03.26.2010

Introduction:

Just when you thought it could not get any weirder we bring you yet another installment of Bombs, Bullets, and Bits!  In fact this is Episode V and of the ongoing series and today’s installment focuses on the wonderment of open market promotion, marketing, and salesmanship within the sub-economic ecosystems of the underground.  Before we get going though I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.

Adam Smith and Underground Sub-Economic Ecosystem of the Internet:

Adam Smith is revered the world over by economists and non-economists alike.  Smith (b.1723 – d.1790), wrote what is considered to be by many as one of the most important texts in economics and philosophy, The Wealth of Nations.  He is credited with coining the phrase and concept of the “invisible hand of the market” which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles of conditions such as supply and demand.  If you’ve not studies Smith’s works I would suggest picking up his The Wealth of Nations, as it is timeless.  In the event you have not but are interested in understanding the basic premises of Smith’s philosophy (and if you intend on reading the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points contained therein:

Relevance to the Underground and You:

Ok, at this point you may be thinking “thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.”, I’m glad you asked.  As we established above, every good and or service has what Smith called a “natural price”.  This “natural price” is determined by a variety of factors including at a high level:

As one might expect availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers.  This is true in all markets to and including the various ‘sub-ecosystems’ of the underground.  In conducting research on botnets I recently ran across quite a bit of ‘marketing’ and solicitation, the likes of which would’ve made any professional sales team proud.   Want access to source code for a botnet to do with what you will? DDoS? SPAM? Malicious Code Infection? No problem, you can do it all with the right package.  In fact, in one case, the case of the ‘Blazebot’ botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet’s final form factor:

Figure 1: Examples of Marketed Features In the Underground

Installation:
Service Startup
ActiveX Startup
Anti Debugger thread
Anti Dumping Mechanism
File Protection (can be seen on video)
Two types of process protection
Windows Firewall exception
Shared memory between service and userland app (ring 3)
User impersonation (Service steals a token from userland App to steal their data)
Pure API sockets (no ocx, csocketmaster or whatever)
Ring3 API unhooking
Commands: Update
-Allows users to update the bots with a newer version
Dump

-This will cover the retrieving of:
Windows serial keys
Antivirus/Firewall name
Basic Info
MSN passwords
Internet explorer passwords
Serial keys
Poison Ivy
-This command will download the preset shell code of Poison Ivy to memory to connect back to you for full control.
Download
-Downloads a file to HDD. Can also auto-execute and load DLL’s and EXE on request.
Execute
-This will run a specific executable file.
Nickname
-With this you can give specific bots commands
Exit
-Terminate your own process (does NOT uninstall)
Melt
-Program will uninstall itself
Unhook
-Bots will unhook themselves from API hooks in ring3
Self Patching
-You can let the bots patch their settings to connect to other hosts
DDOS
-This is basically a big bandwidth flood to take down hosts
Delete files
-self explanatory
Kill Processes
- self explanatory
Msn Spamming
This will spam anything you want into the ongoing msn chats without hooking anything.

In this case the author decided to take his project to the open market and solicit private bids.  Bids (which were rejected by the author), ranged from $50 USD to $400 Euros.  In the end the author sold the entire source code package to a private party who wished to remain anonymous for an undisclosed amount.  As part of the author’s campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS Botnet and community.  A key selling point made by the author was that unlike ZeuS he was selling the entire source code package not simply binaries thusly enabling the buyer to establish their footprint in the Botnet world in any number of ways all of which were at the command of the new owner.  Additionally, the author demonstrated the ability of the code to bypass detection of some 22 Anti-Malware engines.

Up On Olympus:

ZeuS is another wonderful example of this.  Currently, active orders are being solicited for 1.4.x.x of ZeuS with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality.  ZeuS is an interesting case in that older versions of the Botnet are easily had in the wild and can be used effectively though newer, more easily obfuscated versions of the code are available.  ZeuS is in extremely high demand, selling on a pre-order basis.   A testimony to its popularity and continued success for its authors, sellers and suppliers is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, impregnating them with malicious code & content packages with the end game being the establishment of participation within the greater command & control fabric.  These examples are certainly not representative of all examples of activity within the underground however they provide a clear and concise view of just how supply and demand are working on a routine basis.

Tags: , Filed Under Bot Nets, Cyber Crime, Cyber Defense, Malicious Code, Malicious Content, Next Generation Threats | 1 Comment 

03.26.2010

When I think of information security in the broadest sense, I immediately think of managing and mitigating risk.   I know of no more appropriate way in which to view our discipline and have for years and years (largely due to my diverse background in both research and consultancy organizations), struggled to understand why there is opposition to this point of view.  Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’).    It pains me to know end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business.  It worries me that there is so much opposition to asking and answering three very simple, yet insightful questions about one’s enterprise environment.

It troubles me deeply that there are so many misgivings with respect to the benefits associated and derived from proper management of risk and the establishment of a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization as a whole and on individual levels amongst business units and individual contributors.    Recently I engaged in a thought provoking conversation with the talented and engaging Mr. Dan J. Molina during which a substantial amount of time was dedicated to discussing this very matter.  During the conversation we discussed in no specific order many of the points, which are debated (some with greater degrees of merit than others), within our industry regarding risk management:

  1. Risk is inherent in all things; nothing worth doing (or not doing) can be said to be devoid of risk
  2. To understand risk one must embrace, not run from it
  3. Risk can be empowering if one takes the time to explore it or devastating if one ignores it
  4. Neither men or organizations of men (in business, government, or life), can eliminate risk; they can only work to manage it via mitigation with the hope of minimizing impact
  5. Too many people mistakenly equate risk management with compliance – the two are not mutually exclusive however they are by no means the same thing
  6. Risk management is hard and as a result of it being hard it is undesirable by many, as it requires. EFFORT!
  7. Risk management is an impossible or unrealistic ideal – Ranum / Schneier debate…it’s rubbish
  8. The practice of managing risk does not require the invocation of a ‘new school of thought’; there is nothing wrong with the schools of thought present and accounted for today or yesterday; adoption is a not dependent on the cohesive nature of the school of thought
  9. It is both irresponsible and fool hardy to operate as though risk does not require managing or that it is not present in all things

10. There is no way to force risk management into effect regardless of how compelling the data supporting it (actuarial data, circumstantial data etc.) is or might be

The discussion of these points gave way to another discussion on whether or not there was merit in simply ‘feeling secure’ as opposed to being secure and having to demonstrate a state of security vis a vis evidence of a mature risk posture.


We then discussed the importance of feeling secure as it relates to the demonstration of security vis a vis evidence of risk posture as they relate to the state of being secure.  For many ‘feeling secure’ as Bruce Schneier has pointed out in the past, is as or more important than actually demonstrating security via hard fact and unilaterally. I tend to agree with Schneier on this point that many would be comfortable operating under the belief that they are secure (regardless of whether or not it had been substantiated via qualitative and quantitative means), by virtue of how they feel as opposed to actually knowing they are secure.   In essence the argument boils down to a collective delusion, which finds everyone sharing the same experience; the same reality regardless of its accuracy.  This of course is dangerous at best and potentially cataclysmic at worst.

So how do we change the perceptions of risk management within our industry?  That is the question!  There are many ways to begin, though none are trivial.  The process requires us to view, as industry professionals, the subject of risk management as a legitimate discipline or not.  This is something, which cannot be legislated, nor can it be faked.   One either believes or sees the realities associated with being able to manage risk in qualitative and quantitative terms or they do not.   It is as simple as that.  Risk management exercises (provided they are under taken), are unique to the individual organizations endeavoring to learn from the process.  These organizations rely on transparency and accuracy of data otherwise their yield is worthless as it neither reflects fact nor sustains it.   Open, honest discourse related to the data brought to bear is essential to this process.   Should this be found to be lacking, then the entirety of the process must be called into question with any and all data points being held under close scrutiny.  This blog posting is not, in any way, meant to trivialize the process of risk management or over simplify the challenges associated with it.   By no means is it!   It is however, meant to be a catalyst for thought; a morsel for consideration which hopefully will (ideally), lead to more mature discussions and (God willing), help remedy the madness which clouds and obstructs our collective vision.

Tags: , , Filed Under Risk, Security Philosophy, compliance, risk management | Leave a Comment 

03.23.2010

Yesterday  I read a blog post at securosis.com which inspired me to think about innovation and our industry.  Rich asserted in his post that there is no market for security innovation.  Whether you believe this to be the case or not is irrelevant as my intention is not to debate this (personally I believe that there should always be a pragmatic side to innovation; that innovation should not only address preexisting deficiencies within available solutions but raise the bar in terms of effectiveness and applicability while offering potentially amazing peripheral benefits), point but rather to foster further discussions having to do with information security and the markets which are impacted as a result.  To begin with, Rich’s post gave me cause to consider the value we place on innovation as individuals and collectives and how said values impact innovation.   I believe this varies and, as Rich alluded to in his post, there is a spectrum associated with innovation in our industry. One end of that spectrum is expressed by that which lacks pragmatic value but is valuable in academic circles.  It is easy to discount this type of innovation as being purely academic and as a result, less valid than other more practical forms of innovation however, it is often through the most convoluted, esoteric innovation which new, massively applicable forms of innovation occur.  On the other end of the spectrum is the painfully practical; the ‘hammer and nails’ practical innovation which may or may not be terribly innovative (I’m willing to wager and on the latter), at all but really representative of the status quo.  If it isn’t broken don’t fix it…or improve upon it for that matter.  Then there is the happy medium; the gray area which I feel represents the best of everything the spectrum has to offer.  Here we see an ‘enlightened’ innovation coming to fruition.   This is the ideal and for what it is worth, what I strive for in my own work.   I believe here, we find that healthy blend of the practical and pragmatic and the truly mysterious; the realm of the dreamer where one is limited only by his or her creativity and ability to conceive and conceptualize.   To me, this is a beautiful thing.

After much meditation on Rich’s blog post, I arrived at a conclusion where I have found myself at many times before:

  1. Innovation is not dead
  2. Innovation is not non-existent
  3. Innovation does not require the creation of new markets though often times this is what occurs (I have reason to believe that this occurs not always due to impracticality but to bad marketing and a lack of clarity & vision on the part of the organizations in question)
  4. Innovation will always occur — whether in the basements, garages or livings of the United States of the formal research & development labs

As Thomas Edison said, ‘discontent is the first necessity of progress’.  Edison, like so many other men of action, knew the value of owning one’s dissatisfaction with situations and circumstance.  He knew that in doing so, a man (when properly motivated and given the room to do so), will work towards advancing and innovating in the present to ensure the future.   It is the same today as it was yesterday.  Innovation is neither dead nor unaccounted for.  Innovation is not for the weak, faint of heart, or lazy.  No.  In fact, innovation is (though some would have you think otherwise), is quite challenging.  It takes vision.  And vision is not something rooted in the sweet waters of the lazy or of those who are ‘busy for busy’s sake’.    Edison knew this.  He said “ Being busy does not always mean real work.  The object of all work is production or accomplishment and to either of these ends there must be forethought, system, planning, intelligence, and honest purpose, as well as perspiration.  Seeming to do is not doing”.  In the post I read yesterday, the author challenged the readers to consider whether or not innovation occurs organically and in response to new challenges or if it is dreamt up by academics with no practical or pragmatic application in mind.   I personally believe that innovation, as did Edison, occurs with one’s recognition of discontent in a something and would go beyond that to suggest that it is also the result of dreaming powerful, world changing dreams.  Whether it is a product, service, or combination of both; the recognition of the cycle of discontent and  progress via innovation is alive and well.

In our industry, we’re often faced with a veritable dead sea of mediocrity.  Large vendors (and some smaller ones) push the mediocre (at times with new and creative campaigns), as opposed those which are arguably more insightful.  The result is that innovative solutions are often overlooked due to their being new, innovative, or the product of a ’start up’.  The author of the blog wrote that innovation often forces the creation of a market rather than attacking a pre-existing one.  There may be some truth to that though I’d argue that this is not necessarily bad.  In my humble opinion innovation will continue as long as there are those willing and able to look at the world around them and say unequivocally that the status is quo is both unacceptable and illogical.   It will continue so long as there are those with vision who are unwilling to accept the mundane and mediocre being force fed to the masses by large, bloated vendors whose vision extends only as far as their balance sheets.

Tags: , Filed Under Information Security Philosophy | 2 Comments 

03.19.2010

This post is very timely as we now have a use case that scratches the surface on exploiting Telematics.  For those of you that have never heard of Telematics, Wikipedia provides a great definition: “The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology). More specifically it is the science of sending, receiving and storing information via telecommunication devices”. In most new cars today, you have the option of purchasing Telematics to provide integrated GPS, Wifi, Bluetooth, 3G and GSM.  These innovations are great as it keeps us connected and on track to our destination.  Furthermore, OnStar has been incredible to determine if you’ve been in an accident and with GPS can send first responders to your location…even helps if you lock your keys in the car ;-)  I just recently purchased a jeep and enjoy the benefits of Telematics as most consumers of these technologies.  However, at RSA San Francisco, I had an interesting conversation with my close friend and colleague Will Gragido on Telematics.  We discussed the dark-side/security risks associated with Telematics.  We went down the path of eavesdropping on conversations via Bluetooth, which can be done but difficult to pull off as you need to be in close proximity.  We also went down the path of hijacking the car’s wifi to see if we could get access to the GPS data and the fun we could have with that content.  We decided to table the discussion for a while but kept it on our list of emerging threats/exploitable technology  that could provide a new avenue for cyber actors to exploit.

Sadly, in my hometown of Austin, Texas someone pulled off a nefarious act of exploiting telematics.  Wired actually ran the story this week.  They did an incredible job in the article and for more information you can check it out: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/ .  In short, a 20-year-old Omar Ramos-Lopez was accused of bricking cars through a service provided by Webtech Plus.  This gives the auto dealer the capability of trigger the car horn and disabling the car’s ignition remotely through the web.  Omar, choose to trigger the horn of a reported 100 cars.  Let’s step back and put our Blackhat on…just imagine the order of magnitude that can be delivered from a key board in disabling the ignition of all car’s that are connected to Webtech Plus.  Not playing armchair quarter back…but I will….this is classic insider threat/dis-gruntled employee and could have been avoided.  Let’s get to the basic building blocks of Information Security.  When someone leaves an organization, passwords and access must be changed, especially if they deal with the capability of controlling the ignition of car.  Although, Omar committed a nefarious act and should be punished according to the law if found guilty.  However,  the company should have done due diligence and this is probably a wake-up call in changing procedures when one leaves the company.

As this is a wake-up call to the auto industry, we as security professionals need to keep this threat vector on our radar and if we serve this business vertical, we should press the issue and making sure access to this type of information is tightly controlled.  Perhaps their are frameworks around this specific threat and I’m looking for it.  Until then, keep secure and keep educating.  Your thoughts on Telematics?

Filed Under Cyber Crime, Next Generation Threats, Uncategorized, risk management | 7 Comments 

03.16.2010

Cyber-crime: Evolutionary End or A New Beginning?

At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed.   Media figures along with industry pundits tend to spout facts and figures often in the absence of knowledge and authority.   Many times this leads to outcries amongst the information security intelligentsia who seek to ensure as little flawed logic and FUD (fear, uncertainty, and doubt) is interjected on a daily basis as possible.   Opposition from within the ranks of the intelligentsia is a good thing though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’.   The truth however is that not all members of this informal fraternity are “experts” on cyber-crime nor do they all have more than a working knowledge of it as it relates to their day – to – day roles and responsibilities.   No.  In fact, many if not most are engaged in other noteworthy endeavors with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all.  For many the overt goal is the sanctity of fact, preservation of information and its dissemination for the common good.  There is not one thing wrong with this attitude and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so.  The IC3 released its Annual 2009 report on cyber crime late last week and with it came a number of things:

The IC3 stated that the total dollar loss from all referred cases (that is cases which were referred to and studied by their team), was approximately $559.7 million dollars (US) with a median or average dollar loss per instance being reported.  The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million dollars (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million dollars (US).  This growth represents a little more than two times what had occurred in the previous year.  One need not look too much further in order to see patterns emerging if they ever doubted they had existed.  That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought after element of modern criminal activity.

For many years, empirical evidence has been amassed and studied in order that trends could be determined via the careful application of analytics.  Through deep analysis an analyst begins to note trends and pattern development.   Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns.  Many factors influence these patterns of development.  In the past I’ve found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study.  The following list, though detailed, is by no means complete.  It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):

Who’s To Blame?

We could easily begin finger pointing and assigning blame to corporations and individuals alike however it is my assessment that was not and will not be necessary.  Would it be convenient to blame Microsoft for every bad piece of code written using their .Net framework?  Of course it would.  It would be just as convenient and likely every bit as easy to blame IBM for it’s rationale framework and in the same breath begin addressing the failures of individuals and organizations’ internal code developing.  It would also be intellectually dishonest and morally suspect.  I believe there is plenty of blame to go around and it is not entirely any one organization, or disciplines fault. It is all of our faults in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously.  We speak of evolution, adaptation and sophistication as though they were the norm; part of the meme if you will of our industry though the evidence shows that there is significant disparity between idealistic states and those anchored in reality.   We talk of sophistication in attacks and exploits yet in many cases ‘sophistication’ isn’t even a consideration as many recently occur using unsophisticated means (Ghostnet).  We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning), by those with questionable or nefarious intent if a level of sophistication was demonstrated.  In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated yet still quite effective.

First Steps

So who is to blame?  My answer is that we all have an ownership stake in this as I mentioned earlier.  We live in a world driven by deadlines and meeting/exceeding customer expectations.  There is nothing wrong with that.  Managing against deadlines is both noteworthy and sensible from a business management perspective.  I do however believe that sacrificing quality in order to meet deadlines introduces problems sooner or later.   As my father is fond of saying, you can’t cheat death and I think (at least in spirit), the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality.  Often in my career I’ve worked with clients who simply could not afford to not meet deadlines (internal or external customer facing deadlines).

Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative.  During that conversation we discussed many of the arguments – pro and con, (most of which are quite old it should be noted) related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses.  My belief is that until SDLC is communicated in a manner to which demonstrates the value of the bits to the boardroom it will be an uphill battle.  That doesn’t mean it isn’t worth fighting but rather that until it resonates with the stakeholders, the business unit owners who set and oversee (and who are overseen by the board for example), it will likely fall on deaf ears.

My suggestion is that organizations and those charged within them for managing risk within and as it relates to them should begin by evaluating the organizational risk posture.  In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally), as an acceptable level of risk and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.

Tags: , Filed Under Crime and Punishment, Cyber Crime, Cyber Defense, Cyber Fraud, risk management | Leave a Comment 

03.03.2010

John Pirc and I presented yesterday at Security BSides San Francisco 2010 and it was a wonderful experience.  I’d like to thank a few folks for aiding us and making that happen:

It was a great opportunity and many fine folks spoke and more still are planned to take the stage today.   Having said that, I’d like to encourage you all to check out BSides and support your local events.  If you don’t have one, reach out to the folks responsible for one and inquire about setting one up in a city near you.  These conferences are key in aiding continued growth and development in thought and action within our industry; without them and others like them, we risk much more than some might think.  RSA is going smashingly thus far.  It’s been a great opportunity to reconnect with old friends and colleagues, meet new ones and create opportunities.   Look for more updates on Twitter!

Tags: , Filed Under Uncategorized | Leave a Comment