The Russians have focused on three related issues, according to American officials involved in the talks that are part of a broader thaw in American-Russian relations known as the "reset" that also include negotiations on a new nuclear disarmament treaty. In addition to continuing efforts to ban offensive cyberweapons, they have insisted on what they describe as an issue of sovereignty calling for a ban on “cyberterrorism.” American officials view the issue differently and describe this as a Russian effort to restrict “politically destabilizing speech.” The Russians have also rejected a portion of the Council of Europe Convention on Cybercrime that they assert violates their Constitution by permitting foreign law enforcement agencies to conduct Internet searches inside Russian borders.If their sources are accurate the Russians are basically trying to get agreement that they can go after internal dissenters, while guaranteeing nobody can track back Russian criminals to Russia and ban the US (and presumably any other developed nation) from developing "offensive cyberweapons". Presumably they would of course stop any development that they have going on... but I don't believe it. I think they're just trying to prey on Obama's desire for dialog and see what they can get out of it while giving nothing up. They have an extensive history of both oppressing free speech in their country while leaving the RBN (Russian Business Network) alone to attack companies, individuals and countries around the globe without consequence. On our part it looks that the US is trying to get the Russians to engage on the International criminal activity in the cyber-domain emanating from within their borders. Good luck to the US officials on that, will be interesting to see what sort of agreements (if any) come out.
Monday, December 14, 2009
International 'cyber' treaties
Wednesday, November 18, 2009
US and Chinese National cyberwar postures
The second report is titled: "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" and was prepared for The US-China Economic and Security Review Commission. Again, it's an unclassified report describing what is available via open source collection, similar to James Mulvenon and other individuals work on the topic. I saw James brief some government people and he's got an interesting take on what's going on and has done his legwork. The Northrop Grumman report is definitely worth reading, it updates prior work to 2009 and includes some good depth in a few areas. I worked with George Bakos (one of the two SMEs) when he was at Dartmouth, he's a technically sharp guy who adds some credibility to their work.
Monday, November 9, 2009
Cyberwar: Power Grid, network attacks and supply chain
60 Minutes has an interesting video segment on cyberwarfare, particularly a focus on the electrical power grid and some discussion of network compromises at CENTCOM and supply chain vulnerabilities: The report is based predominantly on an interview with Booz Allen Hamilton's Mike McConnell, who was until recently the DNI. (Director of National Intelligence).
You can read the text of the article here
Most interesting was the discussion of actual attacks. Particularly the attacks against Brazil that brought down their power grid for a while and the compromise of CENTCOM.
Another article came out today about the process of securing the supply chain
You can see the agenda of recently concluded 2009 session of the US working group trying to address the power grid/SCADA vulnerabilities online: A number of people I know were participating or presenting there... the problem is being looked at, but is also far from solved.
The Aurora story and mentioned video can be seen at CNN among other places.
The "senior government intelligence official" that 60 minutes refers to is presumably Tom Donahue (CIA) and his comments presented at a SANS conference.
Update: Interesting response to the 60 minutes story (and the Tom Donahue one) where the author's believe it's all rumors, not true, and government motivated power grab. I don't buy the Errata rebuttal (he claims HE could easily bring down the power grid, but obviously all these other times must be false examples) but good reminder that rumors, even told 6+ times are still rumors.
Wednesday, September 16, 2009
Vulnerability Research Market
Jared DeMott just emailed me a great briefing from Pedram Amini discussing the 0-day software vulnerability market. Nice survey of the landscape, interesting findings, players, etc. You can find the briefing here: Adventures in buying vulnerabilities. He also gives some quantitative data describing vendor performance, number of bugs, etc.
On this topic, Charlie Miller wrote a nice paper on the economics of vulnerabilities that was published in 2007 here. The market has continued to change/mature since his paper. WabiSabiLabi went out of business (when their founder was arrested on separate charges!) and new players have entered/exited. Companies exist all over the US focused on this problem space. That motivated me to do a little survey and capture here who some of the players are, I haven't seen a great list in one place.
In the process of doing this survey I ran across some interesting papers that I'm also posting here. One is a nice short summary from a company focused on mobile handset/infrastructure vulnerability analysis summarizing some of the technologies/market from their perspective. Bruce Schneier and Marcus Ranum have an interesting debate on the general field of vulnerability research. There's a solid academic paper from a year earlier then Charlie's paper at WEIS someone just pointed me towards. They describe the market in 2006 and provide another perspective on some of the commercial players, some of the models/motivations for sellers and buyers.
Even Pedram's briefing and the below list are certainly not exhaustive, for every entry here there are a couple of people with a small firm or wedged in some large enterprise. I didn't include academic groups or individuals who have gathered acclaim, as I'm really following Pedram's line of thinking about the commercial market and wanted this post to take less then 2 hours (I've already failed!) I attempted to capture some of the major players companies in the American commercial and government contracting communities that have a stated presence/interest in the market. The interested reader should be able to recreate these findings (and probably expand them) by perusing the Blackhat/CansecWest briefings over the last 3 years, job postings, and permutations on Google searches that include "vulnerability research".
Some of the more interesting players in the purely commercial market include:
Tipping Point/DVLabs Sell intelligence/IDS data
IDefense, Sell intelligence/IDS data (see Pedram's briefing for other similar companies)
Vulnerability Research Labs (Couldn't get a logo due to Flash!) Sell intelligence/IDS data?
iSight Partners maintains their Global Vulnerability Partnership and sell vulnerability data to a pool of customers looking for threat intelligence.
Netragard maintains an active vulnerability acquisition program and claim to be the only IT services provider to do so.
Fortify (source code analysis)
Veracode (source/binary code analysis "in the cloud")
The ex-Idefense guys at Endgame Systems. Sell intelligence/IDS data
Immunity Security (and their third party vendors listed on their site). Sell penetration testing tool and perform contracted research
Core Security Sells a penetration testing tool. (Probably Immunity's main competitor).
Charlie Miller's company Independent Security Evaluators. Contracted vulnerability researchers.
Mark Dowd and company at IBM/ISS-Xforce, sell intelligence/IDS data
There are a number of government contractors out there too. They aren't as clear on their business model/portion of the market for vulnerability research usually, probably contracted testing to secure systems or provide advanced threat intelligence data.
SAIC (Kind of tricky as they are so fragmented.) Here's a great job description.
Harris Crucial Security (here's a job writeup)
SRA (check out a posting here)
Mantech (so many postings across the board I didn't bother)
Raytheon (I enjoyed their creatively named job postings)
Those are some companies that seem to have some critical mass and advertise their capabilities/products/personnel in this important area. Let me know if you think some companies are missing off this list by dropping me an email or posting back.
Tuesday, August 25, 2009
Using your cell phone to... cook food
Intriguing possibilities ensue off of this... it would certainly make home automation a lot simpler, although I'm not sure how many people want third party remote access to the ovens. Some interesting ideas I could think of spin out of these Maytag ovens:“Maybe the ringing cellphone turned it on,” Mr. Melnikov suggested to the two men.
They scoffed.
He laid the phone next to the stove. They dialed it. Suddenly, the electronic control on the stovetop beeped. The digital display changed from a clock to the word “high.” As the phone was ringing, the broiler was heating up.
Three other apartments in the building are fitted with the same make and model oven: Maytag Model CGR1425ADW. “My phone turned on all of them,” Mr. Melnikov reported. “One apartment had a General Electric. It didn’t work on that one.”"
- Leave your phone (or buy a special low cost phone for this purpose) next to the stove to turn the pot-roast on when you're away at church so it will be ready before coming home.
- Leave your phone at an adversary's home (ex-girlfriend, bad-guy, etc.) and call it when they aren't there. Or even when they are, if you are the murdering type.
- Copy the magic Maytag design into other household appliances, or better still your car.
Friday, August 7, 2009
Cyberwarfare
In 2003, the Pentagon and American intelligence agencies made plans for a cyberattack to freeze billions of dollars in the bank accounts of Saddam Hussein and cripple his government’s financial system before the United States invaded Iraq. He would have no money for war supplies. No money to pay troops.They don't ever describe in the story how exactly that would occur... given that much of the money is presumably stored in international banks, that would obviously cause some collateral impacts deemed to be "undesirable". But maybe they were Iraqi-only banks, or just disruptions to the bank connection, or modifications of amounts/compromising the accounts to drain them. Lots of options, not enough detail unfortunately. They did have some other interesting Cyber-warfare news to report though:“We knew we could pull it off — we had the tools,” said one senior official who worked at the Pentagon when the highly classified plan was developed.
But the attack never got the green light. Bush administration officials worried that the effects would not be limited to Iraq but would instead create worldwide financial havoc, spreading across the Middle East to Europe and perhaps to the United States.
I am always a bit incredulous reading about classified stories in the press. Either they are making them out to be more then they are, or people should be facing jail time and getting in trouble... Certainly it wouldn't be the first time that a reporter made something sound more secretive then it really is, but if it really is I'd like to know why people with clearances are sharing it and nothing happens.Although the digital attack on Iraq’s financial system was not carried out, the American military and its partners in the intelligence agencies did receive approval to cripple Iraq’s military and government communications systems in the early hours of the war in 2003. And that attack did produce collateral damage.
Besides blowing up cellphone towers and communications grids, the offensive included electronic jamming and digital attacks against Iraq’s telephone networks. American officials also contacted international communications companies that provided satellite phone and cellphone coverage to Iraq to alert them to possible jamming and to ask their assistance in turning off certain channels.
Officials now acknowledge that the communications offensive temporarily disrupted telephone service in countries around Iraq that shared its cellphone and satellite telephone systems. That limited damage was deemed acceptable by the Bush administration.
Another such event took place in the late 1990s, according to a former military researcher. The American military attacked a Serbian telecommunications network and accidentally affected the Intelsat satellite communications system, whose service was hampered for several days.
These missions, which remain highly classified, are being scrutinized today as the Obama administration and the Pentagon move into new arenas of cyberoperations. Few details have been reported previously; mention of the proposal for a digital offensive against Iraq’s financial and banking systems appeared with little notice on Newsmax.com, a news Web site, in 2003.
Anyway, all of this is coming to light while Obama is still ingesting the recently completed 60-day cyber-review and unable to find a cyber-security "czar" (multiple reports coming out that dozens of people have been interviewed with multiple offers being made, all declined so far).
Melissa Hathaway resigned on August 3rd, saying in the Washington Post that
"I wasn't willing to continue to wait any longer, because I'm not empowered right now to continue to drive the change," she said. "I've concluded that I can do more now from a different role," most likely in the private sector.Hathaway noted that it has been two months since President Obama made a highly acclaimed speech on the importance of cybersecurity and pledged to "personally" select a cybersecurity coordinator. A colleague close to Hathaway said she had become dismayed by the delay in the appointment. The colleague, who spoke on condition of anonymity, added that Hathaway had "the sense that this was very political, that she has been too closely tied to the Bush administration."
Monday, July 27, 2009
Mobile malware: Blackberry
Chris Wysopal from Veracode has a short breakdown of the code on his site that's worth perusing. From his conclusion:The update was billed as a “performance-enhancement patch” by the UAE-based phone and internet service provider Etisalat, which issued the patch to its 100,000 subscribers.
The patch only drew attention after numerous users complained that it drained their BlackBerry battery and slowed performance, according to local publication ITP.
Nigel Gourlay, a Qatar-based programmer who examined the patch, told ITP that the patch contained “phone-home” code that instructed the BlackBerries to contact a server to register. But once the patch was installed, thousands of devices tried to contact the server simultaneously, crashing it and causing their batteries to drain.
“When the BlackBerry cannot register itself, it tries again and this causes the battery drain,” he said, noting that the spyware wouldn’t have drawn any attention if the company had simply configured the registration server to handle the load.
The spying part of the patch is switched off by default on installation, but switching it on would be a simple matter of pushing out a command from the server to any device, causing the device to then send a copy of the user’s subsequent e-mail and text messages to the server.
The spyware appears to have been developed by a U.S. company, which markets electronic surveillance software.
Gourlay obtained source code for the patch after someone posted it on a BlackBerry forum. He said the code contained the name “SS8.com,” which belongs to a U.S. company that, according to its web site, provides surveillance solutions for “lawful interception” to ISPs, law enforcement and intelligence agencies around the world.
The best technical breakdown of the code that I've seen is from Zensay labs and available here. The author's blog (company?) is here and talks at length about the whole situation, possibly remedies, future work, etc.The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. "Here I am, software is installed!") got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.
The final thing to mention is that the spyware does appear to be installed in a non-running state by default, where it's not actually exfiltrating data once the initial registration packet has gone out. However, using the command and control mechanism we described earlier, the carrier can remotely start/stop the service at will on a per-device basis.
More interesting from my perspective how little coverage this mass distribution of spyware seems to be getting and the obvious lessons for someone trying to deploy malicious code on this scale. Also of interest is the reasoning behind pushing the code to the client instead of using the network as most other providers are probably doing today. A few people pointed out that this was probably done to circumvent the strong encryption mechanisms that RIM has put in place, which implies that the UAE doesn't have the ability to succesfully crack or MITM (man-in-the-middle) their encrypted data at the network.
Clearly testing these applications before massive field deployments would seem to be a good idea. The application itself, while naive seems to be sufficient for what they wanted to accomplish. But by not properly factoring the network requirements or thinking about various modes of failure the entire thing blew up in their faces. Or not, given that nothing seems to be happening yet.
A much more successful approach to spying on citizens using the cellular network is detailed in the "Athen's Affair", the UAE/Etisalat spying community should have read that first. In the "Athens Affair" an unknown party surrepticiously monitored a number of key government personnel for a good length of time and the personnel behind it remain undetected, it was only stumbled upon by chance.
Client-side spyware is difficult to deploy/monitor on massive scales, and will increase in complexity as people screw up the deployment and allow them to be detected and raise concern for all other future software deployments. And users and defenders have an equal challenge of determining trust... if you can't trust the software from your provider, manufacturer, or government (just found out about this INSLAW thing, some interesting reading/viewing on that one), or open source software, who do you trust?
Mobile malware: Symbian
Symbian:
To give you some background, I'll quote an excerpt from Dancho Danchev:
Earlier this month, a mobile malware known as Transmitter.C, Sexy View, Sexy Space or SYMBOS_YXES.B, slipped through Symbian’s mobile code signing procedure, allowing it to act as a legitimate application with access to device critical functions such as access to the mobile network, and numerous other functions of the handset.What happened was some malicious group slipped one past the automated Symbian mobile code signing process (Express Signature, which doesn't require human analysis), causing a piece of Malware to receive a Symbian-signed digital signature. This problem doesn't scale well, as they currently have over 2,000 applications receieving a signature each month and they are trying to drastically increase that number to compete with Apple's iPhone.Upon notification, the Symbian Foundation quickly revoked the certificate used by the bogus Chinese company XinZhongLi TianJin Co. Ltd, however, due to the fact the revocation check is turned off by default, the effect of the revocation remains questionable.
The problem points to the larger question of code validity, integrity and automated detection of malware in binaries. Even with extensive human analysis, an attacker can hide bad things in legitimate software, or fool/attack legitimate servers providing the code. In the cases we've seen this occuring it's often because the attacker makes a mistake or someone gets lucky and stumbles across it, not because the overall system is robust to attack.
There are numerous papers and projects out there trying to figure out how to automatically catch these types of attacks, (here, here, here, etc. but they are all bounded by the halting problem... it's not possible to build code that automatically determines what other code will do in all cases (as shown in Fred Cohen's 1984 thesis and follow on work by him and others. That said, it is certainly possible to catch lots of things most of the time... the question is how much and how often. DARPA has an interesting problem trying to automatically detect bad things in chips in the TRUST program. I haven't seen anyone try to figure out what the theoretical upper limit of these types of research efforts are, or frankly how to even quantify the problem sufficiently, that's where I'd be spending my energy if engaged in this area.
The other problem that the code signer community has to deal with is trust. Mikko Hyppönen from F-Secure says that "It shows the express signing process is not foolproof, but it's still much better than the apps not being signed at all." While that's probably a true statement, there is a big qualifier that goes with it... by digitally signing something and stating that it's valid/secure/trustworthy, you drastically change the equation on the part of the user when they install something. In today's Wild West model on the Internet most users know they cannot trust any application and they have to be cautious about the source, content, etc. When companies like Symbian are digitally signing applications as valid, when that trust is compromised you have to wonder if they are just doing it to ensure a monopoly/control over the platform and charge the application developers, or what liability they incur by inappropriately validating these third party applications?
Wednesday, July 8, 2009
Korean cyber-activities
"On Saturday and Sunday the attack was consuming 20 to 40 gigabytes of bandwidth per second, about 10 times the rate of a typical DDoS attack, one security expert said after being briefed by the US-CERT on Tuesday. "It's the biggest I've seen," said the expert, who asked not to be identified because he was not authorised to discuss the matter. By Tuesday it was averaging about 1.2 gibabytes per second, he said."The New York Times (and others) quote a South Korean paper: "Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups.A spokesman at the intelligence agency said it could not confirm the Yonhap report, which said that the spy agency briefed lawmakers about their suspicions on Wednesday." Given the targets it seems like an intuitive conclusion, the question of course would be what actual technical intelligence / SIGINT says.
Some other interesting points on this attack is that most of the bots used were located in South Korea, with South Korean officials stating at least 12,000 were in S. Korea. Also of interest is the allegation by unnamed S. Korean intelligence officials that N. Korea routes its attacks through Chinese Internet connections. Again, would seem intuitive, where else are they going to go through?
All sorts of guesses an innuendo out there... some point out a single anti-capitalist controlling the bot-net might have launched the attacks, while the S. Korean National Intelligence service is quoted in the NYT article saying that "“This is not a simple attack by an individual hacker, but appears to be thoroughly planned and executed by a specific organization or on a state level".
What I found interesting in reading all the articles on this story was the lack of tie-in to prior stories on cyber activity on the Korean peninsula. Of particular interest to me were these two stories:
The first, from Kevin Coleman at DefenseTech, claims that "North Korea Poised for Cyber Salvo" He claims in his April 20th, 2009 story that
Most military strategist agree that cyber attacks are an excellent first strike weapon. In these specific circumstances, cyber attacks might be considered by Pyongyang as an appropriate and proportional response to the U.N. Security Council's condemnation and reinforcement of existing sanctions. High probability targets if DPRK launches cyber attacks include South Korea and the fifteen countries that make up the current U.N. Security Council that include -- permanent members-China, France, Russian Federation, the United Kingdom and the United States -- and ten non-permanent members Austria, Japan, Uganda, Burkina Faso, Libyan Arab Jamahiriya, Vietnam, Costa Rica, Mexico, Croatia and Turkey. This calls for increased vigilance by cyber security professionals guarding the critical infrastructure of those targets identified above.He also posts some unsubstantiated but intriguing claims regarding the state of North Korean capabilities:
Unit: 121
Established: 1998
Force Size: 12,000 declining
Cyber Budget: $56+ million.
Goal: To increase their military standing by advancing their asymmetric and cyber warfare capabilities.
Experience: Hacked into South Korea and caused substantial damage; hacked into the U.S. Defense Department Systems.
Threat Rating: North Korea is ranked 8th on the cyber capabilities threat matrix developed in August 2007 and updated February 2009.
Cyber Intelligence/Espionage: Basic to moderately advanced weapons with significant ongoing development into cyber intelligence.
Offensive Cyber Weapons: North Korea now has the technical capability to construct and deploy an array of cyber weapons. They have moderately advanced distributed denial of service (DDoS) capabilities with moderate virus and malicious code capabilities. Hacking capabilities are moderate to strong with an experience rating of limited to moderate.
The second series of articles of interest relate to articles describing North and South Korean plans for military operations in Cyberspace. While there is lots of data out there, some recent articles are interesting. First, an unnamed intelligence official quoted in South Korean Yonhap news service led to this May 5th AP story:
Not even two months later on June 26th news developments came out regarding a South Korean Cyber Command, analogous to recent developments in the US towards a comprehensive Cyber Command, created specifically in response to North Korean Cyber activities. The articles don't say much but mention the creation of the cyber command and some of their staffing plans.SEOUL, South Korea — North Korea runs a cyberwarfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service, a news report said Tuesday.
The North's military has expanded the unit, staffing it with about 100 personnel, mostly graduates of a Pyongyang university that teaches computer skills, Yonhap news agency reported, citing an intelligence agency it didn't identify.South Korea's Defense Ministry said it is aware that Pyongyang has been training hackers in recent years but did not provide details and had no other comment.The National Intelligence Service — South Korea's main spy agency — said it could not immediately confirm the Yonhap report.
While I'm on the topic of communist countries and military operations cyberspace, I stumbled across an article on "Peopledaily" saying that 94% of Chinese "Netizens" favor the creation of a Chinese Cyber Command. Pretty funny... do they not realize how active their government already is? Or maybe they are really saying they just want them to come out of the closet and be more transparent? Either way I found it amusing... (tongue-in-cheek:) hopefully those PRC leaders take this advice to heart and get moving on it!
Update:
The Washington Times reported that according to the mass circulation South Korean newspaper JoongAng Ilb:
The spy agency told lawmakers Friday that a research institute affiliated with the North's Ministry of People's Armed Forces received an order to "destroy the South Korean puppet communications networks in an instant," the mass-circulation JoongAng Ilbo newspaper reported.
The paper, citing unidentified members of parliament's intelligence committee, said the institute, known as Lab 110, specializes in hacking and spreading malicious programs. The Ministry of People's Armed Forces is the secretive nation's defense ministry.
The NIS - South Korea's main spy agency - said it couldn't confirm the report. Calls to several key intelligence committee members went unanswered Saturday. The agency, however, issued a statement late Saturday saying it has "various evidence" of North Korean involvement, though it has not reached a conclusion.
Also on July 10th 2009 the 20,000+ machines that were infected by a bot-net and used to launch the DOS attacks begin wiping themselves out:
This will primarily affect machines in S. Korea, which represents the bulk of the bot-net.The malicious code will attempt to locate files with any of more than 30 different extensions, such as .doc, .pdf, and .xls, copy the data to an encrypted file that's inaccessible to the user, and then overwrite the data in the original files. It targets files associated with office, business, and development applications.
The malicious code is also programmed to modify infected computers' Master Boot Records. The change renders computers inoperable following any attempt to reboot.
And finally, S. Korea was warned in advance of the attacks but both countries (particularly S. Korea) were poorly prepared to deal with the DOS. Potential methods for dealing with the DOS include distributing their sites across multiple nodes, cutting off adversarial IPs/ranges quickly, and adding contingency bandwidth.
More updates:
According to police investigating: "The DDoS attackers hacked two Korean Web sites, based in Seoul and Busan, and switched the program update files of the sites with their malicious codes". Furthermore the zombie computers were primarily infected by those two hacked web servers, according to 21 of the 27 zombie machines that they sampled. The command and control servers were all based in other countries: London, Miami, and others. Still working to identify the sources...
Wednesday, July 1, 2009
China's Green Dam
Scott Wolchok, Randy Yao, and J. Alex Halderman from University of Michigan, published a brief paper describing remotely exploitable vulnerabilities in this mandatory software. Within a short period of time exploit code was on milw0rm and a module had been posted to Metasploit.
At this point China has pulled the mandatory requirement while they spend some time reconsidering their potential creation of a Billion node botnet. Adding an interesting twist to the story is the claim by Solid Oak Software that some of the code for Green Dam was ripped off their CYBERSitter product by "unknown sources"... although something tells me they were Chinese.
UPDATE:
August 14th: After massive blowback, China has changed their mind on mandatory installation of Green Dam, according to several sources... and apparently, the rest of the universe was confused, it was never intended to be mandatory in the first place!
From the WSJ: "Mr. Li said Thursday the software was always intended to be optional and not a mandatory installation, adding that the regulations were unclear when first released by the Ministry of Industry and Information Technology in May.
The regulation "wasn't fully considered, and not expressed clearly, and gave everyone the impression that this is mandatory," he said... Mr. Li said Thursday the ministry's intention was always for the software to be installed on a voluntary basis by individuals or their parents. "The head of the family has the right to choose," he said, adding that China "fully respects everyone's freedom to choose."" Of course they do, who else would think otherwise?
Thursday, June 25, 2009
Iranian Traffic Filtering
The most interesting take away that I had was that they are completely ignoring WoW, XBox and some other game-oriented traffic. An amusing (and accurate) conclusion is reached by Craig Labovitz:
"Perhaps games provide a possible source of covert channels (e.g. “Bring your elves to the castle on the island of Azeroth and we’ll plan the next Ahmadinejad protest rally?”)"
Tuesday, June 9, 2009
Exploit against Deep Freeze in the wild
DeepFreeze has proven to be an effective defensive tool mitigating the damage an attacker can cause on the system, as it allows the owner to roll back to a "known good state". Of course, these states often don't include the latest patches and could always be re-infected at a later state, but it at least makes life difficult for someone trying to maintain a persistent presence on the system to collect passwords, act as part of a bot-net, etc.
Don't have a copy myself, but I'd be interested in examining it to see what it was designed for. According to Bkis it includes a number of various payloads, including "stealing online games passwords, faking gateway, inserting iframe exploiting software flaws to spread via LAN, spreading via USB and automatically updating new variants".
Saturday, June 6, 2009
Shannon's capacity Theorem for Stego
He also created a definition to calculate when perfect security for a cryptographic scheme had been achieved. (Most often demonstrated with the one-time pad).
The question is, for a designed steganographic channel, how much data can be passed through the channel while maintaining some equivalent of "perfect secrecy"? Many mathematicians have danced around this topic but only recently has it been addressed.
Ross Anderson and Fabian Petitcolas pointed out in their '96 and '98 papers some of the limits of steganography, notably that the party attempting to protect their communication is bound by their ability to model the channel. They make the claim that it's impossible to model the channel capacity, since you never know if your adversary has a better model of the channel then you do. (If they did, they could compress the data more effectively rendering the effective entropy zero and destroying either the channel or your ability to use it stealthily.) Other papers exist in the area discussing the topic in less detail or more narrowly that I have not included here as well.
The first paper that really broke ground in solving this problem was done by C Cachin in his 1998 workshop “An information-theoretic model for steganography,” and really rounded out in the follow up paper of the same name in 2004. Both papers are available at his site. Rather then focusing on what was hard, he showed how to calculate an equivalent for perfect secrecy given a channel model using a model-independent mathematical approach.
Pierre Moulin wrote some great papers with his student Ying Wang which are available here. His papers are useful to build upon Cachin's and establish an information theoretic general foundation. They also include bounded examples where it is impossible to detect the steganographic implemenation.
Building on the work by Cachin, Moulin, and other contributors, Harmsen and Pearlman have tied it all together with a draft published in 2008 and the final paper released in IEEE Transactions on Information Theory (updated in 2010 to point directly to their home page hosting it) providing a general model for capacity as a function of secrecy. Rather then trying to explain it myself, I'll include an excerpt for why their paper is so useful:
This work differs from previous work in a number ofFortunately we didn't listen to the naysayers and give up trying to model covert channel capacity.
aspects. Most notable is the use of information-spectrum methods that allow for the analysis of arbitrary detection algorithms and channels. This eliminates the need to restrict interest to detection algorithms that operate on sample averages or behave consistently. Instead, the detection functions may be instantaneous, meaning the properties of a detector for n samples need not have any relation to the same detector for n + 1 samples. Additionally, the typical restriction that the channel under consideration be consistent, ergodic or stationary is also lifted.
From now on, if anyone tell you they've built the solution to stop or detect all covert communications you can prove why they are wrong. It's all about capacity, as I've held for a long time. You can't stop covert communications, only limit capacity. You can limit a lot more if you use an active warden (randomize as much of the entropy as you can to make it difficult for the adversary to utilize the channel), but you cannot eliminate it. Case closed.
Update (February 22nd, 2011): Just found a paper extending the mathematical proof involving types of steganographic channels (active wardens, various statistical distributions, etc.) more comprehensively. It appears this will be massaged a few more times until every case is hammered down and people will move on to more complex scenarios. Nicholas Hopper, Luis von Ahn, and John Langford. "Provably Secure Steganography," IEEE Transactions on Computers 58(5): 662-676, May 2009.. (©2009 IEEE)
Monday, June 1, 2009
Politics and Cyberspace... replayed.
I liked this comparison that C-Net did between the Bush and Obama reports. Gene Spoffard has a good posting on it if you want an expanded discussion. Bottom line is more of the same... a big political food fight/power struggle between NSA, HSA, DoD, and the other smaller players angling for a piece of the pie.
"Network Attack Weapons"
But secondly, because it's pretty cool seeing something you invented discussed in the Register and Aviation Week. :-)
The article discusses what the author views is the state of the art in offensive CNO systems development. They discuss some of the capabilities of those systems and extrapolate on how they might be employed. An entertaining read that manages to be informative and not stray too far into storyland.
Raytheon Cyberwar activities
Some good quote in there such as these two: "“Everybody’s attacking everybody,” said Scott Chase, a 30-year-old computer engineer who helps run the Raytheon unit here. " and "At a Raytheon facility here... engineers create tools to protect the Pentagon’s computers and crack into the networks of countries that could become adversaries."