About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics.  I'm also on Twitter @bond_alexander.  All opinions are my own unless explicitly stated.

Tuesday, December 21, 2010

I'll Be Pwned For Christmas

I'll be pwned for Christmas
You can count on me
Please have bots and viruses
And exploits for me

When talking to people about viruses and infections, I've found that many people are confused about how virus infections happen.  By now most people realize that files you download can be viruses, but hackers have found ways to circumvent people's caution.  First, the virus can be disguised as something else - such as an update to Flash Player - to trick people into trusting it.  Second, a malicious website can use a vulnerability in your browser to secretly download and execute the virus.  This is called a drive-by download, and some believe these types of attacks are responsible for most virus infections.  This is one of several reasons why it's important to keep your computer up to date with the latest patches.  Your browser, operating system, PDF viewer (usually Acrobat), Flash Player, and Java (if you have it) all need to be kept up to date, because each of them can contain vulnerabilities that can be exploited to gain control of (pwn) your computer.

There are several goals a hacker might have for infecting your computer, but fundamentally a computer is a resource to exploit.  Modern malware, particularly botnets, is becoming very sophisticated.  If Zeus (Zbot) infects your system, it can modify webpages you visit to post its own ads, intercept website credentials (including bank accounts) and send them to the hackers, steal documents, send spam email, turn off your antivirus, install additional viruses, track your keystrokes, and grant full control over your computer ... all from a file as small as 270 KB.

With millions of dollars per year at stake, it's no wonder that virus authors will do whatever they can in order to infect you.  One method, among others, is referencing current events in their spam, or building sites which are specifically designed to appear at the top of search results for key topics of the moment.  This time of year, that includes using holiday greetings to infect you and using websites that appear at the top of searches for holiday terms.

What can I do about it?

Get good antivirus protection.  Use an up-to-date browser.  Not only are modern browsers more secure, but newer versions also include protection against malicious links.  Use good spam protection.  Keep your OS updated, and if you're still running Windows XP it's time to move up.  Always, always think before you click.

Monday, December 13, 2010

Tracking cyber criminals

Whenever there's a cyber attack, one of the most natural questions is "who is behind it?"  That's a critical question to answer so that you can determine the reason for the attack and the damage that's done.  For example, if your intellectual property is stolen by a competitor, the risks are much greater than if it were stolen by an amateur hacker just poking around.  Both are dangerous, of course, but one is much more dangerous than the other.

Not all cyber attacks are equal: some are relatively straightforward to attribute, while others are far more difficult and may be impossible.  For example, take a standard Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, such as the ongoing attack by Wikileaks supporters against organizations that they perceive as censoring Wikileaks.  They have been using a free utility called Low Orbit Ion Cannon (LOIC), which is a tool designed for stress-testing websites (seeing how they perform under load).  Since LOIC is intended as a testing - not criminal - tool, it does not have anonymization features built in.  That means if the user does not take action to disguise themselves, it is trivial to track them down.  A couple of people associated with these attacks have already been arrested for this exact reason.

To understand how this happens, let me explain a little about how the Internet works.  Over the years, there's been significant discussion about IP addresses.  IP addresses are part of the Internet Protocol, and they function to direct traffic to and from its destination.  When you type a URL into your browser's address bar and hit enter, your computer contacts a Domain Name System (DNS) server to translate the human-friendly domain name into the server's IP address.  It contacts that server to initiate a TCP/IP connection, and if that's successful it sends the request for the webpage.  All communication from your computer to computers on local networks or the internet is sent as packets, which contain information such as the destination IP address, your IP address (so the computer knows whom to send the replies to), the item (such as a webpage) requested, and other information not relevant to this discussion.  If you're using your home computer, your IP address is provided by your ISP, and if your IP address is implicated in a crime then law enforcement can contact your ISP to get your information.

Now, for a DoS attack, there are several options that criminals can use to cover their tracks.  If they use a cybercafe or open wireless access point, they can launch their attacks from there.  Then, the return IP address will be the one belonging to the business they're using.  However, this isn't perfect.  If the business records the names of their internet users, then it's no more anonymous than using your home computer.  Still, a wireless access point will record information about your computer (computer name and the MAC address of your network card) in order to successfully route the webpages back to your computer.  That may allow tracking you back to your computer.
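The two paragraphs above say that every packet carries the sender's IP address and that the ISP or access point keeps a record tying that address to a machine.  Here is an added example (my own illustration, not code from any tool mentioned on this page) that shows both halves of that trail from the defender's side: it decodes the fixed IPv4 header the way a server's packet capture would record it, verifies the header checksum so a corrupted capture is not trusted, and joins the source address against a lease log.  The header bytes, the addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24), the lease-log format and the MAC addresses and hostnames are all constructed for the example.

```python
import struct
import ipaddress

# Constructed 20-byte IPv4 header (no options) as a server's packet capture
# would record it: a TCP segment from a customer/cafe address (TEST-NET-2)
# to a web server (TEST-NET-3). Documentation ranges, not real hosts.
SAMPLE_IPV4_HEADER = bytes.fromhex(
    "4500003c"  # version 4, IHL 5 (20 bytes), TOS 0, total length 60
    "1c464000"  # identification, flags (DF), fragment offset 0
    "4006b825"  # TTL 64, protocol 6 (TCP), header checksum
    "c6336417"  # source IP 198.51.100.23 (constructed)
    "cb007105"  # destination IP 203.0.113.5 (constructed)
)

# Constructed lease log in the style an ISP or a cafe access point keeps:
# "timestamp ip mac hostname". This is the record law enforcement asks for.
SAMPLE_LEASE_LOG = """\
2010-12-13T09:58:41 198.51.100.22 aa:bb:cc:00:00:01 front-desk-pc
2010-12-13T10:15:02 198.51.100.23 aa:bb:cc:00:00:02 guest-laptop
"""


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over 16-bit words.
    Over a header that already carries its checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields; reject truncated or corrupted headers."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(data) < ihl:
        raise ValueError("bad header length")
    if ipv4_checksum(data[:ihl]) != 0:
        raise ValueError("header checksum mismatch")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_len,
    }


def parse_lease_log(text: str) -> dict:
    """Map each leased IP to the MAC and hostname the access point recorded."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, ip, mac, hostname = parts
        leases[ip] = {"leased_at": ts, "mac": mac.lower(), "hostname": hostname}
    return leases


def attribute_source(header: bytes, leases: dict) -> dict:
    """Join the packet's source address with the lease record, if any."""
    hdr = parse_ipv4_header(header)
    lease = leases.get(hdr["src"])
    return {
        "src_ip": hdr["src"],
        "dst_ip": hdr["dst"],
        "mac": lease["mac"] if lease else None,
        "hostname": lease["hostname"] if lease else None,
    }


if __name__ == "__main__":
    print(attribute_source(SAMPLE_IPV4_HEADER, parse_lease_log(SAMPLE_LEASE_LOG)))
```

The join only works when the lease log was actually kept: if the cafe never recorded who held 198.51.100.23, `attribute_source` returns the address with `mac` and `hostname` set to `None`, which is exactly the dead end the post describes for an unlogged access point.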

However, that just catches the ignorant criminals.  Skilled criminals will build or rent a botnet to commit a DDoS attack.  These attacks use computers that the hackers take over with viruses that the victims unintentionally downloaded.  Skilled law enforcement officials can sometimes track down the hackers involved.  I don't know the methods involved, but since most successful investigations I've heard about were with hackers in Western nations, I expect it relies on cooperative ISPs.  Other criminals will use anonymization services such as Tor to commit a DDoS attack.  One interesting DoS method I've heard of involves forging the source IP address.  Since an attacker in a DoS attack doesn't actually need the webpage directed back to him, he can set the source address in his packets to someone else's.  For example, in a reflected DDoS attack, an attacker will send an "Echo" request to a network broadcast address.  Essentially, this is asking every computer on a network to reply with an "Echo" packet, used to test connectivity.  However, if the source IP on the "Echo" request is forged to the victim's IP address, the entire network will send its replies to the victim's computer.  This particular attack has been around for a while, so most networks have changed their configuration to prevent it.  Still, it's an excellent example of how attackers will try to cover their tracks.
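From the victim's side, the reflected attack just described has a recognizable fingerprint: echo replies arriving from many hosts that the victim never pinged.  The following is an added detection example (mine, not from the post or any product it mentions) that runs over a constructed list of ICMP flow records as a border sensor would see them, pairs each reply with the request that should have preceded it, and reports hosts receiving unsolicited replies from several distinct sources.  The record format, the addresses (10.0.0.0/8 as the protected network, documentation ranges outside) and the thresholds are assumptions for the example.

```python
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed ICMP flow records as seen at the victim network's border:
# (time_seconds, src_ip, dst_ip, icmp_type). 10.0.0.0/8 is the protected side.
SAMPLE_ICMP_FLOWS = [
    (0.0, "10.0.0.5", "203.0.113.9", ECHO_REQUEST),   # normal ping out
    (0.1, "203.0.113.9", "10.0.0.5", ECHO_REPLY),     # and its legitimate reply
    # Replies arriving at 10.0.0.7 that it never asked for: the fingerprint of
    # an echo request sent elsewhere with 10.0.0.7 forged as the source.
    (1.0, "198.51.100.1", "10.0.0.7", ECHO_REPLY),
    (1.0, "198.51.100.2", "10.0.0.7", ECHO_REPLY),
    (1.1, "198.51.100.3", "10.0.0.7", ECHO_REPLY),
    (1.1, "198.51.100.4", "10.0.0.7", ECHO_REPLY),
    (1.2, "198.51.100.1", "10.0.0.7", ECHO_REPLY),    # repeat from same reflector
    (9.0, "203.0.113.9", "10.0.0.5", ECHO_REPLY),     # stale reply, outside window
]


def find_reflection_victims(flows, min_reflectors=3, window=5.0):
    """Return {victim_ip: [reflector_ips]} for hosts that received echo replies
    from at least `min_reflectors` distinct sources without a matching request
    within `window` seconds. Requests are matched per (requester, target) pair."""
    last_request = {}               # (requester, target) -> time of last request
    unsolicited = defaultdict(set)  # victim -> reflectors that replied unasked
    for ts, src, dst, itype in sorted(flows, key=lambda f: f[0]):
        if itype == ECHO_REQUEST:
            last_request[(src, dst)] = ts
        elif itype == ECHO_REPLY:
            sent = last_request.get((dst, src))
            if sent is None or ts - sent > window:
                unsolicited[dst].add(src)
    return {v: sorted(r) for v, r in unsolicited.items()
            if len(r) >= min_reflectors}


if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_ICMP_FLOWS))
```

The single stale reply to 10.0.0.5 stays below the threshold, which is the point of counting distinct reflectors rather than raw replies: one late packet is noise, dozens of hosts answering a question you never asked is not.  The configuration change the post mentions (networks no longer answering echo requests sent to their broadcast address) is the fix on the reflector side; this check is what the victim's side can do regardless of whether other networks have applied it.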

Botnets pose significant issues for determining the origins of an attack, as the computers that are actively attacking are under the control of assorted "Command and Control" servers, which are likely not even directly owned by the hackers.  The control servers can be IRC bots, Twitter accounts, blogs, webmail accounts and/or Google groups.  It can even be a rented "virtual computer" on a system like Amazon's EC2 cloud servers.  Modern botnets have multiple redundant control servers, so when the primary set is taken down, secondary servers pop up.  Many of these avenues can be set up anonymously, making it difficult or impossible to trace back to the original hackers.  "Shadows in the Cloud" is an excellent example of a detailed analysis of a botnet.  Even though the security researchers took the place of a command and control server and accessed the hackers' email addresses, they were only able to pin down the location of the servers to a particular location in China.  This only provides circumstantial evidence of who is responsible for the attack.  If the Chinese government and/or ISPs were to cooperate with Western law enforcement, it's possible that we might be able to prove who was responsible, but that cooperation seems exceedingly unlikely.

Determining who is responsible for an attack is a complex and thorny issue, but I've tried to briefly outline some of the complexities.  If you'd like to know more about particular elements or take issue with some of my claims, post to the comments.

Tuesday, December 7, 2010

How "Cablegate" Happened and What It Can Teach Us About Information Security

A lot of digital ink has been spilled about Bradley Manning's disclosure of Iraq War memos and now the classified diplomatic cables known as "Cablegate".  Much of it has focused on Wikileaks - the site Manning chose to disclose the information to - or the content of the leaked information.  However, much more interesting, in my opinion, are the unusual policies that allowed this to happen.

Gary Warner, the author of the excellent blog "CyberCrime & Doing Time", recently wrote an article about the flaws inherent in allowing Manning unfettered and unlogged access to virtually everything that he was cleared for.  Essentially, this is one major reason that organizations should restrict access only to those who have a legitimate need for it.  Not only does it limit the amount of damage that a disgruntled employee can do, but it also limits the amount of damage that can be done if an account is hijacked by a hacker or malware.

This is an inherent difficulty in information security: how do you draw the line between too restrictive and too generous permissions?  Manning was an intelligence analyst in Iraq, so he needed access to a wide range of information in order to do his job.  In addition to reports from Iraq itself, there might be Iraq-related discussion coming out of Afghanistan, or from diplomatic discussions between the US and Iraq, or from the US and other countries.  These are just a few examples of why Manning might have had a need for access to a wide variety of data. 

Despite the possible justification for access, it makes me wonder why the US Government allowed Manning to access virtually everything.  I have no evidence (at the time of this writing), but I strongly suspect it's due to the events of September 11, 2001 and the recommendations of the National Commission on Terrorist Attacks Upon the United States (aka "the 9/11 Commission").  Among other issues, the Commission criticized the lack of connection between individual intelligence agents and national priorities and the lack of communication between intelligence agencies, including the military intelligence agencies.  It's possible the government's response to the Commission's report included removing all significant "need to know" restrictions, while leaving in place the basic "classification" restrictions.

(UPDATE: This suspicion has now been confirmed by the Washington Post)

It's not my place to determine whether or not that decision was justified, but it's certain that allowing Manning access to everything drastically increased the damage caused by his breach.  Access policies are just one aspect of information security; the other aspect is auditing (logging).  Wired.com quotes Manning as writing:
“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”

Manning directly admits that weak (or absent) logging procedures directly contributed to his ability to remove information.  Logging could have generated a digital trail of his activities (both accessing data and burning it to disk).  Good SIEM software could have managed the logs and automatically alerted the appropriate manager or authority that Manning was doing something he shouldn't have been.
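To make concrete what "restrict access to those with a need" (the Warner paragraph above) and "logging plus a SIEM that alerts" (this paragraph) look like in practice, here is an added example of my own, not code from the post or from any SIEM product.  It runs three correlation rules over a constructed day of audit events: a read outside the user's authorized compartments, an unusually large number of distinct documents read in one day, and a write to removable media after such a bulk read.  The event fields, the compartment names, the user names, the threshold of 50 documents and the rule names are all assumptions for the example.

```python
from collections import defaultdict

# Constructed need-to-know table: which compartments each analyst may read.
NEED_TO_KNOW = {
    "analyst1": {"IRQ", "AFG"},   # Iraq-focused analyst also sees Afghanistan reporting
    "analyst2": {"STATE"},
}


def build_sample_events():
    """Constructed audit events for one day: a user reading far more documents
    than usual, one read outside their compartments, and a burn to removable media.
    Fields: ts, user, action (DOC_READ | MEDIA_WRITE), object, compartment."""
    events = []
    for i in range(60):  # 60 distinct IRQ reports in an hour
        events.append({"ts": f"2010-03-01T09:{i:02d}:00", "user": "analyst1",
                       "action": "DOC_READ", "object": f"IRQ-2009-{i:04d}",
                       "compartment": "IRQ"})
    events.append({"ts": "2010-03-01T10:05:00", "user": "analyst1",
                   "action": "DOC_READ", "object": "STATE-CABLE-0042",
                   "compartment": "STATE"})
    events.append({"ts": "2010-03-01T10:30:00", "user": "analyst1",
                   "action": "MEDIA_WRITE", "object": "CD-RW drive D:",
                   "compartment": None})
    for i in range(3):   # a second analyst with normal activity
        events.append({"ts": f"2010-03-01T11:{i:02d}:00", "user": "analyst2",
                       "action": "DOC_READ", "object": f"STATE-CABLE-{i:04d}",
                       "compartment": "STATE"})
    return events


def evaluate(events, authorizations, bulk_threshold=50):
    """Apply three correlation rules and return (rule, user, detail) alerts:
    OUT_OF_SCOPE          - a read outside the user's authorized compartments
    BULK_ACCESS           - distinct documents read in one day reach bulk_threshold
    BULK_THEN_MEDIA_WRITE - removable-media write after a BULK_ACCESS that day"""
    alerts = []
    docs_per_day = defaultdict(set)   # (user, day) -> distinct documents read
    bulk_flagged = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["ts"][:10])
        if e["action"] == "DOC_READ":
            if e["compartment"] not in authorizations.get(e["user"], set()):
                alerts.append(("OUT_OF_SCOPE", e["user"], e["object"]))
            docs_per_day[key].add(e["object"])
            if len(docs_per_day[key]) == bulk_threshold:  # fires once per day
                alerts.append(("BULK_ACCESS", e["user"], key[1]))
                bulk_flagged.add(key)
        elif e["action"] == "MEDIA_WRITE" and key in bulk_flagged:
            alerts.append(("BULK_THEN_MEDIA_WRITE", e["user"], e["object"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_sample_events(), NEED_TO_KNOW):
        print(alert)
```

The first rule is the access-policy half: it only works if a need-to-know table exists to compare against, which is precisely what the post argues was removed.  The other two are the auditing half and fire even when the user is allowed to read every document, because they watch volume and the combination of bulk reads with a write to removable media rather than any single permission check.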

As I discussed in my post about airport security, effective prevention, tracking and mitigation efforts all need to be combined into a coherent policy to handle damaging attacks like the one the US Government has recently suffered at the hands of Bradley Manning.

Monday, November 29, 2010

What computer security and airport security have in common

Like many others out there, my wife and I took a plane to visit family for Thanksgiving.  In fact, due to a work travel obligation I had to take four flights in the past two weeks, which is about what I usually fly in a year.  That means four trips through airport security, although I managed to avoid the x-ray naked body scanners each time.  My wife had to opt out on our return from Thanksgiving (luckily, the screeners we encountered were professional), although others have not been so fortunate.  You can request a private room to prevent that sort of abuse.

There are potential health risks.  In particular, I want to know what safeguards there are for misconfigured backscatter machines.  TSA claims that when the machines function normally there is minimal risk, but sometimes machines malfunction or are misconfigured due to poor training, and TSA is already known to have poor training standards.  There are the obvious privacy losses associated with naked pictures being taken of travellers.  TSA assures us that the images will never be saved or made public, but that promise has been broken once already by the US Marshals.  I for one don't trust that it won't happen again.

However, these issues are specific to airport security and the naked scanners in particular.  The bigger problem in my mind is that this continues to provide a static defense against a particular type of problem.  Like the French Maginot Line, TSA checkpoints have become an elaborate but static defense designed to prevent the types of invasions that have come in the recent past.  Like the Maginot Line, the attackers see that we're currently obsessed with one particular avenue of approach and are starting to switch tactics to bypass them.  Bruce Schneier recently wrote a concise summary of the airport problem:

A short history of airport security: We screen for guns and bombs, so the terrorists use box cutters. We confiscate box cutters and corkscrews, so they put explosives in their sneakers. We screen footwear, so they try to use liquids. We confiscate liquids, so they put PETN bombs in their underwear. We roll out full-body scanners, even though they wouldn’t have caught the Underwear Bomber, so they put a bomb in a printer cartridge. We ban printer cartridges over 16 ounces — the level of magical thinking here is amazing — and they’re going to do something else.

This is a stupid game, and we should stop playing it.

The same problem exists in modern computer security.  So much attention, both on the corporate and personal level, is focused on the firewall, trying to block people from entering the network.  It's the same situation as on an airplane; just replace luggage searches with packet inspection and no-fly lists with port blocking.  As long as airport and computer security are entirely focused on preventing intrusions at the border, they will fail.  When we realize we need to also have measures in place to respond to intrusions, we can begin to detect attackers early and prevent damage from being done.  This is how both Richard Reid and Umar Farouk Abdulmutallab were stopped after TSA failed.  Note that no Air Marshals were on their flights; these attackers were stopped by the passengers who happened to be nearby.

That's stopping people at the last minute, though.  Like any crime, there's a process of deciding to attack, identifying a target, reconnaissance, positioning, attacking, and response.  That link refers mostly to violent crime, but with some modifications it applies to burglary or hacking as well.  Having adaptable security procedures and a responsive law enforcement presence that is able to take proactive measures to disrupt criminal or terrorist gangs will massively improve safety, far more than naked body scanners could ever hope to.

But that brings me to the final common element between computer and airport security.  Safety is not something you HAVE.  It's something you WORK TOWARDS.  There's no way to be perfectly safe/secure.  There's no way to stop every attack.  Hacker-proof, burglar-proof or terrorist-proof only exists for politicians and salespeople; in the real world there is always risk.  All we can do is prevent what we can and minimize the damage from what we can't.

Agree with my post?  Disagree completely?  Share your thoughts, post a comment.

Tuesday, October 19, 2010

Facebook's most recent privacy controversy

I was listening to the radio this morning and heard an interesting discussion of Facebook's most recent privacy issue (first reported by the Wall Street Journal).  I follow Graham Cluley's blog, so I was not at all surprised to learn that the source of this privacy leak (it's nowhere near big enough to be a "breach") was Facebook applications.  However, I was surprised to learn that they weren't talking about the genuinely malicious applications out there.  Instead, this is what the WSJ was concerned about:

The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private

Ok, so what's the concern here?  It's just the number that uniquely identifies your Facebook profile, plus the information you've marked Public and the information that you specifically authorize the application to collect.  If you don't read that page that comes up every time you try to add an app, you should.

This is really nothing new.  It's amazing to me that people look at these free apps and don't bother thinking about what the app developer stands to gain from this.  It all goes back to what our parents should have taught us back in elementary school: nothing in life is free.  The best modern phrasing I've seen about this is "If you are not paying for it, you're not the customer; you're the product being sold." - Blue Beetle.  Facebook (and their apps) and Google both buy our personal information with fun toys and features.  They purchase our information because it's valuable to advertisers.

If you're aware of this, you can make an intelligent decision about whether or not you really want to play MafiaWars or FarmVille.  Is that toy adequate payment for the information they're asking for in exchange?  If so, go right ahead and play that game knowing what you're exchanging.  If not, then don't.

The much bigger issue, in my opinion, is the genuinely malicious Facebook apps, the ones that post spam to your wall or persuade you to fill out surveys for them.  They're fundamentally dishonest about what they're doing, and they impersonate the user to spread their spam.

Thursday, October 7, 2010

Computer security is everyone's responsibility

Computer security is like physical security.  If any of us create a vulnerability, we're all vulnerable.  It's like the college dorms: if you prop the door open or leave a window open, someone can use that vulnerability to steal from me.  The same is true with computers, although the situation is massively amplified because someone can use your computer plus several thousand or million others in a botnet to attack my computer or company.  As a result, we're all in the security game together.  I may have better security than you, and the NSA may have much better security than me, but you can help keep us all a little safer by improving your computer's security.

There are lots of sites out there that have good advice for aspects of computer security.  Many of them are targeted for techies or highly computer-savvy people.  However, I've just found a site called Securing Our eCity which provides advice and presentations for both families and businesses about computer security basics and current topics like some of the recent social networking viruses and online bullying.  If you have an interest in computer security (and if you're reading this blog, you probably do), take a look and see what you think.  Share it with your friends to let them know how they can stay safe online.  If we all help each other, we can make the internet a safer place.

Tuesday, October 5, 2010

Cybercrime and law enforcement priorities

With all of the stories in the news these days about Stuxnet, the ZeuS botnet, spam, identity theft, cyberwar, the US Cyber Command, and hackers, it's easy to believe that cybercrime and computer security are a high priority for the US government.

However, a new analysis from Gary Warner with the CyberCrime & Doing Time blog claims that although cyber crime should be a high priority for US law enforcement, it's not.  He points out that despite the fact that cyber crimes are escalating dramatically, the FBI's budget is only increasing by 4%, creating only 347 new agent positions over the 2010 fiscal year.  There's only a 5.5% increase for the US Attorney's offices, which would of course be responsible for prosecuting the criminals that the FBI catches.

Officially, cyber crime is the FBI's third priority, behind terrorism and counterintelligence.  However, Mr. Warner points out that 51% of the FBI's budget is for counterterrorism.  Coming in at a distant second is major thefts/violent crime at 14.8% and third is "combat public and corporate corruption, fraud, economic crime, and cybercrime".  Obviously, the FBI's budgetary priorities don't match their stated goals.

The 2011 FY budget (October 2010-September 2011) shows some steps in the right direction.  They requested an increase of 163 positions for Computer Intrusions (63 agents and 46 analysts) and only 90 new positions for National Security Threats.  This isn't to say that national security issues are unimportant ... far from it!  It's that cybercrime isn't given a big enough share of the FBI's attention, and this will work towards correcting that imbalance.  After all, the FBI claims that in Fiscal Year 2008 (2009 was not complete when the report came out), out of 3,974 computer intrusion cases received, there were only 31 "priority" investigations successfully "satisfied" (the FBI's term; I don't know how they define it), resulting in 126 convictions/pre-trial diversions.  Granted, some of these cases will be unable to result in convictions because many hackers reside outside the country, but this week's arrests of computer fraudsters in the US, Russia, the UK and Ukraine show that with good international cooperation these thieves can be brought to justice.

Although these arrests are excellent progress, it's sobering to note that the 2010 Verizon/Secret Service Data Breach Investigations report shows that in 2009, the Secret Service added another 84 cases from 2009, for a total of 4,058 computer intrusion cases that got the attention of federal law enforcement (although it's possible that some of the FBI's cases are also in the Secret Service's report, I'm being optimistic).  Also in 2009, the Internet Crime Complaint Center reported 336,655 internet crime complaints, and only half of them were referred to law enforcement for action.  Obviously, we have no way of knowing how many breaches there were in total, as many are never reported or even discovered.  Also, the FBI statistic refers only to computer intrusions and the Secret Service statistic refers only to data breaches, so they're not equivalent figures.  Still, it seems clear that the FBI is under-equipped to deal with the vast amount of cybercrime out there today.

The FBI's cyber division and other federal cyber law enforcement agencies do excellent work fighting cybercrime, but without better support and budgets, they can't really cut down the amount of theft going on out there.  Far more people are victims of cyber crime than terrorism, yet terrorism always gets the media and political attention and the budgets that go along with it.  I feel we need to better support the FBI's cyber division to fight back against these hackers.  What do you say, readers?  What's your opinion on the topic?

Full disclosure: I have applied for the FBI and would like to work in their cyber division.

Sunday, September 26, 2010

Cyberwar, revisited

When I started this blog just two months ago, the news was all about "cyberwar" and the threats of it.  I posted my take on the issue, which was essentially that although espionage happened, there wasn't really much that would be considered "war".

That was before the worm called Stuxnet hit the news (although after the main infection hit).  Stuxnet (officially W32.Stuxnet) is a type of malware that is unique for a number of reasons, not least that it's the first known malware to infect SCADA systems.  It's rather versatile as well, possessing the ability to exfiltrate data (send confidential info back to the hackers), hide itself in the Windows operating system, and insert new code into the systems so that the hacker can change the operations of the system.  Interestingly, it injects the code in such a way that the new code is hidden from people who examine the infected system.  Stuxnet exploits several different zero-day vulnerabilities, which in itself is quite unusual.  A vulnerability is most effective before it's discovered and patched, so to "waste" four vulnerabilities on one virus is quite uncommon.  On top of that, the hackers who wrote the virus stole two digital certificates and used them to sign the virus, so that Windows would trust that the virus came from a legitimate company.  The virus contacted two command and control servers to obtain updates and instructions, but it also had a peer-to-peer (p2p) update scheme as a backup.

All of this leads several leading virus researchers to believe this was created by an organization with a large degree of technical skill, time, and money.  Many believe it was created by a government intelligence agency.  The fact that in the first couple of days 59% of infections were in Iran further encourages the belief that it was an intelligence operation against a particular industrial facility in that country, perhaps the Bushehr nuclear reactor or perhaps the Natanz nuclear enrichment facility.  The Natanz facility was built 8 meters underground and protected by reinforced concrete, likely to protect it against threatened airstrikes.  Since the facility is very difficult to attack by conventional means, it's tempting to believe that this was the target of Stuxnet, and it's tempting to believe that Stuxnet may have been an Israeli intelligence operation.  However, we'll likely never know for sure.  Even if the perpetrators step forward and admit what they were doing (and the odds of that are nil), we'd have no way to verify it.

Either way, the fact that Stuxnet exists is proof that cyber sabotage is indeed possible.  Two months after the beginning of the attack, we still have no proof as to who was responsible for it, only guesses.  To me, that's the more frightening part.  With all conventional weapons, it's relatively easy to determine who is responsible for an attack.  Even in the case of terrorism, with some investigation it's possible to prove who should be held accountable for their actions.  With viruses, sometimes it's possible but much of the time it's not.  Obviously, only time will tell if the creators of Stuxnet will be held accountable for their actions, but if they're never identified then I don't think there can be effective arms control for "cyberwar".

What do you think?

Monday, September 13, 2010

On trust

Computer security is a complex and continually changing field, but there are a few elements that keep cropping up.  One in particular is that with increasing security measures in software, hackers and virus writers are increasingly using psychology to convince a system's user to bypass security for them.  Much like an old-fashioned con man or fraudster will persuade a victim to give them access to their home or bank account, many modern viruses and hacking attempts use social engineering to spread.  By either impersonating someone you may know or stealing and using their account, hackers may try to get you to open a file or click on a link they send you.  This gives them control of your computer for their nefarious ends and allows them to use your accounts (email, Facebook, Twitter, and others) to infect your friends.  There are numerous examples of this in the wild right now, and in particular one of my friends recently fell victim to some variation of one of these.  No matter where you are, always be careful of what you click, always run up-to-date antivirus software, keep your software up to date (particularly Windows and Adobe Acrobat), and always pay attention to possible warning signs of infection (not being able to go to certain websites, antivirus being disabled).

It's not just your friends that hackers and scammers impersonate to get you to trust them.  Particularly if you work on sensitive material (such as military or other government matters), there are quite a few attacks out there impersonating government officials to spread viruses or steal money.  The FBI's "E-Scams and Warnings" page currently has a long list of attacks impersonating government officials.

The only way to protect yourself against these sorts of attacks is to be suspicious of any email that comes into your inbox and any page you view on the internet.  Just because something claims to be from a particular source doesn't mean that's really where it comes from.  Learn to identify malicious email and stay safe out there.  Don't worry, if you've fallen for one of these scams, here is some advice on how to recover.  Also, I strongly urge everyone to report these scams to the Internet Crime Complaint Center (http://www.ic3.gov).

The Internet is a dangerous place, but we can all do our part to keep it a bit safer.

Monday, August 30, 2010

On protectionism, security, and international politics

In the news recently, there's been quite a bit of fear about hacking and data theft sponsored by foreign governments (usually China, but there's been some fear about North Korea and other nations as well).  Here's an example that may or may not have been connected to a foreign intelligence agency, and here is a more recent information-stealing attack on government targets.  There's legitimate fear here; governments have wide resources that they can (and likely do) employ for electronic espionage.  Foreign and domestic companies are also known to employ industrial espionage (electronic and old-fashioned) to steal valuable data from their competitors.  As a result, governments and corporations are beginning to take foreign threats seriously and look at the ways they're vulnerable to them.

Unfortunately, the major espionage fear (corporate and government) is the same country that provides so much of our hardware and has significant government control over their corporations ... China.  We don't know what they might be putting into the hardware that we buy from them, which is a serious threat.

Although that's perfectly true, China buys lots of software (security software included) from the US.  Given that the US and China are global competitors, they have as much to fear from US espionage as we have to fear from theirs.  As a result, it was inevitable that China would take action to prevent foreign security software from being used to secure their critical infrastructure.  It's perfectly reasonable, and I think this exact concern would prevent Chinese-programmed security software from being widely used in the West.

At the same time, there are some claims of protectionism and fear that China is trying to shut foreign competition out of a major Chinese market.  This is also true: favoring local companies clearly goes against "free trade" principles, and certainly the Chinese computer security market would hugely benefit from forcing foreign companies out or forcing them to work alongside local Chinese companies.

There's really no easy answer to this one, but really there never seems to be.  To keep free trade, you need to allow foreign companies in.  To keep security, you need to keep untrusted companies out.  China's trying to draw a line here by only banning foreign computer security products from critical infrastructure.  They're just as afraid of the US hacking their electrical grid as we are of them hacking ours.

I'm most interested in the parallel reaction to the same threat by our countries.  Information security seems to be shaping up into the great leveler of nations.  It doesn't matter if your military budget is $880 billion (US), $78 billion (PRC) or the much smaller budget of any other country.  To the hacker, we're all vulnerable.

But that's just my opinion; I could be wrong.  What do you think, is China overreacting?  Do you think the situation with China is fundamentally different from the situation in the US?

Thursday, August 26, 2010

On the intersection between politics, law, and computer security

One major annoyance on the internet is spam.  Much of the spam that's out there is either phishing emails (attempts to get users to divulge sensitive information), viruses, or pharmaceutical advertisements.  Now, the White House is calling a meeting with the top internet domain registrars (the companies that sell domain names such as http://www.google.com to companies).  If Obama can get the major registrars to stop selling domain names to criminal organizations like these rogue pharma companies (which sell fake drugs for cheap), it would do much to cut down on their profits and thus the amount of spam they can pay people to send on their behalf.  This would cut down the amount of spam sent and the amount of hacking being done in order to subvert mail servers to send out spam.

Based on the email that Brian Krebs posted, it seems that they're only talking about voluntary measures so far.  Obviously, voluntary measures are only effective when everyone ignores the money that can be gained by violating them.  For a current example, see how effective the voluntary safety inspections at egg farms are.  These rogue pharma operations seem to be able to toss around a decent amount of money, so I doubt voluntary measures would do more than raise the price of the domain names they register for their illegal businesses.

Still, having such a high-level meeting at all and getting political attention to internet security issues like this one is a major first step.  Hopefully it'll eventually lead to global regulations that are effectively enforced with significant punishments for violation.  Until then, don't buy drugs advertised in misspelled emails.  Seriously, why would anyone buy something advertised like that ... and then swallow it?

And yet, people do.  As I'm writing this post, I stumbled across an FBI press release about a Canadian, Hazim Gaber, sentenced to 33 months in prison for selling fake drugs to cancer patients.  Although he is Canadian, he was arrested in Germany.  The international nature of these internet crimes makes enforcement quite difficult.  Interestingly, the press release mentions specifics about his crime.  Apparently he was advertising DCA, an experimental cancer drug.  He was charging $45.52 for 20 grams, but actually shipping a white powder containing starch and sugars (dextrose or lactose).  Absolutely medically useless, and his 65 known victims are incredibly lucky they didn't get something toxic.  Good job, FBI.

Tuesday, August 24, 2010

On the difficulty of preventing identity theft

A week ago, I was moving to a new house and helping my in-laws move their stuff too.  They've run various businesses in the past, which of course creates LOTS of paperwork, including personally identifiable information (PII).  Since the business in question has ended, it was time to destroy the data.  In the chaos and stress of moving, it would have been easy to accidentally throw the private information out with the regular garbage/recycling.  That sort of mistake happens often, and it's one way personal information gets stolen.  Information security isn't just a matter of high-tech software and log files, it's also about making sure documents are destroyed properly and people can't look over your shoulder when you're accessing confidential stuff.  Preventing loss of data due to dumpster-diving isn't cool, but it's important.

If you're a business (regardless of the size of the business), you're going to generate paperwork.  The way you prevent this sort of problem from arising is by creating a clear document policy.  Take a page from the government and assign your documents to clear, simple categories.  For example, "not private", "internal use only", "secret", etc.  Clearly define who can have access to what document type, and make sure anything secret isn't in a location where untrusted people like visitors, janitors or contractors can wander across it.

For any kind of PII, intellectual property or trade secrets, establish how long you need to store it and securely destroy it (shred, incinerate, etc.) when it's past the expiration date.  If you keep up with your document destruction duties, it won't become an overwhelming pile that you need to destroy right now!  That's how mistakes happen and a file/database of bank accounts ends up in the dumpster for some opportunistic thief to steal.

Everyone should have a shredder for this sort of task, but if you're a business you may be better off using a document destruction service.  Typically, they leave some sort of locking container for you to place your confidential information into, and collect it at regular intervals.

Tuesday, August 3, 2010

On the Security Psychology and Ethics

Good security people, whether physical or cyber, share a common mindset that makes us distinct from most people.  Living in society, most people follow the rules of what's considered acceptable behavior and they expect everyone else to do so as well.  As a result, much of the time people don't even consider that other ways of acting are possible.  It's that blind spot that creates vulnerabilities for criminals to exploit.  Good security people are able to look at the rules and assumptions people have about what other people do and say "That's how they're expecting people to act.  What if I do this instead?".  This allows us to find these vulnerabilities, hopefully before criminals do, and encourage people to close them.  Bruce Schneier wrote an excellent article on the subject.

At the California Cyber Challenge camp this year, I was watching a discussion between security people which erupted in an interesting way.  One side was arguing in favor of leniency towards criminal hackers, arguing that as long as their crime is motivated by curiosity rather than profit or malice, they can still be turned back into productive members of society.  The other side was arguing that it's still a crime and they should be punished for their infractions.  This is, of course, an old argument that crops up not just in the computer security field, but in the criminal justice system at large.  Watching it play out, I realized that there's not just one security mindset, but at least two.

On one side we have the penetration testers, vulnerability researchers, cryptanalysts, and other "offensive security" types.  They're good at seeing the vulnerabilities in systems and figuring out how to exploit them, so that other people can fix the vulnerabilities.  The people arguing for leniency for "non-malicious" cyber criminals were from this category.

On the other side we have the system administrators, security researchers, intrusion detectors, incident response people, and other "defensive security" types.  They're good at detecting and blocking attackers and implementing and enforcing security policy.  Forensics people have some of both talents, able to detect and analyze attacks, but also cracking passwords and reverse engineering malware.  However, in terms of mindset and ethics, they seem to be more closely aligned with the "defensive" types.  The people arguing against the category of "non-malicious" cyber criminals were from this category.

My interests and talents lie on the "defensive" side of the spectrum.  Although I can understand how the offensive people may have dabbled in criminal behavior in their youth, fundamentally security positions are powerful.  We hold the keys to the integrity of the network.  We stand between the criminals and secret data. We need to have very strong ethics and personal integrity, because organized crime is getting involved and may try to corrupt us.  In my opinion, once someone starts justifying and using the darker aspects of security, it makes them vulnerable to corruption.

But that's just my opinion, and I'm interested to know what others think.

Wednesday, July 28, 2010

On the US Cyber Challenge and up-and-coming IT security workers

Last week, I was one of the fortunate 22 winners of the California Cyber Challenge selected to attend a week-long training camp at Cal Poly Pomona.  We had four days of intensive SANS training on exploit writing, Linux security, incident response/penetration testing, and digital forensics.  We also had panels on ethics and education, and a job/scholarship mixer.  The final day hosted a "capture the flag" event.

All in all, the event was wonderful.  Events ran from 9-9, and great conversations with fellow "campers" and the instructors frequently ran until 1 or 2 am.  The classes were so intense and packed with information that we frequently came out of them with headaches from the information overload, and more material on our DVDs and in our books to go over in our own time.

One of the really great things about information security in general and the camp in particular is that there are many different specialties a person can get involved in.  Penetration testing (testing a company's security), vulnerability research (testing a program's security), reverse-engineering malware (taking apart a virus or other malicious software to see how it works), intrusion detection (watching a system for signs of hacking), and digital forensics (retrieving evidence from computer systems) all require different skill sets and personalities, and that's not even a complete list.  I'm still new to computer security and until this camp I wasn't really sure what all the different fields were, what I would enjoy and what I was good at.  A varied training camp like the USCC camps introduces the attendees to a variety of different disciplines and the methods required, which lets us discover what we're good at and what we enjoy, while also giving us a better background in the parts that aren't our preference.  Learning how to write exploits is useful for determining how a virus works, or tracking down what happened on a system.  For me, one of the great virtues of the camp was learning for certain that I enjoy computer forensics.  Now I can study it in more detail and get work experience for a career.

One aspect of events like the camp and similar security training events that is frequently underestimated is the social networking opportunities.  I'm talking about the old-fashioned face-to-face kind, which can be supplemented by the Web 2.0 kind.  Not only did I learn a lot from my outside-of-class discussions, but I also made connections that have resulted in me getting some volunteer experience and a team to enter the DC3 forensics challenge.

All in all, the Cyber Challenge camp is a wonderful kick-start for my career, and I'm incredibly grateful I had the opportunity to be a part of the first one.

Tuesday, July 13, 2010

On "Cyberwar" - Part 2: Cyberattacks and the damage they can do

Although cyberespionage is a very real threat, it's not exactly the kind of nightmare that you see in Hollywood movies, news articles or defense contract applications.  The real question is, what kind of physical damage can a "cyberwar" or "cyberterrorism" do?

Website defacement is a very common cyber "attack", sometimes including using the server to host viruses and malware.  Denial-of-service (DoS) attacks can take a website down for a period of time.  Both can cause serious damage to a victimized business, but they're not exactly militarily effective.  Security expert Bruce Schneier vividly described the threat of DoS attacks like this:
A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear.
In 2007, Estonia's government systems were hit by a major DoS attack.  While reporters widely reported it as the first cyberwar, in retrospect this seems to have been hyperbole.

There have been a number of cases of "cyberattack" reported in the media over the past few years, but it's been difficult to tell what's really going on.  Computers don't explode or fire bullets, they're just used to control other systems, so any malfunction in any system might possibly be a computer problem ... or deliberate digital sabotage.

For example, The Economist recently reported that in 1982, the CIA tampered with Soviet software to cause a gas pipeline explosion.  If true, this would be an excellent example of the physical damage a computer attack could cause (although whether it would be an act of war or an act of sabotage is a matter of opinion).  The question is, did that really happen?  It's difficult to know for sure.  In 2007, Brazil suffered a massive blackout that 60 Minutes ascribed to hackers, but it seems that it was mundane poor maintenance.

This doesn't prove or disprove the possibility of destructive hacking attacks, of course, but it does show that unlike conventional war, in the case of a cyberattack, it's difficult to even determine if you've been attacked, much less who is responsible.  This spring, Howard Schmidt was in an interview with Wired Magazine and quite frankly said "There is no cyberwar." and "As for getting into the power grid, I can't see that that's realistic."

At present, the evidence seems to point against computer attacks causing physical damage.  However, it seems prudent that we engineer critical systems (such as power plants) to be resistant to hacking attacks.  That way, we can keep this sort of "cyberwar" squarely in Hollywood.

Thanks to Bruce Schneier for extensive discussion of "cyberwar".  His analysis and research form much of the basis of my understanding of the concept and underlie these posts.

Wednesday, July 7, 2010

On "Cyberwar" - Part 1: War and espionage

Lately, the news has been hyped up about "cyberwar", both offensive and defensive. Many articles have been written about the concept, if it's likely (or not), and even whether or not the term "cyberwar" makes any sense at all.

I'm not a "cyberwar" expert, but all the rhetoric and essays being slung about the topic have convinced me that there really aren't any "experts" in this. Indeed, depending on whose article I read, different people have different opinions on what "cyberwar" is. When it comes to hacking and computer systems, where's the line between espionage, sabotage, and war? It certainly doesn't help that in modern politics and society, the line between the three concepts is being increasingly blurred even before you add in the complication of when it takes place on the Internet.

Traditionally speaking, "war" was considered to be declared combat operations between two (or more) countries, both fielding uniformed armies. Legally, soldiers needed to be uniformed, making it certain whose nation they were acting for (for example, Geneva Conventions Articles 37-39, 46, 66 among others). Non-uniformed combatants taking part in war were typically considered spies, mercenaries or illegal combatants. Thus, traditional law establishes that in order to be acting in legal war, combatants on both sides must be positively attributable to the government they're acting for. "Cyberwar" obviously can't fit this definition, as positive attribution is very difficult if not impossible. A "war on terrorism" (or even war on a particular terrorist group) also doesn't fit this definition of war, which leads to further confusion but is beyond the scope of this blog.

Espionage, sabotage and piracy are traditionally considered to be actions taken against a government which may or may not be on behalf of another government. There's a degree of secrecy and deception that's not present in the modern legal definition of war. Espionage is typically considered to be non-violent, stealing information. Cyber-espionage is a real threat, with several clear examples of data stolen from both government and non-government ("corporate espionage") sources. Although this sort of attack would be incredibly useful for government and military uses, the fact that there's no destruction or potential loss of life makes me believe that it is more properly considered a type of espionage.

The real grey area comes when we consider sabotage, attacks that cause interference or damage to data or systems. This is a complex issue, so I'll cover that in its own post.

Sunday, July 4, 2010

Who I am, and what I mean by Renaissance security professional

The "Renaissance man" is an ideal that's fallen out of favor in modern times. These days, people are expected to be specialists instead of having skill in a range of disciplines. In my opinion, the modern ideal is short-sighted. No person can be effective unless they have skill in several areas, intellectual and social. The people who achieve the most in their lives are those who have diverse skills and interests, such as Ben Franklin.

Although I've always had a diverse set of interests, it was JJ Thompson of Rook Consulting who really showed me how valuable it is to have a broad range of skill for a computer security career, and who coined the term "Renaissance security professional". Computer security needs to be more than just about technology. There is no "magic box" (hardware or software) that will make our networks impenetrable. Computer security professionals need to have an understanding of business so that we can converse with people outside our fields to show them why we're trying to make whatever change we're doing, rather than just trying to use fear, uncertainty and doubt (FUD) to make our arguments. We need to understand psychology and human behavior so that our security policies are realistic, rather than trying to demand people remember impossibly complex passwords without writing them down. An understanding of military history can inform better strategies for network defense. Besides these examples, a broad-based skill set makes one better prepared for whatever comes in life, and makes for a better person.

This is what I intend to do, and this blog will be part of that effort.