Wednesday, November 28, 2018

Crowd-sourcing and bounties for defense

A little different post than I've done in the past, but I thought it would be interesting to the larger offensive/defensive cyber communities and too long form for Linkedin or Twitter. I'm an advisor to a company called 418 Intelligence, which is run by a friend of mine named Mark Jaster. They are trying to provide a platform that allows companies to move beyond bug bounties and actually crowd sourcing threat hunting/anomaly detection. They're just now opening up the platform to the community, I think it's worth checking out as I think there's upside for the individuals and for companies and room to grow/expand. I'd love to hear what people think of their approach, and would incorporate any positive or negative feedback you have back to them.

Here's the invitation:

If you have skills in analyzing logs and pcap files here is an opportunity to join the first cyber professionals testing a new community platform, supported by DHS, designed to incentivize and crowdsource better defense and insights on what methods are working. If testing and shaping this vision sounds interesting, sign-up to participate as a tester of the alpha release of the FOURSight DEF3NSE cyber defense crowdsourcing platform from FOUR18 Intelligence. This release operates a three-round live simulation game of an intrusion where you analyze artifacts and bet points with other players on what is happening and how to defend against it. It then transitions into crowdsourcing countermeasures against a known attacker group executing the same attack playbook in the real world.  The sign up form can be found here: FOURSight DEF3NSE Pre-registration Form.

FOURSight DEF3NSE is the first online community and marketplace for cyber defenders and decision makers to directly connect and incentivize crowdsourcing better defense and network resilience against cyberattacks. The system uses a unique, gamified and incentivized "wisdom-of-the-crowd" betting experience to crowdsource fast and accurate assessments of cyber risks and countermeasures, and it is designed to pay-off participants by creating a market for this information, including what will be the first-ever bounties for breach hunting. If the vision of bounty-hunting for attackers, or of testing what you know and winning pay-offs by predicting how successfully a countermeasure will perform against an attack sounds interesting, please join others in testing the platform and helping the designers make it great.

Once you register you will receive orientation materials explaining the system further, and an update on the testing schedule, but if you have any questions you can contact the team at admin@def3nse.net.

Thursday, June 21, 2018

@War review

I finished Shane Harris' book on Cyber Warfare recently and felt obligated to write a review about it on GoodReads. Given I spent the time writing it up, thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.


A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from mid 2005-2015 time frame. Some sampled private discussions and insights into behind the scenes discussions and classified projects. A good read for someone new to the field to catch up quickly. 

Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere and attempting to seem moderate while making clear his opinions where the concerns lie... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent to the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000 would imply a catalog of 25-500 (dozens or hundreds, not thousands)) Much hand wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.

Speculation is rampant in the book regarding what's happening behind closed doors and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included and significant portions of the book devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the content writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.)  who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!)

Books such as "Countdown to Zero-Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens. 

@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.

Friday, January 19, 2018

2017-2018 Update


 Nehemiah Security Siege Technologies     

As readers of this blog (or former readers!) have noticed I have been updating the blog less and less over the years. We successfully sold Siege Technologies to Nehemiah Security back in 2016 and have been working on the integration between the firms.
Pretty exciting to see technology we've been developing for years (Now known as AtomicEye RQ) make its way into the broader commercial market and getting traction with some big (Fortune 500) customers in addition to mid size and various government groups.
 AtomicEye
It wouldn't have happened without an experienced team like the group that Nehemiah brings to the table. Hopefully once that stabilizes I'll be able to get back to blogging more often, either this year (2018) or next (2019). Hoping to get back to some technical/cyber topics but will probably also include more diverse content as well. Stay tuned!

Wednesday, April 19, 2017

Leadership lessons

Normally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.

Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀

1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective and buy into the overall mission.
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch Netflix.
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's rap song about Mom dying and leaving him, in which case you want to start crying and console each other.
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to train a Sith could be useful I suppose.
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that yields a terrible product/experience. Don't be United Airlines and accept that just because it's the way things are or you might end up with kicking, screaming and blood everywhere.
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (even at a distance). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and should follow. Or get force choked.

Hardware enabled trust

Siege has been doing some work with hardware and software enabled root of trust implementations over the past few years. Specifically, looking at implementations like Trusted Platform Module (TPM), boot processes, UEFI, hypervisors and other implementations that utilize hardware "trust" functionality. Wanted to share some insight into what the research and implementation communities are doing.

To start, the major presentation that started a lot of attention for hypervisors and hardware trust was Joanna Rutkowska's 2006 Blue Pill presentation at Blackhat. That discussed injecting a hypervisor rootkit into a running operating system utilizing AMD's SVM (Secure Virtual Machine) instructions. Also discussed countermeasures, detections, and possible extensions to Intel's VT-x instructions. Also in 2006 researchers from Watson research discussed virtualizing the TPM so virtual machines could utilize TPM functionality.

In 2009 Rafal Wojtczuk, Rutkowska and Alexander Tereshkin presented several attacks  against the Intel's TXT (Trusted Execution Technology). Also in 2009 Rafal and Joanna presented an attack against System Management Mode (SMM). From the paper:
System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".
The authors describe
how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits
In 2011 Rafal Wojtczuk and Rutkowska presented an attack against the Intel VT-d and by extension Intel's TXT (Trusted Execution Technology). Wojticzuk, Rutkowska and Tereshkin were all part of Rutkowska's Invisible Things Lab, where the Qubes OS was also developed. Some of their posts on Qubes are available here. Qubes is an interesting project as they are attempting to implement defenses against the operating system/kernel, hypervisors and hardware that they are aware of by utilizing the full functionality of the hardware and secure design principles with strong isolation to build a significantly more secure operating system environment.
There are tons of other papers out there as well, I'd love to do a more comprehensive survey on the topic at some point. Siege has been doing some really cool research in the area and we started years ago, finally got to present it at Blackhat in 2016. Breaking Hardware Enforced Security with Hypervisors has some good information on the area and approaches to subverting the TPM interactions with the kernel/boot process by leveraging other architectural features (in our case, VT-x). Hopefully we'll have an opportunity to present some of the other things we've done in the domain in the next few years.

Thursday, May 26, 2016

From public sector to private sector: A view from the trenches.

(An abridged version of this post appeared in the CipherBrief on May 15th, 2016) 

In 2009 I left a job at the Defense Advanced Research Projects Agency and started Siege Technologies. My goal was to fill the vacuum of small, innovative companies building advanced, disruptive technical solutions in offensive and defensive cyber warfare left by recent large corporate acquisitions.  The last day at DARPA I signed paperwork removing all the accesses I had received during my time there with DARPA and our numerous partners. They took my green badge, CaC card, DARPA badge, and computer. I felt a little like George Banks in Mary Poppins when the bank fires him and proceeds to destroy his umbrella and poke a hole in his hat as part of the discharge process.  I founded Siege Technologies two weeks later and slowly collected most of those resources again over time. The experience was extremely informative and provided some important lessons for anyone contemplating a move into private industry from government or into a startup from a large company.

Advantages of government experience

There are some powerful advantages that time in government provide someone making the plunge into entrepreneurship. The biggest is a perspective on what’s going on at a national or even global level. Insight into the hard problems, operational challenges and thought leaders are invaluable takeaways from government service. Additionally the friends and contacts created throughout government, industry and academia can provide valuable assistance down the road. Having worked as a contractor, government employee and corporate employee again there’s a big difference walking into your favorite government agency with a “blue badge” versus a “green badge”. Having a government badge causes government people to assign moral characteristics to you that are significantly different than the negative assumptions pinned on contractors sadly. And strangely these positive views follow you out into corporate America. Even though I was the same person throughout the experience there is a significant difference in how the people you meet while wearing the government badge perceive you, during and after government service.

Starting from scratch is hard

It is not easy to take a blank piece of paper and write a novel. Starting a company is similar, as building something from nothing requires the ability to see a future that does not yet exist, and execute to make that vision a reality. Taking a small firm and helping it break out of a small business mindset to reach its potential is equally hard (and maybe harder in some ways) because you need to reshape structures that may have hardened and take on risk that may have been previously discarded or avoided. The technical team, technology, access to customers and partners, cash, and information are never as robust as you would like and are often in a state of flux. A challenge unique to moving to a startup from government is the gossip mill of other disgruntled government/commercial individuals who allege stolen ideas, inside access, or other improprieties as the real drivers of success. Changing the mindset of the brave souls who move from the comfort of government to the excitement of a startup is imperative, as there is no checklist of procedures or higher authority to consult before getting things done. Sitting at your desk or attending meetings are not going to get a product built or customers signed up, startups are an exercise in energy exertion. I vividly remember talking to my wife in December of 2009 about whether we would have a paycheck before Christmas and estimating how many days until our final credit line was maxed. Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing gained”.

Smaller is riskier

There is a big difference between a job in the government, a job at a big business and a leadership position in a startup. The government has a difficult job ever firing anyone or laying people off, although it does happen in rare occasions. Big business doesn’t usually fire people and layoffs are usually focused on culling the weaker ranked employees (although entire segments of the business can be felled in a single swipe!) And while small companies engage in layoffs and firing, they introduce a new variable into the equation: Cash. In business they say “cash is king” because without it, a business cannot conduct operations. Starting a company involves working for free, reduced pay, gaps in funding, contributing money, and wondering how to make payroll. Borrowing money from friends, banks, and signing numerous contracts as the guarantor. Even well funded VC-backed firms have to worry about cash throughout the process and keeps track of the “going out of business” point when your burn rate chews up the cash in the bank.

Smaller is faster

Making decisions in a small company is easy. The individual makes a decision and moves out. Sometimes there are managers or stakeholders to consult, but the reporting chain is much smaller and stakeholders to consult much fewer. The ability to make decisions quickly allows companies to react to changing market dynamics and technology much more quickly than larger firms competing in the same space. A great example of this is purchasing. When I worked at a large defense contractor, in the 1990's I needed to get a copy of “PC Anywhere”. Weeks went buy until I heard it was authorized. Weeks turned into months and I reached out to find where it was to discover the acquisition system had lost my order. When I explained what I needed I was assured it would be coming soon. A week or two later a different product (PC-Xware) arrived! Contrast that with a small firm with a flat management chain… if someone needs something at a small firm they ask their manager and it gets ordered on a corporate card within a day or two.

Smaller is more innovative

It’s easy to understand why small companies move faster, but where does the phrase “small companies innovate, big companies integrate” exist? Innovation is a complex topic which numerous books have been written about to describe. I believe there are a number of factors behind the wave of innovation coming from small firms:

  • Ability to attract and retain top talent. Employees like to work in nimble, more fun, better paying environments!
  • Emphasis placed on innovation. Small companies are taking on larger, often entrenched competitors and creating something new is often imperative to survival.
  • A culture that values disruption over the status quo. Big companies don’t change quickly while growth-oriented small companies are focused on how to change the game and become a big company!
  • Quicker access to resources and decision making. The lack of process and large management chains enable individuals to go and quickly buy/hire/talk/build whatever they need to do as part of their mission to get the job done, while larger organizations utilize processes to limit risk. 

Building a company is rewarding

Taking a company from nothing or small into something large enough to have some “punching power” is extremely satisfying. It means the market recognizes that you are offering something of value. That people are joining your endeavor to make a difference. The resources you accumulate as you grow mean some of the concerns from earlier days are mitigated and new opportunities begin to present themselves. A new era of entrepreneurs are rising up who are increasingly availing themselves of the opportunity to inject a conscience into their work and engage in social causes through their corporate position, products, and with the resources created by the firm. My wife and I have committed to giving the bulk our gains from Siege some day to charitable causes and view the firm as an opportunity to have a positive impact at a scale unachievable as individual contributors to those causes. Firms like Newman’s own give away their profit to philanthropic causes, and numerous clothing/jewelry/coffee businesses integrating a social cause into their corporate mission and value statement. In fact the percentage of corporate giving is inversely correlated with size, with the smallest firms giving the most generously[1],[2]

Perspectives on the cyber security startup market

The cyber security startup market has been hot. On fire is probably more accurate. The graph below shows how investment has been ramping up over the last seven years (I started Siege at the relative low point of 2009, apparently not a good year from investors perspective!)

Figure 1 Millions of Dollars invested in Cybersecurity Companies.
Spending on cybersecurity in 2015 exceeded $75 billion according to Gartner[3]. The market is over $100 billion according to Market and Markets and will grow to $170 billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent from 2015 to 2020[4]. The cyber security insurance market is expecting significant growth and should reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year[5].

But in 2015 signs were showing that the valuations and dollars heading to cybersecurity companies had begun to cool. Specifically, “some are predicting a measured slow-down leaving a slew of Seed/Series A funded companies without a Series B sponsor”[6]. Median security EV/revenue multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 20154.

That said the problems still remain. Enterprises large and small, government agencies and individuals are still being targeted and compromised with increasing frequency. 2015 alone saw a reported jump of 48% in compromises that were reported, and successful detected attacks have been rising at a compounded annual growth rate of 66% year over year since 2009[7]. The annual cost of these attacks range from hundreds of billions to trillions depending on your estimation methodology and sources (considering theft of IP versus just cleanup, for example). Nobody has built the silver bullet solution to solve the problem and significant opportunities exist if entrepreneurs are really providing new solutions to the problems that exist and loom over the horizon in the form of technologies or services.

Perspectives on transitioning government-funded technology

At Siege we have a number of technologies that we have developed with external funds, spanning areas as diverse as cyber quantification to custom hypervisors to software protection and software vulnerability remediation. Some were developed entirely with government funds, some with almost exclusively internal or commercial funds and most with a hybrid. Taking these capabilities from the lab to product is not easy. Numerous hurdles must be addressed, from classification to export control to publication restrictions to the myriad of intellectual property rights issues. And that’s before you address the “valley of death” that exists between research and products. An article in IEEE captures this challenge well, saying “New and innovative technologies will only make a difference if they're deployed and used. It doesn't matter how visionary a technology is unless it meets user needs and requirements and is available as a product via user-acceptable channels.  One of the cybersecurity research community's biggest ongoing challenges is transitioning technology into commercial or open source products available in the marketplace[8] and that reflects my personal experience working in research and innovation at big companies, DARPA and now a smaller firm. 

Inventors are often beholden to their creations and believe it possesses more value than they often do. There is usually a gap between the requirements targeted during development and what the market needs. And there is funding required to get the product from where it is currently to where it needs to be. Inertia fights against changing anything and turning this technology into a product, but the fight can be well worth it if the numerous obstacles are addressed with vigor head on. It is a fight that must be won in order to “change the game” and make a difference instead of allowing the solutions to important national and global problems to die an inglorious death in the lab.

Conclusion

It is impossible to affect change without taking risk. Change necessitates overcoming resistance and various obstacles to achieve a necessary goal. Starting or joining a new venture provides the opportunity to affect significant change at personal, technological, national and societal levels if success is achieved. But even if failure is an outcome, lessons are learned and character is formed through that process. The average successful entrepreneur has several failures in his or her belt (I had two false starts) and is middle aged with the median age entrepreneurs started their companies being 40[9].  Teddy Roosevelt captures the opportunity well with his famous quote: “It is not the critic who counts; not the man who points out how the strong man stumbles, or where the doer of deeds could have done them better. The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood; who strives valiantly; who errs, who comes short again and again, because there is no effort without error and shortcoming; but who does actually strive to do the deeds; who knows great enthusiasms, the great devotions; who spends himself in a worthy cause; who at the best knows in the end the triumph of high achievement, and who at the worst, if he fails, at least fails while daring greatly, so that his place shall never be with those cold and timid souls who neither know victory nor defeat.[10]




[1] CEO Force For Good, “Giving in Numbers 10TH ANNIVERSARY 2015 EDITION”, September 2015.
[2] https://philanthropy.com/article/Most-Small-Companies-Make/225215
[3] http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/
[4] http://www.marketsandmarkets.com/PressReleases/cyber-security.asp
[5] PwC, “Insurance 2020 & beyond: Reaping the dividends of cyber resilience”, September 2015
[6] Momentum Partners, “Cybersecurity Market Review 4Q 2015 Year End”, January 2016
[7] http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html
[8] Maughan, D., Balenson, D., Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death: Transitioning Cybersecurity Research into Practice. IEEE Security & Privacy, 11(2), 14-23.
[9] Ewing Marion Kauffman Foundation, “The Anatomy of an Entrepreneur”, August 2009.
[10] Theodore Roosevelt, Excerpt from the speech "Citizenship In A Republic" delivered at the Sorbonne, in Paris, France on 23 April, 1910.

Wednesday, November 12, 2014

Side channel attacks


Interesting paper came out late 2013 describing a method to use audio emanations from a CPU to determine the private key.

Since the 1990's work has gone on using timing or power analysis to accomplish the same thing (deduce secret keys). Paul Kocher pioneered much of this work, including timing attacks against RSA (paper here). Multiple attacks against RSA have used power attacks with success. There are multiple defenses against timing and power attacks, including filtering emanations, smoothing activity (adding noise), blocking the ability for someone to sense data, etc. with varying degrees of success.

The recent work can be viewed as a derivative of that prior work. But instead of measuring time between actions, or power surges directly it's using acoustic emanations to derive the same information.

Of course, the field of side channel attacks on systems is old and interesting. Some classics:
  • Tempest-style attacks intercepting video broadcasts from outside the building since the 1980's.
  • Optical tempest, where the authors analyzed the activity light on various systems and constructed a system to intercept the light from across the street of an office building and recreate a serial data stream (Pre-published version here, ACM version here.)
  • Creative attack described in 2007 to use the microphone on your system to drive input to a speech parsing engine (such as Windows Speech Recognition in Vista). MS downplayed it of course but it highlights an interesting attack vector.
  • George Hotz's PS3 hack, where he used an FPGA board to disrupt the memory bus on the PS3 and cause instruction flow to jump into regions of memory that he controlled.
  • I discussed using speakers for covert channels in an earlier post.
Another interesting side channel technique came out in 2014 from researchers at Ben Gurion university. They showed that you can use FM receivers in mobile phones to collect specially encoded data from nearby video displays to create a cooperative TEMPEST exfiltration channel. Not really an attack per se, as it involves cooperative systems but it's certainly useful to enable broader attacks. (Just like ASLR bypasses aren't attacks per se, they are information leaks that can be utilized to enable complex attacks/exploits.) Also not new, as it's building on the Tempest work from before but doing it from a cell phone is novel.

Using RFID to access systems or propagate code has been discussed since at least 2006. Vulnerabilities in optical character recognition systems (which take pictures, and analyze them in an attempt to convert into digitally represented text) were published in 2007.  Attacks using QR codes were deployed in the wild in 2012.

Those attacks rely on analog systems that are looking for digital input in the analog medium provided by an adversary. Denial of service attacks that are purely analog (such as pointing a light at a camera, or EMP disables the function of systems quite nicely) have been well documented. But what about hacking a passive sensor such as a wireless IDS? (there are hundreds of vulnerabilities in just two popular passive, inline sensors: Wireshark (285, 22 enable RCE) and Snort. (10, 2 enable RCE)) And what would you call it if you took advantage of a feature extractor (such as a facial or gait recognition engine in a camera) to crash or even exploit a device? 

It's my opinion that as computing devices become more ubiquitous and embedded in everything you'll see these types of attacks in more and more interesting locations (Police car license plate scanners anyone? Border security systems. NFC is getting owned all over the place lately. The list goes on). Attacks will move beyond information leaks and disruption to include remote access via non-anticipated "side channels" or subsystems that people don't realize create risk. (Your Antivirus software, your networked coffee pot, your tire pressure monitors!)