Tag Archives: china

How did China weaponize every citizen’s browser to DDoS censored content topics at GitHub


A nation state modified its users’ web traffic to overload the deployed servers of a Silicon Valley start-up. The business, GitHub, allows businesses to store files online.

Why this matters…

This was done to take offline content that was against their censorship policies. Such an attack is possible against any business, service, or organization. This could be done against something as harmless as taking offline any website on the planet, but could also be applied to any critical infrastructure sensor and set of systems – think Internet of Things, nuclear power plants, 911 phone systems, etc.

Cisco IoT graphic (link in article)

The business and nation state security implications are quite severe here. The reason for the attack was the 2 types of content – the New York Times (banned in China) and information on bypassing the Chinese censorship firewall. Clearly these are not aligned with China’s leadership.

This attack was executed in the following manner:

The attack was due to HTTP hijacking: “a certain device at the border of China’s inner network and the Internet has hijacked the HTTP connections went into China, replaced some javascript files from Baidu with malicious ones that would load every two seconds.” Blocking code execution was also apparently used to prevent looping.

via GitHub suffers ‘largest DDoS’ attack in site’s history | ZDNet.
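The one concrete detail in the description above is the cadence: a hijacked browser re-requests the target every two seconds, which is something a web server can spot in its own access logs. The following detection sketch is an added example, not code from the original post or from GitHub; the log format, the IPs and the paths are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access-log lines (not GitHub's real logs):
# unix time, client IP, method, path, referer.
SAMPLE_LOG = """\
1427500000.0 198.51.100.7 GET /mirror-of-censored-site http://www.baidu.com/s?wd=x
1427500002.0 198.51.100.7 GET /mirror-of-censored-site http://www.baidu.com/s?wd=x
1427500004.1 198.51.100.7 GET /mirror-of-censored-site http://www.baidu.com/s?wd=x
1427500005.9 198.51.100.7 GET /mirror-of-censored-site http://www.baidu.com/s?wd=x
1427500008.0 198.51.100.7 GET /mirror-of-censored-site http://www.baidu.com/s?wd=x
1427500001.3 203.0.113.9 GET /someuser/repo https://github.com/
1427500047.8 203.0.113.9 GET /someuser/repo/issues https://github.com/someuser/repo
1427500190.2 203.0.113.9 GET /someuser https://github.com/
"""


def parse_log(text):
    """Return (timestamp, ip, path, referer) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, _method, path, referer = parts
        events.append((float(ts), ip, path, referer))
    return events


def find_fixed_cadence(events, period=2.0, tolerance=0.3, min_hits=4):
    """Flag (ip, path) pairs hit repeatedly at a near-constant interval.

    A browser running the injected script produces a metronome-like request
    train (every ~2 s in the incident described); a human browsing does not.
    Returns {(ip, path): {"hits": n, "mean_gap": g, "referers": {hosts}}}.
    The referer hosts show which third-party pages the requests came from.
    """
    by_key = defaultdict(list)
    for ts, ip, path, referer in events:
        by_key[(ip, path)].append((ts, referer))
    flagged = {}
    for key, hits in by_key.items():
        if len(hits) < min_hits:
            continue
        times = sorted(t for t, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged[key] = {"hits": len(hits), "mean_gap": mean(gaps),
                            "referers": {r.split("/")[2] for _, r in hits}}
    return flagged


if __name__ == "__main__":
    for (ip, path), info in find_fixed_cadence(parse_log(SAMPLE_LOG)).items():
        print(f"{ip} -> {path}: {info['hits']} hits every ~{info['mean_gap']:.1f}s "
              f"from {sorted(info['referers'])}")
```

Flagged clients are the unwitting victims, not the attacker, so the useful response is rate-limiting or serving a cheap static response to that request signature rather than blocking the users.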

Despite a good deal of articles, the common media (WSJ, Bloomberg, etc.) and political response has been lacking compared to the response and support provided to Sony.

My true concern here is that this minor attack (only a few citizens of China are unknowingly having their traffic used to attack a small technology company) is an excellent BETA TEST for a full-scale modification of all 1.4B Chinese citizens’ traffic against critical infrastructure (46% of the population was used for GitHub).

Other thoughts?

James

Passwords are Dead – a collaborative research effort, being presented at RSA 2013 P1

The advent of user-created, managed and handled passwords as the sole means of authenticating is coming to an end. The utility of these was defined in an era based on assumptions about brute-force capability, system computing power and pro-active security teams. – After much debate and analysis … there is the thesis.

This topic came up for me last year as I was working through some large amorphous business processes. The question of credentials was raised, and we challenged it. This is interesting as we had some pretty serious brains in the room from the houses of auditing, security, risk, and business leadership. I am sharing my thoughts here to seek input and additional alternate perspectives – seeking more ‘serious brains’.

I will update as feedback comes in … this and other posts will serve as workspaces to share the analysis and perspectives to consider. I am breaking this topic across different posts to allow for edits and pointed (critical perhaps) feedback on a topic basis. This is LIVE research, so understand that impressions today may change tomorrow based on information and insight. Looking forward to collaborating, and with that … let’s jump right in!

————————————————————————

Passwords are designed to restrict access by establishing confirmation that the entity accessing the system is in fact authorized. This is achieved by authenticating that user. Passwords / pass phrases have been the ready steady tool. The challenges to this once golden child cross the entire sphere, and I’ll be seeking your collaboration through the journey up to my RSA presentation in SFO at the end of February 2013!

  • False premise one – Passwords are good because they cannot be cracked
  • False premise two – Password strength should transcend devices – mobile, tablets (iPad, surface)
  • False premise three – Password control objectives are disassociated from the origination and intent

FALSE PREMISE ONE: (Updated Jan.31.2013)

  • Passwords are great because they are difficult to break?

The idea here is that users are trained (continuously) to use complex, difficult, long, and unique passwords. The concept was that these attributes made it difficult for a password to be broken.

Let’s explore what that meant… When a password was X characters long using Y variety of symbols, it would take a computer Z time to break it. Pretty straightforward. (This example is for a password hash that is being brute-force attacked offline.) This analogy and logic also hold for encryption, but they rest on a poor premise:

  1. Password cracking CPU cycles for a single machine are far more powerful than yesteryear, AND if we focus ONLY on computing power, the use of Cloud Armies to attack represents the new advantage for the cracking team
  2. Password cracking by comparison has pretty much made the CPU argument (and length of time to hack) moot. There exist databases FULL of every single password hash (for each type of encryption / hash approach) that can be compared against recovered password hashes – think 2 Excel tables: search for the hash in column A and find the real-world password in column B.

Interesting selective supporting facts:

  • A $3000 computer running appropriate algorithms can make 33 billion password guesses every second with a tool such as whitepixel
  • A researcher from Carnegie Mellon developed an algorithm designed for cracking long passwords that are made up of a combined set of words in a phrase (a common best-practice advice) – “Rao’s algorithm makes guesses by combining words and phrases from password-cracking databases into grammatically correct phrases.” This research is being presented in San Antonio at the “Conference on Data and Application Security & Privacy” – New Scientist
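To put numbers on the X-characters / Y-symbols / Z-time model and the “two tables” comparison above, here is an added worked example (my own code, not part of the original post or the cited research). It uses the 33 billion guesses per second figure quoted above, a constructed four-word list standing in for a cracking database, SHA-1 as the unsalted fast hash, and shows why a per-user salt pushes the attacker back from a lookup to the brute-force cost.

```python
import hashlib
import os

# Guess rate quoted in the post for a $3000 whitepixel rig.
GUESSES_PER_SECOND = 33_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_years(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust alphabet_size**length guesses, in years.

    This is the X-characters / Y-symbols / Z-time model from the post,
    applied to an offline attack on an unsalted fast hash.
    """
    return alphabet_size ** length / rate / SECONDS_PER_YEAR


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(wordlist):
    """The 'two Excel tables': column A is the hash, column B the plaintext.
    Built once per hash algorithm and reused against every leaked dump."""
    return {sha1_hex(w.encode()): w for w in wordlist}


def crack_by_lookup(table, recovered_hashes):
    """Cracking becomes a dictionary lookup, independent of CPU speed."""
    return {h: table[h] for h in recovered_hashes if h in table}


def salted_sha1(password: str, salt: bytes) -> str:
    """With a per-user random salt the precomputed table no longer matches,
    so the attacker is pushed back to the per-hash brute-force cost above."""
    return sha1_hex(salt + password.encode())


# Constructed wordlist and 'leaked' hashes; not drawn from any real breach.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
LEAKED = [sha1_hex(b"letmein"), sha1_hex(b"correct horse battery staple")]

if __name__ == "__main__":
    print(f"8 lowercase letters: {brute_force_years(8, 26) * SECONDS_PER_YEAR:.1f} seconds")
    print(f"12 printable ASCII:  {brute_force_years(12, 95):,.0f} years")
    table = build_lookup_table(COMMON_PASSWORDS)
    print("cracked by lookup:", crack_by_lookup(table, LEAKED))
    salt = os.urandom(16)
    print("salted hash found in table?", salted_sha1("letmein", salt) in table)
```

The second printed figure is exactly the calculation the “poor premise” rests on: it is only meaningful when the password is not already in column B.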

Humans also pick awful passwords …

  • Based on habit
  • We trend towards the same passwords
  • Based on grammar
  • Our punctuation and writing habits also lend towards identification and passwords

To be continued ….. Part 2 and 3 will be shared soon, looking forward to more collaboration!

Keep seeking, everything.

– James DeLuccia IV

@JDELUCCIA

Who will be the Jamaica Ginger of Information Security?

I read a short section in Bruce Schneier’s book Liars and Outliers that tells the tale of Jamaica Ginger:

“an epidemic of paralysis occurred as a result of Jamaica Ginger… it was laced with a nerve poison… and the company was vilified”, but not until tens of thousands were victims; this resulted in the creation of the FDA.

To date, throughout most industries there is no absolute requirement with meaningful incentives to introduce and sustain operational information technology safeguards. There are isolated elements focused on particular threats and fraud (such as PCI for the credit card industry, CIP for the energy sector, etc.). So what will be the Jamaica Ginger of information security?

Some portend that it will be a cyber-war (a real one) that creates such societal disruption: a negative impact sustained long enough to survive the policy development process, and with enough motivation driven to see it through. OSHA, the FDA, and other such entities exist as a result of such events.

The best action enterprises can follow is to mature and engage sufficient operations that address their information technology concerns in the marketplace: as a means of self-preservation; as a (perhaps selfish) demonstration that there is no need for legislation or a new body to be established (such as a Federal Security Bureau); and ultimately as preparedness, so that should such a requirement be introduced, the changes to your business would be incremental at best.

Other thoughts?

James DeLuccia

When Cryptography is irrelevant, bypassing key card security

A malware-executed attack was highlighted by ActivClient, which provides technology for secure authentication (smart cards compliant with GSC-IS 2.1). The attack is described in detail on a number of sites, such as Security Week here, and I would encourage reading the explanation of the attack by AlienVault here.

What is interesting here and relevant to all security practitioners and sectors is that cryptography at some levels can be made irrelevant. The immense sophistication of the cryptography and hardware manufacturing placed within these keycards and their infrastructure is, in this case, countered simply by capturing the PIN associated with the key. That allows an attacker to access the protected resources the card was designed to restrict. Specifically, the attack works because the attacker gets the PIN through a keylogger, then binds it to the local computer’s certificate, and finally attacks remote resources protected by the key card whenever the card is connected.

In all, a pretty elegant way of defeating what would be a complex and low-return attack vector (attacking the cryptography).

The takeaway is that, as always it seems, the old assumption that hardware / cryptography / standard processes are enough is wrong. What is needed is a practice of continually evaluating the impact of new attack types (variants) and the new abilities of attackers. Plus, the recent ongoing attacks on the underlying security safeguards as a means of attacking an organization have reached a critical level. In the past 12 months anti-virus source code has been stolen; 2-factor authentication tokens are perceived as insecure due to the RSA breach; Certificate Authorities have been breached and poisoned; and now this demonstration of bypassing card security.

The malware, yes, could be detected through anti-malware and behavioral IPS-type technology on the network and host. The increased activity / parallel queries of a user could, yes, be detected. The vulnerabilities allowing the installation in this particular case could also be patched. The result, though, is still an ongoing need to evolve security practices; monitor and respond rapidly to suspect activity; and reduce / limit access as much as possible.

Other thoughts and avenues?

Kind regards,

James DeLuccia IV


What does the SCADA water pump attack mean to your business…

The ability to attack, compromise, and cause damage has existed since the utility industry began connecting these systems to the Internet. Examples, including the European nation that was attacked 24+ months ago, are easy to locate. Yesterday an attack (more proof of concept than anything it could really have been) occurred. The current public awareness of cyber attacks, the nation state theater risks, and the transparency of this action have raised the resulting awareness beyond the closed professional circles within information security. There are a number of interesting writeups and I would suggest carefully reading a few for a balanced perspective. Two that I would recommend include:

What this means for your utility company is that the abstract threat modeling exercise that considers these attack vectors should be conducted more thoroughly, with real risk and mitigation decisions progressing up to the Board of Directors.

As for everyone else who is a customer of such utility companies, the BCP/DR plans should be updated to reflect the possibility of such a loss of services.  Business enterprise information security / risk management programs (+vendor management) should elevate utility service providers (including cellular operators).  These actions should directly impact the annual/ongoing risk assessments and establish an expectation of security assessment and assurance on a regular basis from these service providers.

It is an interesting quandary that cloud service providers are vetted and assessed more rigorously than utility service providers, the original cloud.

Thoughts .. challenges?

James DeLuccia IV

Other thoughts?

James

Analysis of McAfee’s Operation Shady RAT Report and highlights

Tis Blackhat & Defcon, so following are my thoughts …
McAfee released yesterday their Operation Shady RAT paper. It focuses on data captured from a command and control server that had logs over a 6 year period. They go into nice detail breaking down the attacks and timeframe, and allude to the motivations of the (single) attacker. What does this mean for organizations and safeguarding information? I think this paragraph articulates the value crisply:

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.”

Interesting details:

“…key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification…”

<– As we have progressed from freelance and curious attackers to now, the motivation has changed, but so has the economic model. These attackers were concerned with the long term and therefore were financed for the long haul too. This is a key assumption of the threat landscape that must change from prior models. The fun days of watching attack patterns change with the annual summer school break and DefCon are over. Businesses and models must change accordingly.

Interesting … the 14 geographic regions listed are missing one particular nation…

The description of the organizations that were breached and captured in these logs certainly is across the board. Given the author’s mention that, based on his insight, virtually all organizations have been breached, it is hard to look at the list hoping not to be on it – everyone is. What is interesting to me is the continued deep penetration at what I term ‘Infrastructure Level Attacks’: systemic attacks designed to bypass the base assumptions and safeguards – such as encryption certificates; tokens of 2-factor authentication; cellphone and voicemail systems; and (as highlighted here) communications technology companies, international trade organizations that are privy to competitive information, satellite operators, and defense contractors (perhaps creating the opportunity for the recent influx of malicious control chips shipped out of China).

There have been a rich number of papers produced over the past few years that present and provide greater information on this threat. I would encourage reading these intelligence reports as time permits. A good site that continually has actionable information is here.

A short note on the flurry of posts and messages:

It’s Blackhat and Defcon week which means copious amounts of reports, presentations, and sometimes seismic events within the information security and intelligence space.  As interesting bits come to my attention I am posting them via twitter, and will try and post any excerpts that catch my eye.  I strongly encourage reading the full presentations and research papers.  Massive efforts went into these works, and it is now our opportunity to apply that knowledge appropriately.  I do look forward to others sharing their opinion, research, and links.

Other thoughts?

James

RSA SFO 2011 is done

This week has been a blitz of sessions, one-on-one deep discussions, and random swarms of passionate people descending on any table to discuss all things information security.  The sessions were good, the products somewhat interesting, and the networking was fantastic.  I did my best to tweet as much as I could from sessions throughout the conference, but there is a theme I saw and wanted to share for debate and consumption.

The risks are severe and quite frankly the offensive capability of attackers (individuals, attack teams like Anonymous, and nation state sponsored groups) is excellent. Organizations are suffering from exfiltrated data at an alarming scale, and the management of these threats is ad-hoc and immature.

From a single vendor this would come across as F.U.D., but this was expressed by the Director of the NSA, and at nearly every session and keynote.

So what does this mean? Well, much like at RSA there is a need to translate and form an opinion, or what is lovingly called the ‘Apply Slide’. Below are the points that resonated for me – in no particular priority order:

  • There is a need for a more meaningful appreciation of what is valuable to every organization. This discussion needs to happen with the management, legal, risk management, internal audit, and technology leadership. A primary effort of bringing these individuals together is to ascertain what is valuable and in what forms it may exist throughout the business.
  • A sophisticated incident handling process is needed. This is a topic highlighted by the likes of Google and signals intelligence experts. The point, though, was lost, I feel, on the majority of attendees. The need is not simply to have trained team members with tools to be activated in the case of a breach. That is needed, but there is a much deeper need:
    • The maturing and sustaining of a firm-wide global effort to respond to every infection / malware instance / behavioral anomaly. Here is the thesis: Today most of these are addressed through a help desk function that follows a decade-old process of risk identification and remediation. The common response is to update patches and have the behavior cease (removal of the error is considered a “fix”). It is widely accepted that the attackers and infection tools are highly sophisticated, and removal is neither a linear path nor a guarantee of a “clean” system. In addition, the statistics reinforce this fact when we look at the effectiveness of anti-virus tools, the amount of malware that is unique and unknown, and the percentage of exfiltration events that result from this code. Finally, there is a stigma to ‘activating an incident response’ team in many organizations. Together these create an atmosphere where keyloggers / botnets / Stuxnet / and similar malware toolsets can infect, avoid destruction, increase infiltration, and carry out intelligent exfiltration of desired data.
  • Cloud was a very popular topic all week, and despite professional annoyance at the media focusing on a single aspect of information technology, one simple fact remains true: these sessions were packed. The information provided was not clear and visibility remains beyond immediate grasp. So – my response here is … these sessions were packed and the term is everywhere because we do not yet have this at a state of understanding. I foresee this will be a long and great area to continue developing.

Thanks to everyone and hope to see you again – soon!

James DeLuccia