Category Archives: Links

Comments on Comment Crew

Everyone paying any attention to security this week noted Mandiant’s report on the Comment Crew. If you haven’t, go read it first. I’ll wait.

Why You Make Groundless Accusations?

Although I work for a competitor[1], I believe Mandiant did the right thing here. Others may disagree to an extent for good reasons, while others simply went too far in their assumptions and criticisms. (And some folks just need to take off the tinfoil hats). I don’t really care that much about what makes the sekrit skwirl cabal happy, and in fact it tickles me when they get frustrated by “outsiders” (inasmuch as Mandiant is one, anyway) not playing by their rules. In any case, healthy skepticism regarding someone else’s conclusions keeps them honest, but don’t miss the big picture out of myopia. The prevalence of espionage and APT activity relative to ordinary criminal activity remains an open research question and a valid area of debate, but I’ve seen some really smart people this week falling into the cliché of missing the forest for the trees.

Instead, this means the adversary can’t dictate the pace and terms of the conflict, whether or not they completely retool. By driving up the cost to the attacker over time, you start to make headway. That works both ways, of course, and at the moment that balance leans decidedly in their favor. Releasing the IOCs will also allow defenders to discover additional compromises. Remember that opponents make mistakes, and so we can capitalize on the opportunity for ongoing intel gathering as they transition to new infrastructure (assuming they even bother).

Sharing information has more than just tactical value. In my view (obviously not one shared by Congress), this points out that we don’t need the government to get in the way with CISPA or other information-sharing that stays behind walls of overclassification or possibly creates additional privacy and civil rights issues. We can do this the right way and improve things. Partisan politics lies way outside the scope of this blog, but I certainly see this as “we’re from the government and we’re here to help” territory.

[1]: As usual, these represent my opinions only. And that’s only good for today anyway because I may change my mind as new facts come to light or I think about topics more thoroughly.

PPD21 FUD from Stiennon

With the release this week of President Obama’s executive order on Improving Critical Infrastructure Cybersecurity and the accompanying detail in Presidential Policy Directive 21, lots of people have commented on the implications. Jack Whitsitt appears to have some solid commentary coming.

However, a piece by Richard Stiennon on Forbes caught my eye, not because of the information in it, but because of the FUD it contains.


First, he attacks the concept of risk management:

But risk management does not work in unpredictable environments. Risk management is the framework that most banks, hedge funds and trading desks use when addressing financial risks like those present in the real estate, commodities or derivatives markets. We know how well that worked. Management consultants and bureaucrats love risk management. It foists responsibility away from individuals and onto a process.

Here’s a hint: yes, it does work in “unpredictable environments”, when performed properly by responsible managers. (Whether the DHS can provide this is a separate question, and one on which I suspect Stiennon and I would likely agree.) This stems from the concept of uncertainty from statistics and related sciences. And simply saying ‘risk management is bad because bankers’ (obviously a paraphrase) isn’t wry sniping, as Stiennon later commented, but FUD.

How will an uber-map of critical infrastructure be kept out of the hands of the very threat actors that are targeting these systems? PPD 21 will, in effect, create yet another critical information asset that will end up at the top of the list of critical vulnerable assets.

I don’t know what this means. By this logic, we shouldn’t ever create an inventory of our assets. Does he not keep financial records? Would he have counseled the government during the Cold War not to keep track of nuclear launch sites? Yes, of course the documents detailing these things require appropriate controls, but to conclude that the government should not analyze and sort critical infrastructure because adversaries would love to have this information doesn’t make any sense.

Centralized information collection and dissemination is a natural requirement for risk management. It is akin to the economic data collection and analysis that command economies resort to in place of free markets.

Yes, he basically just said that centralized databases are communism. I have nothing to add here because it speaks for itself.

Stiennon concludes this way:

PPD 21 makes previous unfunded mandates seem simple by comparison. Its breadth and scope are a giant overlay on top of the existing system of Federal agencies that, if executed as directed, will turn what was a collection of connected puddles of government regulatory bodies into a single giant quagmire. It is a top down solution that expresses the frustration of good intentions to “do something.” Even if all the hurdles of implementing an overarching risk management framework were overcome there would still be the errant tree branch or targeted malware that could shut down the power grid.

Yes, bad things will still happen. That is not an excuse to do nothing. Stiennon proposes no alternatives here, other than the implied idea of leaving a “collection of connected puddles of government regulatory bodies” as they are. The current system doesn’t work that well, and while I’m not convinced right now that PPD 21 will actually do anything, I also believe that we as professionals and citizens should find ways to improve things rather than simply shoot down anything that isn’t perfect ‘because reasons’.

Chinese government attacking American journalism?

What a week: disclosure of compromises at the New York Times, Wall Street Journal, and Washington Post. A Java update released on a Friday evening 18 days early due to active exploitation. Twitter compromised affecting 250k users, including me. I may have more to say about the Twitter compromise later.

Journalists in China

If they don’t respect them there, they won’t respect them here.

I’ve assumed for some time that state-sponsored attackers have long targeted major media outlets, especially those who regularly report on national security issues. While we don’t need to start putting on tinfoil hats, the ill-fated Wikileaks partnership with the NYT should have provided a pretty obvious starting point for people to think about these issues. Even more obviously, at least to me, journalists have had to take OPSEC seriously for a very long time, whether due to drug cartels or US presidents unhappy with political and legal revelations. I wouldn’t characterize these incidents as an assault on our way of life, exactly, because the Fourth Estate has always had conflicts with power. We should become far more suspicious when governments don’t concern themselves with the press, because that says something about their relationships with it or, perhaps, their views of popular opinion.

An extraordinary claim requires extraordinary proof.

Others have criticized the reporting and the completeness of the stories. For what it’s worth, as noted above, I certainly don’t think claiming that governments have tried to attack journalists really presents an extraordinary claim. And I have seen enough evidence first-hand to believe that Chinese-based actors actively exploit networks around the world. Combining the two, we know how the Chinese government regards free speech and a free press.

But if you want us to believe that this represents the greatest transfer of wealth in history and all the other hyperbole that surrounds discussion of “the APT” and “China” and “cyberwar”, you need to present evidence. Declassify it, make it public, show it to the American people. If you’re a news outlet dedicated to informing the public, give us the facts. When the government wants to make a case for war, it discusses specific incidents and presents intelligence. If we face such a great threat, don’t just assert the threat, prove it. (Note: I don’t actually expect any of this to happen.)

Whether the intelligence will amount to proof, however, remains to be seen.

ERMAGERD GUISE WE R NUCULAR WEPINZ NAO

My cluebat - let me show you it

Senator John Kerry, now the nominee for Secretary of State, had some attention-getting statements about ‘hackers’. According to the report, he compared the threat of ‘foreign hackers’ to “modern-day, 21st century nuclear weapons”. He also said, more or less correctly, “Every day while we sit here right now certain countries are attacking our systems. They are trying to hack into classified information to various agencies of our government.”

I don’t really have a beef with the second piece there. But let’s be realistic here: in the 20th century, the United States actually did face an existential threat, and it wasn’t terrorists or hackers or child pornographers or some other country buying all our land and debt. The aptly named doctrine of Mutually Assured Destruction ensured that the whole world, and in particular the USA and USSR, knew that the other side threatened them with actual extinction. Nuclear weapons still exist in large numbers and have proliferated to at least eight (well, nine) different countries, so we can’t really suggest that they no longer pose a threat in 2013, though not in the same way as they did in 1962.

Certainly, the threat of cyberespionage that Senator Kerry describes exists. We can easily name a number of states at this moment (not just the typical three or four, either) that engage in this to varying levels of activity and we shouldn’t ignore it. That threat, however, doesn’t begin to compare to the destruction of the human race and possibly Earth’s viability as an environment for living things.

Apparently he also thinks diplomacy will work against this threat. Maybe that will work against some specific threat actors, in concert with other efforts as always required for diplomatic success. I also prefer a policy of talking about issues rather than threatening “kinetic response”, at least in general terms. (How many people have actually died to “cyberattack” thus far?) But espionage, whether online or offline, frequently accompanies and supports diplomacy rather than the other way around. That’s not likely to change anytime soon, and in fact the US would be duplicitous to suggest that the threat only occurs against it, or that Westphalian notions of sovereign nation-states hold the same relevancy for this conflict as they did in the Cold War.

(For a similar take, see Bill Brenner’s article.)

Violent Python: A cookbook for hackers

Python is pretty readable

A lot of security folks have little to no development experience, complicating their jobs when they want to do something that’s slightly different from what existing tools can do. Python provides a particularly useful tool for them because of its innate readability, support for multiple programming paradigms, and tremendous library of existing modules that we can adapt and connect to do new and interesting things. And for those of us with more extensive programming backgrounds in addition to our security skill sets, Python provides an excellent workbench for nearly any relevant task.

This book

Violent Python does not pretend in any way to teach readers how to program. In fact, when kicking off the brief section introducing the language itself, it flat-out refers to the reader “as an experienced programmer” (p. 6). However, a motivated hacker with limited exposure to Python can still follow along and pick things up relatively quickly, as VP doesn’t really use any particularly esoteric language features.

That said, it also does not necessarily require the reader to cover it linearly from page 1 to the end. The subtitle of the book, after all, calls it a “cookbook for hackers”, and it handles its end of the bargain. VP does not go into great detail for these projects but illustrates how to accomplish them relatively simply, primarily as inspiration for the reader who can then use the ideas and code as building blocks for self-driven projects.

I rarely like getting technology books in electronic format, and so I have the paperback copy. Given the complete lack of diagrams in this book, however, it wouldn’t matter as much in this case. The paper and printing quality seems relatively high; the paper has a smooth, creamy texture, and the book has wide margins that lend themselves very well to note taking and similar marginalia. While I’m not particularly a fan of the particular typeface used for code in the book, I didn’t find it so distracting as to make it impossible to work. As has become sadly common these days, the book contains a number of typographical errors and I really wish the publisher had put it through one more review iteration to catch them. Perhaps the companion site will eventually contain appropriate errata.

Contents

Chapter 2, “Penetration Testing with Python”, provides examples of how to perform a port scan (first using the socket API and then with nmap integration), brute forcing, using weaknesses in SSH key generation, injecting malicious IFRAMEs, interacting with Metasploit, and sending custom buffer overflow code over the network.

Chapter 3, “Forensic Investigations with Python”, discusses analyzing the history of wireless access points in the Windows registry (including geolocation), investigation of the Recycle Bin, examining metadata in various document types, and using application artifacts like SQLite databases in Firefox and Skype or iTunes Mobile.

Chapter 4, “Network Traffic Analysis with Python”, gets into better geolocation, packet parsing using dpkt and Scapy, KML generation, and analyzing various types of traffic like the LOIC DDoS tool, varying TTLs from spoofed port scans, DNS fast-flux, and TCP sequence prediction. It also briefly covers generating packets to match IDS signatures.
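The DNS fast-flux analysis the chapter covers is easy to show in a few lines of pure Python. The block below is an added example written for this review; it is not code from Violent Python or from the book’s companion site. It works over a constructed DNS answer log (timestamp, name, TTL, answer IP) rather than a pcap, and the thresholds (distinct IPs, maximum TTL, number of distinct /24 networks) are assumptions chosen for the sample data, not values from the book.

```python
from collections import defaultdict

# Constructed DNS answer log for the example: "timestamp name ttl answer_ip".
# Addresses are from the documentation ranges; nothing here is real traffic.
SAMPLE_DNS_LOG = """\
1361100000 flux.bad-domain.example 180 203.0.113.10
1361100200 flux.bad-domain.example 180 198.51.100.77
1361100400 flux.bad-domain.example 120 192.0.2.45
1361100600 flux.bad-domain.example 180 203.0.113.200
1361100800 flux.bad-domain.example 60 198.51.100.9
1361101000 flux.bad-domain.example 180 192.0.2.130
1361100000 www.static-site.example 86400 192.0.2.10
1361100500 www.static-site.example 86400 192.0.2.10
1361100000 cdn.big-provider.example 300 203.0.113.50
1361100300 cdn.big-provider.example 300 203.0.113.51
1361100600 cdn.big-provider.example 300 203.0.113.52
"""


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, name, ttl, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, name, ttl, ip = line.split()
        records.append((int(ts), name.lower(), int(ttl), ip))
    return records


def network24(ip):
    """Crude /24 grouping; fast-flux nodes are usually scattered across networks."""
    return ".".join(ip.split(".")[:3])


def flux_score(records, min_ips=5, max_ttl=300, min_networks=3):
    """Aggregate answers per name and flag names that look like fast-flux:
    many distinct answer IPs, low TTLs, and answers spread over several /24s.
    The third test is what keeps an ordinary CDN (many IPs, one network) out."""
    by_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, name, ttl, ip in records:
        entry = by_name[name]
        entry["ips"].add(ip)
        entry["nets"].add(network24(ip))
        entry["ttls"].append(ttl)
    results = {}
    for name, entry in by_name.items():
        lowest_ttl = min(entry["ttls"])
        results[name] = {
            "distinct_ips": len(entry["ips"]),
            "distinct_networks": len(entry["nets"]),
            "min_ttl": lowest_ttl,
            "suspicious": (
                len(entry["ips"]) >= min_ips
                and lowest_ttl <= max_ttl
                and len(entry["nets"]) >= min_networks
            ),
        }
    return results


def suspected_fast_flux(text, **thresholds):
    """Convenience wrapper: names in a log text that trip the fast-flux heuristic."""
    scores = flux_score(parse_dns_log(text), **thresholds)
    return sorted(name for name, r in scores.items() if r["suspicious"])


if __name__ == "__main__":
    for name, r in flux_score(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(name, r)
```

Thresholds like these need tuning against your own resolver logs; round-robin DNS and CDNs rotate answers legitimately, which is why the example also counts distinct networks before calling a name suspicious.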

Chapter 5, “Wireless Mayhem with Python”, reviews mining WiFi traffic for personal information like payment cards and authentication credentials, analyzing 802.11 probes and beacons, intercepting and hijacking UAV command traffic, detecting Firesheep use, and manipulating Bluetooth networks.

Chapter 6, “Web Recon with Python”, explains the Mechanize and BeautifulSoup libraries as well as using the Google and Twitter APIs, plus a small section on spear phishing.

Chapter 7, “Antivirus Evasion with Python”, covers how to use PyInstaller to obfuscate a Metasploit payload from antivirus as well as how to check your code automatically against AV scanners.

Cyberwords on cyberwar


Few things frustrate me as much as muddled thinking, depending on logical fallacies, or misinterpreting data. To my (long) list of examples of some of these things, I can add Dennis Fisher’s post U.S. Cyberwar Doctrine Would Not Matter Without International Agreement. To be fair, you should read his article first before my critique of it.

An open response to Dave Aitel on the EFF

Dave Aitel recently posted regarding the Electronic Frontier Foundation and exploit sales to the eponymous Daily Dave mailing list. I’ve snipped out stuff that doesn’t have anything to do with this particular issue:

Lately the EFF has been posting things that seem to want to restrict exploit sales ( https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate ) as if this somehow increases security for the Internet as a whole. Aside from regulation being an ineffective tool here, I don’t think the EFF should have the particular worldview that giving up freedom for security here is an acceptable trade-off. And when Charlie Miller and I talked to an EFF representative at DefCon, she agreed with us.

However, the current EFF stated opinion is this:
“If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal.”

Calling for the government to regulate what kind of code you write sounds counter-productive to the EFF mission, and is definitely counter to the opinions of people on this list and in this community. Until the EFF changes their position, I recommend not donating to them or buying the strangely decorated shirts at DefCon.

Marcia Hofmann then responded via Twitter:

She (and I) are not the only ones to disagree with the premise of his post:

I responded to part of his post, but for whatever reason it has not been posted back to the list. So I’m posting it here, partly because I think he’s wrong and partly because Marcia Hofmann requested a link. I’ve also fleshed it out a little.

I don’t read the EFF’s statement the same way Dave does. That is, you’re still free as far as I can tell to write whatever code you want to write. The next sentence of the post he cited states the EFF’s real goal:

“Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology — and its users — vulnerable to attack.”

So, taking the statement as a whole, the EFF advocates taking the vulnerabilities and exploits purchased for offensive operations and using them also for defensive operations. Subject to OPSEC concerns, I think this is more or less reasonable and correct: if we know of a bug, we know it has a limited shelf life (especially once it’s used against a sophisticated adversary). It makes sense to then transition to fixing the same problem in our systems. And along the way, perhaps some critical systems can have mitigation applied, whether that’s a patch or something else. After all, if smart hackers on one side can find it, smart hackers on another side can too.

Regarding the last bit of his post: even if I misunderstand the EFF’s position, or a supporter disagrees with it even so, we must then decide whether the rest of the things they do outweigh this portion of their policy proposals. After all, they work on a lot more (and bigger) issues than just this. So for now I’m happy to continue buying schwag, sending them money, and volunteering for projects within my domain of expertise.

(Disclosure: I’m a rank-and-file member of the EFF but with no special knowledge or access or anything similar to their policy statements.)

We are all cyber warriors now

Two recent articles have me thinking about the wide disparity in what people mean by the term “cyberwar”. I don’t like this term and don’t usually consider myself as working in or around cyberwar, as I don’t have anything to do with things like Stuxnet. You could make the case that we’re using “war” here in the sense of “war on drugs” (an apt comparison in more than one way), I suppose. Generally speaking, however, it’s less of a war and more about espionage or crime, depending on the actors and their motives.

Espionage EVERYWHERE

So when the excellent blog Sources and Methods ran an article a few days ago entitled Top 5 Things Only Spies Used To Do (But Everyone Does Now), it grabbed my attention because the activities listed all pertain to our more-or-less normal lives online. We don’t necessarily live in an age of “too many secrets” anymore, because the volume of open data has grown so rapidly that we have difficulty quantifying it. Instead, analysis and transparency have become our watchwords.

In Wheaton’s list of 5 things, a few really stood out to me. #4 “Shake a tail” stems from the idea that we all use various methods of countersurveillance now (using incognito mode or NoScript in our browser, for example). I do a lot of this, but it seems to me like we could turn this comparison around. Surveillance methods that might have seemed purely indicative of police states and the Warsaw Pact 50 years ago have become standard business practice today, to say nothing of the issues around government surveillance here in the West. I’m not sure that #3 is completely a new thing, as most password usage now has much more in common with the millennia-old use of locks and keys rather than Prohibition-era speakeasies. But the widespread use of encryption technology is an interesting comparison.

I take a little issue with #2 on the use of an “agent network”, in the sense that our usage easily surpasses the idea of “a group of humans who we have vetted and recruited to help us get the information we want”. That’s just a subset of our agent network now; tools like Paper.li and The Tweeted Times help us filter through large amounts of these data, not to mention Google Alerts and other intelligent agents that scour the Internet on our behalf with nothing more than an algorithm and parameters we’ve given it. Ironically, a lot of the countersurveillance privacy notions we may use in #4 above directly combat people using their own agent network against us.

While stating that our use of satellites now includes capabilities “that were not even dreamed of by the most sophisticated of international spies a mere decade ago” includes a bit of hyperbole, certainly many of the things we might consider normal in a few years would have seemed like pure science fiction not too long ago.

Cyberwar in Syria

Right next to Wheaton’s article, my browser had a tab open to US Training Syrian Opposition In Cyber Warfare, Online Security. I might quibble with Wheaton on a few insignificant details, but this article on Syria missed the mark in ways that disappointed me greatly.

First, the article essentially equates “PC encryption mechanisms, government firewall workarounds, and the safe use of mobile phones” to cyberwar. This is highly inaccurate, particularly given the parallels with the intelligence techniques we just discussed. While claims that the CIA provides logistical support (tech, weapons, and training) to the Syrian opposition are in line with the traditional roles of that agency, I don’t think that helping dissident groups in China or Syria is “warfare” in any meaningful sense of the word. While drug dealers definitely do use disposable cell phones, that’s because the use case is essentially the same. In fact, from the point of view of a government, the users themselves are pretty much the same: people doing illegal things that someone might construe as a threat to their national security. US government sponsorship of Tor may be the most ironic thing I’ve read all day, actually, but this only highlights the idea that any given tech itself isn’t ethical or unethical. Our usage of it certainly can imply ethical concerns, but even then that depends on your own framework.

Either way, for all our discussion about cyberwar and defending assets, it strikes me that involvement with some of these projects could go a lot further in the service of someone’s ideals than simply publishing exploits on Full Disclosure.

Sapho: threat intelligence tool


We all need Sapho juice sometimes.

Poking around GitHub one night for interesting projects, I ran across Sapho. I dug into it more and found that my fellow tweep Scott Roberts had written it, which only heightened my interest.

Sapho was built as an off hours project to manage intelligence developed from computer network defense activities and third party sources. Building up on the considerable resources of DokuWiki, Sapho automatically generates a framework of wiki resources for capturing and analyzing cyber threat intelligence and responding.

Sapho as I understand it consists solely of a template generator for DokuWiki to help you track intrusion campaigns, adversaries & groups, and targeted malware. Unlike Collective Intelligence Framework and other tools, Sapho primarily exists as a way for humans to review the intelligence rather than as a feed for other systems to consume. If I tell another analyst that a given intrusion appears tied to group alpha, for example, then he can easily review what we know about them specifically. Of course, intelligence groups with even basic competence do this to some degree already, but Sapho allows you to create a common structure for these data.

Given the tool’s simplicity, then, we could extend it in a lot of useful ways. Scott outlines a few other potentially-related tools on the project site, like log2timeline, Cuckoo Sandbox, and Maltego / Casefile. For example, Sapho could automatically ingest the reports from these and reformat them into DokuWiki syntax. I can imagine an output plugin for CIF that does something similar for its data.

Essentially, Sapho could become a tool to transform analytical output into a common human-readable format. Taking it a step further, it could recognize certain indicator types like a hash, IP address, or similar, and automatically create wiki pages for them as a sort of correlation method.
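The indicator-to-wiki-page idea above is simple enough to sketch. The block below is an added example written for this post, not code from Sapho or from Scott Roberts: it pulls hashes, IPv4 addresses and domains out of analyst report text, emits one DokuWiki page per indicator, and on each indicator page lists the reports it appears in and the other indicators that co-occur with them, which is the correlation step. The `reports:` and `indicators:` namespaces, the short TLD list in the domain regex, and the two sample reports (with documentation-range addresses and the well-known empty-file MD5 and SHA-256 test vectors standing in for malware hashes) are all constructed for the example.

```python
import re
from collections import defaultdict

# Indicator types the post mentions (hash, IP address) plus domains.
# The TLD alternation is deliberately short; extend it for real use.
INDICATOR_PATTERNS = {
    "hash": re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I),
    "ip": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|example)\b", re.I),
}

# Constructed sample reports (not real intelligence). Both mention the same
# IP so the correlation section on that indicator's page has content.
SAMPLE_REPORTS = {
    "reports:2013-02-intrusion-alpha": (
        "Phishing document dropped a binary with MD5 "
        "d41d8cd98f00b204e9800998ecf8427e and beaconed to 198.51.100.23 "
        "over HTTP with host header c2.bad-updates.example."
    ),
    "reports:2013-02-intrusion-beta": (
        "Second host contacted 198.51.100.23 and resolved "
        "login.bad-updates.example; payload SHA-256 "
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
    ),
}


def extract_indicators(text):
    """Return {indicator_type: sorted list of lowercased values} found in text."""
    return {
        kind: sorted({m.group(0).lower() for m in pattern.finditer(text)})
        for kind, pattern in INDICATOR_PATTERNS.items()
    }


def page_id(kind, value):
    """DokuWiki page id under an 'indicators' namespace. Dots are swapped for
    underscores so the id never looks like a nested namespace (design choice)."""
    return f"indicators:{kind}:{value.replace('.', '_')}"


def build_wiki(reports):
    """reports: {report_page_id: report_text}. Returns {page_id: dokuwiki_markup}
    containing the report pages (indicators turned into links) and one page per
    indicator that links back to every report mentioning it."""
    seen_in = defaultdict(set)   # indicator page id -> set of report ids
    label = {}                   # indicator page id -> (kind, value)
    pages = {}
    for report_id, text in reports.items():
        linked = text
        for kind, values in extract_indicators(text).items():
            for value in values:
                pid = page_id(kind, value)
                seen_in[pid].add(report_id)
                label[pid] = (kind, value)
                # Replace whole-token occurrences with a DokuWiki link [[id|label]].
                linked = re.sub(rf"\b{re.escape(value)}\b", f"[[{pid}|{value}]]",
                                linked, flags=re.I)
        pages[report_id] = f"====== {report_id} ======\n\n{linked}\n"

    for pid, report_ids in seen_in.items():
        kind, value = label[pid]
        lines = [f"====== {kind}: {value} ======", "", "===== Seen in =====", ""]
        lines += [f"  * [[{rid}]]" for rid in sorted(report_ids)]
        # Correlation: every other indicator that shares at least one report.
        related = {o for o, rids in seen_in.items() if o != pid and rids & report_ids}
        if related:
            lines += ["", "===== Related indicators =====", ""]
            lines += [f"  * [[{o}|{label[o][1]}]]" for o in sorted(related)]
        pages[pid] = "\n".join(lines) + "\n"
    return pages


if __name__ == "__main__":
    for pid, markup in build_wiki(SAMPLE_REPORTS).items():
        print(f"--- {pid}\n{markup}")
```

Each page id maps directly to a file under DokuWiki’s data/pages directory, so a small script could write these out and let the wiki’s own backlinks do the rest; the regexes are the weak point and would want the usual defanging handling (hxxp, [.]) before use on real reports.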

The approach here does not really scale to large databases – but I don’t think it should. This sort of intelligence analysis works best when looking at the operational level rather than a very large scope like that of ThreatExpert. And since the tool uses the Simplified BSD license, you can take the idea and even the basic code and turn it into whatever works for you.

Everyone codes. No one quits.

Chewbacca fighting Nazis on a giant squirrel.

So FreeCause has an initiative to make all its employees learn how to code. Not that everyone will join in developing production code, but they have to learn the fundamentals. In their case, they use Codecademy which teaches JavaScript. Despite some of the bellyaching on Hacker News, this makes sense to me for a number of reasons.

  • This can help people understand the tools that could assist them with their normal day jobs as they gain the confidence to look into writing scripts and macros. IT staff in particular frequently lack any coding (scripting) skills unless they are developers or Unix sysadmins.
  • They will have a better understanding of the web technologies they run across in their daily lives. This applies especially well to Codecademy users who learn JavaScript.
  • Learning to code teaches you to break a problem into parts and think analytically. We can probably all agree that our society could use more people with good critical thinking skills.
  • Everyone in an enterprise should have a core understanding of the elements of major functions. Yes, this means programmers should understand the very basics of finance and human resources and probably other areas that don’t occur to me at the moment.

There are two kinds of elitism: One is the belief that only the most informed and qualified individuals should make the decisions for a group. The other is the belief that those who do not belong to the “elite” have no business even dabbling in affairs beyond their supposed comprehension. The latter isn’t healthy to any organization, much less broader society, but walking a mile in your neighbor’s (or co-worker’s) shoes can have lots of positive effects.