About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics.  I'm also on Twitter @bond_alexander.  All opinions are my own unless explicitly stated.

Tuesday, December 21, 2010

I'll Be Pwned For Christmas

I'll be pwned for Christmas
You can count on me
Please have bots and viruses
And exploits for me

When talking to people about viruses and infections, I've found that many are confused about how infections actually happen.  By now most people realize that a file you download can be a virus, but hackers have found ways to get around that caution.  First, the virus can be disguised as something else, such as an update to Flash Player, to trick people into trusting it.  Second, a malicious website can use a vulnerability in your browser to secretly download and execute the virus.  This is called a drive-by download, and some believe these attacks are responsible for most virus infections.  This is one of several reasons it's important to keep your computer up to date with the latest patches.  Your browser, operating system, PDF viewer (usually Acrobat), Flash Player, and Java (if you have it) all need to be kept up to date, because each of them can contain vulnerabilities that can be exploited to gain control of (pwn) your computer.

There are several goals a hacker might have for infecting your computer, but fundamentally a computer is a resource to exploit.  Modern malware, particularly botnet malware, is becoming very sophisticated.  If Zeus (Zbot) infects your system, it can modify the webpages you visit to insert its own ads, intercept website credentials (including bank accounts) and send them to the hackers, steal documents, send spam email, turn off your antivirus, install additional viruses, track your keystrokes, and grant full control over your computer ... all from a file as small as 270 kb.

With millions of dollars per year at stake, it's no wonder that virus authors will do whatever they can to infect you.  Among other techniques, they reference current events in their spam, or build sites specifically designed to appear at the top of search results for the key topics of the moment.  This time of year, that means holiday greetings that infect you and websites that appear at the top of searches for holiday terms.

What can I do about it?

Get good antivirus protection.  Use an up-to-date browser: not only are modern browsers more secure, newer versions include protection against malicious links.  Use good spam protection.  Keep your OS updated, and if you're still running Windows XP, it's time to move up.  Always, always think before you click.

Monday, December 13, 2010

Tracking cyber criminals

Whenever there's a cyber attack, one of the most natural questions is "who is behind it?"  That's a critical question to answer, because it determines the reason for the attack and the damage that's been done.  For example, if your intellectual property is stolen by a competitor, the risks are much greater than if it were stolen by an amateur hacker just poking around.  Both are dangerous, of course, but one is much more dangerous than the other.

Not all cyber attacks are equal: some are relatively straightforward to attribute, while others are far more difficult and may be impossible.  For example, take a standard Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack, such as the ongoing attack by Wikileaks supporters against organizations that they perceive as censoring Wikileaks.  They have been using a free utility called Low-Orbit Ion Cannon (LOIC), a tool designed for stress-testing websites (seeing how they perform under load).  Since LOIC is intended as a testing tool, not a criminal one, it has no anonymization features built in.  That means that if the user does not take steps to disguise themselves, it is trivial to track them down.  A couple of people associated with these attacks have already been arrested for this exact reason.

To understand how this happens, let me explain a little about how the Internet works.  Over the years, there's been significant discussion about IP addresses.  IP addresses are part of the Internet Protocol, and their function is to direct traffic to its destination and back.  When you type a URL into your browser's address bar and hit enter, your computer contacts a Domain Name System (DNS) server to translate the human-friendly domain name into the server's IP address.  It then contacts that server to initiate a TCP/IP connection, and if that succeeds it sends the request for the webpage.  All communication from your computer to computers on local networks or the Internet is sent as packets, which contain information such as the destination IP address, your IP address (so the other computer knows where to send the replies), the item (such as a webpage) requested, and other information not relevant to this discussion.  If you're using your home computer, your IP address is provided by your ISP, and if your IP address is implicated in a crime, law enforcement can contact your ISP to get your information.

Now, for a DoS attack, there are several options that criminals can use to cover their tracks.  If they use a cybercafe or open wireless access point, they can launch their attacks from there, and the return IP address will be the one belonging to the business they're using.  However, this isn't perfect.  If the business records the names of its internet users, then it's no more anonymous than using your home computer.  Also, a wireless access point will record information about your computer (its computer name and the MAC address of its network card) in order to route the webpages back to it, and that may allow tracking back to your computer.

However, that just catches the ignorant criminals.  Skilled criminals will build or rent a botnet to commit a DDoS attack.  These attacks use computers that the hackers have taken over with viruses that the victims unintentionally downloaded.  Skilled law enforcement officials can sometimes track down the hackers involved.  I don't know the methods involved, but since most successful investigations I've heard about involved hackers in Western nations, I expect it relies on cooperative ISPs.  Other criminals will use anonymization services such as Tor to commit a DDoS attack.  One interesting DoS method I've heard of involves forging the source IP address.  Since an attacker in a DoS attack doesn't actually need the webpage directed back to him, he can replace his own IP address in the packets with someone else's.  For example, in a reflected DDoS attack, an attacker sends an "Echo" request to a network broadcast address.  Essentially, this asks every computer on the network to reply with an "Echo" packet, which is normally used to test connectivity.  However, if the source IP on the "Echo" request is forged to the victim's IP address, the entire network will send its replies to the victim's computer.  This particular attack has been around for a while, so most networks have changed their configuration to prevent it.  Still, it's an excellent example of how attackers will try to cover their tracks.
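The packet fields described two paragraphs up (destination address, claimed source address) and the reflected "Echo" pattern just described can both be seen in a small parser.  This is an added example, not code from the original post: it builds a few IPv4/ICMP packets in memory (nothing is sent on a network), extracts the source and destination from the header, and applies the check a router or host uses when configured to drop echo requests addressed to a network's broadcast address.  The addresses, the network prefix and the function names are assumptions chosen for illustration.

```python
import ipaddress
import struct

# IPv4 header layout: version/IHL, TOS, total length, ID, flags/fragment,
# TTL, protocol, header checksum, source, destination (20 bytes, no options).
IP_HEADER = "!BBHHHBBH4s4s"
ICMP_ECHO_REQUEST = 8
PROTO_ICMP = 1


def make_sample_echo(src, dst, icmp_type=ICMP_ECHO_REQUEST):
    """Construct an in-memory IPv4 + ICMP echo packet as test input for the checks
    below.  Checksums are left at zero; this is sample data, never transmitted."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)  # type, code, checksum, id, seq
    header = struct.pack(IP_HEADER, (4 << 4) | 5, 0, 20 + len(icmp), 0, 0, 64,
                         PROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + icmp


def parse_ipv4(packet):
    """Return (source, destination, protocol, payload) from raw IPv4 bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack(IP_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, packet[ihl:total_len])


def is_directed_broadcast_echo(packet, local_net):
    """True for an ICMP echo request whose destination is local_net's broadcast
    address: the one packet that would make every host on the segment reply."""
    _src, dst, proto, payload = parse_ipv4(packet)
    if proto != PROTO_ICMP or len(payload) < 8:
        return False
    broadcast = ipaddress.ip_network(local_net).broadcast_address
    return payload[0] == ICMP_ECHO_REQUEST and ipaddress.IPv4Address(dst) == broadcast


def filter_inbound(packets, local_net):
    """Split packets into (forwarded, dropped).  Each drop records the claimed
    source, which in a reflected attack is the victim that would have been flooded."""
    forwarded, dropped = [], []
    for pkt in packets:
        if is_directed_broadcast_echo(pkt, local_net):
            src, dst, _proto, _payload = parse_ipv4(pkt)
            dropped.append(f"dropped echo request to broadcast {dst}, claimed source {src}")
        else:
            forwarded.append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample traffic using documentation prefixes, not real hosts.
    samples = [
        make_sample_echo("10.0.0.5", "192.0.2.10"),                    # ordinary ping to one host
        make_sample_echo("198.51.100.7", "192.0.2.255"),               # echo request to the /24 broadcast
        make_sample_echo("198.51.100.7", "192.0.2.255", icmp_type=0),  # echo reply: not the pattern
    ]
    kept, log = filter_inbound(samples, "192.0.2.0/24")
    print(len(kept), "forwarded")
    for line in log:
        print(line)
```

The same decision is what the "configuration change" in the paragraph above amounts to: routers stop forwarding packets to directed-broadcast addresses, and hosts can be told to ignore broadcast echo requests outright (on Linux, the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl).  Logging the claimed source on each drop is worth keeping, since that address is the victim rather than the attacker.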

Botnets pose significant issues for determining the origin of an attack, because the computers that are actively attacking are under the control of assorted "Command and Control" servers, which are likely not even directly owned by the hackers.  The control servers can be IRC bots, Twitter accounts, blogs, webmail accounts and/or Google groups.  They can even be rented "virtual computers" on a system like Amazon's EC2 cloud.  Modern botnets have multiple redundant control servers, so when the primary set is taken down, secondary servers pop up.  Many of these avenues can be set up anonymously, making it difficult or impossible to trace back to the original hackers.  "Shadows in the Cloud" is an excellent example of a detailed analysis of a botnet.  Even though the security researchers took the place of a command and control server and accessed the hackers' email addresses, they were only able to pin the servers down to a particular location in China.  That provides only circumstantial evidence of who is responsible for the attack.  If the Chinese government and/or ISPs were to cooperate with Western law enforcement, it's possible that we could prove who was responsible, but that cooperation seems exceedingly unlikely.

Determining who is responsible for an attack is a complex and thorny issue, but I've tried to briefly outline some of the complexities.  If you'd like to know more about particular elements or take issue with some of my claims, post to the comments.

Tuesday, December 7, 2010

How "Cablegate" Happened and What It Can Teach Us About Information Security

A lot of digital ink has been spilled about Bradley Manning's disclosure of Iraq War memos and now of the classified diplomatic cables known as "Cablegate".  Much of it has focused on Wikileaks, the site Manning chose to disclose the information to, or on the content of the leaked information.  However, much more interesting, in my opinion, are the unusual policies that allowed this to happen.

Gary Warner, author of the excellent blog "CyberCrime & Doing Time", recently wrote an article about the flaws inherent in allowing Manning unfettered and unlogged access to virtually everything he was cleared for.  This is one major reason that organizations should restrict access to those who have a legitimate need for it.  Not only does this limit the damage a disgruntled employee can do, it also limits the damage that can be done if an account is hijacked by a hacker or malware.

This is an inherent difficulty in information security: how do you draw the line between too restrictive and too generous permissions?  Manning was an intelligence analyst in Iraq, so he needed access to a wide range of information in order to do his job.  In addition to reports from Iraq itself, there might be Iraq-related discussion coming out of Afghanistan, or from diplomatic discussions between the US and Iraq, or from the US and other countries.  These are just a few examples of why Manning might have had a need for access to a wide variety of data. 

Despite the possible justification for access, it makes me wonder why the US Government allowed Manning to access virtually everything.  I have no evidence (at the time of this writing), but I strongly suspect it's due to the events of September 11, 2001 and the recommendations of the National Commission on Terrorist Attacks Upon the United States (aka "the 9/11 Commission").  Among other issues, the Commission criticized the lack of connection between individual intelligence agents and national priorities, and the lack of communication between intelligence agencies, including the military intelligence agencies.  It's possible the government's response to the Commission's report included removing all significant "need to know" restrictions, while leaving in place the basic "classification" restrictions.

(UPDATE: This suspicion has now been confirmed by the Washington Post)
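The distinction drawn above, a "classification" check that survives versus a "need to know" check that was removed, is easy to state as code.  The following is an added example written for this post, not code from any government system or from Gary Warner's article: it models clearance levels as a ranked scale and need-to-know as compartment tags that a reader must hold, then counts how many documents one analyst account can reach under each policy.  All document names, tags, levels and the analyst's holdings are invented for illustration.

```python
from dataclasses import dataclass

# Hierarchical classification levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Document:
    name: str
    level: str
    tags: frozenset  # need-to-know compartments a reader must hold (assumed tag names)


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    tags: frozenset  # compartments this user has a justified need for


def classification_only(user, doc):
    """Policy A: clearance level alone decides, so every SECRET document
    is open to every SECRET holder regardless of their job."""
    return LEVELS[user.clearance] >= LEVELS[doc.level]


def need_to_know(user, doc):
    """Policy B: the level check plus compartments; the user must hold
    every tag on the document, not just some of them."""
    return classification_only(user, doc) and doc.tags <= user.tags


def reachable(user, docs, policy):
    """Names of the documents the user can open under the given policy."""
    return sorted(d.name for d in docs if policy(user, d))


def exposure(user, docs):
    """Documents a single compromised or disgruntled account could reach,
    under each policy: the blast radius the two access rules imply."""
    return {"classification_only": len(reachable(user, docs, classification_only)),
            "need_to_know": len(reachable(user, docs, need_to_know))}


# Constructed sample corpus; names and compartments are invented.
CORPUS = [
    Document("iraq-field-report", "SECRET", frozenset({"IRAQ"})),
    Document("afghan-report-mentioning-iraq", "SECRET", frozenset({"IRAQ", "AFGHANISTAN"})),
    Document("us-iraq-diplomatic-cable", "SECRET", frozenset({"IRAQ", "DIPLOMATIC"})),
    Document("us-europe-diplomatic-cable", "SECRET", frozenset({"EUROPE", "DIPLOMATIC"})),
    Document("us-asia-diplomatic-cable", "SECRET", frozenset({"ASIA", "DIPLOMATIC"})),
    Document("sigint-summary", "TOP SECRET", frozenset({"SIGINT"})),
]

# An analyst whose job justifies Iraq, Afghanistan and diplomatic material.
ANALYST = User("iraq-analyst", "SECRET", frozenset({"IRAQ", "AFGHANISTAN", "DIPLOMATIC"}))


if __name__ == "__main__":
    for label, policy in (("classification only", classification_only),
                          ("need to know", need_to_know)):
        print(f"{label}: {reachable(ANALYST, CORPUS, policy)}")
    print(exposure(ANALYST, CORPUS))
```

The analyst still gets the Afghanistan report that discusses Iraq and the US-Iraq cable, which is the legitimate breadth the post describes; what the compartment check removes is the European and Asian cables that clearance alone would hand over.  As the corpus grows, the gap between the two counts is the extra damage one account can do.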

It's not my place to determine whether or not that decision was justified, but it's certain that allowing Manning access to everything drastically increased the damage caused by his breach.  Access policies are just one aspect of information security; the other is auditing (logging).  Wired.com quotes Manning as writing:

“I would come in with music on a CD-RW labeled with something like ‘Lady Gaga,’ erase the music then write a compressed split file,” he wrote. “No one suspected a thing and, odds are, they never will.”

“[I] listened and lip-synced to Lady Gaga’s ‘Telephone’ while exfiltrating possibly the largest data spillage in American history,” he added later. “Weak servers, weak logging, weak physical security, weak counter-intelligence, inattentive signal analysis … a perfect storm.”

Manning directly admits that weak (or absent) logging directly contributed to his ability to remove information.  Logging could have generated a digital trail of his activities (both accessing data and burning it to disk).  Good SIEM software could have managed the logs and automatically alerted the appropriate manager or authority that Manning was doing something he shouldn't have been.
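What "the logs could have alerted someone" looks like in practice is a rule run over access events.  The following is an added example, not code from the original post or from any SIEM product: it parses a small, constructed audit log (invented users, document IDs and times), raises an alert when one account opens more distinct documents within an hour than a threshold allows, and raises a second, higher-priority alert when a removable-media write follows such a burst.  The log format, field names, threshold and window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one event per line, ISO timestamp then key=value pairs.
SAMPLE_LOG = """\
2010-04-12T13:05:00 user=analyst1 action=read doc=cable-0001
2010-04-12T13:08:00 user=analyst1 action=read doc=cable-0002
2010-04-12T13:10:00 user=analyst2 action=read doc=cable-0003
2010-04-12T13:12:00 user=analyst1 action=read doc=cable-0004
2010-04-12T13:15:00 user=analyst1 action=read doc=cable-0005
2010-04-12T13:20:00 user=analyst1 action=read doc=cable-0006
2010-04-12T13:25:00 user=analyst1 action=read doc=cable-0007
2010-04-12T13:30:00 user=analyst1 action=read doc=cable-0008
2010-04-12T13:45:00 user=analyst1 action=media_write device=cdrw bytes=52428800
2010-04-12T13:50:00 user=analyst2 action=read doc=cable-0009
"""


def parse_line(line):
    """Turn '<iso-timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = datetime.fromisoformat(ts)
    return record


def detect(lines, window=timedelta(hours=1), max_docs=5):
    """Return alerts as (timestamp, user, rule, distinct_docs_in_window).

    bulk_read: more than max_docs distinct documents opened within `window`
    (fires once per user so a long session does not flood the console).
    bulk_read_then_media_write: a removable-media write while the user's
    recent read count is still above the threshold; this one always fires."""
    reads = defaultdict(list)  # user -> [(ts, doc)] in arrival order
    fired = set()
    alerts = []
    for rec in map(parse_line, lines):
        user, ts = rec["user"], rec["ts"]
        if rec["action"] == "read":
            reads[user].append((ts, rec["doc"]))
        # Distinct documents this user opened in the trailing window.
        recent = {doc for t, doc in reads[user] if ts - t <= window}
        if rec["action"] == "read":
            if len(recent) > max_docs and (user, "bulk_read") not in fired:
                fired.add((user, "bulk_read"))
                alerts.append((ts.isoformat(), user, "bulk_read", len(recent)))
        elif rec["action"] == "media_write" and len(recent) > max_docs:
            alerts.append((ts.isoformat(), user, "bulk_read_then_media_write", len(recent)))
    return alerts


def run_sample():
    """Run the rules over the constructed log above."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second rule only works if the media write is logged at all, which is the point of Manning's "weak logging" remark: a burst of reads on its own is what an analyst's job looks like, and it is the correlation with the CD-RW write, in the same window and from the same account, that turns routine activity into something a manager should be paged about.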

Just like I talked about in my blog post about airport security, effective prevention, tracking and mitigation efforts all need to be combined into a coherent policy to handle damaging attacks like the one the US Government has recently suffered at the hands of Bradley Manning.