Thursday, June 25, 2009

Iranian Traffic Filtering

There are a couple of good articles at Arbor on how Iran is filtering the traffic in and out of the country. The first is an overview of the traffic shaping; the second goes deeper into what seems to be occurring. I've included a picture from the site showing the traffic being blocked.
The most interesting takeaway for me was that they are completely ignoring WoW, Xbox and some other game-oriented traffic. An amusing (and accurate) conclusion is reached by Craig Labovitz:
"Perhaps games provide a possible source of covert channels (e.g. “Bring your elves to the castle on the island of Azeroth and we’ll plan the next Ahmadinejad protest rally?”)"

Tuesday, June 9, 2009

Exploit against Deep Freeze in the wild

There is a Chinese worm family called W32.SafeSys.Worm floating around the Internet, with over 46,000 infected machines in Vietnam alone according to the Bkis Security Research Blog. It supposedly gets access directly to the disk controller buffer, allowing it to directly modify the hard disk on the targeted machine. This allows it to circumvent system rollback tools such as DeepFreeze.

DeepFreeze has proven to be an effective defensive tool for mitigating the damage an attacker can cause on a system, as it allows the owner to roll back to a "known good state". Of course, these states often don't include the latest patches and the machine can always be re-infected at a later date, but it at least makes life difficult for someone trying to maintain a persistent presence on the system to collect passwords, act as part of a botnet, etc.

Don't have a copy myself, but I'd be interested in examining it to see what it was designed for. According to Bkis it includes several payloads, including "stealing online games passwords, faking gateway, inserting iframe exploiting software flaws to spread via LAN, spreading via USB and automatically updating new variants".

Saturday, June 6, 2009

Shannon's Capacity Theorem for Stego

A strong interest area of mine is the convergence of Information Theory and Information Operations. One area of particular interest is creating, for steganographic channels, an equivalent to Claude Shannon's groundbreaking work modeling the theoretical capacity of communication channels. Shannon showed that the channel capacity for a communication channel is given by:

He also defined the condition under which a cryptographic scheme achieves perfect secrecy (most often demonstrated with the one-time pad).

The question is, for a designed steganographic channel, how much data can be passed through the channel while maintaining some equivalent of "perfect secrecy"? Many mathematicians have danced around this topic but only recently has it been addressed.

Ross Anderson and Fabian Petitcolas pointed out in their '96 and '98 papers some of the limits of steganography, notably that the party attempting to protect their communication is bound by their ability to model the channel. They make the claim that it's impossible to model the channel capacity, since you never know if your adversary has a better model of the channel than you do. (If they did, they could compress the data more effectively, rendering the effective entropy zero and destroying either the channel or your ability to use it stealthily.) Other papers in the area discuss the topic in less detail or more narrowly; I have not included them here.

The first paper that really broke ground in solving this problem was C. Cachin's 1998 workshop paper "An information-theoretic model for steganography," really rounded out in the follow-up paper of the same name in 2004. Both papers are available at his site. Rather than focusing on what was hard, he showed how to calculate an equivalent of perfect secrecy given a channel model, using a model-independent mathematical approach.

Pierre Moulin wrote some great papers with his student Ying Wang which are available here. His papers build upon Cachin's and establish a general information-theoretic foundation. They also include bounded examples where it is impossible to detect the steganographic implementation.

Building on the work by Cachin, Moulin, and other contributors, Harmsen and Pearlman have tied it all together with a draft published in 2008 and the final paper released in IEEE Transactions on Information Theory (updated in 2010 to point directly to their home page hosting it), providing a general model for capacity as a function of secrecy. Rather than trying to explain it myself, I'll include an excerpt on why their paper is so useful:
"This work differs from previous work in a number of aspects. Most notable is the use of information-spectrum methods that allow for the analysis of arbitrary detection algorithms and channels. This eliminates the need to restrict interest to detection algorithms that operate on sample averages or behave consistently. Instead, the detection functions may be instantaneous, meaning the properties of a detector for n samples need not have any relation to the same detector for n + 1 samples. Additionally, the typical restriction that the channel under consideration be consistent, ergodic or stationary is also lifted."
Fortunately we didn't listen to the naysayers and give up trying to model covert channel capacity.

From now on, if anyone tells you they've built the solution to stop or detect all covert communications, you can prove why they are wrong. It's all about capacity, as I've held for a long time. You can't stop covert communications, only limit capacity. You can limit a lot more if you use an active warden (randomize as much of the entropy as you can to make it difficult for the adversary to utilize the channel), but you cannot eliminate it. Case closed.

Update (February 22nd, 2011): Just found a paper extending the mathematical proof more comprehensively to different types of steganographic channels (active wardens, various statistical distributions, etc.). It appears this will be massaged a few more times until every case is hammered down, and then people will move on to more complex scenarios. Nicholas Hopper, Luis von Ahn, and John Langford. "Provably Secure Steganography," IEEE Transactions on Computers 58(5): 662-676, May 2009. (©2009 IEEE)

Monday, June 1, 2009

Politics and Cyberspace... replayed.

For all the hype that Obama's 60-day security review received, it didn't end up looking much different from Bush's. No Cyber-czar reporting directly to the president, despite his earlier claim (which I finally found posted here, after some digging). No real changes/re-organizations. Lots of discussion about collaboration, the scary threat, etc.

I liked this comparison that C-Net did between the Bush and Obama reports. Gene Spafford has a good posting on it if you want an expanded discussion. Bottom line is more of the same... a big political food fight/power struggle between NSA, HSA, DoD, and the other smaller players angling for a piece of the pie.

"Network Attack Weapons"

I had to post this one for some obvious reasons... first, because this is a rather detailed dive (for relatively mainstream press) into some work that's been done in building network attack systems/tools in the defense contractor community.

But secondly, because it's pretty cool seeing something you invented discussed in the Register and Aviation Week. :-)

The article discusses what the author views as the state of the art in offensive CNO systems development. They discuss some of the capabilities of those systems and extrapolate on how they might be employed. An entertaining read that manages to be informative and not stray too far into storyland.

Raytheon Cyberwar activities

Fluffy article in the NYT regurgitating a lot of prior "Cyber" stuff, but with some new material focused on my friends at SI Govs (now Raytheon) talking about their work.

Some good quotes in there, such as these two: "'Everybody's attacking everybody,' said Scott Chase, a 30-year-old computer engineer who helps run the Raytheon unit here." and "At a Raytheon facility here... engineers create tools to protect the Pentagon's computers and crack into the networks of countries that could become adversaries."