Monday, October 17, 2011

Nation state activity

Wanted to write about the increasing pace of "hacking" or "cyber-attack/exploitation" activities associated with nation-state actors. I'm not going to discuss the "hacktivist" activities or web page defacement that have been lingering for a while, only concerted theft of data or attacks (rather than annoyances)

Here are a couple of good articles and publicized nation-state attacks. Of course, it's important to note that it's much more fun for companies/people to claim it's a nation-state as it sounds more exciting and Hollywood ready. It's also wonderful for companies, because it removes the obligation to defend themselves ("how could we, they were a nation-state!") That said, just because every claim isn't automatically true doesn't mean that nations really aren't involved.

There is an overwhelming body of data showing that foreign activity to indicating that some nations (see, China) are actively involved in acquiring military and economic advantage by compromising foreign entities at a rapid rate. Short article on Wikipedia has some more information on that topic. There's a good article at the Economist discussing the topic as well, which reflects the increasing recognition by the main stream media about what's happening. Lots of material here, but strongly encourage you to take a look if you aren't already familiar with that data set.

Shady Rat (Multiple corporate compromises for IP, China)
McAfee writeup
Vanity fair article

SecurID compromise (?, presumably China)
Attacks on RSA

Attack on Iranian Nuclear Centrifuges (Israel)
See Stuxnet writeup here.

International Monetary Fund Attack (?)
Multiple articles, here's one.

DigiNotar Attack (Iran)
Iranian certificate attack post-mortem

United States/Iraq
Contemplated US attack

Writeup on possible past, future

North/South Activity

Russian attack on Estonia
NANOG presentation

Writeup on some of their activities

Would be interesting to expand these and track activities/capabilities by nation. Too much work for me unfortunately, but if anyone knows of something like that that's published I'd love to reference it.

Bottom line is it's clear that movement is on a significant uptick and the trend doesn't appear to be abating any time soon. Would recommend increased investment/attention by the defensive community and look at how to secure the user, supply chain, and remote attacks through training, technology and wise deployment. And try to stay out of the crossfire...

Thursday, June 2, 2011

Navy Electronic Attack and Cyber

David Fulgham captured an interesting quote from US Navy Chief of Naval Operations (CNO) Admiral Gary Roughead in Aviation Week this week:
“You are always going to have to go in and bag that system electronically before you do anything else. As you know, for the last several years we have very much wanted to take on the broader electronic attack mission. The first Growler squadron in Iraq recovered from the combat mission [there, and] 47-hrs. later they launched a combat mission on a Libyan air base.
That’s pretty extraordinary in terms of agility. That’s why we’re investing in Growler. Electronic attack is going to become increasingly important. On the cyber side, [aircraft and ships] but particularly submarines [had] an extraordinary system with which to participate in cyberoperations. Those are areas we focused on."
 VADM BERNARD J. McCULLOUGH, III testimony in September of 2010 to Congress sheds some light on Navy Fleet Cyber Command (FLTCYBERCOM) organization. They are 10th Fleet, which includes Cryptologic Operations (including EW), IO, Network operations and defense, operations and R&D.

The comments from Admiral Roughead aren't the first time the Navy or their contractors have discussed their plans for wireless cyber operations. David Fulgham has been writing on the topic for years and has a number of articles on the topic. I'd never seen the following article before, where an unnamed contractor says that they are
"developing a weapon system that can deliver cyber-effects through free space into an aperture."
The article does include some on-the-record quotes from Northrop Grumman:
"We have the same core set of engineers on a number of different programs," says Dennis Hayden, director of business development for information operations and electronic attack. "We look at NGJ as the gun and cyber-effects as the bullets. We have the flexibility to go from traditional area-suppression jamming to reactive jamming to a very precise location jamming and cyber-effects." 
Christopher Falco, program manager for the Northrop Grumman Next Generation Jammer (NGJ) team, adds:
"NGJ is a complex problem. How it affects your concept of operations and the impact for force mix all gets wrapped together in defining the capability. The more sophisticated the requirement is, the more cyber-effects can come into play," says Falco. The demand for cyber-effects projected at long range is considered inevitable. "Absolutely, that's a given," he notes. 
Wired had an article on this in January as well, referencing many of the Aviation Space and Weekly articles and other recent events to conclude it could have a more comprehensive mission (complete with an exaggerated title to draw readers in). ITT's PM points out the versatile capabilities:
“Electronic attack system and concept of electronic attack has really evolved over years,” Palacio told Danger Room. “Initially, it primarily was a system to deal with enemy air defenses. But as you start going forward and realize the electromagnetic spectrum does many things … [so] if you build a system that can generate power and modulation over a very broad RF spectrum, it can be used not only in traditional roles, but in many different roles.”
 Lots of speculation and discussion for something still in development, will be interesting to see what comes out at the end.

[March 2012 Update]
A couple of good articles from David Fulghum at Aviation Space and Weekly on NGJ. This article, titled "New Plan: NGJ To Go Unmanned" discusses the movement towards unattended air vehicles (UAVs) to carry the NGJ system. A quote from the Navy:
“That should speak volumes to you,” says Navy Capt. John Green, chief of the AEA and EA-6B Prowler program office. “We believe that the Prowler is the [electronic warfare] past; the Growler is EW now, and the future of EW will be unmanned vehicles.”
Also have an article titled "New EW Capabilities To Emerge With NGJ" that discusses some of the AEA developments and possibile kinetic weapon pairing that might occur.

Wednesday, May 25, 2011

History of Windows exploitation

Just ran across this great blog post from Abyssec Security with a history of Windows exploitation research. The post lists various landmark papers/research with accompanying papers and links to show how the attacks have evolved to overcome defenses. A must read for anyone new to the area or interested in a timeline.

Friday, March 4, 2011

Information security "thought leader" and independent researchers

Had to share this thoughtful, informative video from Chris Eng from Veracode. It's about 3 minutes long or so. He apparently created it for an internal video competition and it spread from there.  It will make you think, laugh, and cry. Well, maybe just think and laugh.

Update: Just got this from a friend (Thanks Andre!). Sotirov posted a video on YouTube talking about the life of an "independent security researcher" which was good. (Although disconcerting to see the same voices on different, fluffier bodies!)

Wednesday, February 23, 2011

Security companies, social media, and hacktivism

On February 4th the Financial Times ran an article claiming that Aaron Barr, from HBGary Federal had unmasked key leadership in the Hacktivist group "Anonymous". Anonymous had garnered international attention for their attacks on groups opposed to Wikileaks (Mastercard, Visa, Sarah Palin, etc.) As a result of their activity the FBI had been kicking in doors attempting to arrest people, causing some concern at the group. HBGary Federal was also looking at ways to bring down Wikileaks and their support infrastructure. The Financial Times article claiming that Aaron Barr had specifics on their leadership caught the attention of Anonymous, who turned their attention to HBGary Federal and Mr. Barr. HBGary Federal was a sister company of HBGary, a computer security company from 2003 started by Greg Hoglund and his wife Penny Leavy.

On February 5th Anonymous went after HBGary Federal, starting off with a Distributed Denial of Service attack and moving from there as Aaron responded aggressively. They got into his Twitter account, Linkedin account, email account, and web administration accounts. They deleted backup accounts, wiped his iPad, and moved on to compromising HBGary and (both run by Greg Hoglund, who was also part owner of HBGary Federal).

Because HBGary used a non-standard CMS (Content Management System) it had not been subjected to significant security review. Anonymous used a previously unknown SQL injection to download the password file which used MD5 hashes. Using a rainbow table they were able to quickly crack the simpler passwords, one of which was Aaron Barr's and another was his COO, Ted Vera. He also reused this password on multiple sites, making their life easier. They used another the password from Ted Vera to SSH into a Linux server that HBGary Federal used, and utilized a known vulnerability (that hadn't been patched) to escalate to root privileges.

Because Aaron was the administrator for their Google Apps account they were able to reset and access Greg Hoglund's mail, where they found administrative passwords for in plaintext. They then utilized some social engineering to the administrator to get an account they could login with remotely (can't use the root account). Once this was accomplished they published the entire password hash table and defaced all the sites. Some details of the attacks can be found here.

After pulling off the attack Anonymous was contacted by Penny Leavy, who owns part of HBGary and HBGary Federal to try to negotiate a truce. Anonymous wasn't particularly interested, and conditioned any actions on their part to Penny firing Aaron and a number of other steps she wasn't going to take. Shortly afterwards they began leaking both HBGary Federal and HBGary corporate emails in large quantities on the Piratebay and numerous other locations, to the enjoyment of voyeurs, reporters and the curious worldwide. (I've decided not to link to them or analyze the uploaded content and will focus on published stories instead). 

This story has caught the attention of many in the security community (and even more broadly) for a number of reasons. The tie-in to Wikileaks, the sensational nature of the story, the depth of the information available, the personalities involved. The fallout has been significant as well.  The leaked emails contain references to numerous other organizations with sensitivity concerns. The DailyKos points out Aaron's plan (and an associated published government solicitation) to create and manage an army of virtual personas should cause concern when considering people group's opinions and the ability for misrepresentation and influence. Ars Technica has had a number of good stories on the topic. The published this one, talking about their "Black Ops". Lots of sensational topics (0-days, rootkits, government "back doors", etc.) although it appears that there were no confirmed connections to any other government organization, a number of government and defense contractor groups are mentioned (like Northrop Grumman (Barr's old employer), Farallon Research, Mantech, GD-AISEndgames and many others) and thus impacted by this situation. As a result, some organizations (like Palantir and Berico) that they were involved with have severed all professional ties with HBGary in an attempt to separate themselves from the situation.

There was a fair amount of interest about their rootkit work, for obvious reasons (Greg runs They had proposed an interesting one called Magenta that received some attention.

Andy Greenberg believes that the attack could backfire on Wikileaks, as people confuse hacktivism with Wikileaks and realize that the attack on HBGary and the damage caused could happen to anyone. Personally I think that idea would have had merit if there wasn't so much dirt unearthed on Aaron and the company that captured the attention of the audience. Unfortunately the sensational nature of the story makes it easy to (at least currently) overlook the underlying issues of anonymity, free speech, corporate/organizational ethics, government and corporate relationships and what protest means in the digital domain.

Given the quantity of information that people are still going through (over 8GB available on various torrents) it appears likely that other stories will be forthcoming. A number of lessons are available. Here are a few of my immediate take aways:
  1. Criminal allegations, interactions, and investigations should not be taken lightly. Once you start interacting with groups like that your threat/risk profile changes significantly.
  2. Good reminder that multiple techniques (0-day, unpatched exploits, cracking passwords, social engineering, etc.) used in conjunction are extremely powerful and can lead to full and complete compromise. 
  3. Given point (2), perhaps people will finally start encrypting sensitive emails. You never know who could end up reading them. Also wise to ensure you do have robust passwords that are not reused, and critical systems are always fully patched. You can't stop 0-day (well), but you can certainly prevent known vulnerabilities from being exploited!
  4. Important to consider who your partners are. Any behavior on their part could affect you in a blowback situation. Obviously you can't run a background investigation on everyone you interact with, but look at those opaque, back room deals and consider how they would be perceived in the transparency of the Internet.
  5. Good reminder about starting a business... probably best to figure out what you're going to be the best at and focus on doing that... and have a clear plan for how to get there. Front loading your investment/risk and chasing ambiguous, frequently delayed government contracts is a risky position that can lead to sub-optimal situations and decisions made under pressure down the road.
I'll update this post as particularly interesting parts of the story come to light. Will be interesting to see if the FBI ends up getting any traction bringing anonymous to trial, if HBGary faces any charges or impact other than relational/financial, and how the other stakeholders in this affair are impacted in the short and long term.

Update (March 2nd, 2011): Stephen Colbert did a segment on the Colbert Report on the topic that was amusing. Aaron Barr has resigned. And House Democrats are calling for an investigation, focused on the "reconnaissance cell" that HBGary was discussing to target union members.