of a manufacturer or provider to meet that demand via its own supply or via some form of supply chain. Simple enough, right? For the purposes of this blog entry we will not delve into economic theory as it pertains to production cost modeling, opportunity cost modeling and the true economic cost of producing a given good or service. Nor shall we delve into the dark waters of specialization and its impact on the production of a good or service by a people or country. However, it is important to note that these principles are at work in all markets, great and small, seen and unseen.
Economic Ecosystems
As we have discussed so far, many factors influence the development of an economic ecosystem. It is no coincidence that the laws and principles that govern economics as a discipline are applicable to all market systems; they are universal and must be understood in order to determine the motives of both suppliers and consumers. Our industry is no different from any other. These laws apply to every aspect of our world and to the markets that are served, both seen and unseen. As such, it is critical that we as information security professionals, tasked with the responsibility of safeguarding and protecting our nations, corporations, and personal interests (as well as the interests of those who cannot protect themselves), are fluent and comfortable in our understanding of these economic truths.
In the next installment of this series, we will delve deeper into that which has influenced the evolution and emergence of new, and largely unseen markets focused on addressing the market demands of cybercriminals by cybercriminals throughout cyberspace.
I would be remiss if I did not mention the role of the backdoor within the context of this discussion. Backdoors are well known within the information security world. They come in a variety of flavors but can be broadly categorized as either symmetric or asymmetric: a symmetric backdoor can be used by anyone who discovers it, whereas an asymmetric one can be used only by its designer, who holds the matching private key even after the backdoor itself has been found. Adam Young and Moti Yung introduced this terminology and its use cases in 1996, and today the study of such constructions is commonly referred to as cryptovirology. Backdoors are used (in authorized or unauthorized manners) largely to bypass normal or traditional authentication mechanisms. In practice they are used to gain covert remote access to systems, with the endgame being access to plaintext data in some form of escalated-privilege state, all while remaining, or attempting to remain, undetected by administrators.
Backdoors can be independent applications or programs. They can also be the result of a modification made to an existing application, program or even hardware device (e.g. BIOS backdoor passwords). The possibilities are quite broad, limited only by the imagination of the designer and the weaknesses, flaws and vulnerabilities identified in the design of the target application, program or device. Examples of this type of activity are abundant. In November 2003 just such a threat was identified and addressed in the Linux kernel. A two-line addition to a development copy of the source code, made to look like a harmless error-checking feature in the wait4() system call, was discovered because it had been inserted directly into the CVS mirror rather than arriving through the normal review process. At first glance it appeared quite harmless, benign in both function and intent. Why such a serious matter, then? The answer stems from what the code was truly architected to do: its condition used an assignment (=) where a comparison (==) belonged, so that if a process passed a particular invalid combination of flags (__WCLONE together with __WALL), the check would silently set the process’s user ID to root, turning the seemingly innocuous wait4() into a backdoor allowing complete control of any machine built from the tampered source.
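The following is an added illustration for this post, not code from the kernel or from the original article: a user-space C reproduction of the shape of the 2003 change, with the backdoored assignment beside the comparison it was disguised as. The `struct task`, the flag names `OPT_WCLONE`/`OPT_WALL` and the helper functions are constructed stand-ins for `current->uid` and the kernel’s `__WCLONE`/`__WALL`; only the values and the shape of the condition mirror the real code.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel's per-task credentials (current->uid). */
struct task {
    unsigned int uid;
};

/* Stand-ins for the kernel's __WCLONE and __WALL wait4() option flags. The
 * values mirror Linux's; the names are changed to avoid clashing with the C
 * library's own definitions. */
#define OPT_WCLONE 0x80000000u
#define OPT_WALL   0x40000000u
#define EINVAL_CODE 22

/* The shape of the 2003 addition. The inner "(current->uid = 0)" is an
 * assignment, not a comparison: it sets the caller's uid to 0 (root) and then
 * evaluates to 0 (false), so the -EINVAL branch is never taken. The redundant
 * parentheses around the assignment also keep gcc's -Wparentheses quiet, which
 * is part of why it could pass as error checking. */
int option_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid = 0))
        retval = -EINVAL_CODE;
    return retval;
}

/* What the same two lines would mean with a comparison: a real check that
 * rejects the flag pair only for root and never modifies credentials. */
int option_check_compared(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid == 0))
        retval = -EINVAL_CODE;
    return retval;
}

/* Helpers reporting the caller's uid after each variant has run. */
unsigned int uid_after_backdoored(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    option_check_backdoored(&t, options);
    return t.uid;
}

unsigned int uid_after_compared(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    option_check_compared(&t, options);
    return t.uid;
}

/* Return value of the comparison variant, showing it does reject for root. */
int result_compared(unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    return option_check_compared(&t, options);
}

int main(void)
{
    unsigned int trigger = OPT_WCLONE | OPT_WALL;
    printf("uid 1000, backdoored check, trigger flags -> uid %u\n",
           uid_after_backdoored(1000, trigger));
    printf("uid 1000, backdoored check, other flags   -> uid %u\n",
           uid_after_backdoored(1000, OPT_WCLONE));
    printf("uid 1000, comparison check, trigger flags -> uid %u\n",
           uid_after_compared(1000, trigger));
    return 0;
}
```

The practical lesson is in the review, not the compiler: the two lines compile cleanly, the warning that would normally catch an assignment in a condition is suppressed by the extra parentheses, and the tell was procedural (a change present in the mirror that no maintainer had committed). Reviewing for `=` inside conditions, and treating any privilege field written from a validation path as suspect, is the check a practitioner would add.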
Many other such examples of this type of threat can be seen historically, some associated with worms such as MyDoom, and others manifesting as cleverly marketed DRM-style protection mechanisms such as the SONY/BMG rootkit I discussed in my last post. It’s important to bear in mind that all of them play a role in today’s threat landscape and have not gone the way of the dinosaur, as some researchers and vendors would have you believe. Their uses and applications are limited only by the intent and imaginations of those wielding them. Their role in the rise of Advanced Persistent Threats and Designer Malware is irrefutable and must not be dismissed as an idea held over from the antiquity of computing.
Yesterday I wrote a quick blog entry regarding new trends associated with Trojans, particularly those involving ‘Command and Control’ functionality. It is something that I will be expanding upon in detail in a later post. Today, however, I wanted to discuss another of my favorite malware-related topics, one which I enjoy analyzing in detail (within the safety and sanctity of my own environment), and that is the realm of the root kit. As we have discussed previously, there are scores of ways in which malware (any malware, not root kits or Trojans in particular) can be introduced into an environment. Some are more effective than others, and yet in this brave new world of high-speed broadband connectivity to homes throughout the land (not to mention the world), one must conclude that the likelihood of introduction, compromise and infection has grown (and likely will continue to do so) in an exponential manner. Still, one of the most effective threat vectors lies with the human factor, as discussed in yesterday’s post. In order to avoid beating a dead horse I will simply say this: much (not all, but much) can be avoided if end users (whether ‘corporate’ end users or ‘private’ citizens such as my mom) are properly and thoroughly educated with respect to the dangers associated with malware such as root kits.
This education and awareness needs to be ongoing and should never fall by the wayside; it should be at the forefront given the continued popularity and adoption of advanced technologies. OK, back to root kits. Root kits are not new (sound familiar?); in fact, they are quite mature, and some might even say “old school”.
For argument’s sake, let’s suppose you do not know what defines a root kit. Quite simply, root kits are software systems, often comprising one or more programs, used to prevent anyone (end users, administrators etc.) from discovering that a system has been compromised. They come in a variety of forms including:
- Hardware/Firmware
- Hypervisor level
- Kernel level
- Library level
- Application level
They do not necessarily grant a user administrative permissions or privileges; rather, they are typically installed after an attacker has already obtained such privileges and are used to replace system files (e.g. executables) or hook system calls so as to hide the processes, files and network connections the attacker has installed, in addition to hiding the presence of the root kit itself (most often accomplished by subverting or evading the operating system’s own security and monitoring mechanisms, and with them the anti-virus and anti-spyware technologies that depend on those mechanisms). In effect, their mission is simple: having compromised the host, preserve control of the operating system while concealing that control.
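To make the hooking and hiding described above concrete, here is an added example written for this post (not code from the original article or from any real root kit): a single-file C model of a library- or kernel-level hook on a directory-listing call, and beside it the cross-view comparison that detectors use to expose it. The directory contents, the `rk_` naming prefix, the `listdir` call and the one-entry dispatch table are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed directory contents, standing in for what the kernel would hand
 * back for a real directory read. Entries beginning with "rk_" belong to the
 * hypothetical root kit and are what it wants kept out of sight. */
static const char *TRUE_LISTING[] = {
    ".", "..", "bash", "ls", ".rk_loader", "rk_daemon", "sshd", NULL
};
#define HIDE_PREFIX "rk_"   /* assumption: the root kit's own naming prefix */
#define MAX_ENTRIES 64

typedef int (*listdir_fn)(const char *path, const char **out, int max);

/* The genuine implementation: the low-level view nothing has filtered. */
static int real_listdir(const char *path, const char **out, int max)
{
    (void)path;
    int n = 0;
    while (TRUE_LISTING[n] && n < max) {
        out[n] = TRUE_LISTING[n];
        n++;
    }
    return n;
}

/* The dispatch slot user space reaches: a one-entry "system call table". */
static listdir_fn sys_listdir = real_listdir;
/* Where the hook stashes the original so it can forward to it. */
static listdir_fn orig_listdir = real_listdir;

/* The hook: call the original, then drop anything carrying the prefix
 * (dot-file variants included) and hand back the shortened list. */
static int hooked_listdir(const char *path, const char **out, int max)
{
    const char *tmp[MAX_ENTRIES];
    int n = orig_listdir(path, tmp, MAX_ENTRIES), kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        const char *name = tmp[i];
        if (name[0] == '.')
            name++;
        if (strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0)
            continue;
        out[kept++] = tmp[i];
    }
    return kept;
}

void install_hook(void)
{
    if (sys_listdir == hooked_listdir)   /* never hook on top of ourselves */
        return;
    orig_listdir = sys_listdir;
    sys_listdir = hooked_listdir;
}

void remove_hook(void) { sys_listdir = orig_listdir; }

/* What ls, ps or an on-host scanner sees: the high-level view. */
int listdir(const char *path, const char **out, int max)
{
    return sys_listdir(path, out, max);
}

/* Cross-view detection (the approach behind tools such as RootkitRevealer):
 * enumerate through the normal API and again by the lowest path available,
 * then report every name present below that is absent above. */
int cross_view_hidden(const char *path, const char **hidden, int max)
{
    const char *high[MAX_ENTRIES], *low[MAX_ENTRIES];
    int nh = listdir(path, high, MAX_ENTRIES);
    int nl = real_listdir(path, low, MAX_ENTRIES);
    int found = 0;
    for (int i = 0; i < nl; i++) {
        int seen = 0;
        for (int j = 0; j < nh && !seen; j++)
            if (strcmp(low[i], high[j]) == 0)
                seen = 1;
        if (!seen && found < max)
            hidden[found++] = low[i];
    }
    return found;
}

/* Count-only wrappers, on a clean table and with the hook installed. */
int visible_count(void) { const char *v[MAX_ENTRIES]; return listdir("/bin", v, MAX_ENTRIES); }
int hidden_count(void)  { const char *h[MAX_ENTRIES]; return cross_view_hidden("/bin", h, MAX_ENTRIES); }
int visible_with_hook(void) { install_hook(); int n = visible_count(); remove_hook(); return n; }
int hidden_with_hook(void)  { install_hook(); int n = hidden_count();  remove_hook(); return n; }

int main(void)
{
    const char *h[MAX_ENTRIES];
    printf("clean:  visible=%d hidden=%d\n", visible_count(), hidden_count());
    install_hook();
    int n = cross_view_hidden("/bin", h, MAX_ENTRIES);
    printf("hooked: visible=%d hidden=%d\n", visible_count(), n);
    for (int i = 0; i < n; i++)
        printf("  hidden by hook: %s\n", h[i]);
    remove_hook();
    return 0;
}
```

The caveat a practitioner will recognize: cross-view only works if the low-level view is something the root kit has not also hooked. In the model above `real_listdir` is untouchable; on a real system a kernel-level root kit can sit below the file-system API as well, which is why serious inspection parses the disk structures directly or boots from trusted media and examines the volume offline.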
In many cases they are Trojans as well, and just as we discussed yesterday they attempt to convey a sense of benignity and usefulness in order to convince the user that they are safe to execute. Additionally, many root kits implement backdoors into the systems they have compromised by corrupting or replacing the legitimate login mechanism (e.g. /bin/login) with one designed by the attacker, for instance one that accepts an attacker-chosen password alongside legitimate credentials. No one is entirely certain of their origin; however, there are some who feel it is reasonable to believe they were originally designed to perform functions similar to those provided by utilities such as VNC, for remote command and control of an unresponsive or failing machine. Whatever the case with respect to their origins, their use and popularity continue to grow, manifesting in some of the most unlikely places. In the last three years, for example, we have seen some rather profound instances of root kit use and proliferation (at least among those which have been publicly reported after disclosure).
Take for example the Sony root kit. In 2005, Sony began distributing its XCP (Extended Copy Protection) software in some of its products. In effect, XCP was a digital rights management program that employed techniques (e.g. cloaking of its own files and processes) normally associated with malicious root kit developers, and it was a genuine security risk, since the same cloaking could conceal any other software that adopted its naming. As a result, in addition to a loss of face, credibility and brand value, Sony was forced to recall millions of CDs. What makes this case unique is that Sony knowingly distributed XCP to its customer base and in effect acted in the same manner as those who traditionally operate for malicious ends. The net effect was a public relations disaster for Sony which has yet to fade in the minds of the information security community, much less the world at large.
2008 saw two interesting examples of root kit activity, the first being the Pandex Trojan. Pandex was interesting in that it would identify the presence of an existing root kit, remove the incumbent’s hooks into system calls and subsequently stop the first root kit. Upon stopping the incumbent, Pandex would install its own root kit. Similar ‘turf wars’ had been seen during the heyday of worms, but this was unique amongst root kits. Sebastian Muniz, a security researcher with Core Security Technologies, developed the next example of interest, which caught my eye. Muniz developed a root kit for Cisco IOS, which he debuted at EUSecWest in London. Muniz’s work increased the scrutiny already directed at routers since Mike Lynn’s presentation in 2005. Muniz’s root kit, a patched IOS image residing in the router’s flash memory (from which IOS is loaded at boot), relied on an alternate means of introduction onto the device in question, but once present it would allow covert monitoring and command and control of the device. The impact of such an event occurring on a massive scale is simply staggering.
This year in March, we saw the SMM (System Management Mode) root kit, which uses an Intel CPU cache poisoning vulnerability, identified by Rafal Wojtczuk and Joanna Rutkowska and, independently, by Loic Duflot. The attack in question allows the root kit to hide in the SMM space and subsequently secure control of the system. The second example was discovered by Alfredo Ortega and Anibal Sacco of Core Security Technologies. They identified what proved to be a dangerous pre-installed root kit (Computrace LoJack for Laptops, estimated to be present on 60 percent of all new laptops) that resides in the BIOS and periodically calls home to a central authority for instructions. This call-home functionality allows the central authority to wipe the system in the event the device is stolen or to track the location of the device in question. What makes this truly dangerous is the potential for exploitation of the call-home process. Should an attacker compromise this function, he or she has access to a great deal of information. One might ask how it is possible that both an authorized and an unauthorized party could leverage the same mechanism; according to the authors, it was due to the technology’s dependence on a configuration method in which the IP address, port and URL are all hard-coded in the Option ROM, where they can be modified by anything able to write to it. Where is my Excedrin?
As you can see, these are just a few examples of what root kits are and how they are leveraged. This topic truly warrants a greater degree of time, and perhaps one day soon I will have the time to write something a bit more formal, but in the meantime bear in mind their presence and the dangers associated with them. They were once thought to be out of style, yet clearly the evidence suggests otherwise.
In an earlier post, I introduced the concept of “Advanced Persistent Threats” and “Designer Malware” at a very high level, the ‘101’ if you will. You may recall my reference to the article which Business Week ran in 2008 which addressed, briefly, the concept of Advanced Persistent Threats (APTs). No one knows for certain the true reach of such threats, but it can safely be assumed, based on both historical and current information, that instances of such threats continue to grow, with many going unreported to authorities or information security professionals for fear of the consequences associated with having been found first vulnerable and second compromised. Though there are many means by which a given threat might be introduced into an organization, some work better than others. Some of the most successful, in fact, still rely upon the most obvious and oldest of all threat vectors: human nature. Human nature is a wondrous thing; complex, multi-faceted, representative of all that we are, good and bad. It aids in defining us; however, it is not what defines us.
In June of 2006, Mike Bond and George Danezis of the University of Cambridge Computer Laboratory released a paper (“A Pact with the Devil”) which posed an interesting question regarding the role human nature plays in the exploitation and compromise of both systems and people. In their abstract Bond and Danezis stated the following: “We study malware propagation strategies which exploit not the incompetence or naivety of users, but instead their own greed, malice and short-sightedness. We demonstrate that interactive propagation strategies, for example bribery and blackmail of computer users, are effective mechanisms for malware to survive and entrench, and present an example employing these techniques. We argue that in terms of propagation, there exists a continuum between legitimate applications and pure malware, rather than a quantised scale.” I loved this paper from the first time I read it and have had conversations with its authors regarding their views. I highly recommend it to anyone in our field, as its relevance is as indisputable as its timeliness.
It is key to recognize and emphasize the importance of malware propagation strategies being diverse. The vehicle for delivery can take many forms and may require many variables to be present and available. Attempting to compromise both systems and personnel requires that a discretionary mode of thought be employed in order to choose the simplest yet most effective means of accomplishing the goal. In short, adherence to the principle identified and immortalized by William of Ockham, “entia non sunt multiplicanda praeter necessitatem” (“when you have two competing theories that make exactly the same predictions, the simpler one is the better”), also known as Occam’s Razor.
With respect to Advanced Persistent Threats, I’d like to focus the remainder of this entry on the reinvention of the Trojan. I am going to focus on Trojans today as of late I’ve been dealing a lot with them and find the evolution, or rather revolution, taking place with respect to them quite interesting. Like all malicious programs, Trojans rely upon obfuscation in order to avoid being identified, detected, shut down and/or removed by a user or administrator. This reliance upon obfuscation is paramount to the successful introduction and installation of Trojans, as they typically attempt to convey a sense of benignity and/or usefulness to the user or environment they are targeted at, or via the application or mechanism being used to deliver them. Often this pseudo-benignity creates a false sense of security in the target and, ideally for the attacker, finds the target susceptible and willing to install the Trojan without knowing exactly what it does.
Many factors influence the manner in which the payload will operate, to what degree, and on what schedule, but ultimately the goal is to infiltrate, install and subsequently deliver the payload (again, as defined by the author) within the host environment. Trojans themselves fall into the category of malware which lacks the native capability to self-propagate (à la viruses) or replicate (à la worms), which requires them to leverage an alternate mechanism for distribution. As mentioned above, the path of least resistance is often the best, and depending on who and what is identified as the target of opportunity the choice of distribution method may vary, with the net effect being the same. Popular means of distribution involve exploitation of vulnerable systems via direct targeting, randomized exploitation via malicious websites and domains (‘drive-by infections’), peer-to-peer file sharing and/or the ever popular ‘sneaker net’ via compromised USB media.
Of late, it has become more and more popular amongst malware authors in the underground to implement command and control mechanisms within Trojans, enabling greater degrees of administrative response and creating an environment which communicates bidirectionally with the botmaster in question: the infected host checks in on a schedule, receives instructions and new modules, and reports back. Clampi, Monkif, Grups Trojan, and URLZone Trojan are great examples of this. It is important to note that the rate of change observed is great and that the re-engineering of malware samples of this type is increasingly common. Changes such as these imply that the traditional use cases for such malware (though still applicable) are in fact also shifting. As a result, greater degrees of awareness are needed, beginning with solidly architected security programs and education/awareness campaigns, coupled with both technical and procedural controls.
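The scheduled check-in that makes bidirectional command and control work is also the defender’s opportunity: a process that sleeps a fixed interval between call-homes leaves a regular rhythm in outbound connection logs that human browsing does not. The example below is added for this post (it is not from the original article or from any vendor’s product) and scores each destination’s inter-arrival jitter to flag probable beacons. The connection records are constructed, the addresses are from documentation ranges, and the thresholds (five connections, jitter ratio 0.2) are assumptions to be tuned per environment.

```c
#include <stdio.h>
#include <string.h>

/* Constructed outbound-connection records (seconds from an arbitrary start,
 * destination), standing in for fields pulled from proxy or firewall logs.
 * 198.51.100.7 is a five-minute beacon with slight jitter, 203.0.113.5 is
 * ordinary irregular browsing, 192.0.2.9 is a single hit. */
struct conn { long ts; const char *dst; };

static const struct conn CONN_LOG[] = {
    {    0, "198.51.100.7" }, {   12, "203.0.113.5" }, {   47, "203.0.113.5" },
    {  300, "198.51.100.7" }, {  500, "192.0.2.9"   }, {  601, "198.51.100.7" },
    {  899, "198.51.100.7" }, {  980, "203.0.113.5" }, { 1100, "203.0.113.5" },
    { 1103, "203.0.113.5" }, { 1200, "198.51.100.7" }, { 1502, "198.51.100.7" },
};
#define NLOG ((int)(sizeof CONN_LOG / sizeof CONN_LOG[0]))
#define MAX_PER_DST 64

/* Collect the timestamps for one destination, sorted ascending. */
static int timestamps_for(const char *dst, long *ts)
{
    int n = 0;
    for (int i = 0; i < NLOG && n < MAX_PER_DST; i++)
        if (strcmp(CONN_LOG[i].dst, dst) == 0)
            ts[n++] = CONN_LOG[i].ts;
    for (int i = 1; i < n; i++) {            /* insertion sort; logs arrive unordered */
        long v = ts[i];
        int j = i - 1;
        while (j >= 0 && ts[j] > v) { ts[j + 1] = ts[j]; j--; }
        ts[j + 1] = v;
    }
    return n;
}

/* Jitter ratio = (longest gap - shortest gap) / mean gap. A fixed sleep
 * between check-ins gives a ratio near 0; human-driven traffic gives ratios
 * well above 1. Returns -1 when there are too few connections to judge;
 * *count (if non-NULL) receives the number of connections seen. */
double jitter_ratio(const char *dst, int *count)
{
    long ts[MAX_PER_DST];
    int n = timestamps_for(dst, ts);
    if (count)
        *count = n;
    if (n < 3)
        return -1.0;
    long lo = ts[1] - ts[0], hi = lo, sum = 0;
    for (int i = 1; i < n; i++) {
        long gap = ts[i] - ts[i - 1];
        if (gap < lo) lo = gap;
        if (gap > hi) hi = gap;
        sum += gap;
    }
    double mean = (double)sum / (n - 1);
    return mean > 0 ? (hi - lo) / mean : 0.0;
}

/* A destination is a probable beacon when it has enough check-ins and low jitter. */
int is_beacon(const char *dst, int min_conns, double max_jitter)
{
    int n;
    double r = jitter_ratio(dst, &n);
    return n >= min_conns && r >= 0 && r <= max_jitter;
}

/* Visit each distinct destination once and count those flagged. */
int count_beacons(int min_conns, double max_jitter)
{
    const char *seen[NLOG];
    int nseen = 0, hits = 0;
    for (int i = 0; i < NLOG; i++) {
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], CONN_LOG[i].dst) == 0)
                dup = 1;
        if (dup)
            continue;
        seen[nseen++] = CONN_LOG[i].dst;
        if (is_beacon(CONN_LOG[i].dst, min_conns, max_jitter)) {
            int n; double r = jitter_ratio(CONN_LOG[i].dst, &n);
            printf("probable beacon: %s (%d connections, jitter ratio %.3f)\n",
                   CONN_LOG[i].dst, n, r);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("%d beacon(s) flagged\n", count_beacons(5, 0.2));
    return 0;
}
```

Two caveats apply in practice. Malware authors know this signal exists and add deliberate randomness to their sleep intervals, so a loose threshold and a long observation window matter more than a tight one; and legitimate software (update checkers, monitoring agents) beacons too, so the score is a triage input to be joined with destination rarity, byte counts and the process that owns the socket rather than an alert on its own.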
In my next post we’ll discuss the rampant growth and resurgence of rootkits and backdoors as they pertain to APTs and Designer malware and what potential impact they are having today and may have in the future.