Tag Archives: Hacktivism

Brain dump of DFIR and network security research ideas

Maybe I could get more of these done with this.

I’ve seen several people talk about lacking ideas for research projects, often around DFIR or network security. Personally, I have the opposite problem: endless ideas for projects, often with the barest hint of a start, but not enough time to pursue them all. So I thought I’d publish a bit of a brain dump. I actually have made good progress on a few of these, and I have concrete plans around others (beyond just “wouldn’t it be cool if…”), but in any case I’d love to see other people pick them up and run with them.

If you do happen to get interested in any of the following, I wouldn’t mind a quick note to touch base to see about possibilities for collaboration or at least an acknowledgement in whatever you publish. Don’t interpret that as any sort of requirement, though; ideas have no value without execution, so all the hard work hasn’t even begun.

  • Malware
    • Classification across a large corpus
    • Automated IOC extraction and publication
  • Threat Actors
    • Profiling systems, particularly based on OSINT
    • Underanalyzed crime groups (e.g. drug cartels involvement in malware, spam, and fraud)
    • Hacktivism motivations and methods
  • Passwords
    • Cracking lab setups
    • Useful entropy calculations
  • Quantitative analysis of incidents
    • DDOS attacks (hard to get numbers on these)
    • Defacements and low-level leaks
  • Active Defense
    • Honeypots and honeyclients
    • Vocabulary or taxonomy on various methods
    • Callback Trojans in documents
    • C2 / RAT vulnerability research

On Aaron Swartz and hacktivism

With enough coffee, anything is possible

By now, nearly everybody who would read this blog has probably heard about Aaron Swartz’s suicide. I didn’t know Aaron, though I wish I could have. Many people whom I respect and admire have written eloquently about his life and legacy: Philip Greenspun, Lawrence Lessig, and Tim Berners-Lee. This has left me a lot to think about, from depression (a subject with which I have more personal and intimate familiarity than almost anyone knows) to programming to prosecutorial discretion.

I’ve been thinking for some time on “hacktivism 3.0”, which is a somewhat-misleading term because none of this has truly developed linearly. But if hacktivism has (d)evolved from cDc’s original declaration to Anonymous-style DDOS, it has also grown into full-blown activism “using our powers for good”, changing the world through code and a deep understanding of the technologies that now connect us and define so much of our lives (and not just in the First World). That might mean anything from volunteering at the computer lab at your local library or school to moderating online support communities to running a Tor relay to working with organizations like Citizen Lab.

The need for us – and by us, I mean all hackers – to get involved in making the world a better place is not directly political nor religious and certainly not partisan. I have a deeply ingrained belief that everyone should use their talents, skills, and abilities to try to help people around them. For some, that could mean getting involved in politics or religion, certainly, but for others, it could mean something else.

So don’t wait. Brew a pot of coffee and get to work. If you’ve been considering getting involved with a project, do it. If you already have a cause that matters to you, start doing something you can do. The world needs us right now.

Semantic change: APT, Cyberwar, and Hacking

“It’s just semantics!”

I hate that phrase. Words mean things – and “semantics” is the study of those meanings. Most words can push emotional buttons for us, even when we really just use different words to describe the same thing. Think about the range of words that all essentially mean “fecal matter”, running the entire way from baby talk to medical terminology to vulgarity.

And, over time, the meaning of a word can evolve through semantic change. I’d suppose this happens even more frequently with jargon. So I’ve started to change my tune on a few specific bits of jargon that I encounter daily.

First, one of the most common (and controversial) phrases in 2011: “advanced persistent threat” (APT). From my understanding, this term originated with the US Air Force in 2006 to refer to either “any sophisticated adversary engaged in information warfare in support of long-term strategic goals” or, well, China. I do not like this term at all, because we have much better terms now when discussing general classes of attackers. And now that the US government has publicly discussed the ongoing campaign of intrusions from China, rather than just in classified environments, we no longer need to treat the subject so gingerly. My stance has evolved to the point of eschewing the term completely. If you mean “nation-state actors” in general, say that. If you mean China (or Russia, or Israel, or the US), then say that. If you mean adversaries with significant capability, I suppose “APT” is the marketing buzzword these days, but this usually leads to so much FUD that I’d prefer other terms that don’t carry the same baggage.

This year, I still hear “cyberwar” – maybe with even more frequency than in 2011. In my view, individuals and organizations with specific agendas have fanned the flames here to suit their own purposes. I don’t really like this term, because I believe that we should reserve the term “war” for the sort of large-scale “kinetic” conflict traditionally associated with it. General Robert E. Lee said at the Battle of Fredericksburg that “it is well that war is so terrible, otherwise we should grow too fond of it”. By using the word “war” for something that doesn’t result in the broken lives and bodies we see in places like Afghanistan, Somalia, and Uganda, we desensitize ourselves to that harsh reality. (I speak here in general terms: certainly, there are individuals who use terms like “cyberwar” and have an all-too-horrible familiarity with the reality of war in a way I do not.) With all that said, I’ve come to accept this term grudgingly. Certainly, conflict exists between nations and other organizations, and some of those conflicts extend to networks and other digital systems. At one time, this primarily took the form of a secret war, and the vast majority of the public knew nothing about it beyond what they saw in movies. Nobody denies that these conflicts exist now; we just disagree on who does what, what we should call what they do, and of course what will happen in the future. But if I see this term, I will assume you mean the type of serious conflict that leads to things like Titan Rain and Stuxnet – and that you know a thing or two about it, rather than parroting what you heard in a vendor webinar.

Finally: I refuse to give up the word “hacker”. My last CSO once said in a security meeting that “we don’t hire hackers” – only to have several of us cough politely and catch his eye. (“Well, you know what I mean.”) The term certainly has considerable nuance, but I will almost always use it to refer to a particular subculture of geeks and programmers: Linus Torvalds, Richard Stallman, Grace Hopper, Steve Wozniak – not Albert Gonzalez and Kevin Mitnick. Portmanteaus like “hacktivism” grate on me, but at the moment I don’t know of better alternate terms.

I’d like for us to think of something, though.

Richard Clarke: The Year of the Hack

NB: These are my notes of Richard Clarke’s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only company stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found it, it looked very closely at which particular version and deployment it found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.