Monday, December 14, 2009

International 'cyber' treaties

Interesting article in the NYT covering Obama's discussion with Russia over Internet security. The paragraph I found most interesting was near the end:

The Russians have focused on three related issues, according to American officials involved in the talks that are part of a broader thaw in American-Russian relations known as the "reset" that also include negotiations on a new nuclear disarmament treaty. In addition to continuing efforts to ban offensive cyberweapons, they have insisted on what they describe as an issue of sovereignty calling for a ban on “cyberterrorism.” American officials view the issue differently and describe this as a Russian effort to restrict “politically destabilizing speech.” The Russians have also rejected a portion of the Council of Europe Convention on Cybercrime that they assert violates their Constitution by permitting foreign law enforcement agencies to conduct Internet searches inside Russian borders.
If their sources are accurate, the Russians are basically trying to get agreement that they can go after internal dissenters, while guaranteeing that nobody can track Russian criminals back to Russia, and to ban the US (and presumably any other developed nation) from developing "offensive cyberweapons". Presumably they would of course stop any development that they have going on... but I don't believe it. I think they're just trying to prey on Obama's desire for dialog and see what they can get out of it while giving nothing up. They have an extensive history of oppressing free speech in their country while leaving the RBN (Russian Business Network) alone to attack companies, individuals and countries around the globe without consequence. For its part, the US looks to be trying to get the Russians to engage on the international criminal activity in the cyber domain emanating from within their borders. Good luck to the US officials on that; it will be interesting to see what sort of agreements (if any) come out.

Wednesday, November 18, 2009

US and Chinese National cyberwar postures

Two fairly thorough analyses came out recently. One, from National Journal Magazine, describes the US cyberwar plan. Much of it repeats things heard in various places, but I hadn't seen one with this level of depth/coverage in one place (particularly the emphasis on the telecommunications aspect), and it was better written than much of the earlier work. I do have to take exception to the comment: "Mostly younger officers, who received their early combat education through video games and Dungeons & Dragons, wage these battles". I know plenty of commercial industry hackers and government officers and there's not necessarily a whole lot of D&D out there... nor is that even remotely relevant. Video games definitely, both prevalent in the industry and relevant if they are trying to make the point that GenX and later grew up with video games/PCs in the home and are more comfortable in the domain than many of their senior counterparts.

The second report is titled "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" and was prepared for the US-China Economic and Security Review Commission. Again, it's an unclassified report describing what is available via open source collection, similar to the work of James Mulvenon and others on the topic. I saw James brief some government people and he's got an interesting take on what's going on and has done his legwork. The Northrop Grumman report is definitely worth reading; it updates prior work to 2009 and includes some good depth in a few areas. I worked with George Bakos (one of the two SMEs) when he was at Dartmouth; he's a technically sharp guy who adds credibility to their work.

Monday, November 9, 2009

Cyberwar: Power Grid, network attacks and supply chain

60 Minutes has an interesting video segment on cyberwarfare, focused particularly on the electrical power grid, with some discussion of network compromises at CENTCOM and supply chain vulnerabilities. The report is based predominantly on an interview with Booz Allen Hamilton's Mike McConnell, who was until recently the DNI (Director of National Intelligence).

You can read the text of the article here

Most interesting was the discussion of actual attacks, particularly the attacks against Brazil that brought down their power grid for a while, and the compromise of CENTCOM.

Another article came out today about the process of securing the supply chain.

You can see the agenda of the recently concluded 2009 session of the US working group trying to address power grid/SCADA vulnerabilities online. A number of people I know were participating or presenting there... the problem is being looked at, but is also far from solved.

The Aurora story and mentioned video can be seen at CNN among other places.

The "senior government intelligence official" that 60 Minutes refers to is presumably Tom Donahue (CIA) and his comments presented at a SANS conference.

Update: Interesting response to the 60 Minutes story (and the Tom Donahue one) in which the authors believe it's all rumors, not true, and a government-motivated power grab. I don't buy the Errata rebuttal (he claims HE could easily bring down the power grid, but obviously all these other times must be false examples), but it's a good reminder that rumors, even when told 6+ times, are still rumors.

Wednesday, September 16, 2009

Vulnerability Research Market

Jared DeMott just emailed me a great briefing from Pedram Amini discussing the 0-day software vulnerability market. Nice survey of the landscape, interesting findings, players, etc. You can find the briefing here: Adventures in buying vulnerabilities. He also gives some quantitative data describing vendor performance, number of bugs, etc.

On this topic, Charlie Miller wrote a nice paper on the economics of vulnerabilities that was published in 2007 here. The market has continued to change/mature since his paper. WabiSabiLabi went out of business (when their founder was arrested on separate charges!) and new players have entered/exited. Companies exist all over the US focused on this problem space. That motivated me to do a little survey and capture here who some of the players are; I haven't seen a great list in one place.

In the process of doing this survey I ran across some interesting papers that I'm also posting here. One is a nice short summary from a company focused on mobile handset/infrastructure vulnerability analysis, summarizing some of the technologies/market from their perspective. Bruce Schneier and Marcus Ranum have an interesting debate on the general field of vulnerability research. There's also a solid academic paper from a year earlier than Charlie's, presented at WEIS, that someone just pointed me towards. They describe the market in 2006 and provide another perspective on some of the commercial players and some of the models/motivations for sellers and buyers.

Even Pedram's briefing and the list below are certainly not exhaustive; for every entry here there are a couple of people with a small firm or wedged in some large enterprise. I didn't include academic groups or individuals who have gathered acclaim, as I'm really following Pedram's line of thinking about the commercial market and wanted this post to take less than 2 hours (I've already failed!). I attempted to capture some of the major companies in the American commercial and government contracting communities that have a stated presence/interest in the market. The interested reader should be able to recreate these findings (and probably expand them) by perusing the Blackhat/CanSecWest briefings over the last 3 years, job postings, and permutations on Google searches that include "vulnerability research".

Some of the more interesting players in the purely commercial market include:

  • TippingPoint/DVLabs: sells intelligence/IDS data.
  • iDefense: sells intelligence/IDS data (see Pedram's briefing for other similar companies).
  • Vulnerability Research Labs: sells intelligence/IDS data?
  • iSIGHT Partners: maintains their Global Vulnerability Partnership and sells vulnerability data to a pool of customers looking for threat intelligence.
  • Netragard: maintains an active vulnerability acquisition program and claims to be the only IT services provider to do so.
  • Fortify: source code analysis.
  • Veracode: source/binary code analysis "in the cloud".
  • Endgame Systems (the ex-iDefense guys): sells intelligence/IDS data.
  • Immunity Security (and the third party vendors listed on their site): sells a penetration testing tool and performs contracted research.
  • Core Security: sells a penetration testing tool (probably Immunity's main competitor).
  • Charlie Miller's company, Independent Security Evaluators: contracted vulnerability researchers.
  • Mark Dowd and company at IBM/ISS X-Force: sells intelligence/IDS data.

There are a number of government contractors out there too. They usually aren't as clear on their business model or which portion of the vulnerability research market they serve; it is probably contracted testing to secure systems or providing advanced threat intelligence data.

  • SAIC (kind of tricky, as they are so fragmented): here's a great job description.
  • Harris Crucial Security: here's a job writeup.
  • SRA: check out a posting here.
  • ManTech: so many postings across the board I didn't bother.
  • Raytheon: I enjoyed their creatively named job postings.

Those are some companies that seem to have critical mass and advertise their capabilities/products/personnel in this important area. Let me know if you think companies are missing from this list by dropping me an email or posting back.

Tuesday, August 25, 2009

Using your cell phone to... cook food

This is a little outside the focus of most of my posts, but it was too interesting to pass up. The New York Times ran an article that was quoted in several places regarding a Maytag oven that will turn itself on and automatically go to "high" whenever a nearby cellular phone is called:

“Maybe the ringing cellphone turned it on,” Mr. Melnikov suggested to the two men.

They scoffed.

He laid the phone next to the stove. They dialed it. Suddenly, the electronic control on the stovetop beeped. The digital display changed from a clock to the word “high.” As the phone was ringing, the broiler was heating up.

Three other apartments in the building are fitted with the same make and model oven: Maytag Model CGR1425ADW. “My phone turned on all of them,” Mr. Melnikov reported. “One apartment had a General Electric. It didn’t work on that one.”
Intriguing possibilities follow from this... it would certainly make home automation a lot simpler, although I'm not sure how many people want third parties to have remote access to their ovens. Some interesting ideas that spin out of these Maytag ovens:
  • Leave your phone (or buy a special low cost phone for this purpose) next to the stove to turn the pot-roast on when you're away at church so it will be ready before coming home.
  • Leave your phone at an adversary's home (ex-girlfriend, bad-guy, etc.) and call it when they aren't there. Or even when they are, if you are the murdering type.
  • Copy the magic Maytag design into other household appliances, or better still your car.
I'd be interested in hearing your comments (below) regarding other applications, or maybe why it's really happening. I don't buy simple EM interference, as it triggers when the phone is called, not when it emits energy to make a call. Maybe the noise itself? Does the phone really ramp up EM emissions that much when receiving a call to trigger it? From the article: "Mr. Melnikov, 35, who emigrated from Russia in 2000, runs a company that sets up computers, networks and security systems. His apartment is crowded with electronics gear." Coincidence? Or maybe Melnikov rigged it, or some of his other equipment is causing the interference.

Friday, August 7, 2009


Good article in the NY Times regarding a possible plan by the Bush administration to topple Iraqi banking in 2003. From the Times article:
In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops.

“We knew we could pull it off — we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.

But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.
They never describe in the story how exactly that would occur... given that much of the money is presumably stored in international banks, that would obviously cause some collateral impacts deemed to be "undesirable". But maybe they were Iraqi-only banks, or just disruptions to the bank connections, or modifications of amounts/compromising the accounts to drain them. Lots of options, not enough detail unfortunately. They did have some other interesting cyber-warfare news to report though:

Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to cripple Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.

Besides blowing up cellphone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite phone and cellphone coverage to Iraq to alert them to possible jamming and to ask their assistance in turning off certain channels.

Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cellphone and satellite telephone systems. That limited damage was deemed acceptable by the Bush administration.

Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.

These missions, which remain highly classified, are being scrutinized today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on, a news Web site, in 2003.
I am always a bit incredulous reading about classified stories in the press. Either they are making them out to be more than they are, or people should be facing jail time and getting in trouble... Certainly it wouldn't be the first time that a reporter made something sound more secretive than it really is, but if it really is classified I'd like to know why people with clearances are sharing it and nothing happens.

Anyway, all of this is coming to light while Obama is still digesting the recently completed 60-day cyber-review and unable to find a cyber-security "czar" (multiple reports are coming out that dozens of people have been interviewed and multiple offers made, all declined so far).

Melissa Hathaway resigned on August 3rd, saying in the Washington Post that

"I wasn't willing to continue to wait any longer, because I'm not empowered right now to continue to drive the change," she said. "I've concluded that I can do more now from a different role," most likely in the private sector.

Hathaway noted that it has been two months since President Obama made a highly acclaimed speech on the importance of cybersecurity and pledged to "personally" select a cybersecurity coordinator. A colleague close to Hathaway said she had become dismayed by the delay in the appointment. The colleague, who spoke on condition of anonymity, added that Hathaway had "the sense that this was very political, that she has been too closely tied to the Bush administration."

Monday, July 27, 2009

Mobile malware: Blackberry

Also in July, we have the UAE's mobile cellular provider Etisalat serving up hostile BlackBerry updates to its subscribers that include interception code. From Wired:

The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers.

The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP.

Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain.

“When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load.

The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.

The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software.

Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world.

Chris Wysopal from Veracode has a short breakdown of the code on his site that's worth perusing. From his conclusion:

The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. "Here I am, software is installed!") got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

The final thing to mention is that the spyware does appear to be installed in a non-running state by default, where it's not actually exfiltrating data once the initial registration packet has gone out. However, using the command and control mechanism we described earlier, the carrier can remotely start/stop the service at will on a per-device basis.

The best technical breakdown of the code that I've seen is from Zensay Labs and is available here. The author's blog (company?) is here and talks at length about the whole situation, possible remedies, future work, etc.

More interesting from my perspective is how little coverage this mass distribution of spyware seems to be getting, and the obvious lessons for someone trying to deploy malicious code on this scale. Also of interest is the reasoning behind pushing the code to the client instead of intercepting on the network, as most other providers are probably doing today. A few people pointed out that this was probably done to circumvent the strong encryption mechanisms that RIM has put in place, which implies that the UAE doesn't have the ability to successfully crack or MITM (man-in-the-middle) the encrypted data on the network.

Clearly, testing these applications before massive field deployments would seem to be a good idea. The application itself, while naive, seems sufficient for what they wanted to accomplish. But by not properly factoring in the network requirements or thinking about the various modes of failure, the entire thing blew up in their faces. Or not, given that nothing seems to be happening yet.
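The failure mode above, a fixed five-second retry timer, is also a detection opportunity for the defender: a device re-registering on a constant period looks nothing like human traffic. The following is an added example, not code from the original post, from Etisalat or from RIM. It flags source/destination pairs whose connection inter-arrival times are nearly constant. The hosts, IPs and timestamps are constructed for the demonstration, and the thresholds (eight events, coefficient of variation of 0.1) are assumptions to be tuned against your own baseline.

```python
"""Fixed-interval beacon detection over constructed connection records.

Added example, not code from the original post, from Etisalat or from RIM.
It models the behaviour Wysopal describes: a device retrying its
registration every five seconds. The same pattern that drained batteries is
visible on the wire as near-constant inter-arrival times, which a network
defender can flag without knowing anything about the payload.
Hosts, IPs and timestamps below are constructed for the demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (epoch seconds, source host, destination host).
# 10.0.0.5 re-registers with "reg.example.net" every ~5 s (small jitter);
# 10.0.0.9 browses "news.example.org" at irregular, human-looking times.
_JITTER = [0.0, 0.1, -0.1, 0.2, 0.0, 0.1, -0.2, 0.0, 0.1, 0.0, -0.1, 0.1]
RECORDS = [(1000.0 + 5 * i + j, "10.0.0.5", "reg.example.net")
           for i, j in enumerate(_JITTER)]
RECORDS += [(t, "10.0.0.9", "news.example.org")
            for t in (1003, 1031, 1045, 1120, 1122, 1190,
                      1300, 1301, 1302, 1450, 1480, 1600)]


def find_beacons(records, min_events=8, max_cv=0.1):
    """Return (src, dst, period_seconds, event_count) for every src/dst pair
    whose inter-arrival times are nearly constant.

    A pair is flagged when it has at least `min_events` connections and the
    coefficient of variation (stdev / mean) of the gaps between them is at
    most `max_cv`. Human traffic is bursty and fails this test; a retry loop
    driven by a fixed timer passes it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(float(ts))

    beacons = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        if pstdev(gaps) / period <= max_cv:
            beacons.append((src, dst, round(period, 1), len(times)))
    return beacons


if __name__ == "__main__":
    for src, dst, period, n in find_beacons(RECORDS):
        print(f"beacon: {src} -> {dst} every {period}s ({n} events)")
```

Run on the constructed records, only the 10.0.0.5 to reg.example.net pair is reported, with a period of 5.0 seconds over 12 events. In practice the input would be NetFlow or proxy logs rather than an inline list, and a smarter implant would add randomized jitter and long sleep intervals, which is why `max_cv` is a tunable rather than a constant.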

A much more successful approach to spying on citizens using the cellular network is detailed in the "Athens Affair"; the UAE/Etisalat spying community should have read that first. In the Athens Affair an unknown party surreptitiously monitored a number of key government personnel for a good length of time, and the people behind it remain unidentified; it was only stumbled upon by chance.

Client-side spyware is difficult to deploy/monitor on massive scales, and it will only get harder as people screw up deployments, get detected, and raise concern about all future software deployments. Users and defenders have an equal challenge in determining trust... if you can't trust the software from your provider, manufacturer, or government (just found out about this INSLAW thing, some interesting reading/viewing on that one), or open source software, who do you trust?

Mobile malware: Symbian

Interesting developments in the mobile community this month. First I wanted to highlight the Symbian-signed trojan; I'll discuss the interceptor software deployed on BlackBerry phones in the UAE in another post.

To give you some background, I'll quote an excerpt from Dancho Danchev:
Earlier this month, a mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B, slipped through Symbian’s mobile code signing procedure, allowing it to act as a legitimate application with access to device critical functions such as access to the mobile network, and numerous other functions of the handset.

Upon notification, the Symbian Foundation quickly revoked the certificate used by the bogus Chinese company XinZhongLi TianJin Co. Ltd, however, due to the fact the revocation check is turned off by default, the effect of the revocation remains questionable.

What happened was that some malicious group slipped one past the automated Symbian mobile code signing process (Express Signature, which doesn't require human analysis), causing a piece of malware to receive a Symbian-signed digital signature. Adding human analysis doesn't scale well either: they currently have over 2,000 applications receiving a signature each month and are trying to drastically increase that number to compete with Apple's iPhone.

The problem points to the larger question of code validity, integrity and automated detection of malware in binaries. Even with extensive human analysis, an attacker can hide bad things in legitimate software, or fool/attack the legitimate servers providing the code. In the cases where we've seen this occurring, it's often caught because the attacker makes a mistake or someone gets lucky and stumbles across it, not because the overall system is robust to attack.

There are numerous papers and projects out there trying to figure out how to automatically catch these types of attacks (here, here, here, etc.), but they are all bounded by the halting problem... it's not possible to build code that automatically determines what other code will do in all cases (as shown in Fred Cohen's 1984 work on computer viruses and follow-on work by him and others). That said, it is certainly possible to catch lots of things most of the time... the question is how much and how often. DARPA has an interesting problem trying to automatically detect bad things in chips in the TRUST program. I haven't seen anyone try to figure out what the theoretical upper limit of these types of research efforts is, or frankly how to even quantify the problem sufficiently; that's where I'd be spending my energy if engaged in this area.
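The undecidability argument above is short enough to run. The following is an added example, not code from the original post or from Cohen's papers; it carries out the diagonal construction: given any detector, build a program that asks the detector about its own source and does the opposite, so the detector is wrong on that program whatever verdict it gives. The "detector" (any function from source text to a bool), the three sample detectors, and the modelling of "malicious behaviour" as returning the string "INFECT" are all simplifications chosen for the demonstration.

```python
"""Why no detector decides "malicious" for every program (Cohen's argument).

Added example, not from the original post or from Fred Cohen's papers.
The construction is the diagonal one: given any detector, build a program
that asks the detector about its own source and does the opposite. The
detector is then wrong on that program, whatever it is. Here a "detector"
is any function from source text to bool, and "malicious behaviour" is
modelled as the program returning the string "INFECT"; both are
simplifications chosen for the demonstration.
"""
from typing import Callable

Detector = Callable[[str], bool]

# Source of the contrarian program. It is handed the detector under test and
# its own source text, so it can ask "would you flag me?" and then invert the
# answer. Malware authors do the equivalent by testing against public AV engines.
CONTRARIAN_SRC = '''
def run(detector, own_source):
    # If the detector flags this program, stay benign; otherwise "infect".
    if detector(own_source):
        return "BENIGN"
    return "INFECT"
'''


def load_contrarian():
    """Compile the contrarian source into a callable. exec of a string is
    acceptable here only because the string is a constant in this file."""
    namespace = {}
    exec(CONTRARIAN_SRC, namespace)
    return namespace["run"]


def behaves_maliciously(detector: Detector) -> bool:
    """Run the contrarian program against `detector` and report what it did."""
    return load_contrarian()(detector, CONTRARIAN_SRC) == "INFECT"


def detector_is_wrong(detector: Detector) -> bool:
    """True when the detector's verdict on the contrarian program disagrees
    with the program's actual behaviour, i.e. the detector has been defeated."""
    return detector(CONTRARIAN_SRC) != behaves_maliciously(detector)


# Three hypothetical detectors of increasing crudeness. None of them, nor any
# other total decision procedure, survives the construction above.
def signature_detector(src: str) -> bool:
    return "INFECT" in src          # classic string-signature scan


def flag_everything(src: str) -> bool:
    return True                      # maximally paranoid


def flag_nothing(src: str) -> bool:
    return False                     # maximally permissive


if __name__ == "__main__":
    for det in (signature_detector, flag_everything, flag_nothing):
        print(f"{det.__name__}: defeated={detector_is_wrong(det)}")
```

The construction depends on the program being able to consult the detector, which is exactly the situation with any scanner an attacker can buy or download. That is why static, deterministic verdicts are bounded as the paragraph says, and why the practical edge comes from things the attacker cannot rehearse against: private detection logic, behavioural monitoring at runtime, and the "how much and how often" measurements rather than a yes/no oracle.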

The other problem that the code signer community has to deal with is trust. Mikko Hyppönen from F-Secure says that "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all." While that's probably a true statement, there is a big qualifier that goes with it... by digitally signing something and stating that it's valid/secure/trustworthy, you drastically change the equation on the part of the user when they install something. In today's Wild West model on the Internet most users know they cannot trust any application and have to be cautious about the source, content, etc. When companies like Symbian digitally sign applications as valid and that trust is compromised, you have to wonder whether they are just doing it to ensure a monopoly/control over the platform and charge the application developers, and what liability they incur by inappropriately validating these third party applications.

Wednesday, July 8, 2009

Korean cyber-activities

[Photo: Employees of the Korea Internet Security Center inside a monitoring room in Seoul on Wednesday. Ahn Young-joon/Associated Press]

Over the Fourth of July weekend, 14 government web sites in the United States, including the Treasury Department, Secret Service, Federal Trade Commission and Transportation Department, and 11 in South Korea were hit by an unattributed Distributed Denial of Service (DDoS) attack. The sites in South Korea included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank and other well known sites. According to an article by Robert McMillan,
"On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack, one security expert said after being briefed by the US-CERT on Tuesday. "It's the biggest I've seen," said the expert, who asked not to be identified because he was not authorised to discuss the matter. By Tuesday it was averaging about 1.2 gigabytes per second, he said."
The New York Times (and others) quote a South Korean paper: "Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups. A spokesman at the intelligence agency said it could not confirm the Yonhap report, which said that the spy agency briefed lawmakers about their suspicions on Wednesday." Given the targets it seems like an intuitive conclusion; the question of course is what the actual technical intelligence / SIGINT says.

Some other interesting points on this attack are that most of the bots used were located in South Korea, with South Korean officials stating that at least 12,000 were in S. Korea, and the allegation by unnamed S. Korean intelligence officials that N. Korea routes its attacks through Chinese Internet connections. Again, that would seem intuitive; where else are they going to go through?

All sorts of guesses and innuendo out there... some point out that a single anti-capitalist controlling the bot-net might have launched the attacks, while the S. Korean National Intelligence Service is quoted in the NYT article saying that "This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level".

What I found interesting in reading all the articles on this story was the lack of tie-in to prior stories on cyber activity on the Korean peninsula. Of particular interest to me were these two:

The first, from Kevin Coleman at DefenseTech, claims that "North Korea Poised for Cyber Salvo". He writes in his April 20th, 2009 story that
Most military strategists agree that cyber attacks are an excellent first strike weapon. In these specific circumstances, cyber attacks might be considered by Pyongyang as an appropriate and proportional response to the U.N. Security Council's condemnation and reinforcement of existing sanctions. High probability targets if DPRK launches cyber attacks include South Korea and the fifteen countries that make up the current U.N. Security Council that include -- permanent members-China, France, Russian Federation, the United Kingdom and the United States -- and ten non-permanent members Austria, Japan, Uganda, Burkina Faso, Libyan Arab Jamahiriya, Vietnam, Costa Rica, Mexico, Croatia and Turkey. This calls for increased vigilance by cyber security professionals guarding the critical infrastructure of those targets identified above.
He also posts some unsubstantiated but intriguing claims regarding the state of North Korean capabilities:
  • Unit: 121
  • Established: 1998
  • Force Size: 12,000 declining
  • Cyber Budget: $56+ million.
  • Goal: To increase their military standing by advancing their asymmetric and cyber warfare capabilities.
  • Experience: Hacked into South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems.
  • Threat Rating: North Korea is ranked 8th on the cyber capabilities threat matrix developed in August 2007 and updated February 2009.
  • Cyber Intelligence/Espionage: Basic to moderately advanced weapons with significant ongoing development into cyber intelligence.
  • Offensive Cyber Weapons: North Korea now has the technical capability to construct and deploy an array of cyber weapons. They have moderately advanced distributed denial of service (DDoS) capabilities with moderate virus and malicious code capabilities. Hacking capabilities are moderate to strong with an experience rating of limited to moderate.

I'd say he hit the nail on the head. There's some garbage in the talk-back section of his article, but one posting there links to his testimony for the hearing before the U.S.-China Economic and Security Review Commission on "China's Propaganda and Influence Operations, Its Intelligence Activities that Target the United States, and the Resulting Impacts on U.S. National Security". I've included a link to the transcribed notes here. If you look into it, he's a Senior Fellow at Technolytics, which focuses on policy type work in cyberspace. In his testimony he said he was formerly the Chief Strategist at Netscape, so he appears to be a technically sharp guy who can follow where Internet/technology trends are heading. It could always be a random group or individual, but his prediction appears to have been prescient.

The second series of articles describes North and South Korean plans for military operations in cyberspace. While there is lots of data out there, some recent articles are interesting. First, an unnamed intelligence official quoted by South Korea's Yonhap news service led to this May 5th AP story:

SEOUL, South Korea — North Korea runs a cyberwarfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service, a news report said Tuesday.

The North's military has expanded the unit, staffing it with about 100 personnel, mostly graduates of a Pyongyang university that teaches computer skills, Yonhap news agency reported, citing an intelligence agency it didn't identify. South Korea's Defense Ministry said it is aware that Pyongyang has been training hackers in recent years but did not provide details and had no other comment. The National Intelligence Service — South Korea's main spy agency — said it could not immediately confirm the Yonhap report.

Not even two months later, on June 26th, news came out regarding a South Korean Cyber Command, analogous to recent developments in the US towards a comprehensive Cyber Command, and created specifically in response to North Korean cyber activities. The articles don't say much but mention the creation of the cyber command and some of their staffing plans.

While I'm on the topic of communist countries and military operations in cyberspace, I stumbled across an article in the People's Daily saying that 94% of Chinese "Netizens" favor the creation of a Chinese Cyber Command. Pretty funny... do they not realize how active their government already is? Or maybe they are really saying they just want it to come out of the closet and be more transparent? Either way I found it amusing... (tongue-in-cheek:) hopefully those PRC leaders take this advice to heart and get moving on it!

The Washington Times reported that according to the mass-circulation South Korean newspaper JoongAng Ilbo:

The spy agency told lawmakers Friday that a research institute affiliated with the North's Ministry of People's Armed Forces received an order to "destroy the South Korean puppet communications networks in an instant," the mass-circulation JoongAng Ilbo newspaper reported.

The paper, citing unidentified members of parliament's intelligence committee, said the institute, known as Lab 110, specializes in hacking and spreading malicious programs. The Ministry of People's Armed Forces is the secretive nation's defense ministry.

The NIS - South Korea's main spy agency - said it couldn't confirm the report. Calls to several key intelligence committee members went unanswered Saturday. The agency, however, issued a statement late Saturday saying it has "various evidence" of North Korean involvement, though it has not reached a conclusion.

Also, on July 10th 2009 the 20,000+ machines that were infected by a bot-net and used to launch the DOS attacks began wiping themselves out:

The malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications.

The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.

This will primarily affect machines in S. Korea, which represents the bulk of the bot-net.

And finally, S. Korea was warned in advance of the attacks, but both countries (particularly S. Korea) were poorly prepared to deal with the DOS. Potential methods for dealing with the DOS include distributing their sites across multiple nodes, cutting off adversarial IPs/ranges quickly, and adding contingency bandwidth.

More updates:
According to the police investigating the attacks: "The DDoS attackers hacked two Korean Web sites, based in Seoul and Busan, and switched the program update files of the sites with their malicious codes". Furthermore, the zombie computers were primarily infected via those two hacked web servers: 21 of the 27 zombie machines that they sampled had been infected that way. The command and control servers were all based in other countries: London, Miami, and others. Still working to identify the sources...

Wednesday, July 1, 2009

China's Green Dam

China mandated in early June of 2009 that all PCs sold in the PRC as of July 1st, 2009 must have their censorware software, known as "Green Dam", installed before delivery to a customer. This software (shown below) is ostensibly meant to protect the innocent youth of China from pornography, violent video games, homosexual topics and drug information, but could easily be used to prevent access to foreign news sources or other "undesirable" web sites. It was also shown that it intercepted and blocked certain queries on the Falun Gong and other politically oriented topics.

Scott Wolchok, Randy Yao, and J. Alex Halderman from the University of Michigan published a brief paper describing remotely exploitable vulnerabilities in this mandatory software. Within a short period of time exploit code was on milw0rm and a module had been posted to Metasploit.

At this point China has pulled the mandatory requirement while they spend some time reconsidering their potential creation of a billion-node botnet. Adding an interesting twist to the story is the claim by Solid Oak Software that some of the code for Green Dam was ripped off from their CYBERSitter product by "unknown sources"... although something tells me they were Chinese.

August 14th:
After massive blowback, China has changed their mind on mandatory installation of Green Dam, according to several sources... and apparently the rest of the universe was confused; it was never intended to be mandatory in the first place!

From the WSJ: "Mr. Li said Thursday the software was always intended to be optional and not a mandatory installation, adding that the regulations were unclear when first released by the Ministry of Industry and Information Technology in May.

The regulation "wasn't fully considered, and not expressed clearly, and gave everyone the impression that this is mandatory," he said... Mr. Li said Thursday the ministry's intention was always for the software to be installed on a voluntary basis by individuals or their parents. "The head of the family has the right to choose," he said, adding that China "fully respects everyone's freedom to choose."" Of course they do, who else would think otherwise?

Thursday, June 25, 2009

Iranian Traffic Filtering

There are a couple of good articles at Arbor on how Iran is filtering the traffic in and out of the country. The first is an overview of the traffic shaping; the second goes deeper into what seems to be occurring. I've included a picture from the site showing the traffic being blocked.
The most interesting takeaway that I had was that they are completely ignoring WoW, Xbox and some other game-oriented traffic. An amusing (and accurate) conclusion is reached by Craig Labovitz:
"Perhaps games provide a possible source of covert channels (e.g. “Bring your elves to the castle on the island of Azeroth and we’ll plan the next Ahmadinejad protest rally?”)"

Tuesday, June 9, 2009

Exploit against Deep Freeze in the wild

There is a Chinese worm family called W32.SafeSys.Worm floating around the Internet, with over 46,000 infected machines in Vietnam alone according to the Bkis Security Research Blog. It supposedly gets direct access to the disk controller buffer, allowing it to modify the hard disk on the targeted machine directly. This allows it to circumvent system rollback tools such as DeepFreeze.

DeepFreeze has proven to be an effective defensive tool for mitigating the damage an attacker can cause on a system, as it allows the owner to roll back to a "known good state". Of course, these states often don't include the latest patches and the system could always be re-infected at a later date, but it at least makes life difficult for someone trying to maintain a persistent presence on the system to collect passwords, act as part of a bot-net, etc.

I don't have a copy myself, but I'd be interested in examining it to see what it was designed for. According to Bkis it includes a number of payloads, including "stealing online games passwords, faking gateway, inserting iframe exploiting software flaws to spread via LAN, spreading via USB and automatically updating new variants".

Saturday, June 6, 2009

Shannon's capacity Theorem for Stego

A strong interest area of mine is the convergence of Information Theory and Information Operations. One area of particular interest is creating, for steganographic channels, an equivalent to Claude Shannon's groundbreaking work modeling the theoretical capacity of communication channels. Shannon showed that the channel capacity for a communication channel is given by:

He also created a definition for when perfect secrecy has been achieved for a cryptographic scheme (most often demonstrated with the one-time pad).

The question is, for a designed steganographic channel, how much data can be passed through the channel while maintaining some equivalent of "perfect secrecy"? Many mathematicians have danced around this topic, but only recently has it been addressed.

Ross Anderson and Fabian Petitcolas pointed out in their '96 and '98 papers some of the limits of steganography, notably that the party attempting to protect their communication is bound by their ability to model the channel. They make the claim that it's impossible to model the channel capacity, since you never know if your adversary has a better model of the channel than you do. (If they did, they could compress the data more effectively, rendering the effective entropy zero and destroying either the channel or your ability to use it stealthily.) Other papers in the area discuss the topic in less detail or more narrowly; I have not included them here.

The first paper that really broke ground on this problem was by C. Cachin: his 1998 workshop paper "An information-theoretic model for steganography," rounded out in the follow-up paper of the same name in 2004. Both papers are available at his site. Rather than focusing on what was hard, he showed how to calculate an equivalent of perfect secrecy given a channel model, using a model-independent mathematical approach.
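To make Cachin's measure concrete, here is an added example (not code from this post, nor from Cachin's papers): it computes his security measure, the relative entropy D(P_C || P_S) between the cover and stego distributions, for a constructed 8-level cover histogram under LSB replacement at a chosen embedding rate, and applies his bound d(α, β) ≤ ε on any passive detector's false-positive rate α and missed-detection rate β. The cover histogram and the LSB-replacement embedding rule are assumptions made for illustration.

```python
import math

# Constructed cover model (an assumption for illustration): probabilities of
# 8 pixel values, with LSB pairs (2k, 2k+1) deliberately unbalanced, which is
# exactly what LSB replacement disturbs and what a detector can exploit.
COVER = [0.30, 0.10, 0.20, 0.05, 0.15, 0.05, 0.10, 0.05]

def stego_distribution(cover, rate):
    """P_S after LSB replacement at embedding rate `rate` in [0, 1]: each
    symbol's LSB is overwritten with a uniform message bit with probability
    `rate`, so the mass within each pair (2k, 2k+1) is partly averaged."""
    out = list(cover)
    for k in range(0, len(cover), 2):
        pair = cover[k] + cover[k + 1]
        out[k] = (1 - rate) * cover[k] + rate * pair / 2
        out[k + 1] = (1 - rate) * cover[k + 1] + rate * pair / 2
    return out

def relative_entropy(p, q):
    """D(P || Q) in bits; Cachin's security measure is eps = D(P_C || P_S)."""
    return sum(pi * math.log2(pi / qi) for pi, qi in zip(p, q) if pi > 0)

def binary_relative_entropy(alpha, beta):
    """d(alpha, beta) for a detector with false-positive rate alpha and
    missed-detection rate beta; Cachin's theorem says d(alpha, beta) <= eps."""
    return (alpha * math.log2(alpha / (1 - beta))
            + (1 - alpha) * math.log2((1 - alpha) / beta))

def min_miss_rate(alpha, eps, tol=1e-9):
    """Smallest beta any passive detector with false-positive rate alpha
    (0 < alpha < 1) can reach against an eps-secure stegosystem: bisection on
    d(alpha, beta) = eps, d being decreasing in beta on (0, 1 - alpha]. With
    eps = 0 the answer is 1 - alpha, i.e. the detector is no better than a guess."""
    lo, hi = tol, 1 - alpha
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binary_relative_entropy(alpha, mid) > eps:
            lo = mid
        else:
            hi = mid
    return hi

if __name__ == "__main__":
    # Capacity here is simply the rate (one message bit per embedded symbol);
    # eps grows with it: the capacity-versus-secrecy trade-off in miniature.
    for rate in (0.0, 0.1, 0.5, 1.0):
        eps = relative_entropy(COVER, stego_distribution(COVER, rate))
        print(f"rate={rate:.1f} bit/symbol  eps={eps:.4f} bit  "
              f"best miss rate at alpha=0.05: {min_miss_rate(0.05, eps):.3f}")
```

At rate 0 the stego and cover distributions coincide, ε is 0 and no detector beats guessing; as the rate rises, ε rises and the floor on the miss rate drops, which is the capacity-versus-secrecy trade-off in its smallest form.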

Pierre Moulin wrote some great papers with his student Ying Wang, which are available here. His papers build upon Cachin's and establish a general information-theoretic foundation. They also include bounded examples where it is impossible to detect the steganographic implementation.

Building on the work by Cachin, Moulin, and other contributors, Harmsen and Pearlman have tied it all together with a draft published in 2008 and the final paper released in IEEE Transactions on Information Theory (updated in 2010 to point directly to their home page hosting it), providing a general model for capacity as a function of secrecy. Rather than trying to explain it myself, I'll include an excerpt on why their paper is so useful:
This work differs from previous work in a number of aspects. Most notable is the use of information-spectrum methods that allow for the analysis of arbitrary detection algorithms and channels. This eliminates the need to restrict interest to detection algorithms that operate on sample averages or behave consistently. Instead, the detection functions may be instantaneous, meaning the properties of a detector for n samples need not have any relation to the same detector for n + 1 samples. Additionally, the typical restriction that the channel under consideration be consistent, ergodic or stationary is also lifted.
Fortunately we didn't listen to the naysayers and give up trying to model covert channel capacity.

From now on, if anyone tells you they've built the solution to stop or detect all covert communications, you can prove why they are wrong. It's all about capacity, as I've held for a long time. You can't stop covert communications, only limit capacity. You can limit a lot more if you use an active warden (randomize as much of the entropy as you can to make it difficult for the adversary to utilize the channel), but you cannot eliminate it. Case closed.

Update (February 22nd, 2011): Just found a paper extending the mathematical proof involving types of steganographic channels (active wardens, various statistical distributions, etc.) more comprehensively. It appears this will be massaged a few more times until every case is hammered down and people will move on to more complex scenarios. Nicholas Hopper, Luis von Ahn, and John Langford. "Provably Secure Steganography," IEEE Transactions on Computers 58(5): 662-676, May 2009. (©2009 IEEE)

Monday, June 1, 2009

Politics and Cyberspace... replayed.

For all the hype that Obama's 60-day security review received, it didn't end up looking much different from Bush's. No Cyber-czar reporting directly to the president, despite his earlier claim (which I finally found posted here, after some digging). No real changes/re-organizations. Lots of discussions about collaboration, the scary threat, etc.

I liked this comparison that C-Net did between the Bush and Obama reports. Gene Spafford has a good posting on it if you want an expanded discussion. Bottom line is more of the same... a big political food fight/power struggle between NSA, HSA, DoD, and the other smaller players angling for a piece of the pie.

"Network Attack Weapons"

I had to post this one for some obvious reasons... first, because this is a rather detailed dive (for relatively mainstream press) into some work that's been done in building network attack systems/tools in the defense contractor community.

But secondly, because it's pretty cool seeing something you invented discussed in the Register and Aviation Week. :-)

The article discusses what the author views as the state of the art in offensive CNO systems development. They discuss some of the capabilities of those systems and extrapolate how they might be employed. An entertaining read that manages to be informative and not stray too far into storyland.

Raytheon Cyberwar activities

Fluffy article in the NYT regurgitating a lot of prior "Cyber" stuff, but with some new material focused on my friends at SI Govs (now Raytheon) talking about their work.

Some good quotes in there, such as these two: "“Everybody’s attacking everybody,” said Scott Chase, a 30-year-old computer engineer who helps run the Raytheon unit here." and "At a Raytheon facility here... engineers create tools to protect the Pentagon’s computers and crack into the networks of countries that could become adversaries."