tag:blogger.com,1999:blog-91437150599461957372024-03-14T05:31:53.740-04:00Cyber-SonA blog discussing "Cyber" and AI topicsJason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comBlogger48125tag:blogger.com,1999:blog-9143715059946195737.post-82560090019663456952023-03-07T10:06:00.000-05:002023-03-07T10:06:13.239-05:00Artificial Intelligence Opportunities<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoHXqyAnQeb2hbsSP3v8byy8K-YxNjdVq59QpLTofuK-oCQ9x-DvH299QBmbC7ziSmaQE-RLXMNcZNJ6MQVYfFWBZUQ2gtt4cWpTO_9B46ZR_4YqsZJaYxAYF8qlcCMcMXKEZC65iNqjhoT-t1Vph_fa6O8gJnVtLsE9kPtFOoUJnfr-96l1kgm87Bmg/s1920/infographic_wheel_v2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1290" data-original-width="1920" height="429" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoHXqyAnQeb2hbsSP3v8byy8K-YxNjdVq59QpLTofuK-oCQ9x-DvH299QBmbC7ziSmaQE-RLXMNcZNJ6MQVYfFWBZUQ2gtt4cWpTO_9B46ZR_4YqsZJaYxAYF8qlcCMcMXKEZC65iNqjhoT-t1Vph_fa6O8gJnVtLsE9kPtFOoUJnfr-96l1kgm87Bmg/w638-h429/infographic_wheel_v2.jpg" width="638" /></a></div><p>I'm an Artificial Intelligence (AI) and technology (in general) optimist. That means I believe the positive
outcomes will outweigh the negatives. AI is a type of new tech with significant potential to reduce or
eliminate mundane (or even interesting) human operations such as
checking out products purchased while <a href="https://www.theverge.com/2021/6/15/22534570/amazon-fresh-full-size-grocery-store-just-walk-out-cashierless-technology-bellevue-washington" target="_blank">shopping in person</a>, <a href="https://www.wired.com/tag/self-driving-cars/" target="_blank">driving a car</a>,
<a href="https://www.netsuite.com/portal/resource/articles/ecommerce/warehouse-robotics.shtml" target="_blank">working in a warehouse</a>, identifying <a href="https://www.pictionhealth.com/">skin conditions</a>, and many more. Since my last blog post we've seen <a href="https://openai.com/dall-e-2/" target="_blank">Dall-E 2</a>, <a href="https://starryai.com/stable-diffusion" target="_blank">Stable Diffusion</a>, <a href="https://autocrypt.io/the-state-of-level-3-autonomous-driving-in-2023/" target="_blank">self-driving cars</a> and <a href="https://openai.com/blog/chatgpt/" target="_blank">ChatGPT</a> moving from experimental phases into real-world operations.</p><p>I'm not naive: with any
significant advancement of society we have seen associated downsides, and
AI will not be without valid detractors. I'm still waiting for an AI
company to drastically address the challenges we see in cyber security
from hiring/training, automating data analysis, detecting threats,
remediating systems, or conducting investigations. It's happening slowly,
although the marketers have been hyping it for almost a decade now. <br /></p><p></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqPeo2S9P96ANAgpv5zkyPHHrarcC8YeRxlo6T6eiRViYqKBFI-Ubf_ywDs0iMCLuX_DVQbzs25hUCR-uTgKR_VBNFGyxY_mszVSzwySWNjHOlcik9o7A4DbS-sBwTK_M8uCdm08ETF7mL2v4SfIpeNIAEwbxwvsNfnRPPm9ajogfl-pSRALwe1rm-dw/s480/DestroyHumans.gif" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="363" data-original-width="480" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqPeo2S9P96ANAgpv5zkyPHHrarcC8YeRxlo6T6eiRViYqKBFI-Ubf_ywDs0iMCLuX_DVQbzs25hUCR-uTgKR_VBNFGyxY_mszVSzwySWNjHOlcik9o7A4DbS-sBwTK_M8uCdm08ETF7mL2v4SfIpeNIAEwbxwvsNfnRPPm9ajogfl-pSRALwe1rm-dw/w320-h242/DestroyHumans.gif" width="320" /></a></div>Some people are <a href="https://en.wikipedia.org/wiki/AI_takeover" target="_blank">afraid of Artificial Intelligence</a> (AI) and <a href="https://www.iotforall.com/impact-of-artificial-intelligence-job-losses" target="_blank">losing jobs</a> <a href="https://www.nytimes.com/interactive/2022/12/26/magazine/yejin-choi-interview.html" target="_blank">or worse</a>, some sort of digitally induced <a href="https://www.cs.memphis.edu/~tmccauly/ai_armageddon-McCauley.pdf" target="_blank">Armageddon</a>. There are lots of reasons for this: we have centuries of history where people claimed we would run out of food, or that assembly lines meant humans were not needed anymore. And while technology has meant many orders of magnitude improvements in productivity and quality of life, it has also yielded weapons and digital addictions. <br /><p></p><p>As an investor I'm investing in AI focused or enabled companies more often now (firms like <a href="https://www.pictionhealth.com/" target="_blank">Piction Health</a> and <a href="https://spiky.ai/" target="_blank">Spiky</a>). 
I love how the field is automating the mundane, unlocking new capabilities and has transformative potential to address challenges in society. From enabling first time entrepreneurs to rapidly <a href="https://jproco.medium.com/a-guide-for-building-launching-and-selling-no-code-apps-146e5efd4a60" target="_blank">build a no-code system</a>, or software engineers to <a href="https://github.blog/2022-09-07-research-quantifying-github-copilots-impact-on-developer-productivity-and-happiness/" target="_blank">produce more code</a> in the same time (and <a href="https://github.blog/2022-09-07-research-quantifying-github-copilots-impact-on-developer-productivity-and-happiness/" target="_blank">be happier</a>!), or people to be productive while their car drives itself (and reducing fatalities at the same time!), there is a lot to love. </p><p>There are numerous areas of application with significant potential to improve the human condition. I've decided to focus all my efforts on one area that is less impactful to humanity but nonetheless an exciting opportunity: Sports. By using AI to automate the mundane tasks of collecting stats, recording video of games, editing highlight clips, and analyzing performance we can democratize access to many tools restricted to the wealthy or elite. I've played basketball for over 30 years and all of my children play (and played other sports like soccer), so my wife and I have served as parents and I've coached for almost 15 years. There is massive potential to improve players, save money, have more fun, and help poorer players get better tools and exposure by applying AI (and a specialty subfield called computer vision). 
</p><p>In 2021 <a href="https://www.businessnhmagazine.com/article/upstart-startups-sportsvisio" target="_blank">I founded</a> <a href="https://sportsvisio.com/" target="_blank">SportsVisio</a>, a sports technology company <a href="https://blog.sportsvisio.com/blog/jason-syversen-the-local-maximum">using AI/Computer Vision</a> to automatically create stats, highlights and analytics for sporting events. We are <a href="https://blog.sportsvisio.com/blog/jason-syversen-the-tech-of-sports-podcast" target="_blank">starting with Basketball</a> and expanding to other sports over time. <a href="https://profluence.com/podcast/jason-syversen-sportsvisio-10x/" target="_blank">I'm excited about our potential</a> to help players, parents and coaches, but for me the goal is really more about building a great company that <a href="https://www.faithdriveninvestor.org/podcast-inventory/episode-115-love-people-and-free-enterprise-with-jason-syversen" target="_blank">allows us to drive financial resources to high impact charities</a>. After selling Siege Technologies my wife and I set up a foundation <a href="https://www.givewell.org/">to find</a> and support charities having a tremendous, <a href="https://www.esquire.com/lifestyle/money/a44028/where-to-donate-your-money/">cost effective impact</a> on the marginalized in society. It's an incredible blessing to get to do so, and it motivated me to "get off the couch" and get back into the game as an entrepreneur to try to grow what we're able to distribute over time. There are still so many needs in the world and a thousand dollars can have massive impact (especially in third-world countries).</p><p>It's been fun to work in an area that non-computer science majors like my kids can understand! And wonderful to not have to sell to the 500 overworked Fortune 500 CSOs who are bombarded by sales pitches from cyber security firms around the world. 
Working in an area with virtually no high-tech competition is different, and it's exciting to feel like you're charting new ground. There are many industries that have done things the same way for decades or even centuries that will be disrupted by the <a href="https://ai100.stanford.edu/2021-report/standing-questions-and-responses/sq2-what-are-most-important-advances-ai" target="_blank">rapid advances in AI</a>; I'm looking forward to being in one of them.<br /></p>Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-64831706777965188332021-04-27T18:14:00.004-04:002021-05-06T17:55:16.285-04:00Getting into Cybersecurity<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie9bjNV6WZmpoScc0m-EO_wi_IFXS6rlfgDNN2uAIcJgsnFhL8xzA1oP7C8rYVaCxa72NboWAt6QWL1FMjgnHQ5ul5WzDhxu9MTmtQk2bjpb1sEufT8YDY-L0X1meQz62dS_17IRunVzsp/s416/CyberSecurityDisciplines.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="121" data-original-width="416" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEie9bjNV6WZmpoScc0m-EO_wi_IFXS6rlfgDNN2uAIcJgsnFhL8xzA1oP7C8rYVaCxa72NboWAt6QWL1FMjgnHQ5ul5WzDhxu9MTmtQk2bjpb1sEufT8YDY-L0X1meQz62dS_17IRunVzsp/s320/CyberSecurityDisciplines.png" width="320" /></a></div><br />A common question hackers or security professionals get asked by others is "how do I learn how to hack" or "how do I get into cyber security". It's a complicated question because everyone has different skills, expectations, goals, and motivations, and the field has more than one "right answer". <p></p><p>I was asked that again recently by a young man who is studying computer science and interested in cryptography and protocols, so I gave him a more low-level, technically focused answer. But there are many paths into the field and not everyone does 0-day exploits or zero-trust systems! 
Hopefully this list is useful to those looking for resources on how to get into the field, though.</p><p>One thing I'd share for a more general audience is the number of support groups that exist to help different communities. There are 35+ initiatives to <a href="https://www.comparitech.com/blog/information-security/women-cybersecurity-initiatives/" target="_blank">assist women entering the field</a>. Ten organizations centered around <a href="https://www.csoonline.com/article/3586166/10-organizations-that-promote-diversity-in-infosec.html" target="_blank">diversity in cybersecurity</a>. Teaching <a href="https://www.monster.com/career-advice/article/how-to-teach-kids-code" target="_blank">kids to code</a>. Resources to train <a href="https://www.nist.gov/itl/applied-cybersecurity/nice/resources/veteran-resources" target="_blank">veterans in cybersecurity</a>. </p><p>My email is below: <br /></p><div style="margin-left: 40px; text-align: left;">It's hard to provide useful advice without context of what you're looking for in security. Given you're a CS major who likes crypto and protocol design, I'll focus my advice on the technical aspect of security (which was my focus). But many choose to focus on the IT/Devops side, training, analyst, infrastructure, development, etc. I liked the hacking/crypto/reverse engineering/exploit/research portions, and my advice below will be slanted that way:</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"> I'd encourage you to learn as much low-level stuff as you can
(assembly, exploits, reverse engineering (tools like <a href="https://www.hex-rays.com/ida-pro/" target="_blank">IDA Pro</a>, <a href="https://ghidra-sre.org/" target="_blank">Ghidra</a>, and my personal favorite, <a href="https://binary.ninja/" target="_blank">Binary Ninja</a>), protocol analysis, fuzzing, memory analysis/forensics,
etc.). The more of that you know the better equipped you will be to
tackle the hardest/most valuable problems in cyber security (and the
more interesting/fun/lucrative it is IMHO!) </div><div style="margin-left: 40px; text-align: left;"> </div><div style="margin-left: 40px; text-align: left;">For news, I used to get the <a href="https://www.sans.org/newsletters/newsbites/" target="_blank">SANS Newsbites</a> email, which was solid.
There's a great Twitter account/email I get now called <a href="https://tldrsec.com/" target="_blank">TLDR Security</a>
which is mostly focused around vulnerability research and
application/cloud security but includes lots of other good content and is well written. There are a number of lists on Twitter for
security too, by category (infosec, appsec, pentesting, etc.). Personally
I just started following some people I knew and leaders in the field and seeing
who they shared/followed and built it from there. Had to prune (still
do) as some of them are jerks or just rant about politics or whatever,
but some great ones out there too. Here's a <a href="https://www.sentinelone.com/blog/21-cyber-security-twitter-accounts-you-should-be-following-in-2021/">decent starter list</a>, but I'd add a ton (@DinoDaiZovi, @HalvarFlake, @DaveAitel, me (@jsyversen), @ErrataRob, etc.) There are Slack groups set up around particular topics you want to learn about... for example, if you are getting into reverse engineering and using Binary Ninja, they have an <a href="https://slack.binary.ninja/" target="_blank">excellent Slack</a> that's very active and informational. <br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><a href="https://ctftime.org/event/list/" target="_blank">Capture the Flag competitions</a> (CTFs) are a great way to learn the offensive/defensive side of the domain; there are a ton of online/virtual ones as well as ones in person you can attend. And of course Blackhat and other conferences (there's probably over a thousand at this point) are good places to learn and meet others in the field. This site claims to offer a spreadsheet <a href="https://securitytrails.com/blog/cybersecurity-conferences" target="_blank">listing them</a>; there are 51 listed <a href="https://securityscorecard.com/blog/best-cybersecurity-conferences-to-attend-in-2021" target="_blank">here</a>. <br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">
There are tons of reverse engineering challenges online too. Here's a <a href="https://crackmes.one/">great site</a> that has puzzles around reverse engineering to solve that you can download and try out; they get progressively harder.<br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">This is a <a href="https://www.cc.gatech.edu/~krwatson/how_to_get_started_hacking.html" target="_blank">helpful site</a> with information on how to get started in hacking (mindset, resources, places to go, networking, etc.) <br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">This wasn't around when I was learning, but now you can watch Youtube channels or Twitch streams from people <a href="https://vidooly.com/blog/ethical-hacking-youtube-channels/" target="_blank">talking about hacking</a> (Twitch stream <a href="https://www.twitch.tv/thecybermentor" target="_blank">example</a>).</div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">Here's a random list of <a href="https://techbeacon.com/security/modern-red-teaming-21-resources-your-security-team" target="_blank">resources</a> on red teaming, lots of good stuff in there. <br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">There's even an entire genre of people now developing games to help teach cybersecurity concepts. <a href="https://www.helpsystems.com/blog/break-time-6-cybersecurity-games-youll-love" target="_blank">6 games</a> here, <a href="https://www.livingsecurity.com/blog/10-best-games-cyber-security" target="_blank">10 games here</a>, and <a href="https://www.immersivelabs.com/product/features/gamified/" target="_blank">Immersive Labs</a>, but there are many others out there and more coming. 
My personal favorite is <a href="https://pwnadventure.com/" target="_blank">Pwnie Island</a>, which is an FPS you can only beat by learning how to hack the game itself to beat certain challenges that are otherwise unbeatable. </div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;">Once you get decent at it, you can start focusing your energy around legally hacking certain products, submitting the bugs you find, and getting paid! Some people make $50-100k+ doing this as a fun side project. Sites that enable you to do that include <a href="https://www.hackerone.com/for-hackers/how-to-start-hacking" target="_blank">Hackerone</a> and there's a full list of bug bounty programs from <a href="https://www.bugcrowd.com/bug-bounty-list/" target="_blank">BugCrowd too</a>.<br /></div><div style="margin-left: 40px; text-align: left;"><br /></div><div style="margin-left: 40px; text-align: left;"><table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtzJqitSj5UCT0o4Lt-5JjWWDPdA55Hbdpj-Pld5PFQFiHYZ2x-P44YobV1wDWkjcHf028CZEn7g0PUQtHFadFgkUkR974gyWlMdNRrGCx2vklC_95wacHj8u2c1a0YhHoPo49ZqVQaMI/s960/CyberSecuritySpendingOverTime.jpg" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" data-original-height="790" data-original-width="960" height="263" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDtzJqitSj5UCT0o4Lt-5JjWWDPdA55Hbdpj-Pld5PFQFiHYZ2x-P44YobV1wDWkjcHf028CZEn7g0PUQtHFadFgkUkR974gyWlMdNRrGCx2vklC_95wacHj8u2c1a0YhHoPo49ZqVQaMI/w320-h263/CyberSecuritySpendingOverTime.jpg" title="Forbes Estimated Global Cyber Security Spend" width="320" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;"><a 
href="https://www.forbes.com/sites/louiscolumbus/2020/04/05/2020-roundup-of-cybersecurity-forecasts-and-market-estimates/?sh=578f8e75381d" target="_blank">Forbes Global CyberSecurity Spend</a><br /></td></tr></tbody></table>Hope this is helpful; let me know if you have other specific questions. As you get further along I can definitely point you toward more resources as you dig deeper.</div><div style="margin-left: 40px; text-align: left;"> <br />There are tons of jobs out there for sharp people who are motivated; they estimate there are supposedly 3.5 million <a href="https://cybersecurityventures.com/jobs/" target="_blank">unfilled cybersecurity jobs</a> in 2021, and the field has been growing and is expected to continue doing so for quite a while, as shown in the graphic. </div><div style="margin-left: 40px; text-align: left;"> </div><div style="margin-left: 40px; text-align: left;">Good luck!</div><div style="margin-left: 40px; text-align: left;"> </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">[Edit] I posted this and asked for some feedback. Got some good suggestions I wanted to include below. First, here's <a href="https://danielmiessler.com/blog/build-successful-infosec-career/" target="_blank">another person's approach</a> to answering this same question with more effort spent on the "getting a job" portion. He seems to have more of an IT/sysadmin perspective versus my path/interest (more of the hacker/0-day researcher side), but honestly that's probably more useful for more people. </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Along that line, <a href="https://en.wikipedia.org/wiki/David_Brumley" target="_blank">David Brumley</a> suggested describing ways to engage the community. While this is helpful for building up your reputation/network, you also learn a lot by just doing and helping teach others. 
Possible ways to get involved range from volunteering to help at a security conference (there are tons and virtually all of them don't make money for the organizers), helping contribute to organizing a CTF, releasing tools you write open source or helping improve other people's tools, mentoring younger people who are earlier in their journey than you are (particularly people from disadvantaged backgrounds!), finding meetups in your area, etc. I'm sure there are tons of other ways!</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://www.blackhat.com/eu-14/speakers/Erik-Cabetas.html" target="_blank">Erik Cabetas</a> is a big fan of Over The Wire games, as they offer a ton of <a href="https://overthewire.org/wargames/" target="_blank">free online games</a> to teach tools and hacking techniques. He also pointed out there are huge communities of people interested in <a href="https://www.reddit.com/r/netsec/wiki/start?utm_source=reddit&utm_medium=usertext&utm_name=netsec&utm_content=t5_1rqwi" target="_blank">security on Reddit</a> you can connect to. </div><div style="text-align: left;"><br /></div><div style="text-align: left;"><a href="https://twitter.com/clintgibler" target="_blank">Clint Gibler</a> from <a href="https://tldrsec.com/" target="_blank">TLDR Security</a> (an excellent newsletter you should totally get) had some great career tips in his last one that I thought I'd include below as well:</div><div style="margin-left: 40px; text-align: left;">
<p style="color: #202020; font-family: Helvetica; font-size: 16px; line-height: 150%; margin: 10px 0; padding: 0; text-align: left;"><a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=788b084145&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">How To Start Bug Bounty For Beginners</a><br />
A number of talks and resources by <a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=5ed3d1639a&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">@securibee</a>.<br />
</p>
<p style="color: #202020; font-family: Helvetica; font-size: 16px; line-height: 150%; margin: 10px 0; padding: 0; text-align: left;"><a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=e83d2c26b7&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">How to land your first job as a bootcamp grad</a><br />
By Netflix Senior Engineer <a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=9eb53eafcf&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">Scott Moss</a>.<br />
</p>
<p style="color: #202020; font-family: Helvetica; font-size: 16px; line-height: 150%; margin: 10px 0; padding: 0; text-align: left;"><a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=39d987f65c&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">How I Would Get My First Cybersecurity Job If I Had Zero Experience Or Education!</a><br />
By <a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=5c65190a68&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">Cybersecurity Meg</a>.<br />
</p>
<p style="color: #202020; font-family: Helvetica; font-size: 16px; line-height: 150%; margin: 10px 0; padding: 0; text-align: left;"><a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=d388b3f971&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">Remote Hunt</a><br />
Find remote jobs.<br />
</p>
<p style="color: #202020; font-family: Helvetica; font-size: 16px; line-height: 150%; margin: 10px 0; padding: 0; text-align: left;"><a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=bcf1894f96&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">tadwhitaker/Security_Engineer_Interview_Questions</a><br />
By <a href="https://tldrsec.us18.list-manage.com/track/click?u=bd5eb27cbf2439548b2e8a004&id=c7c0289e61&e=40c34dfc9f" rel="nofollow noopener noreferrer" style="color: #007c89; font-weight: normal; text-decoration: underline;" target="_blank">Tad Whitaker</a>:
A deduplicated list of questions asked during security engineer
interviews based on Glassdoor.com, covering: encryption and
authentication, networking and logging, OWASP Top 10 and AppSec,
databases, tools and games, programming and code, and compliance.</p><span> </span></div>Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-90854887194978948962020-09-15T14:22:00.001-04:002020-10-13T16:40:32.002-04:00Engineer -> Cyber -> Startup -> ... Politics?<p> </p><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh1FsLtfph2gropB7YcvT-RMYiu1d1pAJOKQjBT8rjGqdsCJKXTn02ySHQSYRTy8aPAqRAZZtY7P_0x7XMKEF5GFNUaGsUG_H8RoXWYxt_OWzIgg7ajjJZq8z2QsB3UM4UAYbDZ3IN1V27/s640/Syversen+Bloomberg+photo.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="427" data-original-width="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh1FsLtfph2gropB7YcvT-RMYiu1d1pAJOKQjBT8rjGqdsCJKXTn02ySHQSYRTy8aPAqRAZZtY7P_0x7XMKEF5GFNUaGsUG_H8RoXWYxt_OWzIgg7ajjJZq8z2QsB3UM4UAYbDZ3IN1V27/s0/Syversen+Bloomberg+photo.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Bloomberg photo of me looking serious in front of computers. </td></tr></tbody></table><p></p><p>As I wrote in my <a href="https://www.cyber-son.com/2020/07/latest-initiative.html">last post</a>, I've decided, despite spending my entire career in technology (and almost all of it in cyber security), to <a href="https://www.wmur.com/article/nh-primary-source-tech-entrepreneur-political-newcomer-syverson-eyes-run-for-state-senate/32761865">run for public office</a>. It's not a typical path, and it's not one I suspect is permanent. I outlined some of the reasons I decided to run in my <a href="https://www.cyber-son.com/2020/07/latest-initiative.html">earlier post</a>, so I won't outline them again here. 
What I did want to do is spell out some of the things I think an engineer/nerd/tech-person/hacker/etc. brings to the table from a skill set/perspective point of view, and some tech-focused goals. You can see my specific career trajectory <a href="https://www.linkedin.com/in/jsyversen/" target="_blank">at Linkedin</a>, and although I've been fortunate to have a really cool career, I honestly believe that many of the technical people I've worked with share most if not all of the aptitudes I describe below. A few of them are unique to cyber folks, and a few are also specific to hackers, but most I think apply across members of the engineering/technology fields. <br /></p><p><span style="font-size: large;">Aptitudes</span></p><ul style="text-align: left;"><li><span style="font-size: large;"><span style="font-size: small;">Analytical mindset</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ability to work with numbers/large data sets/statistics/budgets/finances<br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ability (love?) 
of reading specs, protocol docs, legal documents, prior art, etc.</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ability to focus on facts and not just the emotional component of complex issues</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Strategic mindset looking at long-term implications and not just short-term</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Understanding of computers and technology and software<br /></span></span></li><ul><li><span style="font-size: large;"><span style="font-size: small;">How they're built and how to build them<br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How to use them effectively</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How to hack/exploit them. And how to (mostly) secure them</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How to communicate about technical topics to non-technical people<br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How and when to apply technology and when to focus on people/process</span></span></li></ul><li><span style="font-size: large;"><span style="font-size: small;">Importance of STEM education</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How technology drives jobs, education, economic growth, and organizational efficiency</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ability to deal with people who passionately take a position and focus on common ground and how to bridge the communication divide. (Linux vs. 
Windows, Emacs/Vim, SW or HW problem, etc.!)</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">How cyber security affects policy (voting, privacy, corporate liability, government IT spending, etc.)</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Strong work ethic</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Seeing new ways of doing things, inventing new ideas.</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Love of learning, digging into complicated topics and not looking for easy answers<br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Dissatisfaction with the status quo, finding ways to improve processes.</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ability to multi-task (I've been told ADHD is common in hackers, I know I have it!) <br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Rational decision making, processes driven by facts/logic/data and not rhetoric/rumor/etc. </span></span></li></ul><p><span style="font-size: large;"><span style="font-size: small;"> There are plenty of things engineers ALSO need to have to be an effective politician. A love of people. Good interpersonal/writing/presenting skills. Empathy/compassion. These came from genetics (my extroverted non-engineering mother complemented my Norwegian engineering father nicely!), faith (hard to say you love God if you can't love the people in front of you!) 
and life (you grow in compassion and empathy as you walk with people who are suffering, experience trauma/difficulties yourself, have children, etc.!)</span></span></p><p><span style="font-size: large;">Tech-Oriented Goals<br /></span></p><ul style="text-align: left;"><li><span style="font-size: large;"><span style="font-size: small;">Help secure funding to increase broadband and 5G access across New Hampshire</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Review and enhance state policies, procedures and technical posture around cyber security, computerized voting, remote education, internal and citizen-facing government software, government networks/systems</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Ensure the state government works closely with federal agencies to receive and share cyber security threat information and develop policies/procedures for the state and support towns/county-level cyber security posture and programs <br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Pursue right-to-repair legislation that ensures that citizens and companies who purchase products are allowed to repair/maintain those products</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Increase government transparency and electronic records access to the public</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Increase the implementation and security around electronic medical records</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Accelerate the digitization of legacy paper/analog based processes and procedures, such as requesting legal documents </span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Support initiatives to develop enhanced technical literacy in young people (computer science, IT, science/math curriculum) 
and retraining programs to provide upward/lateral mobility, particularly with under-represented/minority groups<br /></span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Balanced, data driven approach to the increasing use of physical and online surveillance technologies and the inherent tradeoffs between increased security and decreased privacy</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Analysis of data-ownership models and the application of privacy-preserving technologies to encrypt/anonymize citizen data wherever possible</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Embrace of digital currency options and new technologies to enhance business/citizen experiences in the state (electronic tolling, online registration, etc.)</span></span></li><li><span style="font-size: large;"><span style="font-size: small;">Support robust, reliable, high quality online learning options from kindergarten through adult educational levels for accredited and unaccredited programs </span></span><br /></li></ul><div><p>I'm sure there are plenty of other things that will come up, and of course my focus isn't purely on technical topics. (Low taxes is one I'm fond of!) But that's a good list of things I think about and a unique POV to bring to the capital, leveraging my tech background.</p><p>I would love to see others in the tech/security community also get involved in public service, either serving in government or, even better, volunteering for roles such as poll workers, running for local/state office, and supporting good people in your communities who do run. If anyone has questions for me about the process, the campaign, issues, etc., feel free to reach out. The easiest way is email or Twitter. <br /></p><p>If anyone wants to volunteer or donate to my campaign, I need a ton of support! 
From my last post: </p><blockquote><p>"I discovered that the senator currently representing the district (who
by all accounts is a very nice guy) is receiving almost $140k a year
from a special interest group, lists government "lobbying" and
"representation" among his official duties, doesn't recuse himself from
matters related to the special interest and in fact puts out press
releases bragging about the millions of dollars in benefits that flow
back to the special interest. Not coincidentally, the special interest
also contributed over $75k to his campaign" </p></blockquote><p> <br /></p><p> </p></div>
Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-78575262114316025662020-08-26T20:50:00.000-04:002020-08-26T20:50:56.269-04:00Latest initiative<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfmHuxJjCG8AN8v9iB8X2z1jRBwMG2OMd11FbO67zu1P6cwfihK1bPN_9i9n_7PuHsciV544C5NU9DdpvlZ3CtsRgrZujm0-2GhKUdNZ1JHP8xU9TiBUcSLxLa1eBT0oJsI5N5ikcvrqJv/s2048/Image+from+iOS.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1381" data-original-width="2048" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfmHuxJjCG8AN8v9iB8X2z1jRBwMG2OMd11FbO67zu1P6cwfihK1bPN_9i9n_7PuHsciV544C5NU9DdpvlZ3CtsRgrZujm0-2GhKUdNZ1JHP8xU9TiBUcSLxLa1eBT0oJsI5N5ikcvrqJv/s640/Image+from+iOS.jpg" width="640" /></a> <br /></div><p></p><p>In 2016 I fulfilled my dream of starting and selling a successful high tech firm. We built a great team where we treated customers and employees with respect and a high performance culture. <a href="https://www.siegetechnologies.com/" target="_blank">Siege Technologies</a> built awesome technologies and made a difference in the world which was very rewarding.<br />
<br />
I left the company in 2019 to focus on investing, advising startups, and philanthropy work full time. By 2020 I was the managing partner at <a href="https://www.10xvp.com/" target="_blank">10X Venture Partners</a>, GP of a small fund (both at 10X and the fund I'm investing for charitable benefit), advising a number of tech firms and serving on numerous charitable boards doing inspiring things like fighting sexual exploitation, poverty, and addiction (and volunteering/advising a few others.) It was/is rewarding work and seemed like a great place to be for a while going forward. </p><p>But in the summer of 2020, I read <a href="https://forum.effectivealtruism.org/posts/bsE5t6qhGC65fEpzN/growth-and-the-case-against-randomista-development" target="_blank">a paper arguing</a> that government policies were far more impactful to help the poor than individual philanthropic programs. Minutes after finishing it, two random strangers suggested running for state Senate, coincidentally within 5-10 minutes of each other! Like most people, I didn't have a positive view of politics or politicians and wasn't enthusiastic about the idea at first. Or after a second glance. But after further reflection and numerous discussions, I realized that:<br />
</p><ol>
<li>The state Senate is a place that you can make a difference. Numerous important bills came down to a single Senate vote in the last session, and each senator plays a critical role in the direction of the state. NH has over 1.36M people and a budget of over $13B so the impact you can have is much larger than regional charities serving dozens or even hundreds of people. </li>
<li>If all the good/moral people avoid politics, what can we say if we don't like the people who are in office? Despite the negative views of politicians, there are some good people who serve for the right reasons and not more base drivers like money, career advancement, or pride. And while some may be motivated by greed/anger/extreme ideological reasons or even boredom, there are some who run because they genuinely care and want to give back.</li>
<li>While I've never considered myself a political type, many of the skills I've developed and my strengths and weaknesses <i>will</i> transfer well to a campaign. The campaign trail is much like running a startup and days are consumed with raising funds from "investors", meeting with various stakeholders, learning the regulatory framework, managing operations, building a team, planning and executing a budget, marketing, and trying to attract a large group of people who believe in what you're offering. While serving as a senator will be very different, things like people skills, textual/policy/logical/budget analysis, public speaking, integrity, work ethic, ability to focus on creating "win-win" scenarios, love of others, and conflict resolution will be valuable.</li><li>I discovered that the senator currently representing the district (who by all accounts is a very nice guy) is receiving almost $140k a year from a special interest group, lists government "lobbying" and "representation" among his official duties, doesn't recuse himself from matters related to the special interest and in fact puts out press releases bragging about the millions of dollars in benefits that flow back to the special interest. Not coincidentally, the special interest also contributed over $75k to his campaign. 😒 And it's all legal in NH, since senators only make $100/year and we have very lax laws around how elected officials are compensated. When I worked at <a href="https://www.darpa.mil">DARPA,</a> I wasn't usually allowed to accept a free lunch (there were limited exceptions) because of the concern that that free $10 ham sandwich might unduly influence your next contract award... but in NH it's OK to accept 6 digits in personal compensation from groups that lobby for government money <i><b>while</b></i> serving as a senator. 
That's wrong and needs to be fixed.<br /></li></ol><p></p><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFyRmGquiwWkb986G4QKUVrrOqF0VwEZj4WSq56GoOYLXJeFCGmVf06pYBMYd71kPHbMz6k8dsRJAGd7_BPusjoTF3RFfnr1U4Ji9nlKAi-xnLXTS9BzWkoUoJBuTofPpes6_X9vmbUn8/s818/Filing.jpg" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="818" data-original-width="696" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTFyRmGquiwWkb986G4QKUVrrOqF0VwEZj4WSq56GoOYLXJeFCGmVf06pYBMYd71kPHbMz6k8dsRJAGd7_BPusjoTF3RFfnr1U4Ji9nlKAi-xnLXTS9BzWkoUoJBuTofPpes6_X9vmbUn8/s640/Filing.jpg" /></a></td></tr><tr><td class="tr-caption" style="text-align: center;">Filing to run at the state house<br /></td></tr></tbody></table><p></p><p>As a result of these considerations I <a href="https://www.syversen4senate.com/post/manage-your-blog-from-your-live-site" target="_blank">decided to run for Senate.</a> I've really enjoyed getting to meet people from around the state and learn more about the challenges and issues facing the state (like COVID-19 and the opioid crisis) and some of the unique aspects of our state/government that make New Hampshire such a <a href="https://www.usnews.com/news/best-states/new-hampshire" target="_blank">great place to live</a>.</p><p>I don't plan to put the campaign stuff on this blog; I'll keep it to tech/entrepreneur content. But as a result of the campaign (and hopefully winning/serving!) 
I suspect I won't be posting as much here for a while, as I'll be posting on the campaign site at <a href="http://syversen4senate.com">syversen4senate.com</a>, and on socials on <a href="https://www.facebook.com/SyversenForSenate/" target="_blank">FB</a> and <a href="https://twitter.com/Syversen4Senate" target="_blank">Twitter</a>.<br /></p>Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-51431774355247231922019-09-24T23:58:00.002-04:002019-09-25T09:33:21.506-04:00Sexy versus common cyber problems<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzCxqcIlwjHA0aGOtVtEV3DTXxf_kZlenqpGn7x_wdd5hcZQj5mVLB8BQbjkmpfYu8oZguvdxX6100JlOgPqDTKYtu6u_WbwAdn1Imn9FwqxEo3SG2OhhYsVO60At946tX4mR88vuG4Zq0/s1600/CyberIsHot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="398" data-original-width="498" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzCxqcIlwjHA0aGOtVtEV3DTXxf_kZlenqpGn7x_wdd5hcZQj5mVLB8BQbjkmpfYu8oZguvdxX6100JlOgPqDTKYtu6u_WbwAdn1Imn9FwqxEo3SG2OhhYsVO60At946tX4mR88vuG4Zq0/s320/CyberIsHot.png" width="320" /></a></div>
Many people in the cyber security/defense/IT community are fascinated by the "sexy" work of high-end vulnerability researchers. In modern culture the word "hacker" is often conflated with someone who can break into any hardened system. The people who find so-called 0-day vulnerabilities (vulnerabilities in software that the vendor doesn't yet know about or have a fix for) and turn them into exploits are often regarded as the top of the pyramid of hackers, due to the incredibly challenging technical obstacles that must be overcome, the deep and arcane knowledge of system semantics and architectures required, and the obvious intelligence of many practitioners in this domain.<br />
<br />
The Google <a href="https://googleprojectzero.blogspot.com/" target="_blank">P0 team</a> is probably the preeminent public global team researching and publishing <a href="https://en.wikipedia.org/wiki/Project_Zero#Notable_discoveries" target="_blank">novel attacks</a> against hardened systems such as Windows, Chrome, iOS and other software systems critical to the secure usage and survival of the Internet. <a href="https://www.vice.com/en_us/article/59nyqb/how-google-changed-the-secretive-market-for-the-most-dangerous-hacks-in-the-world" target="_blank">They are impacting</a> the gray market for vulnerabilities. Other teams conduct this research as a PR function for their product or services firms. Many high end teams are restricted to secretive government (or government funded) laboratories or government agencies to support law enforcement or national security objectives. And a small number support themselves or a larger criminal syndicate through the development and use of these capabilities. When I did a Google search for vulnerability research, I also found <a href="https://brenebrown.com/" target="_blank">Brene Brown</a>, which made me chuckle. (Different kind of <a href="https://www.amazon.com/gp/product/B00D1Z9RFU/" target="_blank">vulnerability research</a>!)<br />
<br />
<a href="http://heartbleed.com/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" target="_blank"><img alt="http://heartbleed.com/" border="0" data-original-height="413" data-original-width="341" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfi3qI17yew0kT2akP3noZOFRPW_fib6Gqu9PLNxkyVDUoyI0xprLCi2aI91wc8VY9QZn6IR7ZpZzDdP6L-inLUFmr_kjLBrScVJ8IM3jqSJ0nizxcwEQHeEyfN6Sc-tXLLvMpIORm48Jh/s200/heartbleed.png" width="165" /></a><a href="http://heartbleed.com/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><img alt="http://heartbleed.com/" border="0" data-original-height="1600" data-original-width="823" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzueCdGNMg_8hB53JpmP0z6wo2KFBqtOHzCE4AqWO7xRsxeO7zvEH6dtGwSJBgwIPPG4a1UrBg_B3t0RgtQSdizUeUt_av658TPw5jDBS7d_UbAoLBhPbgUx2Pui5xSR82vXH1X-Bbuuw7/s200/meltdown-text.png" width="102" /></a><a href="https://www.blackhat.com/" target="_blank">Blackhat</a> and many conferences were built around a platform to share the latest and most interesting "hacks" that these researchers have developed. News stories and books are built around the challenging accomplishments of the individuals and research teams. Vulnerabilities come with their own logos and web sites now.<br />
<br />
Some members of the community watch admiringly and wish they could do the same. Some enjoy reading/learning about it and admire the technical accomplishments. Others leverage the research to raise awareness around theoretical or very real threats to their company/products. Still others use it to spread FUD (fear, uncertainty, and doubt) to sell more product or further a political agenda. Many companies benefit from the free research and QA performed on their products by third parties at no cost, which allows them to leverage these discoveries to secure their products without paying for it. (To their credit, many are seeking ways to better engage these third parties and compensate them for those valuable contributions.) <br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.f5.com/content/dam/f5/downloads/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img alt="https://www.f5.com/content/dam/f5/downloads/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf" border="0" data-original-height="1276" data-original-width="1456" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7YghPNujPolW6rd7cmrhIwc7CNgJ10ztjdDcw3WyuDbjSJJQwWDBMAuCZ8CdN1O08IQMlAcCcKF8B4LDx8sR54jSW7bIrck3Gxz0MxdRK3IKmywCB1QlgvLcp5JW5vxKQnXxwOaE4pW0D/s400/Screen+Shot+2019-09-24+at+11.22.20+PM.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="https://www.f5.com/content/dam/f5/downloads/F5_Labs_Lessons_Learned_from_a_Decade_of_Data_Breaches_rev.pdf" target="_blank">Graphic from F5 Decade of breaches lessons learned report.</a></td></tr>
</tbody></table>
An increasing portion of the community is spending time pushing back on this so-called "sexy" part of the community. They rail that it gets too much attention, that it's pointless to try to find/fix super complex vulnerabilities because you'll never find them all, and that high end talent is wasted on this problem. Their argument is built around the (strong) empirical evidence that the vast majority of security compromises aren't done using super-fancy 0-day attacks but rather password re-use, phishing attacks, outdated code that has known exploits in <a href="https://www.metasploit.com/" target="_blank">Metasploit</a>, misconfigured systems, open cloud repositories, etc. 27% of companies <a href="https://www.tripwire.com/state-of-security/vulnerability-management/unpatched-vulnerabilities-breaches/" target="_blank">state that</a> they've been breached because they didn't patch KNOWN vulnerabilities, so why spend so much time/energy finding unknown ones? <br />
<br />
While I haven't heard the counterargument made publicly (that one should exclusively focus, or at least massively increase attention, on 0-day vulnerability research), there are certainly individuals and organizations who make this their exclusive focus and have no interest in addressing the human/configuration side of the problem for various reasons. And I have seen individuals in those groups who have denigrated the work of those working on social engineering attacks, auditing systems for compliance and/or
rolling out patches.<br />
<br />
The problem is that like most complex domains, it is not a boolean problem or a boolean answer. It's complicated and requires a nuanced perspective which is often missing in online rants. In this post, I'll address some of these complexities and explain why we need to address the human/configuration side of the problem while not neglecting the "high end" technical security risks that remain.<br />
<br />
Attackers target the human or misconfigured/unpatched systems for numerous reasons:<br />
<ol>
<li>It has a low barrier to entry, meaning a large portion of the attacker community has access to these techniques (i.e., script kiddies, fledgling criminal or nation-state teams, etc.) </li>
<li>It does not burn valuable capabilities in the event of later compromise. Why spend your 0-day if you don't have to!?</li>
<li>It is often more reliable. (In the modern era many 0-days rely on probabilistic techniques like <a href="https://en.wikipedia.org/wiki/Heap_spraying" target="_blank">heap spraying</a> which fail a portion of the time depending on the usage/configuration of memory in the target.) </li>
</ol>
But if these attacks don't work, or the attacker is concerned that using well-known techniques may trigger enhanced monitoring/scrutiny of their actions they will often choose to use more complex advanced techniques such as 0-day exploits (software exploits that are built around the knowledge of an unknown (0-day) vulnerability in a piece of software. For a great read on the topic check out this <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR1700/RR1751/RAND_RR1751.pdf" target="_blank">RAND report</a>.) Only a subset of attackers even have the resources to buy or build their own 0-day exploits.<br />
<br />
Decades ago this was commonly performed by individual hackers who found vulnerabilities and didn't share them but used them to poke around and "explore" the Internet. Reporting a discovered vulnerability to a vendor could result in the police being called or lawsuits and many hackers were young and didn't think they were "causing any harm" or even wrong for using what they'd found for their own entertainment. <br />
<br />
But today many firms have vulnerability reporting programs and policies of working with third party researchers. Most of the top software companies in the world even offer some sort of compensation (cash, prizes, or recognition) to these third party researchers through the use of internal or external <a href="https://en.wikipedia.org/wiki/Bug_bounty_program" target="_blank">bug bounty</a> programs (A great <a href="https://www.vulnerability-lab.com/list-of-bug-bounty-programs.php" target="_blank">list is here</a>.) The combination of maturing software development practices, productive pathways to reporting third party discovered vulnerabilities and anti-exploitation mitigating techniques available in modern operating systems and hardware means that finding useful 0-days and exploiting them typically requires a significant effort by an advanced individual or team of individuals.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHZ9VWoZwEECDzvOkchDaskbMyscJnoSzLBEaORfbuKXg324VuI9ObzR7JTnVZRcJCn6OtzuHe4azXpYALkuZk2bMuHnYp0hSKhQ9xJ0bpqiqpqmaD89V2RU9gg24sKEDWcjoJvuJtW0nq/s1600/https+_specials-images.forbesimg.com_dam_imageserve_77815636689749eab000f9aef62eb371_960x0.jpg%253Ffit%253Dscale.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="609" data-original-width="960" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHZ9VWoZwEECDzvOkchDaskbMyscJnoSzLBEaORfbuKXg324VuI9ObzR7JTnVZRcJCn6OtzuHe4azXpYALkuZk2bMuHnYp0hSKhQ9xJ0bpqiqpqmaD89V2RU9gg24sKEDWcjoJvuJtW0nq/s320/https+_specials-images.forbesimg.com_dam_imageserve_77815636689749eab000f9aef62eb371_960x0.jpg%253Ffit%253Dscale.jpg" width="320" /></a>Attacks are conducted using BOTH approaches on a daily basis around the world. While reports and news stories getting attention focus on breaches that utilized one or more 0-day attacks, the vast majority are done using human/system mistakes. 0-day attacks tend to be utilized in the highest value or extremely targeted cases by nation states conducting intelligence operations although in less frequent cases by law enforcement, or "defense" operations. 
A non-negligible portion of 0-days are deployed by criminal groups (although in an era when North Korea employs large teams of hackers to <a href="https://www.forbes.com/sites/kateoflahertyuk/2019/08/07/north-korean-hackers-2-billion-heist-is-funding-wmd-programs/#54bda89a38fb" target="_blank">raise billions</a> to bypass national sanctions and <a href="https://www.cnbc.com/2019/09/13/treasury-department-sanctions-north-korean-hackers-over-cyberattacks-of-critical-infrastructure.html" target="_blank">fund weapons/missile research</a>, or Russia explicitly refuses to shut down criminal operations out of the <a href="https://www.networkworld.com/article/2201011/the-russian-cybermafia--rbn---the-rbs-worldpay-attack.html" target="_blank">Russian Business Network</a> as long as they target other countries, drawing the line between criminal group and nation state operations becomes increasingly difficult!)<br />
<br />
Attackers will use the path of least resistance to accomplish their objective. In a perfect world humans would not be susceptible to manipulation and sharing passwords or other sensitive data. And software would be free of bugs and vulnerabilities. Systems and networks would always be properly configured. But that world is far away and I would argue theoretically unachievable. (Although I have yet to gather the methodology for a proof, I'm working on it!)<br />
<br />
As a result, we are faced with a world with vulnerable software, systems/networks and humans. And attackers who spend the minimal amount of resources to accomplish their objectives. In that environment, defenders should focus their efforts on ways of increasing the cost to an attacker that is consistent with their <a href="https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threat-modeling.pdf" target="_blank">threat model</a>. If you're an individual or small/medium sized business (SMB) not in a high-risk class, you don't need to worry about targeted 0-day attacks and should focus more on phishing-style threats, reducing your threat surface and patching. If you're an elite government agency or global Internet powerhouse, you should invest in the full panoply of security measures including internal/external red teaming, vulnerability research programs, human testing, secure coding programs, multi-tiered security layers, robust secure operations centers with visibility into each layer, deception measures in the network, customized locked-down software stacks, investments into new architectures and mitigations, etc.<br />
<br />
Individuals and specialized research shops will continue to exist and advance the objectives of these groups. If someone is a vulnerability researcher (VR) they aren't going to suddenly start offering phishing training to individuals, even if that was the highest payoff security measure for the organization who employs them, because the role wouldn't be interesting to them and would squander their abilities. They'll just <a href="https://www.indeed.com/jobs?q=Vulnerability+Research+Engineer&aceid=&gclid=EAIaIQobChMIx_-8n4Xs5AIVmK_ICh2AOQmTEAAYASAAEgJ5HPD_BwE" target="_blank">change employers</a> or take a mundane position and do this as an evening hobby. Similarly, we shouldn't force phishing training experts to become VR experts just because there is a need, if staring at hexadecimal and decoding heap structures isn't something that fascinates them or that they have an aptitude for.<br />
<br />
To state it more succinctly, attackers will continue to exploit BOTH classes of vulnerability (software vulnerabilities and human weaknesses/system configuration) as required for their objectives, and improving the security of BOTH while properly understanding our risk is critical. Doing that in a quantitatively robust way is currently impossible since we're still grappling with how to quantify both classes of risk, but heuristics and other measures are appearing so we can at least approximate it. (Example papers on quantifying <a href="https://www.cmu.edu/epp/people/faculty/research/Fischhoff-HF%20Canfield%20phishing%202016.pdf" target="_blank">phishing</a> and <a href="http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.697.4787&rep=rep1&type=pdf" target="_blank">vulnerabilities</a>.) Researchers continue to publish papers trying to quantify/model these actors as game theoretic problems using things like attack graphs, with limited practical success. (<a href="https://www.sciencedirect.com/science/article/pii/S0305054816301113" target="_blank">Random example</a>)<br />
<br />
The larger question about the allocation of resources (people, money, etc.) needs to be addressed at the policy level. As long as companies can knowingly <a href="https://it.slashdot.org/story/17/06/17/0458217/what-happens-when-software-companies-are-liable-for-security-vulnerabilities" target="_blank">sell software that has known vulnerabilities in it</a> and is insecure in its default configuration, we will have massive security breaches. As long as enterprises build/buy solutions that depend on everyone in their organization never making a bad security decision and having to analyze false web sites or phone callers to detect falsehoods, we will have humans being exploited. As long as we have <a href="https://cybersecurityventures.com/jobs/" target="_blank">millions of job openings</a> for <a href="https://www.forbes.com/sites/taylorarmerding/2018/10/09/cybersecurity-not-just-a-job-many-jobs-of-the-future/#718ba6fe3f2b" target="_blank">security professionals,</a> we will remain understaffed and dependent on untrained operators and insecure code. <br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkxGykph_kNN25uwmBw5io6tEnG12Cc2HV-dbZlX4xwkDOl2wHexyMKJuUfPzYpN4I8OvR8MByvc7qfBSVWNsGLs-zxBMNRZEa06c12gEiA1wCsGfODU694OJdTLlsW2Hsc5CWl9n0KERL/s1600/WorkTogether.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="195" data-original-width="258" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkxGykph_kNN25uwmBw5io6tEnG12Cc2HV-dbZlX4xwkDOl2wHexyMKJuUfPzYpN4I8OvR8MByvc7qfBSVWNsGLs-zxBMNRZEa06c12gEiA1wCsGfODU694OJdTLlsW2Hsc5CWl9n0KERL/s200/WorkTogether.jpg" width="200" /></a>To see security postures change significantly requires measures across the entire spectrum. Changing the hardware and underlying software our platforms run on. Writing more secure code. Shipping systems securely by default. Automating testing and management. Training more users and security professionals. Buying security products that don't suck and work together to provide a complete picture. Embracing creative defensive approaches like dynamic defense (and "defending forward", whatever that means?) Quantifying everything and making rational decisions. To date we keep spending more money each year but still haven't seen a reduction in breaches... and we aren't going to by denigrating people in the community plugging different holes in the dike than we are. Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-12558899706402993192018-11-28T14:46:00.000-05:002018-11-28T14:46:02.505-05:00Crowd-sourcing and bounties for defenseA little different post than I've done in the past, but I thought it would be interesting to the larger offensive/defensive cyber communities and too long form for Linkedin or Twitter. 
I'm an advisor to a company called <a href="http://www.418intelligence.com/" target="_blank">418 Intelligence</a>, which is run by a friend of mine named Mark Jaster. They are trying to provide a platform that allows companies to move beyond bug bounties and actually crowdsource threat hunting/anomaly detection. They're just now opening up the platform to the community. I think it's worth checking out, as I think there's upside for the individuals and for companies and room to grow/expand. I'd love to hear what people think of their approach, and would pass any positive or negative feedback you have back to them.<br />
<br />
Here's the invitation: <br />
<br />
<div class="MsoNormal" style="margin-left: .5in;">
If you have skills
in analyzing logs and pcap files here is an opportunity to join the first cyber professionals
testing a new community platform, supported by DHS, designed to
incentivize and crowdsource better defense and insights on what methods
are working. If testing and shaping this vision sounds interesting,
sign up to participate as a tester of the alpha release of the FOURSight
DEF3NSE cyber defense crowdsourcing platform from <a href="http://www.418intelligence.com" target="_blank">FOUR18 Intelligence</a>.
This release operates a three-round live simulation game of an
intrusion where you analyze artifacts and bet points with other players
on what is happening and how to defend against it. It then transitions
into crowdsourcing countermeasures against a known attacker group
executing the same attack playbook in the real world. The sign up form
can be found here: <a href="https://survey.co1.qualtrics.com/jfe/form/SV_eLMmzwOSfTxgXdP" target="_blank">FOURSight DEF3NSE Pre-registration Form</a>. </div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
FOURSight
DEF3NSE is the first online community and marketplace for cyber
defenders and decision makers to directly connect and incentivize
crowdsourcing better defense and network resilience against
cyberattacks. The system uses a unique, gamified and incentivized
"wisdom-of-the-crowd" betting experience to crowdsource fast and
accurate assessments of cyber risks and countermeasures, and it is
designed to pay off participants by creating a market for this
information, including what will be the first-ever bounties for breach
hunting. If the vision of bounty-hunting for attackers, or of testing
what you know and winning pay-offs by predicting how successfully a
countermeasure will perform against an attack sounds interesting, please
join others in testing the platform and helping the designers make it
great. </div>
<div class="MsoNormal" style="margin-left: .5in;">
<br /></div>
<div class="MsoNormal" style="margin-left: .5in;">
Once
you register you will receive orientation materials explaining the
system further, and an update on the testing schedule, but if you have
any questions you can contact the team at <a href="mailto:admin@def3nse.net" target="_blank">admin@def3nse.net</a>. </div>
Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-40275216623885395972018-06-21T23:54:00.001-04:002018-06-21T23:54:20.465-04:00@War review<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6mFpbQGETRDW1bUx3vexzU1qFzMKTB_nMyHU7Ul_KeNmGatyR4tD41Z8vonKsdvK3jAqJkvfRGB_qYFL7sX2uEwkgpMac5WLUXBCJ559XtPNkcfQP-tRyNzZ57w27nw_UGQHQ_dTpjvaF/s1600/23545111.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="316" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6mFpbQGETRDW1bUx3vexzU1qFzMKTB_nMyHU7Ul_KeNmGatyR4tD41Z8vonKsdvK3jAqJkvfRGB_qYFL7sX2uEwkgpMac5WLUXBCJ559XtPNkcfQP-tRyNzZ57w27nw_UGQHQ_dTpjvaF/s320/23545111.jpg" width="212" /></a></div>
I finished Shane Harris' book on cyber warfare recently and felt obligated to write a review of it on GoodReads. Since I spent the time writing it up, I thought it might be worth sharing here for those following my blog who share an interest in the cyber security/warfare communities.<br />
<br />
<br />
<p>A thorough introduction to the world of cyber warfare from the perspective of a journalist surveying published media from roughly the mid-2005 to 2015 time frame. Some sampled private discussions and insights into behind-the-scenes discussions and classified projects. A good read for someone new to the field who wants to catch up quickly.</p>
<p>Unfortunately the author spends a significant amount of time pontificating on concerns that have been excessively debated elsewhere, attempting to seem moderate while making his opinions about where the concerns lie clear... and unfortunately basing his conclusions on rumors he heard from self-proclaimed "experts". One example is the "thousands of exploits" the NSA is hoarding. This claim appears to be based on a single unquoted individual, and appears inconsistent with the other information in his book. (Pointing to a budget of $25M to acquire exploits, and price tags of $50,000-$1,000,000, would imply a catalog of 25-500, i.e. dozens or hundreds, not thousands.) Much hand wringing is spent on NSA surveillance, defense-industrial relations, foreign government spying, and other topics that have been extensively discussed in the media over the last decade and a half.</p>
<p>Speculation is rampant in the book regarding what's happening behind closed doors, and allegations are made without the editorial self-control that a reputable paper would employ. As someone with two decades of experience in this community, this reviewer recalls numerous relevant events that were not included, while significant portions of the book are devoted to commonly discussed events from various media sources (with a few interesting exceptions). In fact, the acknowledgements section credits many of the writers of those stories from the news sources covering cybersecurity/cyber warfare (Michael Riley, Nicole Perlroth, Kim Zetter, etc.) who actually interviewed the original sources and wrote about the events as they happened (or as they were uncovered!).</p>
<p>Books such as "Countdown to Zero Day" by Kim Zetter provide a much deeper look that is more technically accurate and better sourced, and represent a good alternative for a reader looking to gain insight into the technical and political aspects of the cyber warfare complex through a single (large) operational lens.</p>
<p>@War is a good option if one has no prior exposure and views it as a breathless description of the events of the last 10-15 years in the US cyber warfare community from a non-technical observer doing his best to share what he's read about and been told as an outsider.</p>Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-68732101289991538842018-01-19T11:14:00.003-05:002018-01-19T11:16:27.028-05:002017-2018 Update<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://nehemiahsecurity.com/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" target="_blank"><img alt=" Nehemiah Security" border="0" data-original-height="310" data-original-width="1500" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYHkLXVY65dvlMRUmLMUAHxjbXfv44bmT6VaYwJLz0in7jt40hXJceQrVuLfsgV0ogdgAVUkLK79bgPRvorWHe3Pv-3uiMUg0XKrL0YtL2KGqPHr4wXHsmyV6sbuI0vnckT__pEv16uHRF/s320/Nehemiah+Transparent.jpg" title="Nehemiah Security" width="320" /></a><a href="https://www.siegetechnologies.com/" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;" target="_blank"><img alt=" Siege Technologies" border="0" data-original-height="276" data-original-width="907" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4UVNLe6bMNu7L9SoAYgdFcXQW2zZsqtM4J3JZ5rt0NqF0bmXrMvDMkMpZXUjoq4WJOHJ_NE0MNiLi9oUcODgspmhRS6eipWb4nmqS1ujNKSfY4ufcnUuRgSvZmxi6bSLdYYg6Efym63zn/s200/Siege_logo.png" title="Siege Technologies" width="200" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYHkLXVY65dvlMRUmLMUAHxjbXfv44bmT6VaYwJLz0in7jt40hXJceQrVuLfsgV0ogdgAVUkLK79bgPRvorWHe3Pv-3uiMUg0XKrL0YtL2KGqPHr4wXHsmyV6sbuI0vnckT__pEv16uHRF/s1600/Nehemiah+Transparent.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /></a></div>
As readers of this blog (or former readers!) have noticed I have been updating the blog less and less over the years. We successfully sold <a href="http://www.siegetechnologies.com/" target="_blank">Siege Technologies</a> to <a href="https://nehemiahsecurity.com/" target="_blank">Nehemiah Security</a> back <a href="https://nehemiahsecurity.com/nehemiah-security-acquires-siege-technologies/" target="_blank">in 2016</a> and have been working on the integration between the firms.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.siegetechnologies.com/" target="_blank"><img border="0" data-original-height="646" data-original-width="1440" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcTXJm7JhzLZMZ4A8Q7meC1wNPoX1M2gIYTmDNmknh-bbO8hlhWQxyXwzGVymw-Q2zvHA2YoDbqwo1ifTbO26mOj1koA5mucHP0_loIisx0I1HMVoS1hoMFpmtu1Uud5zih6wpG-zs6Xsc/s320/siege-logo-large.png" width="320" /></a></div>
Pretty exciting to see technology we've been developing for years (now known as <a href="https://nehemiahsecurity.com/solutions/atomiceye-rq/" target="_blank">AtomicEye RQ</a>) make its way into the broader commercial market and get traction with some big (Fortune 500) customers in addition to mid-size firms and various government groups.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://nehemiahsecurity.com/solutions/atomiceye-rq/" target="_blank"><img alt=" AtomicEye" border="0" data-original-height="377" data-original-width="1600" height="75" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1tKDryLy_k0fa-wffw0dIbCcex3f-l3zjg1K53xHCLUhI_TgurL5dbpAH_ZvAg3HlIuWwXOUMX3rGd_XEHEfS5Bz9Gb9vLHHnS_LHWVJe1RM283ZdhnmqrI8KflO_ctK_3UOt2IrnwKGG/s320/atomiceye_9in.png" title="AtomicEye" width="320" /></a></div>
It wouldn't have happened without an experienced team like the group that Nehemiah brings to the table. Hopefully once that stabilizes I'll be able to get back to blogging more often, either this year (2018) or next (2019). Hoping to get back to some technical/cyber topics but will probably also include more diverse content as well. Stay tuned!Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-63605248856828764362017-04-19T15:01:00.000-04:002017-04-19T15:01:07.306-04:00Leadership lessonsNormally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.<br />
<br />
Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀<br />
<br />
1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective is and to buy into the overall mission.<br />
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.<br />
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch <a href="http://www.netflix.com/" target="_blank">Netflix</a>.<br />
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏<br />
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's <a href="https://www.youtube.com/watch?v=wOzQMCyPc8o" target="_blank">rap song about Mom dying and leaving him</a>, in which case you want to start crying and console each other.<br />
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to <a href="http://starwars.wikia.com/wiki/Sith_training" target="_blank">train a Sith</a> could be useful I suppose.<br />
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.<br />
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that <a href="https://jalopnik.com/5908130/the-ten-scariest-dmv-horror-stories/" target="_blank">yields a terrible product/experience</a>. Don't be <a href="https://www.united.com/ual/en/us/" target="_blank">United Airlines</a> and accept that just because it's the way things are or you might end up with kicking, screaming and blood <a href="https://www.youtube.com/watch?v=qjcfgLlZMkM" target="_blank">everywhere</a>.<br />
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆<br />
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (<a href="https://www.youtube.com/watch?v=T-NvFIK_beQ" target="_blank">even at a distance</a>). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and <a href="https://www.youtube.com/watch?v=shuOYVeAj40" target="_blank">should follow</a>. Or get <a href="https://www.youtube.com/watch?v=T-NvFIK_beQ" target="_blank">force choked</a>.Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-77730723926190297972017-04-19T14:41:00.001-04:002017-04-19T14:41:27.800-04:00Hardware enabled trust<a href="http://siegetechnologies.com/" target="_blank">Siege</a> has been doing some work with hardware and software enabled root of trust implementations over the past few years. Specifically, looking at implementations like Trusted Platform Module (TPM), boot processes, UEFI, hypervisors and other implementations that utilize hardware "trust" functionality. Wanted to share some insight into what the research and implementation communities are doing.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNun6bQquUQ-4MIoVZLZt1W4O_cEsDSySCIrSr83_VmMrsEvl4ixmnKtbGSlXdhmLv6ioPW6ypsqavMvPXnSFai0tJfkM6neIspu-uPjZOmrvYZsZtSK_hPtzi6oGul68WhL3uyJ9ee_cD/s1600/Chip.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNun6bQquUQ-4MIoVZLZt1W4O_cEsDSySCIrSr83_VmMrsEvl4ixmnKtbGSlXdhmLv6ioPW6ypsqavMvPXnSFai0tJfkM6neIspu-uPjZOmrvYZsZtSK_hPtzi6oGul68WhL3uyJ9ee_cD/s1600/Chip.png" /></a></div>
<br />
To start, the presentation that drew a lot of attention to hypervisors and hardware trust was Joanna Rutkowska's 2006 <a href="http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html">Blue Pill</a> presentation <a href="https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf">at Blackhat</a>. It discussed injecting a hypervisor rootkit into a running operating system utilizing AMD's SVM (Secure Virtual Machine) instructions, and also covered countermeasures, detection approaches, and possible extensions to Intel's VT-x instructions. Also in 2006, researchers from Watson Research discussed virtualizing the TPM so virtual machines could utilize TPM functionality.<br />
<br />
In 2009 Rafal Wojtczuk, Rutkowska and Alexander Tereshkin <a href="http://theinvisiblethings.blogspot.com/2009/12/another-txt-attack.html">presented several attacks</a> against Intel's TXT (Trusted Execution Technology). Also in 2009 Rafal and Joanna <a href="http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html">presented an attack</a> against System Management Mode (SMM). From the <a href="http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf">paper</a>:<br />
<blockquote class="tr_bq">
System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".</blockquote>
The authors describe<br />
<blockquote class="tr_bq">
how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits</blockquote>
<div>
In 2011 Rafal Wojtczuk and Rutkowska <a href="http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf">presented an attack</a> against Intel VT-d and, by extension, Intel's TXT (Trusted Execution Technology). Wojtczuk, Rutkowska and Tereshkin were all part of Rutkowska's Invisible Things Lab, where <a href="http://qubes-os.org/Home.html">Qubes OS</a> was also developed. Some of their posts on Qubes are <a href="http://theinvisiblethings.blogspot.com/search/label/qubes">available here</a>. Qubes is an interesting project: it attempts to defend against the operating system/kernel, hypervisor and hardware attacks its authors are aware of by utilizing the full functionality of the hardware, secure design principles and strong isolation to build a significantly more secure operating system environment.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5fpYmeAzhhXSUFTXrG32U5ePjOTZLEjfjL-BZtl65OC7QESxzn5alSCuQN-GPwa9HBCEKRByEUFj4K7faj5LOABZd1JS1cQDptRLxhUG2_9wlWkK9Nq8c714Oucxp-s3FqdNjXzfqxXP/s1600/windows-8-boot-microsoft.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5fpYmeAzhhXSUFTXrG32U5ePjOTZLEjfjL-BZtl65OC7QESxzn5alSCuQN-GPwa9HBCEKRByEUFj4K7faj5LOABZd1JS1cQDptRLxhUG2_9wlWkK9Nq8c714Oucxp-s3FqdNjXzfqxXP/s320/windows-8-boot-microsoft.jpg" width="320" /></a></div>
There are tons of other papers out there as well; I'd love to do a more comprehensive survey on the topic at some point. Siege started some really interesting research in this area years ago and finally got to present it at Blackhat in 2016. <a href="https://www.blackhat.com/docs/us-16/materials/us-16-Sharkey-Breaking-Hardware-Enforced-Security-With-Hypervisors.pdf" target="_blank">Breaking Hardware Enforced Security with Hypervisors</a> has some good information on the area and on approaches to subverting the TPM's interactions with the kernel/boot process by leveraging other architectural features (in our case, VT-x). Hopefully we'll have an opportunity to present some of the other things we've done in the domain in the next few years.</div>
Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-75600846990188328592016-05-26T10:56:00.000-04:002016-05-26T10:56:29.078-04:00From public sector to private sector: A view from the trenches.<div style="border-bottom: solid #4F81BD 1.0pt; border: none; mso-border-bottom-themecolor: accent1; mso-element: para-border-div; padding: 0in 0in 4.0pt 0in;">
(An abridged version of this post <a href="https://www.thecipherbrief.com/article/techcyber/government-private-sector-1092" target="_blank">appeared in the CipherBrief</a> on May 15th, 2016) </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipLb1h9tVHmovZHUTHstXOnm-Zcy03RodH3loD0BBNgi-BsRgD0OnGl93vSrTVYoXe6T9-W4u_7vzkZAy48WoNRJ4wprIaMu3IrfbKWL2-yh59I0Q-WNDrrU1C6d_lVJvNRk96ngOZchAz/s1600/DARPA_Logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipLb1h9tVHmovZHUTHstXOnm-Zcy03RodH3loD0BBNgi-BsRgD0OnGl93vSrTVYoXe6T9-W4u_7vzkZAy48WoNRJ4wprIaMu3IrfbKWL2-yh59I0Q-WNDrrU1C6d_lVJvNRk96ngOZchAz/s320/DARPA_Logo.jpg" width="320" /></a></div>
<div style="border-bottom: solid #4F81BD 1.0pt; border: none; mso-border-bottom-themecolor: accent1; mso-element: para-border-div; padding: 0in 0in 4.0pt 0in;">
<br /></div>
<div style="border-bottom: solid #4F81BD 1.0pt; border: none; mso-border-bottom-themecolor: accent1; mso-element: para-border-div; padding: 0in 0in 4.0pt 0in;">
In 2009 I left a job at the <a href="http://www.darpa.mil/">Defense
Advanced Research Projects Agency</a> and started <a href="https://www.siegetechnologies.com/">Siege Technologies</a>. My goal was
to fill the vacuum of small, innovative companies building advanced, disruptive
technical solutions in offensive and defensive cyber warfare left by recent
large corporate acquisitions. The last
day at DARPA I signed paperwork removing all the accesses I had received during
my time there with DARPA and our numerous partners. They took my green badge,
CAC card, DARPA badge, and computer. I felt a little like George Banks in Mary
Poppins when the bank fires him and proceeds to destroy his umbrella and poke a
hole in his hat as part of the discharge process. I founded Siege Technologies two weeks later
and slowly collected most of those resources again over time. The experience
was extremely informative and provided some important lessons for anyone
contemplating a move into private industry from government or into a startup
from a large company.</div>
<h2>Advantages of government experience</h2>
<div class="MsoNormal">
There are some powerful advantages that time in government
provide someone making the plunge into entrepreneurship. The biggest is a
perspective on what’s going on at a national or even global level. Insight into
the hard problems, operational challenges and thought leaders are invaluable
takeaways from government service. Additionally the friends and contacts created
throughout government, industry and academia can provide valuable assistance
down the road. Having worked as a contractor, government employee and corporate
employee again there’s a big difference walking into your favorite government
agency with a “blue badge” versus a “green badge”. Sadly, having a government
badge causes government people to assign you moral characteristics that are
significantly different from the negative assumptions pinned on contractors.
And strangely, these positive views follow you out into corporate
America. Even though I was the same person throughout the experience there is a
significant difference in how the people you meet while wearing the government
badge perceive you, during <i style="mso-bidi-font-style: normal;">and after </i>government
service.</div>
<h2>Starting from scratch is hard</h2>
<div class="MsoNormal">
It is not easy to take a blank piece of paper and write a
novel. Starting a company is similar, as building something from nothing
requires the ability to see a future that does not yet exist, and execute to
make that vision a reality. Taking a small firm and helping it break out of a
small business mindset to reach its potential is equally hard (and maybe harder
in some ways) because you need to reshape structures that may have hardened and
take on risk that may have been previously discarded or avoided. The technical
team, technology, access to customers and partners, cash, and information are
never as robust as you would like and are often in a state of flux. A challenge
unique to moving to a startup from government is the gossip mill of other
disgruntled government/commercial individuals who allege stolen ideas, inside
access, or other improprieties as the real drivers of success. Changing the
mindset of the brave souls who move from the comfort of government to the
excitement of a startup is imperative, as there is no checklist of procedures
or higher authority to consult before getting things done. Sitting at your desk
or attending meetings is not going to get a product built or customers signed
up; startups are an exercise in energy exertion. I vividly remember talking to
my wife in December of 2009 about whether we would have a paycheck before
Christmas and estimating how many days until our final credit line was maxed.
Getting my first Siege paycheck on Christmas Eve was the best Christmas Eve
gift I’ve received! As Benjamin Franklin said, “Nothing ventured, nothing
gained”.</div>
<h2>Smaller is riskier</h2>
<div class="MsoNormal">
There is a big difference between a job in the government, a
job at a big business and a leadership position in a startup. The government
has a difficult job ever firing anyone or laying people off, although it does
happen in rare occasions. Big business doesn’t usually fire people and layoffs
are usually focused on culling the weaker ranked employees (although entire
segments of the business can be felled in a single swipe!) And while small
companies engage in layoffs and firing, they introduce a new variable into the
equation: Cash. In business they say “cash is king” because without it, a
business cannot conduct operations. Starting a company involves working for
free, reduced pay, gaps in funding, contributing money, and wondering how to
make payroll. It means borrowing money from friends and banks, and signing numerous
contracts as the guarantor. Even well-funded VC-backed firms have to worry
about cash throughout the process and keep track of the “going out of
business” point when the burn rate chews up the cash in the bank.</div>
<h2>Smaller is faster</h2>
<div class="MsoNormal">
Making decisions in a small company is easy. The individual
makes a decision and moves out. Sometimes there are managers or stakeholders to
consult, but the reporting chain is much smaller and stakeholders to consult
much fewer. The ability to make decisions quickly allows companies to react to
changing market dynamics and technology much more quickly than larger firms
competing in the same space. A great example of this is purchasing. When I
worked at a large defense contractor in the 1990's, I needed to get a copy of “PC Anywhere”.
Weeks went by until I heard it was authorized. Weeks turned into months and I
reached out to find where it was to discover the acquisition system had lost my
order. When I explained what I needed I was assured it would be coming soon. A
week or two later a different product (PC-Xware) arrived! Contrast that with a small firm
with a flat management chain… if someone needs something at a small firm they
ask their manager and it gets ordered on a corporate card within a day or two.</div>
<h2>Smaller is more innovative</h2>
<div class="MsoNormal">
It’s easy to understand why small companies move faster, but
where does the phrase “small companies innovate, big companies integrate”
come from? Innovation is a complex topic about which numerous books have been
written. I believe there are a number of factors behind the wave of
innovation coming from small firms:<br />
<br />
<ul>
<li><i>Ability to attract and retain top talent.</i> Employees like to work in nimble, more fun, better paying environments!</li>
<li><i>Emphasis placed on innovation.</i> Small companies are taking on larger, often entrenched competitors, and creating something new is often imperative to survival.</li>
<li><i>A culture that values disruption over the status quo.</i> Big companies don’t change quickly, while growth-oriented small companies are focused on how to change the game and become a big company!</li>
<li><i>Quicker access to resources and decision making.</i> The lack of process and large management chains enables individuals to quickly buy/hire/talk/build whatever they need as part of their mission to get the job done, while larger organizations utilize processes to limit risk.</li>
</ul>
</div>
<h2>Building a company is rewarding</h2>
<div class="MsoNormal">
Taking a company from nothing or small into something large
enough to have some “punching power” is extremely satisfying. It means the
market recognizes that you are offering something of value. That people are
joining your endeavor to make a difference. The resources you accumulate as you
grow mean some of the concerns from earlier days are mitigated and new
opportunities begin to present themselves. A new era of entrepreneurs are
rising up who are increasingly availing themselves of the opportunity to inject
a conscience into their work and engage in social causes through their
corporate position, products, and with the resources created by the firm. My
wife and I have committed to giving the bulk of our gains from Siege some day to
charitable causes and view the firm as an opportunity to have a positive impact
at a scale unachievable as individual contributors to those causes. Firms like
Newman’s Own give away their profits to philanthropic causes, and numerous
clothing/jewelry/coffee businesses integrate a social cause into their
corporate mission and value statement. In fact the percentage of corporate
giving is inversely correlated with size, with the smallest firms giving the
most generously<sup><a href="#_ftn1" name="_ftnref1">[1]</a>,<a href="#_ftn2" name="_ftnref2">[2]</a></sup></div>
<h2>
Perspectives on the cyber security startup market</h2>
<div class="MsoNormal">
The cyber security startup market has been hot. On fire is
probably more accurate. The graph below shows how investment has been ramping
up over the last seven years (I started Siege at the relative low point of
2009, apparently not a good year from the investors’ perspective!)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjckcev3OvYbROfNQly9cg7EIkDV_PwYWG8QCmPdy-7P-OII5m4rO4mzu3d_HnrG02NHlhqCGPiILTbUT5Uc-MN7dN8J6FbcnGHDskWRaBf8cLickYUw2owgwd92YSccnXFSwp4oA-DMNeW/s1600/Bar+chart.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjckcev3OvYbROfNQly9cg7EIkDV_PwYWG8QCmPdy-7P-OII5m4rO4mzu3d_HnrG02NHlhqCGPiILTbUT5Uc-MN7dN8J6FbcnGHDskWRaBf8cLickYUw2owgwd92YSccnXFSwp4oA-DMNeW/s320/Bar+chart.png" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoCaption">
Figure 1: Millions of dollars invested in cybersecurity companies.</div>
<div class="MsoNormal">
Spending on cybersecurity in 2015 exceeded $75 billion according
to Gartner<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn3" name="_ftnref3" style="mso-footnote-id: ftn3;" title=""><sup>[3]</sup></a>. The
market is over $100 billion according to MarketsandMarkets and will grow to $170
billion (USD) by 2020, at a Compound Annual Growth Rate (CAGR) of 9.8 percent
from 2015 to 2020<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn4" name="_ftnref4" style="mso-footnote-id: ftn4;" title=""><sup>[4]</sup></a>. The
cyber security insurance market is expecting significant growth and should
reach $7.5 billion in annual sales by 2020, up from $2.5 billion this year<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn5" name="_ftnref5" style="mso-footnote-id: ftn5;" title=""><sup>[5]</sup></a>.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
But in 2015 signs were showing that the valuations and
dollars heading to cybersecurity companies had begun to cool. Specifically, “some
are predicting a measured slow-down leaving a slew of Seed/Series A funded
companies without a Series B sponsor”<a href="https://www.blogger.com/null" name="_Ref324763881"></a><a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn6" name="_ftnref6" style="mso-footnote-id: ftn6;" title=""><sup>[6]</sup></a>. Median security EV/revenue
multiples have declined from 5.5x in 2013, to 5x in 2014 and 4.5x in 2015<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn6"><sup>[6]</sup></a>.
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
That said, the problems remain. Enterprises large and
small, government agencies and individuals are still being targeted and
compromised with increasing frequency. 2015 alone saw a reported 48% jump in
compromises, and successful detected attacks have been
rising at a compound annual growth rate of <b style="mso-bidi-font-weight: normal;">66%</b> year over year since 2009<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn7" name="_ftnref7" style="mso-footnote-id: ftn7;" title=""><sup>[7]</sup></a>. The
annual cost of these attacks ranges from hundreds of billions to trillions
depending on your estimation methodology and sources (counting theft of IP
versus just cleanup, for example). Nobody has built a silver-bullet solution
to the problem, and significant opportunities exist for entrepreneurs who
provide genuinely new technologies or services for the problems that exist today
and loom over the horizon.</div>
<h2>
Perspectives on transitioning government-funded technology</h2>
<div class="MsoNormal">
At Siege we have a number of technologies that we have
developed with external funds, spanning areas as diverse as cyber
quantification, custom hypervisors, software protection and software
vulnerability remediation. Some were developed entirely with government funds,
some almost exclusively with internal or commercial funds, and most with a
hybrid. Taking these capabilities from the lab to product is not easy. Numerous
hurdles must be addressed, from classification to export control to publication
restrictions to the myriad intellectual property rights issues. And that’s
before you address the “valley of death” that exists between research and
products. An article in IEEE captures this challenge well, saying “<i style="mso-bidi-font-style: normal;">New and innovative technologies will only
make a difference if they're deployed and used. It doesn't matter how visionary
a technology is unless it meets user needs and requirements and is available as
a product via user-acceptable channels. One of the cybersecurity research community's biggest ongoing challenges
is transitioning technology into commercial or open source products available
in the marketplace</i>”<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn8" name="_ftnref8" style="mso-footnote-id: ftn8;" title=""><sup>[8]</sup></a>,
and that reflects my personal experience working in research and innovation at
big companies, DARPA and now a smaller firm.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Inventors are often beholden to their creations and believe
they possess more value than they actually do. There is usually a gap between the
requirements targeted during development and what the market needs. And there
is funding required to get the product from where it is currently to where it
needs to be. Inertia works against changing anything and turning this
technology into a product, but the fight can be well worth it if the numerous
obstacles are tackled head on with vigor. It is a fight that must be won in
order to “change the game” and make a difference, instead of allowing
solutions to important national and global problems to die an inglorious death in
the lab.</div>
<h2>
Conclusion</h2>
<div class="MsoNormal">
It is impossible to effect change without taking risk.
Change necessitates overcoming resistance and various obstacles to achieve a
necessary goal. Starting or joining a new venture provides the opportunity to
effect significant change at personal, technological, national and societal
levels if success is achieved. But even if failure is the outcome, lessons are
learned and character is formed through that process. The average successful
entrepreneur has several failures under his or her belt (I had two false starts)
and is middle-aged, with the median age at which entrepreneurs started their companies
being 40<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn9" name="_ftnref9" style="mso-footnote-id: ftn9;" title=""><sup>[9]</sup></a>. Teddy Roosevelt captures the opportunity well
with his famous quote: “<i style="mso-bidi-font-style: normal;">It is not the
critic who counts; not the man who points out how the strong man stumbles, or
where the doer of deeds could have done them better. The credit belongs to the
man who is actually in the arena, whose face is marred by dust and sweat and
blood; who strives valiantly; who errs, who comes short again and again,
because there is no effort without error and shortcoming; but who does actually
strive to do the deeds; who knows great enthusiasms, the great devotions; who
spends himself in a worthy cause; who at the best knows in the end the triumph
of high achievement, and who at the worst, if he fails, at least fails while
daring greatly, so that his place shall never be with those cold and timid
souls who neither know victory nor defeat.</i>”<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftn10" name="_ftnref10" style="mso-footnote-id: ftn10;" title=""><sup>[10]</sup></a></div>
<div style="mso-element: footnote-list;">
<!--[if !supportFootnotes]--><br clear="all" />
<hr align="left" size="1" width="33%" />
<!--[endif]-->
<br />
<div id="ftn1" style="mso-element: footnote;">
<div class="MsoNormal">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref1" name="_ftn1" style="mso-footnote-id: ftn1;" title="">[1]</a> CEO Force For Good, “Giving in Numbers: 10th Anniversary 2015 Edition”, September 2015.</div>
</div>
<div id="ftn2" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref2" name="_ftn2" style="mso-footnote-id: ftn2;" title="">[2]</a> https://philanthropy.com/article/Most-Small-Companies-Make/225215</div>
</div>
<div id="ftn3" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref3" name="_ftn3" style="mso-footnote-id: ftn3;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 12.0pt;">[3]</span></span><!--[endif]--></span></span></a> <span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;">http://blogs.wsj.com/venturecapital/2016/02/17/the-daily-startup-increased-spending-in-cybersecurity-drives-funding-surge/</span><o:p></o:p></div>
</div>
<div id="ftn4" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref4" name="_ftn4" style="mso-footnote-id: ftn4;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[4]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;">
http://www.marketsandmarkets.com/PressReleases/cyber-security.asp<o:p></o:p></span></div>
</div>
<div id="ftn5" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref5" name="_ftn5" style="mso-footnote-id: ftn5;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[5]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"> </span><span style="font-size: 11.0pt; mso-bidi-font-family: "Times New Roman"; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: "Times New Roman";">PwC, “Insurance 2020 & beyond:
Reaping the dividends of cyber resilience”, September 2015</span><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><o:p></o:p></span></div>
</div>
<div id="ftn6" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref6" name="_ftn6" style="mso-footnote-id: ftn6;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[6]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"> Momentum Partners,
“Cybersecurity Market Review 4Q 2015 Year End”, January 2016<o:p></o:p></span></div>
</div>
<div id="ftn7" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref7" name="_ftn7" style="mso-footnote-id: ftn7;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[7]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;">
http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html</span><o:p></o:p></div>
</div>
<div id="ftn8" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref8" name="_ftn8" style="mso-footnote-id: ftn8;" title=""><span class="MsoFootnoteReference"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 12.0pt;">[8]</span></span><!--[endif]--></span></span></a> <span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;">Maughan, D., Balenson, D.,
Lindqvist, U., & Tudor, Z. (2013). Crossing the Valley of Death:
Transitioning Cybersecurity Research into Practice. IEEE Security &
Privacy, 11(2), 14-23.</span><o:p></o:p></div>
</div>
<div id="ftn9" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref9" name="_ftn9" style="mso-footnote-id: ftn9;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[9]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"> Ewing Marion Kauffman
Foundation, “The Anatomy of an Entrepreneur”, August 2009.</span><o:p></o:p></div>
</div>
<div id="ftn10" style="mso-element: footnote;">
<div class="MsoFootnoteText">
<a href="https://www.blogger.com/blogger.g?blogID=9143715059946195737#_ftnref10" name="_ftn10" style="mso-footnote-id: ftn10;" title=""><span class="MsoFootnoteReference"><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"><span style="mso-special-character: footnote;"><!--[if !supportFootnotes]--><span class="MsoFootnoteReference"><span style="font-family: "cambria"; font-size: 11.0pt;">[10]</span></span><!--[endif]--></span></span></span></a><span style="font-size: 11.0pt; mso-bidi-font-size: 12.0pt;"> Theodore Roosevelt, Excerpt
from the speech "Citizenship In A Republic" delivered at the
Sorbonne, in Paris, France on 23 April, 1910.</span><o:p></o:p></div>
</div>
</div>
Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-3002638177296897052014-11-12T17:19:00.000-05:002014-11-12T17:22:05.042-05:00Side channel attacks<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.manvswebapp.com/wp-content/uploads/2013/03/side-channel-attack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.manvswebapp.com/wp-content/uploads/2013/03/side-channel-attack.jpg" height="132" width="320" /></a></div>
<br />
An interesting <a href="http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf">paper</a> came out in late 2013 <a href="http://www.extremetech.com/extreme/173108-researchers-crack-the-worlds-toughest-encryption-by-listening-to-the-tiny-sounds-made-by-your-computers-cpu">describing a method that uses acoustic emanations</a> from a running computer to recover an RSA private key. The sound does not come from the CPU die itself but from the voltage-regulation circuitry on the motherboard, which whines differently depending on the operations the CPU is performing; the authors used it to extract 4096-bit GnuPG RSA keys.<br />
<br />
Since the 1990s work has gone on using timing or power analysis to accomplish the same thing: deduce secret keys. <a href="http://en.wikipedia.org/wiki/Paul_Kocher">Paul Kocher</a> pioneered much of it, including <a href="http://dl.acm.org/citation.cfm?id=706156">timing attacks against RSA</a> (<a href="http://www.cryptography.com/public/pdf/TimingAttacks.pdf">paper here</a>) and later differential power analysis. <a href="https://www.riscure.com/archive/DPA_attack_on_RSA_in_CRT_mode.pdf">Multiple</a> <a href="http://www.iacr.org/archive/ches2009/57470141/57470141.pdf">attacks</a> <a href="http://www.di.ens.fr/~fouque/pub/ches06.pdf">against RSA</a> have used power analysis with success. There are multiple defenses against timing and power attacks, with varying degrees of success: constant-time implementations whose sequence of operations does not depend on the key, blinding (randomizing the message or exponent before each private-key operation so the leakage cannot be correlated with the key), filtering or shielding emanations, adding noise to smooth out activity, and physically denying the attacker the ability to sense the signal.<br />
<br />
The recent work can be viewed as a derivative of that prior work: instead of measuring the time between operations or the power draw directly, it recovers the same information from acoustic emanations, which are a low-bandwidth proxy for the power signal.<br />
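As an added illustration (my own toy code, not from any of the papers linked above), here is why a key-dependent operation sequence leaks the key. The <code>trace</code> list of 'S'/'M' labels stands in for the power, timing or acoustic trace an attacker would actually capture; simple power analysis works because a squaring and a multiply look different on the scope:

```python
"""Added illustration: why a key-dependent operation sequence leaks the key.

`trace` is a list of 'S' (square) and 'M' (multiply) labels standing in for a
power, timing or acoustic trace. In simple power analysis the two operations
have visibly different signatures, so the attacker reads the sequence off the
scope; here we just record it.
"""


def square_and_multiply(base, exp, mod, trace):
    """Naive left-to-right binary exponentiation: a multiply happens only
    for exponent bits that are 1, so the trace spells out the exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result


def montgomery_ladder(base, exp, mod, trace):
    """Same result, but every bit costs exactly one multiply and one square,
    so the operation sequence is independent of the exponent."""
    r0, r1 = 1, base
    for bit in bin(exp)[2:]:
        if bit == "1":
            r0 = (r0 * r1) % mod
            trace.append("M")
            r1 = (r1 * r1) % mod
            trace.append("S")
        else:
            r1 = (r0 * r1) % mod
            trace.append("M")
            r0 = (r0 * r0) % mod
            trace.append("S")
    return r0


def recover_exponent(trace):
    """Attacker's view of the naive routine: each 'S' starts a new bit and
    an 'M' immediately after it marks that bit as 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M" and bits:
            bits[-1] = "1"
    return int("".join(bits), 2) if bits else 0


if __name__ == "__main__":
    secret_d = 0b1101_0011  # toy private exponent
    leaky, constant = [], []
    square_and_multiply(4, secret_d, 497, leaky)
    montgomery_ladder(4, secret_d, 497, constant)
    print("naive trace :", "".join(leaky), "-> recovered exponent", recover_exponent(leaky))
    print("ladder trace:", "".join(constant))
```

Run it and the naive trace reads back the exponent bit for bit, while the ladder produces the same S/M pattern for every exponent of the same length. That is only the first layer of defence: Python's big-integer arithmetic is not constant-time, the ladder still branches on the bit (real implementations use a branch-free conditional swap), and the acoustic attack above is an adaptive chosen-ciphertext attack that makes the key-dependent arithmetic itself audible rather than a plain S/M read-out, so blinding is still needed on top of a regular operation sequence.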
<br />
Of course, the field of side channel attacks on systems is old and interesting. Some classics:<br />
<ul>
<li><a href="http://en.wikipedia.org/wiki/Tempest_(codename)">TEMPEST</a>-style attacks that reconstruct what a monitor is displaying from its electromagnetic emanations, demonstrated from outside the building <a href="http://en.wikipedia.org/wiki/Van_Eck_phreaking">since the 1980s</a>.</li>
<li>Optical TEMPEST, where the authors analyzed the activity LEDs on various devices and built a system to capture the light from across the street from an office building and recreate the serial data stream the LED was blinking out (pre-publication version <a href="http://www.foo.be/docs-free/tempest/optical_tempest.pdf">here</a>, ACM version <a href="http://rootsecure.net/content/downloads/pdf/optical_tempest_optical.pdf">here</a>).</li>
<li>A creative attack <a href="http://c-skills.blogspot.com/2007/01/first-vista-remote-exploit.html">described in 2007</a>: play audio through the system's own speakers so that its microphone feeds commands to a speech-recognition engine (such as Windows Speech Recognition in Vista). Microsoft <a href="https://blogs.technet.com/b/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx">downplayed it</a>, of course, but it highlights an interesting input vector.</li>
<li><a href="http://en.wikipedia.org/wiki/George_Hotz">George Hotz's</a> PS3 hack, where he <a href="http://pastie.org/795944">used an FPGA board</a> to glitch the memory bus at the moment the hypervisor was freeing memory, so the deallocation silently failed and left him with stale mappings he could use to read and write hypervisor memory. Strictly a fault-injection attack rather than a passive side channel, but it abuses the same kind of physical access.</li>
<li>I discussed using speakers for covert channels in an earlier <a href="http://cyber-son.blogspot.com/2013/11/badbios-and-nefarious-advanced-malware.html">post</a>.</li>
</ul>
<div>
Another interesting side channel technique came out in 2014 from researchers at <a href="http://cyber.bgu.ac.il/">Ben Gurion University</a>. They <a href="http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper">showed</a> (AirHopper) that the FM receiver in a mobile phone can pick up specially encoded radio emissions from a nearby video display, creating a cooperative TEMPEST exfiltration channel. Not really an attack per se, since it requires code already running on the isolated machine, but it is certainly useful for enabling broader attacks, just as ASLR bypasses aren't attacks per se but information leaks that enable complex exploits. Also not new, as it builds on the TEMPEST work above, but doing it with a cell phone is novel.<br />
<br />
Using RFID tags to attack systems or propagate code has been discussed <a href="http://www.rfidvirus.org/">since at least 2006</a>. Vulnerabilities in optical character recognition software (which takes pictures and analyzes them in an attempt to convert them into digitally represented text) were <a href="http://www.exploit-db.com/exploits/4012/">published in 2007</a>. Attacks using QR codes were <a href="http://www.jesterscourt.cc/2012/03/09/curiosity-pwned-the-cat/">deployed in the wild</a> in 2012.<br />
<br />
Those attacks rely on systems that look for digital input in an analog medium the adversary controls. Purely analog denial of service (pointing a bright light at a camera, or an <a href="http://en.wikipedia.org/wiki/Electromagnetic_pulse">EMP</a>, which disables systems quite nicely) is also well documented. But what about exploiting a passive sensor such as a wireless IDS? A passive sensor still has to parse every byte an attacker puts on the wire, and there are hundreds of vulnerabilities in just two popular passive network sensors: <a href="http://www.cvedetails.com/product/8292/Wireshark-Wireshark.html?vendor_id=4861">Wireshark</a> (285 CVEs at the time of writing, 22 of them enabling remote code execution) and <a href="http://www.cvedetails.com/product/1068/Snort-Snort.html?vendor_id=621">Snort</a> (10, 2 enabling RCE). And what would you call it if you took advantage of a feature extractor (such as the facial or gait recognition engine in a camera) to crash or even exploit the device? </div>
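To make the "a passive sensor still parses hostile bytes" point concrete, here is an added toy dissector (constructed for this post, not code from Wireshark or Snort) for a made-up type/length/value record format. The naive version trusts the wire-supplied length the way many real dissectors have; the hardened version checks the length against what is actually left in the buffer and guarantees forward progress:

```python
"""Added illustration: a passive sensor is only as safe as its parsers.

Toy wire format, constructed for this example: a packet is a sequence of
records, each <type:1 byte><length:1 byte><value>, where `length` counts the
two header bytes as well (a common real-world convention, and a common
source of bugs).
"""


def dissect_naive(packet: bytes, step_limit: int = 10_000):
    """Trusts the length field. Two ways an attacker-controlled packet hurts
    the sensor:
      * length 0 or 1 never advances `offset`  -> the loop never ends
        (the sensor hangs; step_limit stands in for 'forever').
      * length past the end of the buffer       -> Python silently truncates
        the slice and returns a bogus record; in a C dissector the same
        read walks off the end of the buffer.
    """
    records, offset, steps = [], 0, 0
    while offset < len(packet):
        steps += 1
        if steps > step_limit:
            raise RuntimeError("dissector stuck on a record that never advances")
        rtype, length = packet[offset], packet[offset + 1]   # IndexError if 1 byte left
        records.append((rtype, bytes(packet[offset + 2:offset + length])))
        offset += length
    return records


def dissect_hardened(packet: bytes):
    """Validates every length against what is actually left in the buffer
    and guarantees forward progress. Returns (records, error) so the sensor
    can log a malformed packet and keep running."""
    records, offset = [], 0
    while offset < len(packet):
        remaining = len(packet) - offset
        if remaining < 2:
            return records, "truncated header"
        rtype, length = packet[offset], packet[offset + 1]
        if length < 2:
            return records, "length smaller than header (no forward progress)"
        if length > remaining:
            return records, "length exceeds packet"
        records.append((rtype, bytes(packet[offset + 2:offset + length])))
        offset += length
    return records, None


def naive_outcome(packet: bytes):
    """Helper for comparing the two: returns the records, or a description
    of how the naive dissector failed."""
    try:
        return dissect_naive(packet)
    except RuntimeError:
        return "hang"
    except IndexError:
        return "crash"


if __name__ == "__main__":
    benign = bytes([0x01, 0x05, 0x61, 0x62, 0x63, 0x02, 0x02])   # (1, b"abc"), (2, b"")
    zero_len = bytes([0x01, 0x00, 0x41])                         # never advances
    overlong = bytes([0x01, 0x10, 0x41])                         # claims 16 bytes, has 3
    for name, pkt in [("benign", benign), ("zero-length", zero_len), ("overlong", overlong)]:
        print(f"{name:12s} naive={naive_outcome(pkt)!r:32} hardened={dissect_hardened(pkt)!r}")
```

In C the same over-long length is an out-of-bounds read, which is how "a box that merely watches traffic" turns into a remote code execution target. The hardened version returns an error string instead of raising so that one malformed packet cannot take the sensor offline, which is itself an attack goal (blind the IDS, then proceed).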
<br />
It's my opinion that as computing devices become more ubiquitous and embedded in everything, you'll see these types of attacks in more and more interesting places (police car license plate scanners, anyone? Border security systems. NFC is getting owned <a href="http://arstechnica.com/security/2014/11/iphone-galaxy-s5-nexus-5-and-fire-phone-fall-like-dominoes-at-pwn2own/">all over the place</a> lately. The list goes on). Attacks will move beyond information leaks and disruption to include remote access via unanticipated "side channels" or subsystems that people don't realize create risk (your <a href="http://www.blackhat.com/presentations/bh-europe-08/Feng-Xue/Whitepaper/bh-eu-08-xue-WP.pdf">antivirus</a> <a href="http://www.pcworld.com/article/2459760/antivirus-products-riddled-with-security-flaws-researcher-says.html">software</a>, your networked <a href="http://www.cnet.com/news/internet-connected-coffee-maker-has-security-holes/">coffee pot</a>, your <a href="http://www.cse.sc.edu/~wyxu/papers/TPMSUsenix.pdf">tire pressure monitors</a>!)Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-19869142524737180102013-11-12T11:47:00.003-05:002014-11-12T15:35:07.394-05:00#badBIOS and Nefarious / Advanced Malware<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYCPro4rKFbehKMAPwvLOGDfrQ20OJ5wKBQKvkyeBKrLNZzxjsukdSp5dg0bDQXyPm7ZWslgnmwY3wZfYjR55BwuMzoyuwSgVtF9W-H4RusGxsqk38PM1XUrqueHMNuSdoB9cDuqKfBy19/s1600/badbios-680x400.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYCPro4rKFbehKMAPwvLOGDfrQ20OJ5wKBQKvkyeBKrLNZzxjsukdSp5dg0bDQXyPm7ZWslgnmwY3wZfYjR55BwuMzoyuwSgVtF9W-H4RusGxsqk38PM1XUrqueHMNuSdoB9cDuqKfBy19/s400/badbios-680x400.jpg" height="235" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://blog.erratasec.com/2013/10/badbios-features-explained.html#.UoI0_JRAR_k">Screen shot</a> of possible high frequency audio channel in badBIOS</td></tr>
</tbody></table>
"badBIOS" is the name given to a suspected attack that had been going on for several years against systems owned by Dragos Ruiu. He posted about it on Twitter (<a href="https://twitter.com/dragosr">@dragosr</a>) using the hashtag #badBIOS and on <a href="https://plus.google.com/103470457057356043365/posts">Google+</a>. The story gained momentum when Ars Technica did an excited <a href="http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/">writeup about it</a>. I'm going to try to summarize the nearly magical properties it is believed/suspected to possess, with references (<a href="http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/">here</a>, <a href="http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en">here</a>, <a href="https://plus.google.com/103470457057356043365/posts/9fyh5R9v2Ga">here</a>), but I apologize if I confuse the claims, rumors and possibilities:<br />
<ul>
<li>It infects OpenBSD, Linux, Mac and Windows systems.</li>
<li>It infects the BIOS (UEFI and others).</li>
<li>It persists through reboots even after the BIOS has been reflashed.</li>
<ul>
<li>Dragos posited that this is due to modified video or network card firmware.</li>
</ul>
<li>It utilizes IPv6 even if that's disabled in the network stack.</li>
<li>It loads a hypervisor</li>
<li>It transfers via USB and other mechanisms.</li>
<li>It "reacts and attacks the software that we're using to attack it". For example, the registry editor stopped functioning to prevent them from performing forensics analysis.</li>
<li>It communicates via high frequency audio sent through the computer microphones and speakers.</li>
<li>It can hide itself in Windows font files and deletes them if inspected. </li>
</ul>
<div>
From the Ars interview:</div>
<blockquote class="tr_bq">
"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of a sudden the search function in the registry editor stopped working when we were using it to search for their keys."</blockquote>
<div>
The argument is that if the machine was not connected to any network (Bluetooth, Wi-Fi and Ethernet were all removed or unplugged) and no USB drive was used to reinfect it, how could it have been infected despite a reflashed BIOS and a new hard drive? </div>
<blockquote class="tr_bq">
But the story gets stranger still. In posts <a href="https://www.facebook.com/dragosr">here</a>, <a href="https://twitter.com/search?q=%23badBIOS">here</a>, and <a href="https://plus.google.com/app/basic/stream/z13tzhpzvpqyuzv1n23cz52wykrrvjjce">here</a>, Ruiu posited another theory that sounds like something from the screenplay of a post-apocalyptic movie: "badBIOS," as Ruiu dubbed the malware, has the ability to use high-frequency transmissions passed between computer speakers and microphones to bridge airgaps.</blockquote>
<div>
That summarizes the major posited properties of the malware. With such powerful, never-before-seen, complex properties posited, Dragos has encountered some skepticism from the (normally skeptical) security/IT community. I won't highlight it all, but there is plenty on <a href="https://twitter.com/search?src=typd&q=%23badBIOS">Twitter</a>, in the blogosphere (<a href="http://www.securityartwork.es/2013/10/30/badbios-2/?lang=en">here</a>, <a href="https://plus.google.com/103470457057356043365/posts">here</a>, etc.) and elsewhere. Even Ars posted a <a href="http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/">follow-up article</a> to give attention to the amount of skepticism. badBIOS already has its own satirical <a href="https://twitter.com/veryBadBIOS">Twitter account</a>. Renowned researcher <a href="https://plus.google.com/116955343244117063827">Tavis Ormandy</a> went through the font files and disk images and concluded that there was nothing suspicious there and that Dragos should just ignore it and relax. [Turned out to be good advice.]</div>
<div>
<br /></div>
<div>
The major concerns seem to revolve around the following points:</div>
<div>
<ol>
<li>Where is the evidence? (Both the lack of available data, and nothing in the data provided)</li>
<li>Why has this been going on for three years and is only now being exposed?</li>
<li>Why would someone combine so many novel attacks into one network/attack against Dragos?</li>
<li>Can you even build a set of code that is portable against so many firmware/hardware/OS configurations? In a bandwidth constrained environment? </li>
</ol>
<div>
Dragos has also had people supporting him, with tweets from known members of the community (like <a href="https://twitter.com/alexstamos/status/393027135377399808">Alex Stamos</a> or <a href="https://twitter.com/thedarktangent/status/393984201151627264">Jeff Moss</a>), and the debate has spilled into blogs (<a href="http://www.greebo.net/2013/11/06/stop-just-stop/">here</a> and <a href="http://americablog.com/2013/11/badbios-dire-computer-virus-improbable-hoax.html">here</a>) and even <a href="http://www.infoworld.com/d/security/4-reasons-badbios-isnt-real-230636">news pieces</a>. </div>
<div>
There are viable counterarguments to the doubters:</div>
<div>
<ol>
<li>Dragos has been providing some <a href="https://plus.google.com/103470457057356043365/posts/bop8ufrMp7s">disk images</a>, <a href="https://plus.google.com/photos/103470457057356043365/albums/5942264214202908273/5942264213021399442">spectral analysis</a> of the audio and other forensics data sources for analysis (although mostly to private, often unnamed sources). </li>
<li>It is possible that the code has been growing in complexity over time. And Dragos wasn't aware of the issue until later on.</li>
<li>Dragos runs the <a href="http://en.wikipedia.org/wiki/Pwn2Own">Pwn2Own</a> competition at CanSecWest. That, and his normal work (which presumably involved enough 0-day research to qualify him to start such a contest in the first place), might make him an interesting target for someone trying to acquire 0-days. </li>
</ol>
<div>
Interestingly, almost nobody seems to doubt that the individual components are possible. Now that I've summarized how we got here and what's been seen to date, I'm going to add some thoughts. </div>
</div>
</div>
<div>
<br /></div>
<div>
First, there were a LOT of skeptics when Stuxnet came out. I was one of the early people (late <a href="http://cyber-son.blogspot.com/2010/09/stuxnet-military-grade-scada-weapon.html">September 2010</a>) who embraced Ralph Langner's hypothesis (it seemed like the most obvious explanation given all the evidence). There were people speculating that the analysis was flawed, that it was really a ruse by the Russians or Chinese, etc. It turned out that the analysis was fine and the nefarious/advanced malware option was, in fact, the correct conclusion. There are lots of compelling research demonstrations in each of the areas postulated to date; the only really novel thing here (so far) would be that they are all combined into one VERY complex piece (or pieces) of code:</div>
<div>
<ul>
<li>Researchers at <a href="https://twitter.com/SiegeTech/statuses/400037106170343424">Siege Technologies</a> and <a href="http://www.heise.de/newsticker/meldung/Supertrojaner-BadBIOS-Unwahrscheinlich-aber-moeglich-2043114.html">academics in Germany</a> have demonstrated that covert channels over audio are possible, using near-ultrasonic frequencies and the ordinary speakers and microphones built into laptops. </li>
<li>BIOS <a href="http://news.techworld.com/security/3372954/researchers-proof-of-concept-malware-infects-bios-network-cards-without-trace/">infections</a> can provide persistence and are definitely <a href="https://www.blackhat.com/presentations/bh-usa-07/Heasman/Presentation/bh-usa-07-heasman.pdf">not new</a>. They just <a href="http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/playing-hide-and-seek-with-bios-implants">keep getting better</a> over time.</li>
<li>Proof of concept infections/reprogramming of Network cards (<a href="http://www.alchemistowl.org/arrigo/Papers/Arrigo-Triulzi-CANSEC10-Project-Maux-III.pdf">here</a> and <a href="http://esec-lab.sogeti.com/dotclear/public/publications/10-hack.lu-nicreverse_slides.pdf">here</a>) and <a href="http://www.pcworld.com/article/2050063/new-proof-of-concept-tool-detects-stealthy-malware-hiding-in-graphics-cards.html">video cards</a> have already been developed (and now people are publishing papers on how to catch them). One aspect of such low level attacks is they are impervious to disk replacement or BIOS reflashing and don't care about the version of the operating system. </li>
<li>Hypervisor attacks have been around <a href="http://en.wikipedia.org/wiki/Blue_Pill_(software)">for years</a>.</li>
<li>IPv6 is just a standard network protocol. Even if it is "disabled" in the OS configuration, the protocol code is still present on the host, and malware can drive it directly or bring its own stack.</li>
<li>USB sticks have been a well-known attack vector for years. In 2005 researchers at Black Hat showed that you could exploit the operating system's <a href="http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Barrall-Dewey.pdf">USB drivers</a> when plugging in a device. This was <a href="https://srlabs.de/blog/wp-content/uploads/2014/11/SRLabs-BadUSB-Pacsec-v2.pdf">shown again in 2014</a> with BadUSB, which moved the malicious code into the USB device's own firmware.</li>
<li>Malware has been sensing/reacting to <a href="http://www.securelist.com/en/analysis/204791949/The_evolution_of_self_defense_technologies_in_malware">evade detection</a> for years. </li>
<li>Multiple platforms can be handled many ways. One would be code residing on the BIOS or peripheral devices (NIC/Graphics/etc) as discussed in bullets above. Another would be motherboard/processor components such as the <a href="http://www.blackhat.com/presentations/bh-usa-09/TERESHKIN/BHUSA09-Tereshkin-Ring3Rootkit-SLIDES.pdf">AMT</a> / <a href="http://stewin.org/papers/dimvap15-stewin.pdf">manageability engine</a>. </li>
<li>For storage, people have used hard drives for ages. Given that the drive was replaced here, other approaches must be considered. Obviously, if the firmware of hardware components were reflashed (as described in the research papers above), that would provide persistence. Other research has shown that <a href="http://recon.cx/2013/slides/Recon2013-Josh%20Thomas-Hiding%20@%20Depth%20-%20Exploring%20%26%20Subvertion%20NAND%20Flash%20memory.pdf">NAND flash regions</a> marked as bad blocks can be used to hide data (of course, that would most likely be on the hard drive that was removed, but it could theoretically extend to the boot flash of other components). Others have discussed <a href="http://books.google.com/books?id=fDxg1W3eT2gC&pg=PA20&lpg=PA20&dq=intel+microcode+rootkit&source=bl&ots=e65XgABstB&sig=r2xFA7pQoR6pbX8Yu9lJDMT3CLc&hl=en&sa=X&ei=GFCCUvuOAomikQer_4HYDQ&ved=0CEUQ6AEwBA#v=onepage&q=intel%20microcode%20rootkit&f=false">since 2006</a> modifying the processor itself by abusing its ability to load microcode updates (of course, that's difficult given that microcode updates are cryptographically signed). McAfee filed for a <a href="http://www.google.com/patents/US20120254994">patent in 2011</a> to put security in at the microcode level.</li>
</ul>
</div>
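Since the audio channel is the capability people find hardest to believe, here is an added, runnable illustration (my own code, not the Siege or German implementations referred to above) of a near-ultrasonic covert channel in pure Python: binary frequency-shift keying with 18 kHz and 19 kHz tones, decoded with a Goertzel filter. The "room" is simulated with constructed Gaussian noise; feeding the sample list to a sound card and reading it back from a microphone is the only thing missing.

```python
"""Added illustration: a near-ultrasonic acoustic covert channel.

Binary FSK: bit 0 -> 18 kHz tone, bit 1 -> 19 kHz tone, 10 ms per bit.
Pure Python (no numpy). 18-19 kHz is above what most adults can hear but
well within the range of ordinary laptop speakers and microphones.
"""
import math
import random

SAMPLE_RATE = 48_000
F0, F1 = 18_000.0, 19_000.0
SYMBOL_SAMPLES = 480   # 10 ms -> 100 bit/s; both tones land on exact DFT bins


def goertzel_power(samples, freq):
    """Energy at one frequency (Goertzel algorithm): cheap enough per symbol."""
    w = 2.0 * math.pi * freq / SAMPLE_RATE
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def modulate(data: bytes):
    """Speaker side: one tone burst per bit, MSB first."""
    samples = []
    for byte in data:
        for i in range(7, -1, -1):
            freq = F1 if (byte >> i) & 1 else F0
            samples.extend(math.sin(2.0 * math.pi * freq * n / SAMPLE_RATE)
                           for n in range(SYMBOL_SAMPLES))
    return samples


def demodulate(samples) -> bytes:
    """Microphone side: decide each symbol by which tone carries more energy,
    then pack bits back into bytes (assumes the receiver is symbol-aligned)."""
    bits = []
    for start in range(0, len(samples) - SYMBOL_SAMPLES + 1, SYMBOL_SAMPLES):
        chunk = samples[start:start + SYMBOL_SAMPLES]
        bits.append(1 if goertzel_power(chunk, F1) > goertzel_power(chunk, F0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def add_noise(samples, sigma, seed=0):
    """Constructed channel noise (Gaussian, deterministic seed) standing in
    for the room, the speaker and the microphone."""
    rng = random.Random(seed)
    return [x + rng.gauss(0.0, sigma) for x in samples]


if __name__ == "__main__":
    message = b"airgap?"
    received = demodulate(add_noise(modulate(message), sigma=0.5))
    print(received)   # same bytes back after a noisy trip through the 'room'
```

At 100 bit/s the channel is slow but plenty for beacons, keys or commands; the published research ran at tens of bits per second over several metres. The defence is as mundane as the attack: physically disable or unplug the microphone and speakers on an air-gapped box, or filter audio input above the voice band.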
<div>
So to summarize:<br />
<ul>
<li>The lack of third-party confirmation means that much of what is "suspected" is probably not "actual". The very definition of suspected means that confirmation is missing. </li>
<li>Nothing that has been suggested as a possibility is theoretically new, although the practical deployment of a robust tool might be novel. </li>
<li>Certainly the integration of all of those capabilities would be very novel. The combination of even three quarters (or maybe even half!) of the alleged capabilities would put it on par with or ahead of <a href="http://cyber-son.blogspot.com/2010/09/stuxnet-military-grade-scada-weapon.html">Stuxnet</a>. </li>
<li>Knowledge of capabilities and threats can certainly induce paranoia, especially in a field that advocates it as a <a href="http://www.computerweekly.com/feature/Why-paranoia-is-good">desirable property</a>. </li>
</ul>
<div>
Personally, I think it's likely that there have been a few nefarious things on the network, some of which are gone. As a result of that absence, significantly advanced properties are suspected instead of assuming that the attack was transient. I remember the significant challenges I had troubleshooting a random hard crash my system was experiencing. A mistake in malware that was exploiting hardware was definitely one of my concerns... but nothing I did could identify a problem. It turned out, after I turned to outside help, that it was temperature: the fans were going and it was simply overheating.<br />
<br />
Seems obvious now, but the complete absence from logs, the random behavior, and the persistence despite testing and replacement of hardware had led me to some interesting possibilities that were theoretically possible but unlikely. Might be the same thing going on here. [Update: Turns out that's exactly what it was. Dragos came out and said <a href="https://twitter.com/dragosr/status/404460546977562624">he was incorrect</a>. Looks like he was just overly paranoid and hadn't spent enough time looking at all the weird OS things that happen under the hood. His knowledge led him to unlikely but possible nefarious causes instead of a simpler answer.]</div>
<div>
<br /></div>
<div>
It's really hard to do forensics when you don't have a position of trust: when you don't know what's good or bad, and when those beliefs keep getting disrupted because you don't have consistent data or records. Doing complex analysis in isolation is a bad idea; crowdsourcing is a great approach to this sort of problem (with data provided, of course; here everyone was crowdsourcing opinions!).<br />
<br />
It's also been interesting to see the community awaken to the possibility of these academic, proof-of-concept attacks existing in the wild. Much like the snarky reactions to Stuxnet, most don't believe these would ever occur in the "real world". But most of the techniques discussed in this post and around badBIOS date back to the mid-2000s, and probably even earlier in less obvious forums (obscure blogs, email lists, IRC, etc.). There's nothing new under the sun, and yesterday's research will be today's proof of concept... and tomorrow's operational code.<br />
<br />
[November 2014: Updated to include Dragos saying he was wrong, just overly paranoid, #badBIOS USB firmware publications, and MITRE's BIOS implant work]</div>
</div>
Jason Syversenhttp://www.blogger.com/profile/02286897339381321030noreply@blogger.comtag:blogger.com,1999:blog-9143715059946195737.post-76867801912238576072013-02-11T17:30:00.002-05:002016-04-27T15:31:07.551-04:00Cyber-espionage tool - Gauss[Note: This post was written in August 2012 but I never finished it to my satisfaction, so it didn't get posted. I'm posting it now because I loved this font signaling trick and wanted to write about it. One advantage of posting six months later is that I can report on what was found after six months of analysis; see below.]<br />
<br />
Kaspersky has been spearheading a rash of discovery and analysis of advanced cyber-espionage tools that they (and others) attribute to nation-states. Stuxnet broke ground in 2010, and eventually even the hardened skeptics admitted it was state sponsored; then came Duqu, Flame and now <a href="http://www.wired.co.uk/news/archive/2012-08/13/gauss-virus-detection">Gauss</a> this summer.<br />
<br />
I didn't write about them, as multiple people have covered these topics at length; I'm pretty confident things are nearing saturation when my wife mentions them to me. But a couple of things are interesting. First, it seems that either nation states are getting more active in this space, or AV companies are getting better at detecting them. I'm curious which it is. Second, Gauss demonstrated that its authors learned from at least some of Stuxnet's mistakes. Of particular interest to me was their use of an encrypted payload whose key is derived from the target's system configuration, so the payload cannot be decrypted without knowing that configuration. (Stuxnet, by contrast, used plain conditionals: its target checks compared observable configuration against hard-coded values, so analysts could read the trigger conditions straight out of the code.) I'd considered this possibility six years ago when learning about ABE (Attribute Based Encryption), which lets the implementer make decryption depend on attributes of the recipient; here the attributes are fed through a one-way function instead. In the case of Gauss, they simply hashed the %PATH% environment string together with the name of a directory under %PROGRAMFILES%, so analysts don't know which values are necessary to unlock the encrypted payload and are left guessing them.<br />
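As an added illustration of the idea (my own code; Gauss's actual primitives, salt and exact attribute encoding are not assumed here), the key is an iterated hash over the %PATH% string and a Program Files directory name, the dropper recognises the right key through a check value, and anyone without the right attributes gets nothing. The PATH values and directory names below are constructed.

```python
"""Added illustration of a payload keyed to the victim's configuration.

Not Gauss's code: it uses the same idea (derive the key from host attributes,
iterate a hash so guessing is slow, and ship a check value so the dropper can
tell when it has the right key) with SHA-256 and an HMAC counter-mode
keystream standing in for whatever primitives the real sample used.
"""
import hashlib
import hmac

ROUNDS = 10_000   # illustrative work factor per guess


def derive_key(path_env: str, progfiles_dir: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Key = iterated salted hash over attributes only the intended host has."""
    material = path_env.encode("utf-16-le") + b"\x00\x00" + progfiles_dir.encode("utf-16-le")
    key = salt + material
    for _ in range(rounds):
        key = hashlib.sha256(salt + key).digest()
    return key


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: enough bytes to XOR over the payload."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_payload(plaintext: bytes, path_env: str, progfiles_dir: str, salt: bytes) -> dict:
    """Operator side: they know the target's environment, so they can derive the key."""
    key = derive_key(path_env, progfiles_dir, salt)
    return {
        "salt": salt,
        "check": hmac.new(key, b"key-check", hashlib.sha256).digest(),
        "ciphertext": xor_bytes(plaintext, keystream(key, len(plaintext))),
    }


def try_unlock(bundle: dict, path_env: str, candidate_dirs):
    """Dropper side: try each directory name found under %PROGRAMFILES% on this
    host; the check value says when the key is right without revealing the inputs."""
    for name in candidate_dirs:
        key = derive_key(path_env, name, bundle["salt"])
        probe = hmac.new(key, b"key-check", hashlib.sha256).digest()
        if hmac.compare_digest(probe, bundle["check"]):
            return xor_bytes(bundle["ciphertext"], keystream(key, len(bundle["ciphertext"])))
    return None   # wrong host: the payload stays opaque, which is all an analyst sees


if __name__ == "__main__":
    target_path = r"C:\Windows\system32;C:\Windows;C:\Program Files\Example Corp\Agent"
    bundle = build_payload(b"stage-2 module bytes", target_path, "Example Corp", b"\x13\x37")
    print(try_unlock(bundle, target_path, ["Common Files", "Example Corp"]))   # decrypts
    print(try_unlock(bundle, r"C:\Windows\system32", ["Example Corp"]))        # None
```

An analyst who has only the binary must enumerate plausible PATH strings and directory names and pay the full round count for every guess, which is why a payload built this way resists analysis far better than a payload gated by a readable conditional.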
<br />
Another interesting feature of Gauss is its installation of a custom font called Palida Narrow.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigf_UXL32y5Q3sm_yuMBOkOzECT8dI-CCPdfhfbAs7K7-q_LML3brlVkvLQyBEJGSu_k4OL5huvRabzv0ouZxzBRVUa56sygn5QpIVkS8A3aXURHMWGUAtZXmvFyfB8xpwrq022B1U0PVQ/s1600/great2012_pic15s.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="197" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigf_UXL32y5Q3sm_yuMBOkOzECT8dI-CCPdfhfbAs7K7-q_LML3brlVkvLQyBEJGSu_k4OL5huvRabzv0ouZxzBRVUa56sygn5QpIVkS8A3aXURHMWGUAtZXmvFyfB8xpwrq022B1U0PVQ/s320/great2012_pic15s.png" width="320" /></a></div>
<br />
Kaspersky had no idea why it was installed. But the researchers at Crysys have some good hypotheses:<br />
<br />
<blockquote class="tr_bq">
One possibility is that there are other components using Palida for some reasons. E.g., tricking with some characters on web pages to hide alerts, or similar, not really clear operations.<br />
A very far-fetched idea is that Gauss uses the font for printed material. It actually tricks some parts of the system to substitute fonts with Palida, so any prints will contain Palida. Later, printed documents could be identified by looking on the tiny specialities of the font.<br />
A third, and more probable idea is that Palida installation can be in fact detected remotely by web servers, thus the Palida installation is a marker to identify infected computers that visit some specially crafted web pages.</blockquote>
<br />
They go on to document how web developers could use CSS style sheets to determine whether a font is installed on a system. If the browser discovers it doesn't have the font locally, it can be directed to a URL to retrieve the font file. By hosting that URL on a site the attacker controls, they can determine whether a given visiting system has Gauss installed. A <a href="http://blog.crysys.hu/2012/08/on-the-palida-narrow-mystery-of-gauss-malware-and-possible-remote-detection/">writeup with code is provided on the Crysys page</a>.<br />
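The same mechanism works in the defender's favor: an incident response team can host a check page on its own server and read the access log to find hosts that carry the marker font. The added example below (not code from the post or from the Crysys writeup) shows the <code>@font-face</code> rule that makes the trick work, with a <code>local()</code> source listed before the download URL so only browsers that lack the font ever request the probe file, and then runs the classification over a few constructed Common Log Format lines. The paths <code>/fontcheck.html</code>, <code>/fontcheck.css</code> and <code>/fonts/palida-probe.woff</code> and the sample IPs are assumptions.

```python
import re
from collections import defaultdict

# Added example, not code from the post or from the Crysys writeup it links.
# Scenario: an incident response team hosts a check page on its own web server.
# The style sheet declares the marker font with a local() source first and a
# download URL second, so only browsers that do NOT already have the font
# installed ever request the probe file.
CHECK_CSS_RULE = """
@font-face {
  font-family: "Palida Narrow";
  src: local("Palida Narrow"), url("/fonts/palida-probe.woff");
}
body { font-family: "Palida Narrow", sans-serif; }
"""

CHECK_PAGE = "/fontcheck.html"          # assumed paths on the check server
CHECK_CSS = "/fontcheck.css"
PROBE_FONT = "/fonts/palida-probe.woff"

# Constructed log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Aug/2012:10:01:02 -0400] "GET /fontcheck.html HTTP/1.1" 200 512
10.0.0.5 - - [13/Aug/2012:10:01:02 -0400] "GET /fontcheck.css HTTP/1.1" 200 180
10.0.0.5 - - [13/Aug/2012:10:01:03 -0400] "GET /fonts/palida-probe.woff HTTP/1.1" 200 4096
10.0.0.9 - - [13/Aug/2012:10:02:10 -0400] "GET /fontcheck.html HTTP/1.1" 200 512
10.0.0.9 - - [13/Aug/2012:10:02:10 -0400] "GET /fontcheck.css HTTP/1.1" 304 -
10.0.0.23 - - [13/Aug/2012:10:03:44 -0400] "GET /fontcheck.html HTTP/1.1" 200 512
10.0.0.23 - - [13/Aug/2012:10:03:44 -0400] "GET /fontcheck.css HTTP/1.1" 404 209
10.0.0.23 - - [13/Aug/2012:10:03:45 -0400] "GET /favicon.ico HTTP/1.1" 404 209
this line is deliberately malformed and must be skipped
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(lines):
    """Yield one dict per well-formed CLF line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
        yield rec


def _served(status: int) -> bool:
    # 2xx means the resource was delivered; 304 means the client already had it
    # cached, which still proves it fetched the resource at some point.
    return 200 <= status < 300 or status == 304


def classify_clients(lines):
    """Map each client that loaded the check page to a verdict.

    font-absent  : page, CSS and probe font all fetched (no marker font)
    font-present : page and CSS fetched but the probe never requested, so the
                   browser satisfied the font from local(); investigate host
    inconclusive : CSS never loaded, so a missing probe fetch proves nothing
    """
    fetched = defaultdict(set)
    for rec in parse_log(lines):
        if rec["method"] == "GET" and _served(rec["status"]):
            fetched[rec["host"]].add(rec["path"])
    verdicts = {}
    for host, paths in fetched.items():
        if CHECK_PAGE not in paths:
            continue
        if CHECK_CSS not in paths:
            verdicts[host] = "inconclusive"
        elif PROBE_FONT in paths:
            verdicts[host] = "font-absent"
        else:
            verdicts[host] = "font-present"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:<12} {verdict}")
```

Treat a <code>font-present</code> verdict as a lead to confirm on the host rather than proof: a browser that blocks web fonts, a proxy that serves the probe from cache, or a page load that never got as far as applying the style sheet also produces no probe request, which is why the classifier insists on seeing the CSS fetch before drawing any conclusion.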
<br />
Another possibility is that the font is inserted to create a vulnerability that provides a backdoor into the system. <a href="http://www.computerworld.com/s/article/9140688/Hackers_will_exploit_Windows_kernel_bug_researchers_say">Fonts have been used in attacks in the past</a>, so this could just be another opportunity for future access. More specifically, the <a href="http://www.computerworld.com/s/article/9221498/Duqu_exploits_same_Windows_font_engine_patched_last_month_Microsoft_confirms">TrueType font DLL was exploited by Duqu</a>, which is alleged to have been developed by the same people that developed Gauss due to their architectural similarities.<br />
<br />
[Feb, 2013] The Wired article <a href="http://www.wired.co.uk/news/archive/2012-08/13/gauss-virus-detection">I linked to describing Gauss</a> says that both Kaspersky and Crysys believe that signaling was the intent, and I agree that is clearly most likely. Given the targeted, sensitive nature of the attack, the limited number of machines it was on (and the lessons learned from Stuxnet landing in all sorts of unintended locations), and the fact that nobody has identified (or at least reported) a vulnerability resulting from Palida, signaling just makes sense. Easy to check, subtle, and useful.<br />
<br />
As of August 15th the Internet traffic on Gauss dropped significantly, and people were recognizing they had a serious, <a href="https://www.securelist.com/en/blog/208193781/The_Mystery_of_the_Encrypted_Gauss_Payload">unsolved mystery</a> on their hands and were setting out to crack it. An <a href="http://www.zdnet.com/gauss-malware-my-take-on-its-mystery-components-7000003894/">article on ZDNet</a> in September points out it still hadn't been cracked. In December <a href="http://www.securelist.com/en/blog/208194061/Hashcat_s_GPU_accelerated_Gauss_encryption_cracker">they posted about a cracking tool</a> targeting the MD5 hash used to protect the payload decryption targeting/fingerprinting module. (Which incidentally runs MD5 10,000 times... not surprising it hasn't been broken yet!)<br />
<br />
February 5, 2013 the cracking tool was updated to a new version (see <a href="https://hashcat.net/oclGaussCrack/">history here</a>) and there was no information indicating anything other than a complete stonewall. (They still haven't cracked the encrypted payload or identified what the font is used for.)<br />
<br />
[May 7, 2013] The Infosec Institute has a <a href="http://resources.infosecinstitute.com/gauss-between-technology-and-politics/" target="_blank">nice writeup</a> on Gauss (I found it because they reference this blog post) that covers some aspects I didn't describe.<br />
<br />
<b>Air Force Electronic Attack and Cyber</b> (Jason Syversen, 2012-03-26, updated 2017-04-19)<br />
<div class="tr_bq">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM15gmEpoapYHJmk8uQr9MSQSH1omKZiCg29MaXVoaSnNYepqFiGbCenlhkA6ecSuyZ-gYlGX_1ewPMmMerZZnlcr6o83GUWcsdTc3JATxJo2i6bkolHw89IKE-TXzLn9x79QifbogXvkR/s1600/JSF.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM15gmEpoapYHJmk8uQr9MSQSH1omKZiCg29MaXVoaSnNYepqFiGbCenlhkA6ecSuyZ-gYlGX_1ewPMmMerZZnlcr6o83GUWcsdTc3JATxJo2i6bkolHw89IKE-TXzLn9x79QifbogXvkR/s320/JSF.jpg" width="320" /></a></div>
Good article on <a href="http://www.aviationweek.com/aw">Aviation Space and Week</a> a few days ago that I had to share. Not surprisingly, it was written by <a href="http://www.aviationweek.com/aw/community/persona/index.jsp?newspaperUserId=29473&plckUserId=29473">David Fulghum</a>, who wrote <a href="http://cyber-son.blogspot.com/2011/06/navy-electronic-attack-and-cyber.html">several</a> <a href="http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/CYBER052109.xml">other</a> articles in the past that I've referenced in the IW area. He does a great job finding interesting, unclassified stuff to write about in the DoD and IO/IW/EW community activities, although it is not always easy to substantiate. </div>
<br />
The article quotes several senior AF executives describing aircraft-oriented attack technologies by the USAF and other countries (namely China and Russia). I'll quote them below:<br />
<blockquote>
The Air Force is pursuing “cyber-methods to defeat aircraft,” Gen. Norton Schwartz, the service’s chief of staff, told attendees at the 2012 Credit Suisse and McAleese Associates Defense Programs conference in Washington March 8. But Lt. Gen. Herbert Carlisle, the deputy chief of staff for operations, says the same threat to U.S. aircraft already is “out there.”<br />
Ashton Carter, deputy secretary of defense, is pushing both offensive and defensive network-attack skills and technology. “I’m not remotely satisfied” with the Pentagon’s cyber-capabilities, Carter says.<br />
“The Russians and the Chinese have designed specific electronic warfare platforms to go after all our high-value assets,” Carlisle says. “Electronic attack can be the method of penetrating a system to implant viruses. You’ve got to find a way into the workings of that [target] system, and generally that’s through some sort of emitted signal.”<br />
The Chinese have electronic attack means — both ground-based and aircraft-mounted — specifically designed to attack E-3 AWACS, E-8 Joint Stars and P-8 maritime patrol aircraft, he says.</blockquote>
Interesting comments. First, that they are really interested in "cyber methods to defeat aircraft". Second, that he would think stating that goal at the Credit Suisse and co. conference was a good idea. Third, that Ash Carter's not "remotely satisfied" with our cyber capabilities. And fourth, that Herbert Carlisle claims the Russians and Chinese have already designed platforms to attack "all our high value assets".<br />
<br />
The article goes on to rehash earlier claims regarding USAF airborne attack capabilities. <a href="http://en.wikipedia.org/wiki/Main_Page">Wikipedia</a> summarizes those, using the three previously mentioned articles from Aviation Space and Week and two others, <a href="http://en.wikipedia.org/wiki/Suter_%28computer_program%29">here</a>. There are two even more detailed articles on the topic in Air Force Technology, mostly expanding on the events in Syria, that I'd not seen before. You can find part one <a href="http://www.airforce-technology.com/features/feature1625/">here</a> and part two <a href="http://www.airforce-technology.com/features/feature1669/">here</a>. <br />
<br />
While reading Fulghum's article I also read a couple of new ones he wrote on NGJ, including a focus on autonomous platforms and info on weapons/AESA radars. I updated my <a href="http://cyber-son.blogspot.com/2011/06/navy-electronic-attack-and-cyber.html">Navy Airborne Electronic Attack post</a> accordingly.<br />
<br />
It all reminds me of that saying, "<a href="http://en.wikipedia.org/wiki/May_you_live_in_interesting_times">May you live in interesting times</a>." I'd say that's accurate and only accelerating!<br />
<br />
<b>Army Cyberwarfare R&D</b> (Jason Syversen, 2012-03-15)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://upload.wikimedia.org/wikipedia/commons/1/13/I2wd_logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://upload.wikimedia.org/wikipedia/commons/1/13/I2wd_logo.jpg" width="320" /></a></div>Just ran across this <a href="http://www.fedtechmagazine.com/article/2011/08/taking-offense">interesting article</a> from August of 2011 with Giorgio Bertoli, the Army's <a href="http://www.cerdec.army.mil/directorates/i2wd.asp">I2WD </a>Offensive Information Operations Branch Chief. Some highlights:<br />
<blockquote class="tr_bq">There are few specifics Bertoli can provide about his work because so much of it is classified. But the primary goal of cyber warfare, he explains, is to provide warfighters with a non-kinetic means of striking enemies without permanently destroying infrastructure. The second goal is to disrupt, deny and degrade enemy operations and prevent them from strategizing and communicating. </blockquote><blockquote class="tr_bq">His team, which consists of 20 government engineers and support contractors, uses software-defined radio, electronic warfare, signals intelligence and other technologies to help build what the Army refers to as its future force. <br />
"Just like a handgun versus a Howitzer," he says, "there's a whole spectrum of tools."</blockquote> To give an example of some of those approaches, <a href="http://usacac.army.mil/cac2/cew/repository/presentations/11_Bertoli_C4ISR_Symposium_%28Sep2008%29.pdf">here's a good presentation</a> he gave at the C4ISR conference that's worth a review. In it, he highlights the differences between CNO (Computer Network Operations) and EW (Electronic Warfare) and the pros and cons of each. <br />
<br />
Some other comments from the article:<br />
<blockquote class="tr_bq">Unlike kinetic warfare, in which one weapon potentially can thwart multiple enemies — "a bullet is a bullet," Bertoli notes — cyber-warfare typically requires a family of tools. For instance, what works on one particular waveform or network may not work on another. </blockquote><blockquote class="tr_bq">"So now you have this huge toolbox. How do you manage that? How do you train somebody to be proficient in them?" Bertoli asks. It would be akin to teaching soldiers to use a different gun for each enemy. His team at CERDEC is working to create a common look and feel for cyber tools so they're easy to learn, and to develop a common framework so developers don't have to start from scratch with each weapon. </blockquote>That reminded me of a solicitation his group put out back in 2009 asking industry for technologies. I went online to see what ideas they were asking industry to provide and found that, as of Feb 2012, it's the same BAA from 2009. The document is available on the Army site <a href="https://acquisition.army.mil/asfi/sol_attachment_viewer.cfm?psolicitationnbr=W15P7T09RS152&FILE_NAME=W15P7T%2D09%2DR%2DS152BAA%2Edoc&ext=%20%28.doc%29&isXML=N">here</a>, and has lots of fun stuff for all the hackers out there. I won't include all of it for brevity, but here's what is listed under Computer Network Operations:<br />
<blockquote class="tr_bq">CNE and CNA support shall include but not be limited to:</blockquote><ul><li>Network discovery and mapping tools capable of operating in a relatively low bandwidth tactical environment and avoid or circumvent network/host-based IDS </li>
<li>Destroy, disrupt, deny, deceive, degrade, delay, target, neutralize, or influence threat information system networks and their components, and Threat C4-ISR systems and nodes and other battlefield communications and non-communications systems</li>
<li>Understand various types of tactics, technologies, and tools used to perform CNO.</li>
<li>Vulnerability identifications and testing of both wired and wireless networks </li>
<li>Techniques that can be used to find and route communications data through predefined path (accessible route) or to a particular location (cooperative nodes) </li>
<li>Methods for performing both distributed and coordinated CNO missions </li>
<li>Non-Access dependent CNO technique R&D </li>
<li>Identification, capture and manipulation techniques for data in transit. </li>
<li>Stealthy, real time, precise (within one meter) geographic location and mapping of Threat/adversary logical networks and their components. This includes, but is not limited to the following:
<ul>
<li>Individual work stations, terminals, and/or PCs, either networked or stand alone</li>
<li>Computer networks of any scale (both wired and wireless)</li>
<li>Virtual Private Networks (VPNs) (both wired and wireless)</li>
<li>Computer network components (local and/or backbone)</li>
<li>Displays</li>
<li>PCS and other commercially available wireless device types</li>
<li>Government owned or managed private communications networks (military or non-military)</li>
<li>Trunked Mobile systems or other networked commercially available communications systems</li>
<li>Telecommunications equipment (e.g., Private Branch Exchange (PBXs), corded and cordless phones)</li>
<li>Cryptographic components</li>
<li>Other peripheral components</li>
</ul></li>
<li>Stealthy, non-cooperative access to logical networks and their components, that overcome threat/adversary best attempts to protect such networks and components. Proposals submitted under this sub-topic shall specify both hardware and software protection measures forming the basis of the target network environment</li>
<li>Stealthy, non-cooperative access to RF devices, communications networks and their network components, non-communications networks and their components, and other RF-centric networks and their components, to develop revolutionary TTPs that overcome threat/ adversary best attempts to protect such networks and components. Proposals submitted under this sub-topic shall specify both the hardware and software protection measures forming the basis of the target network environment</li>
<li>Stealthy, non-cooperative network discovery software tools, countermeasure capabilities and TTPs that overcome threat/adversary best information assurance/protect measures. Proposals submitted under this sub-topic shall specify both hardware and software protection measures forming the basis of the target network environment</li>
<li>Stealthy, non-cooperative network characterization tools and TTPs that overcome threat/adversary best information assurance and protection measures. Proposals submitted under this sub-topic shall specify both hardware, software, and protocol or transmission protection measures forming the basis of the target network environment</li>
<li>Stealthy logical network exploitation and/or countermeasure software schemes and TTPs capable of surgically inserting intelligent software agents into threat/ adversary logical networks, regardless of protocols in use or available</li>
<li>Stealthy intelligent software agents and TTPs for exploitation and countermeasures of threat/adversary logical networks, and other network-centric networks and their components, and/or Command and Control networks and their components.</li>
<li>Stealthy component mapping of logical networks and location data correlation and deconfliction with other all-source intelligence data </li>
</ul><div style="text-align: left;">TTP is Tactics, Techniques, and Procedures for the uninitiated. They also have sections talking about their interest in a CNO framework, software agents, and EW/IW techniques.<br />
<br />
If anyone has ideas in those areas, they have submission information on <a href="https://acquisition.army.mil/asfi/solicitation_view.cfm?psolicitationnbr=W15P7T09RS152">their acquisition page</a>. Not anywhere near as user-friendly as <a href="http://www.darpa.mil/">DARPA</a>'s <a href="http://cft.usma.edu/">Cyber Fast Track</a> (CFT), and I'm confident they won't be as quick either. It's not been as well advertised though, so I'm sure they'd love to hear from some innovative people out there interested in building cyber tools. Sounds like fun!</div>
<br />
<b>0-days and cowboys</b> (Jason Syversen, 2012-02-16, updated 2016-09-23)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_tOtnNIwOSruSvz4VedGtdyQ5IVW97vwFyKwix-MdbKwz9Z0dMtQQ_mdU4Uhl-o-nBVLyfFcsS1l8FQSQiEUR7NoWQZ6F3NAu2VXhRmIXVRu6Mkfj7Wdg-AV1HvTct857U8a4CE8EeZ4u/s1600/Cowboy+Hat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_tOtnNIwOSruSvz4VedGtdyQ5IVW97vwFyKwix-MdbKwz9Z0dMtQQ_mdU4Uhl-o-nBVLyfFcsS1l8FQSQiEUR7NoWQZ6F3NAu2VXhRmIXVRu6Mkfj7Wdg-AV1HvTct857U8a4CE8EeZ4u/s320/Cowboy+Hat.jpg" width="320" /></a></div>
(I post most of the stuff I see on <a href="https://twitter.com/jsyversen" target="_blank">Twitter</a> now, it's such a seamless way to share information. But I just wrote a long post and thought this article was funny/worth mentioning) <br />
<br />
In February 2012, Chris Soghoian <a href="http://www.zdnet.com/article/0-day-exploit-middlemen-are-cowboys-ticking-bomb/" target="_blank">called for</a> "reining in" the 0-day researchers and adding regulations or other mechanisms to prevent people from buying/selling "weaponized exploits". He also <a href="http://www.zdnet.com/blog/security/0-day-exploit-middlemen-are-cowboys-ticking-bomb/10294">calls people cowboys and a "ticking bomb"</a>, which I think is a bit FUD-oriented. His basic theme, that there's a large, opaque market that could go wrong some day, is generally a legitimate point (I was surprised how fast/loose people could be there), but I'm not sure how on earth legal restrictions would be constructed to address that effectively. The biggest problem out there now is the lack of transparency and trust between buyers and sellers... if it were brought to light, buyers like Google and Facebook could continue to improve their products, commercial vendors could get what they are looking for, and researchers could be paid for their work. Hard to picture some senator effectively putting that into legislation or some regulation...<br />
<br />
Some questions that come to mind:<br />
<ul>
<li>Who would define what an exploit is? Does it matter if it's "weaponized" or not? What, exactly, is he proposing to ban/regulate?</li>
<li>Who defines what is legitimate or not? If the FBI wanted to buy one to compromise some mafia machine, is that OK with him? Or it was a government? </li>
<li>Is Metasploit/<a href="http://www.rapid7.com/">Rapid7</a> bad? Isn't that what <a href="http://www.metasploit.com/">Metasploit</a> is, a "weaponized exploit" framework? What about <a href="http://immunityinc.com/products-canvas.shtml">Canvas</a> and all the other penetration testing tools?</li>
<li>If Congress can't even figure out how to regulate copyright violations without <a href="http://wordpress.org/news/2012/01/help-stop-sopa-pipa/">breaking the Internet</a>, who on earth would even dream of suggesting they wade into a domain that's significantly more complex? </li>
<li>His concern that Anonymous was going to hack some organization that bought an exploit, and use it, is just a little silly. If they are able to hack into the organization that's buying "weaponized exploits" in the first place, it's pretty likely they don't need much help to wreak havoc. </li>
</ul>
Can't spend too much time on silly suggestions or poorly thought out ideas in our community as you'd have a new full time job, but some deserve to be called out! Doesn't mean thoughtful dialog on how to improve the situation isn't useful (one could argue, necessary!) but adding FUD to the mix isn't helpful.<br />
<br />
[Sep 2016 Update] Sounds like the US State Department and the Wassenaar Arrangement folks agreed with his argument and proposed some disastrous rules making penetration testing and research tools export controlled. (So if you go to Black Hat and present on some new vulnerability with a POC and foreigners are in the audience, you could be fined or go to jail!) Rapid7 has a politically correct writeup about <a href="https://community.rapid7.com/community/infosec/blog/2016/03/18/wassenaar-arrangement-recommendations-for-cybersecurity-export-controls" target="_blank">some of the issues</a>. And of course Dave Aitel was writing about it non-stop through the process on his <a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">mailing list</a> and cyber security <a href="https://cybersecpolitics.blogspot.com/" target="_blank">policy blog</a>. <a href="https://cybersecpolitics.blogspot.com/2016/01/will-there-be-zombie-wassenaar-rule.html" target="_blank">Fortunately the Wassenaar rules died</a>, although I'm sure they will return <a href="https://cybersecpolitics.blogspot.com/2016/01/will-there-be-zombie-wassenaar-rule.html" target="_blank">again in some other form</a>, just like Internet regulations have.<br />
<br />
<b>Starting a defense-focused cyber technology company</b> (Jason Syversen, 2012-02-16, updated 2012-03-15)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://www.siegetechnologies.com/wp-content/uploads/2010/05/SiegeTechnologiesLogo1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.siegetechnologies.com/wp-content/uploads/2010/05/SiegeTechnologiesLogo1.jpg" /></a></div><br />
My posting frequency seems to have declined precipitously, both due to busyness and the usefulness of <a href="http://www.twitter.com/">Twitter</a> to share interesting technical news/articles. (If you're not already on you should be!)<br />
<br />
<br />
Thought I'd write an article about what I've learned while starting <a href="http://www.siegetechnologies.com/">Siege Technologies</a>. I started the company in 2009 with my friend Sam Corbitt, who I'd known since I was a rookie engineer. 2011 was another successful year and we continue to grow at a great pace. That growth has been exciting but definitely limits my ability to write up interesting stuff as much as I'd like. Still, the experience might be interesting to read about for those contemplating a similar move (you know who you are!), or who started down the path recently (Hello <a href="http://www.digitaloperatives.com/">Digital Operatives</a>, <a href="http://www.apogee-research.com/">Apogee Research</a>, <a href="http://www.exceptiontech.com/">Exception Technologies</a>, and <a href="http://www.trailofbits.com/">Trail of Bits</a>!) <br />
<br />
<br />
One of the principles behind the company was to implement what <a href="http://www.jimcollins.com/index.html">Jim Collins</a> calls the <a href="http://www.jimcollins.com/books/g2g-ss.html">Hedgehog Concept</a>. That is, figure out what you are passionate about, what you can be the best at, and whether there is a market for that skill. Find the intersection of those factors and focus exclusively on that. So many times when I was at <a href="http://www.darpa.mil/">DARPA</a> I would be approached by business development types from companies (who I will leave nameless to protect the guilty!) and I would ask them that question: "What are you the best at?", or "When I think of x, I should think of you guys." Far too frequently they either couldn't answer or would smile coyly and say "We're good at whatever you want us to be good at!"<br />
<br />
At the same time, I saw (mostly small) companies that focus on excellence getting snapped up. SI Government Solutions <a href="http://www.nytimes.com/2009/05/31/us/31cyber.html?pagewanted=all">got bought</a> by <a href="http://www.raytheon.com/capabilities/products/cybersecurity/index.html">Raytheon</a>. <a href="http://www.govcomm.harris.com/crucial/">Crucial Security</a> was snapped up by Harris. I'd already watched <a href="http://www.ravenwing.com/">Ravenwing</a> bought by <a href="http://www.boeing.com/">Boeing</a> and saw first hand <a href="http://www.baesystems.com/Newsroom/NewsReleases/2004/press_05112004.html">Alphatech</a> acquired by <a href="http://baesystems.com/ait">BAE SYSTEMS</a>. And there were many others. Most of the big companies wanted more "cyber" in their lives and often didn't really know how to build it from a technical perspective (or, what to do when you had it on your hands!) Some tried hiring people with "cyber" on their resume or buying any company that had computer & security somewhere in their capabilities description. (Raytheon dominated the acquisition field though, going from practically no real capability to owning SI Govs, <a href="http://www.pikewerks.com/">Pikewerks</a>, <a href="http://www.bbn.com/">BBN</a>, <a href="http://www.tekassoc.com/index.htm">Tek Associates</a> all in a couple of years, an impressive run! Unfortunately they scattered them across competing business units, a problem that big firms encountered - not unique to them!)<br />
<br />
<br />
Simultaneously, these and other companies were bought and integrated while new, innovative firms were birthed and the natural corporate life cycle continued. Siege was formed to concentrate on innovative technology development to solve cyber/CNO/computer security problems. We would aspire to be the best in the country at low level computer security technologies. To build those, we'd integrate hacker type software engineers/researchers with PhD-style researchers who can still implement technical solutions. Our team would focus on supporting government and commercial customers looking for advanced technical solutions.<br />
<br />
<br />
To be the best, we had to have some unique advantage, or a unique combination of advantages. I decided to combine a focus on talent (and provide a corporate culture to enable recruitment and retention of said talent) with a focus on idea generation/innovation, customer support and corporate flexibility. We were originally going to be in two places, Boston (actually the nice and much less crowded suburb of <a href="http://en.wikipedia.org/wiki/Manchester,_New_Hampshire">Manchester, NH</a>!) and DC, but also opened up an office in Rome, NY because of a really talented guy I respected who wanted to join but didn't want to move.<br />
<br />
We put a lot of stuff in place (benefits, bonuses, recruitment avenues, etc.) to support bringing in great engineers and scientists. We turned down lots of work that wasn't centered around R&D (IT security, software development, etc.) to maintain our focus on innovation and high end talent. We turned down work that was R&D, but out of our "swim lane", to maintain our focus on cyber security. We really encourage new idea creation, both as a culture and as a business, and have generated dozens of ideas. That allows us to pursue only the ones that have impact or capture a partner's attention, and to treat ideas as commodities to be utilized and explored, rather than a few precious gems to hide from the world lest they be stolen or compromised in some way.<br />
<br />
<br />
Another approach that has been key has been building relationships through the process. I asked CEOs of companies I admired to serve as advisors and whenever they were permitted they agreed to do so. Also, we built informal relationships with people who provided great advice. One of the best pieces of advice came from <a href="http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&ved=0CEwQFjAF&url=http%3A%2F%2Fwww.linkedin.com%2Fpub%2Fj-christopher-ramming%2F0%2F80%2F694&ei=k309T8vxEufq0QGHkYjSBw&usg=AFQjCNHyJgm9pusZoOP4tUeDnrg50n536Q">Chris Ramming</a>, who advised us to focus on bringing in work first and not getting lost in the details of starting the firm/infrastructure. Build the base first, and the rest will get figured out later... but there will be nothing without customers.<br />
<br />
We built strong relationships at bigger firms (including <a href="http://boeing.com/">Boeing</a>, <a href="http://www.lmco.com/">Lockheed Martin</a>, <a href="http://www.northropgrumman.com/">Northrop Grumman</a>, <a href="http://www.raytheon.com/">Raytheon</a>, and others) that looked to cultivate small, innovative firms in a mutually beneficial arrangement and had some great partnerships with other small/medium sized firms as well. And we interacted with the larger business/support community, receiving help from the <a href="http://abihub.org/">ABI Innovation Center</a>, to our local bank and even <a href="http://www.shaheen.senate.gov/">Senator Shaheen</a> early in our development to resolve a major government paperwork mix-up that threatened to sink the firm. We tried using the <a href="http://www.sba.gov/">SBA</a>, the <a href="http://www.nhsbdc.org/">SBDC</a>, and various other small business/entrepreneurial support groups to no avail (although the SBDC gave a little feedback on an early business plan and has a nice filter to find government opportunities off the terrible <a href="http://fbo.gov/">FBO</a> site.) <br />
<br />
<br />
Doing all of that, while maintaining my priority (my family) and maintaining healthy growth, was not easy, but it's actually gone pretty well. The credit goes to the people outside of Siege who've helped us along the way and especially the people who decided to join Siege, build the tech and make it the company it is now. And most of all, the graciousness of God, who allowed market trends/career movements/people to coincide perfectly and made it all come together. I'm just along for the ride; my job is to try to make sure I don't screw up a good thing while it's going!<br />
<br />
I'll probably include some more stories in the future with the normal cyber stuff. Would like to highlight some of the cool people/organizations that've been part of the process.<br />
<br />
<b>Nation state activity</b> (Jason Syversen, 2011-10-17)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5AOCUXF3PbLQ9KhM9wKsdRY-jhi4cjXSJ0ozPO1OH-fYSddnda0UER-sLWBB6lF_CS1J4323Jq87gsFC5Rq_hdHLv_QWArB8MbcAjKEyurvd12nAkPwyqL8qg8uGmDCRrx6ydzm68_ZkJ/s1600/cyber_warfare.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5AOCUXF3PbLQ9KhM9wKsdRY-jhi4cjXSJ0ozPO1OH-fYSddnda0UER-sLWBB6lF_CS1J4323Jq87gsFC5Rq_hdHLv_QWArB8MbcAjKEyurvd12nAkPwyqL8qg8uGmDCRrx6ydzm68_ZkJ/s320/cyber_warfare.jpg" width="320" /></a></div><br />
I wanted to write about the increasing pace of "hacking" or "cyber-attack/exploitation" activities associated with nation-state actors. I'm not going to discuss the "hacktivist" activities or web page defacements that have been lingering for a while, only concerted theft of data or attacks (rather than annoyances).<br />
<br />
Here are a couple of good articles and publicized nation-state attacks. Of course, it's important to note that it's much more fun for companies/people to claim it's a nation-state as it sounds more exciting and Hollywood ready. It's also wonderful for companies, because it removes the obligation to defend themselves ("how could we, they were a <i><b>nation-state</b></i>!") That said, just because every claim isn't automatically true doesn't mean that nations really aren't involved.<br />
<br />
There is an overwhelming body of data indicating that some nations (see China) are actively involved in acquiring military and economic advantage by compromising foreign entities at a rapid rate. A short article on Wikipedia has some more information <a href="http://en.wikipedia.org/wiki/Cyberwarfare_in_the_People%27s_Republic_of_China">on that topic</a>. There's a good article at the Economist <a href="http://www.economist.com/node/16478792">discussing the topic</a> as well, which reflects the increasing recognition by the mainstream media of what's happening. There is a lot of material here, but I strongly encourage you to take a look if you aren't already familiar with that data set.<br />
<br />
<b>Shady Rat (Multiple corporate compromises for IP, China)</b><br />
<a href="http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat">McAfee writeup</a><br />
<a href="http://www.vanityfair.com/culture/features/2011/09/operation-shady-rat-201109?vm=r#gotopage3">Vanity Fair article</a><br />
<br />
<b>SecurID compromise (?, presumably China)</b><br />
<a href="http://it.slashdot.org/story/11/10/12/0051220/rsa-blames-nation-state-for-cyber-attack">Attacks on RSA</a><br />
<br />
<b>Attack on Iranian Nuclear Centrifuges (Israel)</b><br />
See Stuxnet writeup <a href="http://cyber-son.blogspot.com/2010/09/stuxnet-military-grade-scada-weapon.html">here</a>.<br />
<br />
<b>International Monetary Fund Attack (?)</b><br />
Multiple articles, <a href="http://www.msnbc.msn.com/id/43369776/ns/technology_and_science-security/t/experts-nation-state-behind-imf-cyber-attack/">here's one</a>.<br />
<br />
<b>DigiNotar Attack (Iran)</b><br />
<a href="https://www.eff.org/deeplinks/2011/09/post-mortem-iranian-diginotar-attack">Iranian certificate attack post-mortem</a><br />
<br />
<b>United States/Iraq</b><br />
<a href="http://cyber-son.blogspot.com/2009/08/cyberwarfare.html">Contemplated US attack</a><br />
<br />
<b>SCADA</b><br />
<a href="http://cyber-son.blogspot.com/2009/11/cyberwar-power-grid-network-attacks-and.html">Writeup on possible past, future</a><br />
<br />
<b>Koreas</b><br />
<a href="http://cyber-son.blogspot.com/2009/07/korean-cyber-activities.html">North/South Activity</a><br />
<br />
<b>Russian attack on Estonia</b><br />
<a href="http://www.doubleshotsecurity.com/pdf/NANOG-eesti.pdf">NANOG presentation</a><br />
<a href="http://en.wikipedia.org/wiki/July_2009_cyber_attacks">Wikipedia</a><br />
<br />
<b>France</b><br />
<a href="http://cyber-son.blogspot.com/2010/06/french-cyber-activities.html">Writeup on some of their activities</a><br />
<br />
Would be interesting to expand these and track activities/capabilities by nation. Too much work for me unfortunately, but if anyone knows of something like that that's published I'd love to reference it.<br />
<br />
The bottom line is that this activity is clearly on a significant uptick and the trend doesn't appear to be abating any time soon. I would recommend increased investment and attention by the defensive community, looking at how to protect users, the supply chain and remote access paths through training, technology and wise deployment. And try to stay out of the crossfire...<br />
<br />
<b>Navy Electronic Attack and Cyber</b> (Jason Syversen, 2011-06-02, updated 2012-03-15)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMwrYWrZZyAkQ6CKjvp9mgnTrRg61AZXJeK7XOoFLMMM9udW7YYq76Kz9DtVm7RkF14flE5rKVNTyeQq-sRvbbiC3uEmhYgF6ACbSqI1aSi5Ge_wCzjtwkxgjwgFVuXM7uXAmfChQSz25f/s1600/boeing-growler-deploy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMwrYWrZZyAkQ6CKjvp9mgnTrRg61AZXJeK7XOoFLMMM9udW7YYq76Kz9DtVm7RkF14flE5rKVNTyeQq-sRvbbiC3uEmhYgF6ACbSqI1aSi5Ge_wCzjtwkxgjwgFVuXM7uXAmfChQSz25f/s320/boeing-growler-deploy.jpg" width="320" /></a></div><br />
David Fulghum captured an interesting quote from US Navy Chief of Naval Operations (CNO) Admiral Gary Roughead in <a href="http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckBlogPage=BlogViewPost&newspaperUserId=27ec4a53-dcc8-42d0-bd3a-01329aef79a7&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3a99a33f93-77bd-4b38-8983-79eccfd5e00e&plckScript=blogScript&plckElementId=blogDest">Aviation Week this week</a>:<br />
<blockquote>“You are always going to have to go in and bag that system electronically before you do anything else. As you know, for the last several years we have very much wanted to take on the broader electronic attack mission. The first Growler squadron in Iraq recovered from the combat mission [there, and] 47-hrs. later they launched a combat mission on a Libyan air base.<br />
That’s pretty extraordinary in terms of agility. That’s why we’re investing in Growler. Electronic attack is going to become increasingly important. On the cyber side, [aircraft and ships] but particularly submarines [had] an extraordinary system with which to participate in cyberoperations. Those are areas we focused on.”</blockquote>VADM Bernard J. McCullough III's testimony to Congress in September 2010 <a href="http://democrats.armedservices.house.gov/index.cfm/files/serve?File_id=46ab9cfd-c2a2-4529-a8bf-49413b1df8bf">sheds some light on</a> the Navy Fleet Cyber Command (FLTCYBERCOM) organization. They are 10th Fleet, which includes cryptologic operations (including EW), IO, network operations and defense, operations, and R&D.<br />
<br />
The comments from Admiral <a href="http://en.wikipedia.org/wiki/Gary_Roughead">Roughead</a> aren't the first time the Navy or their contractors have discussed their plans for wireless cyber operations. David Fulghum has been writing on the topic for years and has a number of articles on it. I'd never seen the <a href="http://www.aviationweek.com/aw/blogs/defense/index.jsp?plckController=Blog&plckBlogPage=BlogViewPost&newspaperUserId=27ec4a53-dcc8-42d0-bd3a-01329aef79a7&plckPostId=Blog%3a27ec4a53-dcc8-42d0-bd3a-01329aef79a7Post%3a99a33f93-77bd-4b38-8983-79eccfd5e00e&plckScript=blogScript&plckElementId=blogDest">following article</a> before, where an unnamed contractor says that they are<br />
<blockquote>"developing a weapon system that can deliver cyber-effects through free space into an aperture."</blockquote>The article does include some on-the-record quotes from Northrop Grumman:<br />
<blockquote>"We have the same core set of engineers on a number of different programs," says Dennis Hayden, director of business development for information operations and electronic attack. "We look at NGJ as the gun and cyber-effects as the bullets. We have the flexibility to go from traditional area-suppression jamming to reactive jamming to a very precise location jamming and cyber-effects."</blockquote>Christopher Falco, program manager for the Northrop Grumman Next Generation Jammer (NGJ) team, adds:<br />
<blockquote>"NGJ is a complex problem. How it affects your concept of operations and the impact for force mix all gets wrapped together in defining the capability. The more sophisticated the requirement is, the more cyber-effects can come into play," says Falco. The demand for cyber-effects projected at long range is considered inevitable. "Absolutely, that's a given," he notes.</blockquote>Wired <a href="http://www.wired.com/dangerroom/2011/01/jammer-could-invade-nets/">had an article on this</a> in January as well, referencing many of the Aviation Week articles and other recent events to conclude that NGJ could have a more comprehensive mission (complete with an exaggerated title to draw readers in). ITT's program manager points out the versatile capabilities:<br />
<blockquote>“Electronic attack system and concept of electronic attack has really evolved over years,” Palacio told Danger Room. “Initially, it primarily was a system to deal with enemy air defenses. But as you start going forward and realize the electromagnetic spectrum does many things … [so] if you build a system that can generate power and modulation over a very broad RF spectrum, it can be used not only in traditional roles, but in <em>many</em> different roles.”</blockquote>Lots of speculation and discussion for something still in development; it will be interesting to see what comes out at the end.<br />
<br />
[March 2012 Update]<br />
A couple of good articles from David Fulghum at Aviation Week on NGJ. This article, titled "<a href="http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/awst/2012/01/23/AW_01_23_2012_p24-415796.xml&headline=null&next=0">New Plan: NGJ To Go Unmanned</a>", discusses the movement towards unmanned air vehicles (UAVs) to carry the NGJ system. A quote from the Navy:<br />
<blockquote class="tr_bq">“That should speak volumes to you,” says Navy Capt. John Green, chief of the AEA and EA-6B Prowler program office. “We believe that the Prowler is the [electronic warfare] past; the Growler is EW now, and the future of EW will be unmanned vehicles.”</blockquote>He also has an article titled "New EW Capabilities To Emerge With NGJ" that discusses some of the AEA developments and the possible kinetic weapon pairing that might occur.<br />
<br />
<b>History of Windows exploitation</b> (Jason Syversen, 2011-05-25)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMIJm2BL0bcUigks9Tq4973LGYf3nUqaWVE4p6O3pM07EhifWR9uw1Tfo_YymO6fR1xIbLqs3x3_KDwp4XIPNo4JZztTyNkg2yit1-NZaxh87LgDMFHj4m8zvZ2Azkws4_9zArxZDsey5n/s1600/Microsoft.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMIJm2BL0bcUigks9Tq4973LGYf3nUqaWVE4p6O3pM07EhifWR9uw1Tfo_YymO6fR1xIbLqs3x3_KDwp4XIPNo4JZztTyNkg2yit1-NZaxh87LgDMFHj4m8zvZ2Azkws4_9zArxZDsey5n/s1600/Microsoft.jpeg" /></a></div>Just ran across <a href="http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/">this great blog post</a> from <a href="http://www.abysssec.com/">Abyssec Security</a> with a history of Windows exploitation research. The post lists various landmark papers and research, with accompanying papers and links, to show how the attacks have evolved to overcome defenses. 
A must read for anyone new to the area or interested in a timeline.<br />
<br />
<b>Information security "thought leader" and independent researchers</b> (Jason Syversen, 2011-03-04, updated 2011-03-07)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://www.veracode.com/blog/2010/12/how-to-become-an-information-security-thought-leader/"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuM6YbUvGWMZbNMOSL1sc0uy7pZU4vx31jjRfUnlI7Q2W08S_HAX-7HqdE5Qf-gCdOShFKfLAY4vBSBLtFGyka_g6NzP2eYvDKBZn4cT9g6mpk5vqWBUMuXujqkwImsKlrdFpFHTB9BUvh/s320/Screen+shot+2011-03-04+at+4.32.19+PM.png" width="320" />The next information security thought leader</a></div>Had to share this <a href="http://www.veracode.com/blog/2010/12/how-to-become-an-information-security-thought-leader/">thoughtful, informative video</a> from Chris Eng of <a href="http://www.veracode.com/">Veracode</a>. It's about 3 minutes long. He apparently created it for an internal video competition and it spread from there. It will make you think, laugh, and cry. Well, maybe just think and laugh.<br />
<br />
Update: Just got this from a friend (thanks Andre!). Sotirov posted a <a href="http://www.youtube.com/watch?v=pzcLTPy8yDQ">video on YouTube</a> talking about the life of an "independent security researcher", which was good. (Although it's disconcerting to see the same voices on different, fluffier bodies!)<br />
<br />
<b>Security companies, social media, and hacktivism</b> (Jason Syversen, 2011-02-23, updated 2011-03-04)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgglFelBYumcFwJt4oAT2Wu8K-vccS7uFEeF-aFVAVKS4yWnIZzeiI2a0ZKv_jv41KAz7dvwlo5Bbj4TtYELEVncME6TqA9G6cgq-Koc9SUJ3mCOu9jtj9j8w4pHtysK9C-HeAdcJ8psBuR/s1600/HBGary+RSA+Lulz+Picture.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgglFelBYumcFwJt4oAT2Wu8K-vccS7uFEeF-aFVAVKS4yWnIZzeiI2a0ZKv_jv41KAz7dvwlo5Bbj4TtYELEVncME6TqA9G6cgq-Koc9SUJ3mCOu9jtj9j8w4pHtysK9C-HeAdcJ8psBuR/s320/HBGary+RSA+Lulz+Picture.jpg" width="320" /></a></div>On February 4th the Financial Times ran an article claiming that Aaron Barr of <a href="http://hbgaryfederal.com/">HBGary Federal</a> had <a href="http://uk.finance.yahoo.com/news/Cyberactivists-warned-arrest-ftimes-3487898538.html?x=0">unmasked key leadership</a> in the hacktivist group "<a href="http://en.wikipedia.org/wiki/Anonymous_%28group%29">Anonymous</a>". Anonymous had garnered international attention for their attacks on <a href="http://www.bbc.co.uk/news/technology-11935539">groups opposed</a> to Wikileaks (Mastercard, Visa, Sarah Palin, etc.). 
As a result of their activity the FBI had been <a href="http://arstechnica.com/tech-policy/news/2011/01/two-real-guns-pointed-at-me-how-the-fbi-raided-anonymous.ars">kicking in doors</a> attempting to arrest people, causing some concern in the group. HBGary Federal was also <a href="http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars/">looking at ways</a> to bring down Wikileaks and its support infrastructure. The Financial Times article claiming that Aaron Barr had specifics on their leadership caught the attention of Anonymous, who turned their attention to HBGary Federal and Mr. Barr. HBGary Federal was a sister company of <a href="http://en.wikipedia.org/wiki/HBGary">HBGary</a>, a computer security company founded in 2003 by Greg Hoglund and his wife Penny Leavy. <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpG1kGy6DDFNlB_7HNHQIBikhfz_625KKcoEoJwZjkGPPtXUX-dxudOnTyoWHL8m2Md238B2ggVsPoGbUuR-hylidkoJTKXMu9FH4LwwDAmxqlAHcwJE_CN_kzydFGcOR4G7uBNMLKp_j/s1600/hbgary_rsa_sign.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxpG1kGy6DDFNlB_7HNHQIBikhfz_625KKcoEoJwZjkGPPtXUX-dxudOnTyoWHL8m2Md238B2ggVsPoGbUuR-hylidkoJTKXMu9FH4LwwDAmxqlAHcwJE_CN_kzydFGcOR4G7uBNMLKp_j/s320/hbgary_rsa_sign.jpg" width="239" /></a></div>On February 5th Anonymous went after HBGary Federal, <a href="http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars">starting off with a Distributed Denial of Service</a> attack and moving from there as Aaron responded aggressively. They got into his Twitter account, Linkedin account, email account, and web administration accounts. They deleted backup accounts, wiped his iPad, and moved on to compromising HBGary and Rootkit.com (both run by Greg Hoglund, who was also part owner of HBGary Federal).<br />
<br />
Because HBGary used a non-standard CMS (Content Management System), it had not been subjected to significant security review. Anonymous used a previously unknown SQL injection to download the password file, which used MD5 hashes. Using a rainbow table they were able to quickly crack the simpler passwords, one of which was Aaron Barr's and another that of his COO, Ted Vera. Barr had also reused this password on multiple sites, making their life easier. They used Ted Vera's password to SSH into a Linux server that HBGary Federal used, and exploited a known vulnerability (that hadn't been patched) to escalate to root privileges.<br />
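The two weaknesses in that chain, unsalted MD5 password storage and password reuse across accounts, are easy to demonstrate. The Python below is an added example (not code from the original post, and not HBGary's): it builds a small MD5 password table from constructed sample accounts, shows that a precomputed lookup recovers every common password with one dictionary hit and that identical hashes expose reuse without any cracking at all, then stores the same accounts with a per-user random salt and PBKDF2-HMAC-SHA256 so that neither trick works. All account names, passwords and the lookup table are constructed for the example, not taken from the incident.<br />

```python
"""Added example: unsalted MD5 password storage versus a salted, slow KDF.
Every account, password and lookup entry here is constructed sample data."""
import hashlib
import hmac
import os

# Constructed sample accounts. One password is weak and shared by two users,
# which is exactly what a cracked unsalted table exposes immediately.
SAMPLE_USERS = [
    ("alice", "P@ssw0rd!"),
    ("bob", "summer2011"),
    ("carol", "P@ssw0rd!"),
    ("dave", "xK9#vL2$mQ8!pR4w"),   # long random passphrase, not in the lookup
]

# A stand-in for a rainbow table: MD5 of common passwords, precomputed once.
COMMON_PASSWORDS = ["123456", "password", "summer2011", "P@ssw0rd!", "letmein"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_store(users):
    """Weak scheme: unsalted MD5. Equal passwords give equal hashes, so one
    precomputed table cracks every user of every site that stores this way."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in users}


def crack_with_lookup(table):
    """Recover every user whose stored hash appears in the precomputed lookup.
    No hashing happens per user: each recovery is a single dictionary hit."""
    return {user: MD5_LOOKUP[h] for user, h in table.items() if h in MD5_LOOKUP}


def shared_hashes(table):
    """Group users by identical hash. With unsalted hashes an identical value
    means an identical password, so reuse is visible without cracking anything."""
    by_hash = {}
    for user, h in table.items():
        by_hash.setdefault(h, []).append(user)
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def pbkdf2_store(users, iterations=200_000):
    """Hardened scheme: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    The salt defeats precomputed tables and hides reuse; the iteration count
    makes every guess cost the attacker as much as it costs the verifier."""
    table = {}
    for user, pw in users:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        table[user] = (salt, iterations, digest)
    return table


def verify_pbkdf2(table, user, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = table[user]
    check = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(check, digest)


if __name__ == "__main__":
    weak = md5_store(SAMPLE_USERS)
    print("cracked via lookup:", crack_with_lookup(weak))
    print("users sharing a password:", list(shared_hashes(weak).values()))
    strong = pbkdf2_store(SAMPLE_USERS)
    print("alice and carol hash alike under PBKDF2?",
          strong["alice"][2] == strong["carol"][2])
    print("verify alice:", verify_pbkdf2(strong, "alice", "P@ssw0rd!"))
```

Run it directly to print the recovered accounts and the reuse groups. The iteration count is the tunable: raise it until one verification takes a noticeable fraction of a second on the serving hardware, which bounds how many guesses per second anyone holding a copy of the table can make.<br />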
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnACJbz20S6VqqCUaW47qZWBQgqRs7Q-VlNk5u_z2Wezrl2hH8exHMCaNDmldWV42WDYGYccSuoUuEpM1PmN6CD2VKuMHlIRo2fQcAJ48i_bed4N2_0EiQGHDN07wmSaf5h2yTBAOSJ8P5/s1600/Anonymous.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnACJbz20S6VqqCUaW47qZWBQgqRs7Q-VlNk5u_z2Wezrl2hH8exHMCaNDmldWV42WDYGYccSuoUuEpM1PmN6CD2VKuMHlIRo2fQcAJ48i_bed4N2_0EiQGHDN07wmSaf5h2yTBAOSJ8P5/s200/Anonymous.jpg" width="136" /></a></div>Because Aaron was the administrator for their Google Apps account, they were able to reset and access Greg Hoglund's mail, where they found administrative passwords for rootkit.com in plaintext. They then used some social engineering against the rootkit.com administrator to get an account they could log in with remotely (the root account couldn't be used for remote login). Once this was accomplished they published the entire rootkit.com password hash table and defaced all the sites. Some details of the attacks can be found <a href="http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars">here</a>.<br />
<br />
After pulling off the attack, Anonymous was <a href="http://krebsonsecurity.com/2011/02/hbgary-federal-hacked-by-anonymous/">contacted by Penny Leavy</a>, who owns part of HBGary and HBGary Federal, to try to negotiate a truce. Anonymous wasn't particularly interested, and conditioned any action on their part on Penny firing Aaron and a number of other steps she wasn't going to take. Shortly afterwards they began leaking both HBGary Federal and HBGary corporate emails in large quantities on The Pirate Bay and numerous other locations, to the enjoyment of voyeurs, reporters and the curious worldwide. (I've decided not to link to them or analyze the uploaded content and will focus on published stories instead.) <br />
<br />
This story has caught the attention of many in the security community (and even more broadly) for a number of reasons: the tie-in to Wikileaks, the sensational nature of the story, the depth of the information available, and the personalities involved. The fallout has been significant as well. The leaked <a href="http://threatpost.com/en_us/blogs/hbgary-emails-sweet-valentine-social-engineers-021411">emails contain references</a> to numerous other organizations with sensitivity concerns. The Daily Kos points out that Aaron's plan (and an associated published government solicitation) to <a href="http://www.dailykos.com/story/2011/02/16/945768/-UPDATED:-The-HB-Gary-Email-That-Should-Concern-Us-All">create and manage an army</a> of virtual personas should cause concern about how a group's opinions are gauged and the potential for misrepresentation and influence. Ars Technica has had a number of good stories on the topic. They published this one, talking about HBGary's "<a href="http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars/">Black Ops</a>". It covers lots of sensational topics (0-days, rootkits, government "back doors", etc.). Although it appears that there were no confirmed connections to any other government organization, a number of government and defense contractor groups are mentioned (like Northrop Grumman (Barr's old employer), <a href="http://crowdleaks.org/hbgary-inc-working-on-secret-rootkit-project-codename-magenta/">Farallon Research</a>, <a href="http://www.thetechherald.com/article.php/201107/6812/RSAC-2011-ManTech-International-Corp-suffered-botnet-attack">ManTech</a>, <a href="http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars">GD-AIS</a>, <a href="http://risky.biz/endgame">Endgames</a> and many others) and are thus impacted by this situation. 
As a result, some organizations (like <a href="http://www.thetechherald.com/article.php/201106/6804/Firm-targeting-WikiLeaks-cuts-ties-with-HBGary-apologizes-to-reporter">Palantir</a> and <a href="http://www.thetechherald.com/article.php/201106/6810/Berico-Technologies-severs-ties-with-HBGary-over-WikiLeaks-plot">Berico</a>) that they were involved with have severed all professional ties with HBGary in an attempt to separate themselves from the situation.<br />
<br />
There was a fair amount of interest in their rootkit work, for obvious reasons (Greg runs Rootkit.com). They had proposed an interesting one called Magenta that received <a href="https://www.infosecisland.com/blogview/11846-Magenta-HBGary-Federals-Cyberoffense-Failure.html">some attention</a>. <br />
<br />
Andy Greenberg <a href="http://blogs.forbes.com/andygreenberg/2011/02/17/why-anonymous-hbgary-hack-could-hurt-wikileaks/">believes that the attack</a> could backfire on Wikileaks, as people confuse hacktivism with Wikileaks and realize that the attack on HBGary and the damage it caused could happen to anyone. Personally I think that idea would have had merit if there hadn't been so much dirt unearthed on Aaron and the company that captured the attention of the audience. Unfortunately the sensational nature of the story makes it easy to (at least currently) overlook the underlying issues of anonymity, free speech, corporate/organizational ethics, government and corporate relationships, and what protest means in the digital domain. <br />
<br />
Given the quantity of information that people are still going through (over 8GB available on various torrents) it appears likely that other stories will be forthcoming. A number of lessons <a href="http://www.pcworld.com/businesscenter/article/220209/lessons_learned_thanks_to_hbgary_and_anonymous.html">are available</a>. Here are a few of my immediate takeaways:<br />
<ol><li>Criminal allegations, interactions, and investigations should not be taken lightly. Once you start interacting with groups like that your threat/risk profile changes significantly.</li>
<li>Good reminder that multiple techniques (0-day, unpatched exploits, cracking passwords, social engineering, etc.) used in conjunction are extremely powerful and can lead to full and complete compromise. </li>
<li>Given point (2), perhaps people will finally start encrypting sensitive emails. You never know who could end up reading them. Also wise to ensure you do have robust passwords that are not reused, and critical systems are always fully patched. You can't stop 0-day (well), but you can certainly prevent known vulnerabilities from being exploited!</li>
<li>Important to consider who your partners are. Any behavior on their part could affect you in a blowback situation. Obviously you can't run a background investigation on everyone you interact with, but look at those opaque, back room deals and consider how they would be perceived in the transparency of the Internet.</li>
<li>Good reminder about starting a business... probably best to figure out what you're going to be the best at and focus on doing that... and have a clear plan for how to get there. Front loading your investment/risk and chasing ambiguous, frequently delayed government contracts is a risky position that can lead to sub-optimal situations and decisions made under pressure down the road.</li>
</ol>I'll update this post as particularly interesting parts of the story come to light. It will be interesting to see if the FBI ends up getting any traction bringing Anonymous to trial, if HBGary faces any charges or impact other than relational/financial, and how the other stakeholders in this affair are impacted in the short and long term.<br />
<br />
Update (March 2nd, 2011): Stephen Colbert <a href="http://www.colbertnation.com/the-colbert-report-videos/375428/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks">did a segment</a> on the Colbert Report on the topic that was amusing. Aaron Barr <a href="http://www.pcmag.com/article2/0,2817,2381207,00.asp">has resigned</a>. And House Democrats are <a href="http://arstechnica.com/tech-policy/news/2011/03/democrats-push-for-congressional-investigation-of-hbgary-federal.ars">calling for an investigation</a>, focused on the "reconnaissance cell" that HBGary was discussing to target union members. <br />
<br />
<b>Automated Vulnerability Research</b> (Jason Syversen, 2010-12-20)<br />
<a href="http://www.youtube.com/watch?v=qbfujXuJrbs">Video (YouTube)</a><br />
<br />
A paper just hit the Web this month describing a methodology for automated analysis of source/binary code for vulnerabilities and automatic generation of a corresponding, working exploit. The paper was written by Thanassis Avgerinos at Carnegie Mellon as part of his graduate research. You can view a video and the paper <a href="http://security.ece.cmu.edu/aeg/">at the site</a> they set up for this area. <br />
<br />
It's an interesting paper that unfortunately received mostly negative comments from the "hacking" community (i.e., <a href="http://seclists.org/dailydave/2010/q4/25">DailyDave</a>, Sean/Sotirov/others on Twitter, etc.). Mostly I believe that's because that community has been trained to point out failures in general (applications, operating systems, enterprises, irrelevant academic research, etc.). The outsider/attacker mindset can make it difficult to accept ideas not from your trusted circle of friends. In fact, the individual most outspoken against the research (Sean Heelan, a researcher from Ireland now with Immunity) wrote his 2009 master's thesis on a similar, but less ambitious, topic: "<a href="https://docs.google.com/viewer?url=http://seanhn.files.wordpress.com/2009/09/thesis1.pdf&embedded=true&chrome=true">Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities</a>".<br />
<br />
The new paper is an excellent read and incorporates preconditioned symbolic execution into an end-to-end system to demonstrate that it is possible to take source and binary pairs and automatically develop a working exploit (in bounded, fairly simple cases). They properly acknowledge the prior work by Brumley (<a href="http://www.cs.cmu.edu/%7Edbrumley/pubs/apeg.html">using patch-based approaches</a>) and Heelan, and point out the remaining work (which is significant!). And as the hacking community has shown, it becomes significantly more difficult to scale this and automate it for more complex scenarios.<br />
<br />
As we move to an era where Artificial Intelligence is able to automatically <a href="http://en.wikipedia.org/wiki/Machine_translation">translate language</a>, <a href="http://www.wired.com/wiredscience/2009/04/newtonai/">discover laws of physics</a> and <a href="http://www.defenseindustrydaily.com/Can-DARPA-Teach-Machines-to-Read-05533/">learn to read</a>, it doesn't seem far-fetched to automatically fuzz software and develop exploit code. Oh, wait... we can do that now. The real challenge for this research is not solving the simple case, but showing how it could tackle more complex problems while avoiding attempts to minimize their difficulty. (Which the author did originally, causing many to ignore or overlook his work.)<br />
<br />
Humans will presumably stay ahead of AI for the near future, but we've already lost at chess. It seems to me the only reason computers can't find bugs in software better than the best human is that we haven't programmed them to do so yet.<br />
<br />
<b>Stuxnet: Military-grade SCADA weapon</b> (Jason Syversen, 2010-10-01, updated 2010-12-07)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://frank.geekheim.de/wp-content/uploads/2010/09/natanz_visit.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="267" src="http://frank.geekheim.de/wp-content/uploads/2010/09/natanz_visit.jpg" width="400" /></a></div>Stuxnet was uncovered over the summer, and as details have been forthcoming it has proven to be a compelling piece of work. Stuxnet is a self-propagating worm designed to target a particular SCADA facility running Siemens WinCC/Step7 software, and it targets the associated PLCs with a particular, as-yet-unknown payload. The majority of the compromises were in Iran, but other countries, such as Germany, Russia and the US, have been infected as well. Quotes like "hack of the century", "nation-state weapons-grade attack software" and "will be the most analyzed piece of malware ever" from those conducting the analysis are not unusual. From an article titled "<a href="http://www.techworld.com.au/article/361089/stuxnet_best_malware_ever">Is Stuxnet the 'best' malware ever?</a>":<br />
<blockquote><div class="storybody">"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team. </div><div class="storybody">"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. By comparison, other notable attacks, like the one dubbed "Aurora" that hacked Google's network, and those of dozens of other major companies, were child's play. </div></blockquote>To summarize some of the reasons it has engendered such praise:<br />
<ul><li>It used <a href="http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347">four previously unknown (0-day) Windows vulnerabilities</a></li>
<li>It also propagated through older, already-patched vulnerabilities (<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99">including the MS08-067 RPC flaw</a>)</li>
<li>It spread across networks via <a href="http://threatinfo.trendmicro.com/vinfo/articles/securityarticles.asp?xmlfile=091410-STUXNET.xml">network shares and WebDAV</a>, but could also jump air gaps <a href="https://docs.google.com/viewer?url=http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01C%2520-%2520USB%2520Malware%2520Targeting%2520Siemens%2520Control%2520Software%2520-%2520Update%2520C.pdf&embedded=true&chrome=true">on USB devices</a></li>
<li>It had been operating stealthily <a href="http://www.symantec.com/connect/blogs/w32stuxnet-variants">since at least June 2009</a></li>
<li>It used not one but <a href="http://blog.mandiant.com/archives/1236">two stolen code-signing certificates</a> (Realtek's and JMicron's) to sign its Windows rootkit drivers, so they loaded without complaint on 64-bit Windows</li>
<li>It contained the <a href="http://www.symantec.com/connect/blogs/stuxnet-introduces-first-known-rootkit-scada-devices">first observed SCADA/PLC rootkit</a>, hiding its modified PLC code blocks from the Step7 software used to inspect them</li>
<li>The code was "<a href="http://frank.geekheim.de/?p=1189">exceptionally well written</a>", designed to <a href="http://frank.geekheim.de/?p=1189">handle errors rather than crash</a>, and <a href="http://www.symantec.com/connect/blogs/stuxnet-p2p-component">supported remote updating</a></li>
<li>It contained a <a href="http://www.symantec.com/connect/blogs/exploring-stuxnet-s-plc-infection-process">unique targeting capability</a> ensuring the payload only fired on a <a href="http://www.langner.com/en/">particular SCADA configuration</a></li>
<li>It supported traditional client/server C2 (command and control) but also had a <a href="http://www.symantec.com/connect/blogs/stuxnet-p2p-component">peer-to-peer update mechanism</a> in case the C2 servers were down or unavailable</li>
<li>The majority of the published analysis on Stuxnet was done by <a href="http://www.langner.com/en/">Langner</a> (a German Siemens expert) and <a href="http://www.symantec.com/connect/blog-tags/w32stuxnet">Symantec</a>. Analyses of the <a href="http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components">Stuxnet structure</a> and of <a href="http://www.symantec.com/connect/blogs/w32stuxnet-installation-details">the installation process</a> are available and helpful for those interested.</li>
<li>The best and most comprehensive discussion of Stuxnet to date is the Symantec Stuxnet Dossier, <a href="https://docs.google.com/viewer?url=http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf&embedded=true&chrome=true">available here</a>.</li>
<li>The code is designed to <a href="http://www.f-secure.com/weblog/archives/00002040.html">stop propagating on June 24, 2012</a>. This differs from typical worms, which try to infect as many machines as possible, and implies a limited scope and specific objective(s).</li>
</ul>Any one of those capabilities, with sufficient penetration, would be enough to garner interest. Combining all of them is a generation or two ahead of anything previously seen in the wild. The code is of interest as a pure technical achievement, but it also has significant implications for nations and other stakeholders in potential cyberwarfare. <br />
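The "already infected" marker and the kill date above are the two Windows-side behaviours a responder can check for directly. The following is an added example (not code from the original post, and not Symantec's); the registry marker path and value and the two driver file names are as published in Symantec's W32.Stuxnet dossier, while the host snapshots are constructed for the demo. On a real host the registry dictionary would be filled from an exported hive (or <code>winreg</code> on Windows) and the driver list from the <code>drivers</code> directory.

```python
"""Triage a Windows host snapshot for Stuxnet's documented Windows-side artifacts.

Added example (not from the original post or from Symantec). The registry
marker path/value and the driver file names are as published in Symantec's
W32.Stuxnet dossier; the snapshots below are constructed for the demo.
"""
from datetime import date

# Registry marker Stuxnet writes so that a second run exits instead of
# reinstalling (Symantec dossier). 19790509 is the 9 May 1979 date discussed
# in the post.
MARKER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation"
MARKER_VALUE = "NTVDM TRACE"
MARKER_DATA = 19790509

# Kernel drivers Stuxnet dropped, signed with the stolen certificates.
KNOWN_DRIVERS = {"mrxcls.sys", "mrxnet.sys"}

# Hard-coded date after which Stuxnet stops spreading; it does not uninstall.
KILL_DATE = date(2012, 6, 24)

# Triage dates used by the demo: one before and one after the kill date.
BEFORE_KILL = date(2010, 10, 1)
AFTER_KILL = date(2013, 1, 1)


def _basename(path):
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(registry, driver_paths, today):
    """Return a list of human-readable findings for one host.

    registry:     {key_path: {value_name: data}} as exported from the host
    driver_paths: file paths found under the drivers directory
    today:        date of the triage, used to interpret the kill-date logic
    """
    findings = []
    marker = registry.get(MARKER_KEY, {}).get(MARKER_VALUE)
    if marker == MARKER_DATA:
        findings.append("infection marker present: %s = %d" % (MARKER_VALUE, marker))
    for name in sorted(KNOWN_DRIVERS & {_basename(p) for p in driver_paths}):
        findings.append("known Stuxnet driver on disk: %s" % name)
    if findings and today > KILL_DATE:
        findings.append("past kill date: host will not spread further, "
                        "but the rootkit and payload remain installed")
    return findings


# Constructed snapshots (not real hosts).
CLEAN_HOST = {
    "registry": {MARKER_KEY: {}},
    "drivers": [r"C:\Windows\System32\drivers\ntfs.sys"],
}
INFECTED_HOST = {
    "registry": {MARKER_KEY: {MARKER_VALUE: 19790509}},
    "drivers": [r"C:\Windows\System32\drivers\MRxCls.sys",
                r"C:\Windows\System32\drivers\MRxNet.sys",
                r"C:\Windows\System32\drivers\ntfs.sys"],
}

if __name__ == "__main__":
    for label, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, triage(host["registry"], host["drivers"], BEFORE_KILL))
```

Two things worth noting about the design. Because Stuxnet exits when it finds the marker, pre-setting that value is a crude "vaccine" for hosts that cannot be patched quickly, though it only stops this exact family. And the kill date only stops propagation: a host infected before June 2012 keeps its drivers and PLC payload, so the check above reports the artifacts regardless of date and merely annotates what the date means.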
<br />
Recently, multiple parties conducting their own analysis (or reviewing the public analysis) have concluded that the attack was most likely aimed at an Iranian nuclear facility, either the Bushehr nuclear power plant or the uranium enrichment facility at Natanz, and that it most likely originated in Israel. I'll attempt to summarize the arguments below:<br />
<ul><li>Almost 60% of the infections are in Iran, <a href="http://www.symantec.com/connect/blogs/w32stuxnet-network-information">according to Symantec</a> (who redirected the C2 traffic to servers they control)</li>
<li>The SCADA/PLC payload is not activated unless a <a href="http://www.langner.com/en/">particular network fingerprint is found</a>. No owner of an infected system has reported a fingerprint match (of course, a targeted victim might hide or cover it up). Given the investment, it appears likely that a single high-value network was targeted.</li>
<li>Speculation about which high-value systems in Iran might be targeted quickly jumped to nuclear facilities. Arguments for Bushehr (<a href="http://www.digitalbond.com/index.php/2010/09/16/stuxnet-target-theory/">here</a>, <a href="http://www.langner.com/en/">here</a>, and a screenshot of its HMI showing a Siemens WinCC license <a href="http://www.upi.com/enl-win/b00bf188f7671cf2f939d18b1453852f/">here</a>) and for <a href="http://frank.geekheim.de/?p=1189">Natanz</a> are available and have been picked up across technical web sites, <a href="http://blogs.forbes.com/andygreenberg/2010/09/22/theories-mount-that-stuxnet-worm-sabotaged-iranian-nuke-facilities/">the blogosphere</a> and increasingly even the <a href="http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant">mainstream media</a>. Depending on how specific the target fingerprint is (and given that at least four variants have been confirmed), it's possible the answer is both of them. </li>
<li>Israel was connected because of its obvious interest in delaying, disrupting or destroying the Iranian nuclear program, its <a href="http://www.ynetnews.com/articles/0,7340,L-3742960,00.html">cyberwarfare capabilities</a> (see also articles <a href="http://www.strategypage.com/htmw/htiw/articles/20100920.aspx">here</a> and <a href="http://www.aviationweek.com/aw/generic/story_generic.jsp?channel=awst&id=news/dti/2010/09/01/DT_09_01_2010_p42-248207.xml&headline=Cyber-Attack%20Deploys%20In%20Israeli%20Forces">here</a>) and cyber security expertise, and because of a clue in the code. Specifically, the word "<a href="http://www.securelist.com/en/blog/272/Myrtus_and_Guava_Episode_3">myrtus</a>" (meaning "myrtle") is the root directory in a source path left in the driver code. Kaspersky picked this up but didn't grasp the meaning. However, the guys at DigitalBond <a href="http://www.digitalbond.com/index.php/2010/09/16/stuxnet-target-theory/">noticed</a> that Hadassah, Hebrew for myrtle, was the <a href="http://en.wikipedia.org/wiki/Esther">original name of the Biblical character Esther</a>, who saved the Jews from extinction at the hands of a hostile (Persian) empire. <a href="http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?_r=1&src=twt&twt=nytimesscience">The NYT picked up on this recently as well</a>. It could always be a planted false lead, but a rather elaborate one if so. <b>Update</b>: At VB2010, Liam O Murchu presented a more detailed analysis that included the "already infected" registry value Stuxnet checks to avoid reinfecting a machine. <a href="http://threatpost.com/en_us/blogs/stuxnet-analysis-supports-iran-israel-connections-093010">The marker is 19790509</a>. 
Wikipedia notes that 9 May 1979 was the date on which Habib (Habibollah) Elghanian, an Iranian Jewish businessman, was <a href="http://en.wikipedia.org/wiki/Elghanian">executed by the new Islamic regime in Iran</a> for "corruption", "contacts with Israel and Zionism", "friendship with the enemies of God", "warring with God and his emissaries" and "economic imperialism". He was the first Jew, and one of the first civilians, executed by the new government.</li>
</ul>It appears that the world is seeing a major salvo in real nation-on-nation cyber warfare (as opposed to all of the intelligence/espionage activity that has gone on in the past, which does not amount to an act of war). Numerous subtle signs point towards an Israeli-originated attack against Iranian nuclear facilities. But it is certainly possible these indications were placed there on purpose, in the hope that people would discover them and point towards Israel. Either way, if anyone does know what the target was AND can validate where the attack originated, it is highly unlikely to be published, for various geopolitical reasons. In the meantime, it provides plenty of fodder for armchair analysts and conspiracy theorists to speculate about the true intent and origin of Stuxnet.<br />
<br />
One final note: Stuxnet is probably NOT the first nation-on-nation cyber attack. Rumors have circulated for quite a while about the <a href="http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage">US supplying trojaned control software to the Soviets, resulting in a Siberian pipeline explosion</a>, and that story now appears to have moved into the acknowledged/published realm.<br />
<br />
December 7th, 2010 Update: At this point the rest of this post has essentially been validated by public research and official acknowledgments. It is no longer speculation that Stuxnet was designed to attack particular high-frequency drives, made in Finland and Iran and deployed in Iran's nuclear program, and that it had at least moderate success. It also appears clear that well-organized parties remain motivated to attack the Iranian nuclear program via more traditional means. I'll probably update this one last time in 3-4 months with any of the more interesting fallout. The specific new evidence/events:<br />
<ul><li><a href="http://www.symantec.com/connect/blogs/stuxnet-breakthrough">Symantec</a>, with help from a Dutch Profibus specialist, completed the analysis of the PLC payload and published the results on November 12th. The payload targets very specific frequency converter drives manufactured in Finland and Iran, and only those running between 807 Hz and 1,210 Hz. Such drives have limited applications (uranium enrichment centrifuges being one of them), which is why they are on export-control lists. The Finnish company denies exporting them. The payload is, as had been assumed, designed to make the targeted drives run unreliably, periodically forcing their output frequency far outside the normal operating range in a way that would degrade or destroy the driven equipment and the process it serves. </li>
<li>Iran's president, Mahmoud Ahmadinejad, confirmed on November 29th that its centrifuges had indeed been <a href="http://www.cbsnews.com/stories/2010/11/29/world/main7100197.shtml">hit and negatively impacted by Stuxnet</a>. The <a href="http://online.wsj.com/article/SB10001424052748704369304575633083063905598.html">IAEA confirmed</a> that enrichment activities had <a href="http://www.jpost.com/IranianThreat/News/Article.aspx?id=196481">been shut down</a> (at least temporarily). </li>
<li>On the same day (November 29th), Iran's top Stuxnet expert, who was also one of its most senior nuclear researchers, was <a href="http://www.debka.com/article/20406/">assassinated</a>. A second researcher was <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/11/29/AR2010112901560.html">targeted the same day</a>, but that attack injured him and his wife rather than killing them. Iran has set up a <a href="http://debka.com/article/20429/">special security service</a> to try to prevent such physical attacks in the future. </li>
</ul>
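Symantec's November analysis turns the earlier "particular network fingerprint" bullet and the "high-frequency drive" payload into concrete, checkable numbers. The example below is added here and is not code from the post or from Symantec; it models both halves in plain Python. The constants are from Symantec's published findings: the PLC code looked for Profibus drives with vendor IDs 0x7050 (Fararo Paya, Iran) and 0x9500 (Vacon, Finland), required at least 33 of them, only attacked drives running between 807 Hz and 1,210 Hz, and then periodically drove them to 1,410 Hz, down to 2 Hz and back to 1,064 Hz. The drive list and telemetry are constructed for the demo.

```python
"""Fingerprint check and process-side monitor for the drive attack Symantec
described in its November 2010 analysis.

Added example (not from the post or from Symantec). Constants are Symantec's
published findings; the plant inventory and telemetry below are constructed.
"""
# Profibus vendor IDs Stuxnet's PLC code searched the system data blocks for,
# and the minimum number of matching drives it required before attacking.
TARGET_VENDOR_IDS = {0x7050, 0x9500}   # Fararo Paya, Vacon
MIN_TARGET_DRIVES = 33

# Operating band Stuxnet required before it would sabotage a drive.
NORMAL_BAND_HZ = (807.0, 1210.0)


def matches_stuxnet_fingerprint(vendor_ids):
    """True if the drive population looks like what Stuxnet's PLC code required:
    at least MIN_TARGET_DRIVES drives from the two targeted vendors."""
    hits = sum(1 for vid in vendor_ids if vid in TARGET_VENDOR_IDS)
    return hits >= MIN_TARGET_DRIVES


def flag_excursions(samples, band=NORMAL_BAND_HZ):
    """samples: iterable of (t_seconds, drive_id, hz) taken from a measurement
    path the PLC does not control (see the note after the code).
    Returns [(t, drive_id, hz, 'over'|'under'), ...] for out-of-band readings."""
    lo, hi = band
    out = []
    for t, drive, hz in samples:
        if hz > hi:
            out.append((t, drive, hz, "over"))
        elif hz < lo:
            out.append((t, drive, hz, "under"))
    return out


def sabotage_pattern(excursions, window_s=2 * 3600):
    """Return the drive ids showing Stuxnet's signature: an overspeed followed
    by a near-stop on the same drive within window_s seconds."""
    last_over = {}
    flagged = set()
    for t, drive, hz, kind in sorted(excursions):
        if kind == "over":
            last_over[drive] = t
        elif kind == "under" and drive in last_over and t - last_over[drive] <= window_s:
            flagged.add(drive)
    return sorted(flagged)


# Constructed telemetry: drive 7 runs at 1064 Hz, is driven to 1410 Hz, then
# down to 2 Hz, then returns to 1064 Hz; drive 8 stays normal throughout.
TELEMETRY = [
    (0, 7, 1064.0), (0, 8, 1064.0),
    (600, 7, 1410.0), (600, 8, 1063.5),
    (1500, 7, 1410.0), (1500, 8, 1064.0),
    (4500, 7, 2.0), (4500, 8, 1064.2),
    (7500, 7, 1064.0), (7500, 8, 1064.0),
]

# Constructed plant inventory: 20 Fararo Paya + 13 Vacon drives, exactly the
# 33-drive threshold.
PLANT_DRIVES = [0x7050] * 20 + [0x9500] * 13

if __name__ == "__main__":
    print("fingerprint match:", matches_stuxnet_fingerprint(PLANT_DRIVES))
    excursions = flag_excursions(TELEMETRY)
    print("excursions:", excursions)
    print("sabotage pattern on drives:", sabotage_pattern(excursions))
```

The important design point is where the samples come from. The PLC rootkit described earlier in the post recorded normal values and replayed them to the operator, so a monitor that reads frequencies back from the infected PLC or its HMI sees nothing wrong. The check only has value if it is fed from an independent path (a separate measurement of line current or spindle speed, for instance) that the compromised controller does not mediate.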