Monday, August 31, 2015

Is Cyber Protectionism on the Rise?

Cyber cold war is clearly heating up. Nation economies may start trending inward for IT and cyber support as fears about state-sponsored hacking are on the rise. High-profile technology vendors are being exposed as arm's-length extensions of their motherland's state security apparatus.  Examples include an exposé claiming Kaspersky is working closely with the FSB, and the Snowden leaks suggesting clear and possibly extra-legal cooperation between the NSA and Facebook, Google, and Apple.  Consider also the U.S. security companies that publish threat intelligence yet are notoriously silent when it comes to threat groups that tie back to the U.S. government. And Chinese telecom giants like Huawei have already been suppressed in U.S. markets due to security concerns. Conversely, China has exactly the same concerns regarding imported technology.  Government agencies in all nations are notorious for mistrusting outside technology.  For example, in the U.S. government you won't find Israeli technology deployed anywhere.  The State already practices cyber protectionism. As more high-profile vendors continue to be exposed, will the civilian market respond in kind?  Will governments take extra steps to regulate the import of potentially untrusted technology?  Can a free market continue when the buyers can't be trusted to understand the implications of cybersecurity?

Wednesday, June 17, 2015

Creepy Dystopian Reality mirrors Cyber Fiction

Somewhere downstream from the economic churn of the cyber affluent, layers of humans pry and burn minerals and the occasional component from e-Waste to live on less than $100 USD a month.

[Image: A man smelts cadmium-laden circuit boards for steel]

A massive alluvial fan of e-Waste is spreading across Asia at an alarming rate. Illegal [unlicensed] 'kabadi wallahs' call for scrap on their daily runs through the alleyways.  Buying and selling here has the feel of an illegal drug deal [or something decidedly cyber from Neal Stephenson].

[Image: e-Waste deal going down in a Delhi alley]
[Image: Circuit boards and plastic are smashed to extract components in Ghana]
[Image: Ripping wires to salvage metals in South China]

Dealers make trades and sell extracted components to others who smelt them or resell them.  Some stuff just ends up back in cyberspace - posted by weight on eBay.

[Image: picture found on eBay search for e-Waste; a 52 lb load of medium-high grade circuit boards posted for $110 USD on eBay]

Crushing and stripping have their place, but the preferred method of extraction is burning. Metric tons of plastic and hyper-toxic materials are converted to gasses for our atmospheric pleasure.

[Image: "Cooking Off" motherboards]
[Image: Burning is the preferred way to recover copper]

e-Waste is a poison generated on the crest of economic progress.  As usual, the fallout settles in the lower economic strata, affecting the poorest countries and people the most.  These images give me a feeling that the dystopian future imagined by cyber fiction writers has already arrived.


note: the images were obtained from a Google Image search, the sources of the images are marked in the alt text.

Sunday, April 19, 2015

Silk Road for Zero Day

I had to be amused after hearing about TheRealDeal, a Silk Road for 0-day. First, there really isn't anything illegal about selling a zero day - but I can understand the concerns about liability. Back in 2002 I had proposed starting a site called ZeroBay that would auction working 0day, but the possible liability scared me off the project. But for a few years afterward I privately worked with many 0day and I have to say, these RealDeal guys have a load of problems to deal with.

First, there are the 0day researchers who won't trust the site operators enough to hand over the goods for verification prior to a sale. Without third party verification and escrow the whole model will break down.

Next, most of the exploits will only work on a certain VM and only when the moon is full. They will inevitably broker a deal where the buyer can't get it to work and the seller vanishes or becomes unresponsive after stating "Works for me!".

Also, the sellers are going to sell it to multiple parties. I see Internet Explorer client side exploits listed at $17,000 - this is about 1/4 of what an 0day like that is worth, so they must be uninformed or planning on selling to multiple parties. Or, it's not theirs to begin with and it's already being shared in closely knit circles. 

Here is a big gotcha - some of the people selling bugs are going to be actual employees of the vendor, possibly working in the QA lab - so they are 100% insider threats and a huge amount of liability is backpacking on those exploits.

Be aware that finding a crash bug is a heck of a lot easier than writing reliable shellcode - and I wonder how many sellers on the site have the skills, procedures, or willpower to craft reliable payloads?  The number of people that can find bugs outnumbers the number who can make reliable exploits by several orders of magnitude.

Let me suggest something - if you want to make an 0day deal work, first you enter into a legal contract with the seller that absolves you of liability if the seller is breaking any laws or contracts (i.e., non-disclosure agreements, employee intellectual property agreements, etc.). Second, you broker the deal so the seller receives a portion of the total payment per month as long as the 0day remains an 0day - if any disclosure or patch occurs, the payments stop early. This keeps sellers financially motivated to stay honest. Finally, don't ever pay up front for something that hasn't been vetted -- under no circumstance trust some video of the guy running it against a VM - you will end up with broken, unreliable code.

0day sales have been around a long time and it's a trust-based business - it doesn't really need some weird blacknet site on Tor to work - it's silly. Start a legitimate above-the-line business doing the same thing and it would work better and provide contractual legal protection to all parties. My conclusion is this: trust is hard to come by - making a darknet anonymized brokerage is just making a hard problem harder.

Tuesday, April 14, 2015

The network perimeter has been turned inside out

The CISO needs to understand that modern cyberspace is turning the perimeter model inside out. Cloud and social applications have accelerated adoption in the Enterprise, but their protocols are effectively sealed at the perimeter. Think layered, custom, and encrypted. This has rendered network appliances and proxies nearly useless. In effect, the logical perimeter has been forced out onto the endpoint device itself. This has huge implications with regard to the monetary investments made by the Enterprise. Embrace the current state, when you say the word ‘perimeter’ you should immediately think ‘Endpoint’. The lack of this “perimeter is the endpoint” thinking, combined with an ever-increasing sophistication of attacks, is putting Enterprises at severe risk.

I posted a short (~5 min) video prezo about this here: The Vanishing Perimeter - YouTube

Come see me in SF next week if you have time, RSA booth #3032

Tuesday, August 27, 2013

What is Cyber?

As a term, Cyber has a broad spectrum.  It has been applied to subjects ranging from low voltage microchips to international law.  In the context of security, when does it apply? Consider a situation where an operator hundreds of miles away initiated events that shredded a turbine and killed 75 people.  This was not an attack, it was an accident.  But, was it a cyber accident?

[Image: Is this #cyber?]

After seeing articles about SCADA and ICS security citing the Sayano accident (among others) I was compelled to ask the community a series of questions about the definition of cyber, which I tweeted over the course of a single day and tagged #whatiscyber.  What follows are those tweets.  I received some good feedback and I outline some thoughts here.

A modern computer is attached to the Internet and communicates daily with the cloud, is this #cyber?

The most basic definition is that cyber means computing technology, and in particular, computers that are networked.  There is no larger example than the organic Internet, full of people of all intentions, which has the cyberpunk aspects of a wild west, even pseudo-intelligent computer viruses.

A LAN party is disconnected from the Internet, is this #cyber?

If one accepts the previous definition, which clearly many do given the basis of the accepted Wikipedia entry, then what about smaller networks?  A LAN party involves hosting a group of people, complex computing hardware, protocols for communication, and probably more than once harbored its share of viruses.  Is this a tiny fractal of the Internet?  Is it cyber?  This introduces the concept of space – a cyberspace being a place where computing occurs.  But, what scale of space is required before it can be called cyberspace?

You have an old 1980's-era, isolated, stand-alone computer not attached to any networks, is it #cyber?

Now we break down.  Many people are thinking this doesn't match the fantastic vision of cyberspace that spawned in science fiction.  This is boring and dusty.  But, while some say nay, some imagine the awesome complexity of that machine.  Look inside.  Systems and subsystems are dancing in electric light, data in motion.  A data bus is connecting peripheral hardware with a multitude of software entities in a field of RAM. Ask yourself how two modules communicating over a bus are different from two computers communicating over a CAT5 cable.  In this, scale is just a matter of abstraction.  The scale and complexity are vast if you zoom in.

A robotic arm is remotely controlled over wires from 50 feet away, is it #cyber?

This is just a variation of isolation that introduces remote control, perhaps by a human operator.  There are obviously computers involved, and there is a cable - perhaps the CAT5 cable from my previous example.  There is a communication protocol of unknown complexity. There is also an industrial device.  But, the operators are probably confined to a warehouse, and not attached to any large network.  This is where the parallel to the Sayano disaster starts, except that with Sayano the connection was made from 500 miles away, not fifty feet. 

You dial up to the robotic arm using a modem, and give it commands, is it #cyber?
Nearly exactly the same as the previous example except that the connection can be made from a great distance. Does distance matter? The modem is interesting, because the Internet used to run on them.  By exposing this dialup, one exposes a system to the world.  One could say that even the BBS networks that predated Internet adoption were a form of cyberspace.  Telephone networks are complex and span the globe, so they very much smell like cyberspace.  If you think a modem makes it cyber, you are in effect saying that cyber requires networking.  And, not just networking, but also networking of a certain scale.  If you define it this way, then ask where the threshold lies?

You have a line of sight network with a homemade model airplane that carries a video camera, is it #cyber?
Modern in terms of technology, but small in terms of networking.  Not altogether different than the robotic arm example.

The military has a fleet of remotely controlled drones over a city, is it #cyber?
The drone programs used by the military are 100% cyber if you use the media as the yardstick.  There is no better poster child flaunted by the modern, technically advanced military.  Any distinction between the small UAVs controlled by a single soldier and the big UAVs controlled by teams of soldiers seems superficial, doesn't it?  The context of cyber here is not the scale of networking, but the laws of warfare.  Nation states using computers for war is often called cyber, without regard to the details of the technology itself.

A cloud computing infrastructure running millions of lines of code, but isolated in the lab and not being attacked by anyone, is it #cyber?
The isolation case is being beaten to death here, but now consider the idea of the system being attacked.  Even if a complex system is not networked, if it's being attacked by someone does that make it a cyber attack? What if it’s a criminal, not a nation state, is it still cyber?  Cyber is used in conjunction with criminal law all the time. “Cyber-crime” is widely accepted to mean non-state actors operating for personal gain, and has little to do with details of the computing technology used.  Cyber is being applied to both state and non-state computer attacks. And, hacktivism has blurred the ideological lines between warfare and crime.

The above-mentioned cloud infrastructure is a server running the latest virtual-reality MMO with over 10 million users, is it #cyber?

OK, this was a loaded question - we can all agree on a MMO that has over 10 million users.  We can probably agree that this virtual world can be called a "cyberspace".  It, after all, is the closest real representation of the fantastic imagined world of cyberspace spawned in science fiction many years ago.  An attack on this system would most assuredly be called a cyber attack in the media. 

By this definition, cyberspace is a computing environment where structure can be visualized (at least in the mind). There is some level of interaction between forms, the most basic being programs interacting with data, and evolving to programs that act as an extension to a human operator.  The MMO example is simply the evolved case of a virtual reality space.

Starting with isolation again…

There is an old, isolated, non-networked computer, but it has a USB port, is it #cyber?

All we did here was introduce a non-networked interface into the otherwise isolated computer.  If this is cyber, then so is the old 1980's-era computer from above if it has a floppy drive.

If it's an old, isolated computer with a USB port, controlling a SIEMENS S7 PLC, is it #cyber?

Yeah.  So if old isolated computers are not cyber, then the Stuxnet attack on the Iranian nuclear plant isn't cyber either.  That is, unless cyber is defined as a malicious attack.  But if it’s only defined as attacks, that means an accident that wipes out 10 million users in that MMO isn't a cyber event, just an IT accident.  Albeit, an IT accident that just wiped out a cyberspace by most accounts. 

If cyber has to be a malicious attack, then Sayano was not cyber.  But, if cyber merely means networking of a certain scale, or remote connections, or is independent of the age of the system, then Sayano was a cyber accident.  And more importantly, a cyber accident that illustrates what could happen to a hydroelectric dam if it were under cyber attack.

A computer of any age with a backdoor installed by a foreign intelligence service, is it #cyber?

Just introducing motive and ideology - a nation state sponsored attack on a computer system would definitely be called a cyber attack by most accounts.  And, it wouldn't matter if that system were a complex computing environment, or a lowly embedded system on a security camera.


An experimental and 100% _mechanical_ computer is backdoored by a foreign nation using sabotaged punch cards, is it #cyber?

Of course it is.


Thursday, July 25, 2013

The script kiddie is dead

SQL attacks are pervasive; the result is leakage of credentials. Millions of username/email + password pairs have been stripped out of compromised SQL servers and posted into public spaces. Thus, attackers are routed to corporate surface areas when employees use their work email to register on 3rd-party application sites. The insidious part is that corporations are exposed to attack even when their enterprise infrastructure is secure. The problem swells when employees re-use their passwords across multiple sites. Even when the corporation has adopted two-factor authentication and strong password policies, an attacker may still gain access to employee personal data. That personal information can lead to secondary attack vectors against the corporation, such as direct access to the employee's home network, mobile computing devices, and cloud data. With such vast amounts of contextual data available, it is only a matter of time before a focused attacker can leverage something to further access into the enterprise. Previously the stuff of spy novels, attacks such as software bugging an Android phone are now very real.

While some security consumers still think of SQL attacks as Plebeian, they should remember that in Verizon's 2013 Data Breach Investigations Report™ (DBIR), 76% of network intrusions exploited weak or stolen credentials. Please remember that these stolen credentials are being posted by the millions into publicly shared cyberspaces, largely downstream of an SQL injection. Furthermore, it would be ludicrous to think that a foreign intelligence service doesn't have a desk devoted only to exploiting these leaked credentials – it's free access. And beyond that, consider that they may also have a budget to maintain cyber-criminal personas for directing contractors at targets or purchasing stolen information.
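The exposure chain described above (work e-mail registered on a third-party site, the site's database dumped, the same password reused at work) can be checked from the defender's side. This is an added example, not code from the post: it triages a constructed "email:password" dump, keeps only the enterprise's own domains, and tests each leaked password against a constructed directory. Salted SHA-256 is an assumption standing in for whatever hash format a real directory uses.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Constructed sample of a leaked "email:password" dump; none of these are real accounts.
SAMPLE_DUMP = """\
alice@example.com:Summer2013!
bob@gmail.com:letmein
carol@example.com:Summer2013!
carol@example.com:Summer2013!
dave@corp.example.com:hunter2
malformed line without separator
erin@example.com:correct horse battery staple
"""
CORP_DOMAINS = {"example.com", "corp.example.com"}  # domains the enterprise owns
LINE_RE = re.compile(r"^([^:\s@]+@[^:\s@]+):(.+)$")

def hash_password(password: str, salt: bytes) -> str:
    # Salted SHA-256 is an assumption standing in for the directory's real hash format.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

# Constructed per-user salts and directory hashes, i.e. what a reuse checker is given.
CORP_SALTS = {"alice@example.com": b"s1", "carol@example.com": b"s2",
              "dave@corp.example.com": b"s3", "erin@example.com": b"s4"}
CORP_HASHES = {
    "alice@example.com": hash_password("Summer2013!", b"s1"),    # same as leaked: reuse
    "carol@example.com": hash_password("Tr0ub4dor&3", b"s2"),    # different: no reuse
    "dave@corp.example.com": hash_password("hunter2", b"s3"),    # same as leaked: reuse
    "erin@example.com": hash_password("something-else", b"s4"),  # different: no reuse
}

@dataclass(frozen=True)
class Finding:
    email: str
    in_directory: bool     # the leaked work address maps to a real account
    password_reused: bool  # the leaked password is also the enterprise password

def parse_dump(text: str):
    """Yield unique (email, password) pairs, skipping lines that do not parse."""
    seen = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pair = (m.group(1).lower(), m.group(2))
        if pair not in seen:
            seen.add(pair)
            yield pair

def triage_dump(text: str, domains=CORP_DOMAINS, salts=CORP_SALTS, hashes=CORP_HASHES):
    """Keep only work addresses and test each leaked password against the directory."""
    findings = []
    for email, password in parse_dump(text):
        if email.rsplit("@", 1)[1] not in domains:
            continue  # personal address: not the enterprise's exposure
        in_dir = email in hashes
        reused = in_dir and hmac.compare_digest(
            hashes[email], hash_password(password, salts[email]))
        findings.append(Finding(email, in_dir, reused))
    return findings

def accounts_to_reset(findings) -> list:
    """Accounts whose enterprise password is already in the attacker's hands."""
    return sorted(f.email for f in findings if f.password_reused)
```

Even the findings without a password match still name accounts whose work address is now in circulation, which is the list to watch for follow-on phishing and portal logins.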

[Image: Credentials stolen over an approx. 12 month period by a single non-state actor (courtesy Veraxes)]
A few years ago, some security marketing programs tried very hard to draw a bright line between cybercrime and APT – but a handful of us took the opposite stance (See Kelly’s article) and illustrated the crossover between cybercrime and APT. Other news stories followed (Krebs, et al).

Regardless of these first hand experiences of security practitioners, security buyers still bifurcate cyber threats into “APT” and “everything else”. In this case, “everything else” means Botnets, Drive-by downloads, Zeus infections, Defacements, and “Script kiddie” attacks on websites. I have heard decision makers in the security organization tell me these are just a low-threat hygiene problem. Perhaps in the past this was true, but threats evolve. [soapbox]Personally I think this is just fallout poisoning from over-aggressive marketing used to educate people about the difference between real intrusions and anti-virus solutions.[/soapbox] Regardless, the idea that malware and script-kiddies are not dangerous is dead wrong.

Before discounting SQL injection, WordPress backdoors, and drive-bys as the work of script kiddies or "just cybercrime", consider that every one of these is a vector for targeted attacks. Of the thousands of credentials for Fortune-500 companies posted to the Internet in the last few months, how many have been subsequently used by hackers to access email or corporate portals?

We are witnessing accelerated exploitation economics.  Knowledge about compromises, no matter how small, will now quickly disseminate across a vast network of blackhat consumers - many of which have the means to leverage small cracks into massive breaches. I have seen a mass WordPress defacer install credential stealers that were then used for lateral movement to other servers.  I have seen an SEO scammer sell server access to an interested 3rd party.  We have to see beyond malware and look at the threat - a threat has his hands on the keyboard. So, when a drive-by download installs Citadel (a Zeus variant) on the network, the corporation is being targeted for IP theft. When a script kiddie puts a webshell on the website, the user credentials are being targeted for follow-on attack and lateral movement. When employee PII is compromised, ask who is downloading thousands of employee emails? How will this data expose your company to greater risks?

Every attack matters. The script kiddie is dead.

Thursday, June 13, 2013

On Precision and Big Data

Most true-positive threat detection is rule based. We use our powers of perception and analysis to find patterns in the data. This is effective because threat behavior is highly repetitive. One can't say this is data intelligence in the strictest definition; it is more of an expert pattern. Although it is behavioral, I argue this still resides on the edge of the signature playpen. This is fine as long as it continues to work for the security marketplace (and so far, it does). Regarding Big Data: in lieu of ingesting huge quantities of data in the hope that some needle will become self-evident, I suggest continued development of rigorous expert patterns. Of particular value are patterns that can match against host-endpoint behavior (in conjunction with netflows at the perimeter). I believe this can produce highly effective, non-specific (i.e., resilient) extraction of high-fidelity threat events. With data overload being a huge issue, the role of precision becomes ever more important.

-Greg Hoglund
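What an expert pattern that joins host-endpoint behavior with netflows looks like in practice, as an added example that is not code from the post: a document application spawns a scripting interpreter, and that child opens an outbound connection to an external address within a few minutes. The sensor fields, the process-name vocabulary, the assumption that the flow collector attributes flows to a process, and all telemetry are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    pid: int
    ppid: int
    image: str  # executable file name reported by the endpoint sensor

@dataclass(frozen=True)
class NetFlow:
    host: str
    ts: datetime
    pid: int      # assumes the flow collector attributes flows to a process
    dst_ip: str
    dst_port: int

# The expert pattern, stated as behaviour rather than as a hash: a document
# application spawns a scripting interpreter, and that child talks to an
# external address within a short window. Vocabulary is constructed, not exhaustive.
DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=5)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def match_pattern(procs, flows):
    """Return (host, parent, child, dst_ip, dst_port) for each behavioural match."""
    by_key = {(p.host, p.pid): p for p in procs}
    hits = []
    for child in procs:
        if child.image.lower() not in INTERPRETERS:
            continue
        parent = by_key.get((child.host, child.ppid))
        if parent is None or parent.image.lower() not in DOC_APPS:
            continue  # interpreter with an ordinary parent: routine admin activity
        for f in flows:
            if (f.host, f.pid) != (child.host, child.pid):
                continue
            if not (timedelta(0) <= f.ts - child.ts <= WINDOW) or is_internal(f.dst_ip):
                continue  # outside the window, or internal traffic this pattern ignores
            hits.append((child.host, parent.image, child.image, f.dst_ip, f.dst_port))
    return hits

# Constructed sample telemetry: one suspicious chain on ws01, ordinary activity on ws02.
T0 = datetime(2013, 6, 13, 9, 0, 0)
SAMPLE_PROCS = [
    ProcEvent("ws01", T0, 100, 1, "winword.exe"),
    ProcEvent("ws01", T0 + timedelta(minutes=1), 200, 100, "powershell.exe"),
    ProcEvent("ws02", T0, 300, 1, "explorer.exe"),
    ProcEvent("ws02", T0 + timedelta(minutes=1), 400, 300, "powershell.exe"),
]
SAMPLE_FLOWS = [
    NetFlow("ws01", T0 + timedelta(minutes=2), 200, "203.0.113.10", 443),  # external: hit
    NetFlow("ws01", T0 + timedelta(minutes=3), 200, "10.0.0.5", 445),      # internal: skipped
    NetFlow("ws02", T0 + timedelta(minutes=2), 400, "203.0.113.20", 443),  # parent not a doc app
]
```

The pattern names no file hash or domain, so it survives a re-packed payload or a new command server; that is the "non-specific, resilient" property the post is after.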