## Archive for the ‘Security’ Category

### How Do Hackers Live on $53.57? (‘Hack the Air Force’) Wednesday, April 26th, 2017 I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’: Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites. You find: Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit. Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid$75,000 in bounties.

“In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.”

Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says.

Let’s see, $75,000 split between 1,400 hackers, that’s$53.57 per hacker, on average. Some got more than average, some got nothing at all.

‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills. Skills that take time, hard work, talent to develop, but the Air Force devalues them with chump change.

I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks.

However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity.

Not my decision, not my problem.

Want an effective solution?

First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins.

Bearing in mind that paying market rate and adhering to market reasonable responsiveness will be critical to success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it.

Second step, create a very “lite” contracting process when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and graft of primes, sub-primes and sub-sub-primes, with all the feather nesting of contract officers, etc., along the way. Oh, drug tests as well. You want results, not squeaky clean but so-so hackers.

Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes?

Until the Air Force stops damaging the defensive cybersecurity labor market, boycott the ‘Hack the Air Force’ at HackerOne and all similar efforts.

### Metron – A Fist Full of Subjects

Monday, April 24th, 2017

Metron – Apache Incubator

From the description:

Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform.

Metron can be divided into 4 areas:

1. A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics.
2. Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the “who” and “where” information that is critical for investigation.
3. Efficient information storage based on how the information will be used:
1. Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility
2. The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent
3. Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection.
4. An interface that gives a security investigator a centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools.

Big data is a natural fit for powerful security analytics. The Metron framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With Metron, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats.

Metron (website)

Metron wiki

Metron Jira

Metron Git

Security threats aren’t going to assign themselves unique and immutable IDs. Which means they will be identified by characteristics and associated with particular acts (think associations), which are composed of other subjects, such as particular malware, dates, etc.

Being able to robustly share such identifications (unlike the “we’ve seen this before at some unknown time, with unknown characteristics,” typical of Russian attribution reports) would be a real plus.

Looks like a great opportunity for topic maps-like thinking.

Yes?

### Anonymous Domain Registration Service [Update: 24 April 2017]

Sunday, April 23rd, 2017

Pirate Bay Founder Launches Anonymous Domain Registration Service

Does this sound anonymous to you?

With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust.

A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to.

“Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes.

Njalla

Perhaps I’m being overly suspicious but what is the basis for trusting Njalla?

I would feel better if Njalla only possessed a key that would decrypt (read authenticate) messages as arriving from the owner of some.domain.

Other than payment, what other interest do they have in an owner’s actual identity?

Perhaps I should bump them about that idea.

Update: On further inquiry, registration only requires an email or jabber contact point. You can handle being anonymous to Njalla at those points. So, more anonymous than I thought.

### Leak “Threatens Windows Users Around The World?”

Thursday, April 20th, 2017

Really? Shadow Brokers leaking alleged NSA malware “threatens users around the world?”

Hmmm, I would think that the NSA developing Windows malware is what threatens users around the world.

Yes?

Unlike the apparent industry concealment of vulnerabilities, the leaking of NSA malware puts all users on an equal footing with regard to those vulnerabilities.

In a phrase, users are better off for the NSA malware leak than they were before.

They know (or at least it has been alleged) that these leaked vulnerabilities have been patched in supported Microsoft products. By upgrading to those products, they can avoid these particular pieces of NSA malware.

Leaking vulnerabilities enables users to avoid perils themselves, in this case by upgrading, and/or to demand patches from vendors responsible for the vulnerabilities.

Do you see a downside I don’t?

Well, aside from trashing the market for vulnerabilities and gelding security agencies, neither one of which I will lose any sleep over.

### Who Prefers Zero Days over 7 Year Old Bugs? + Legalization of Hacking

Thursday, April 20th, 2017

“Who” is not clear but Dan Goodin reports in Windows bug used to spread Stuxnet remains world’s most exploited that:

One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab.

In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year.

A market share of almost 25%, despite being patched in 2010, marks CVE-2010-2568 as one of the top bugs a hacker should have in their toolkit.

Not to denigrate finding zero day flaws in vibrators and other IoT devices, or more exotic potential exploits in the Linux kernel but if you approach hacking as an investment, the “best” tools aren’t always the most recent ones. (“Best” defined as the highest return for mastery and use.)

Looking forward to the legalization of hacking, unauthorized penetration of information systems, with civil and criminal penalties for owners of those systems who get hacked.

I suggest that because hacking being illegal, has done nothing to stem the tide of hacking. Mostly because threatening people you can’t find or who think they won’t be found, is by definition, ineffectual.

Making hacking legal and penalizing business interests who get hacked, is a threat against people you can find on a regular basis. They pay taxes, register their stocks, market their products.

Speaking of paying taxes, there could be an OS upgrade tax credit. Something to nudge all the Windows XP, Vista, 7 instances out of existence. That alone would be the largest single improvement in cybersecurity since that because a term.

Legalized, hackers would provide a continuing incentive (fines and penalties) for better software and more consistent upgrade practices. Take advantage of that large pool of unpaid but enthusiastic labor (hackers).

### More Leveling – Undetectable Phishing Attack

Monday, April 17th, 2017

From the post:

Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others.

Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001.

This particular hack depends upon variant characters being available within one language set, which avoids characters from different languages (deemed phishing attempts).

To make this work, you will need a domain name written using Punycode (RFC 3492), which enables the writing of Unicode in ASCII.

There’s a task for deep learning, scanning the Unicode Code Charts for characters that are easy to confuse with ASCII characters.

If you have a link to such results, ping me with it.

### Shadow Brokers Level The Playing Field

Monday, April 17th, 2017

The whining and moaning from some security analysts over Shadow Broker dumps is a mystery to me.

Apologies for the pie chart, but the blue area represents the widely vulnerable population pre-Shadow Brokers leak:

I’m sorry, you can’t really see the 0.01% or less, who weren’t vulnerable pre-Shadow Brokers leak. Try this enlargement:

Shadow Brokers, especially if they leak more current tools, are leveling the playing field for the average user/hacker.

Instead of 99.99% of users being in danger from people who buy/sell zero-day exploits, some governments and corporations, now it is closer to 100% of all users who are in danger.

Listen to them howl!

Was was not big deal, since people with power could hack the other 99.99% of us, certainly is now a really big deal.

Maybe we will see incentives for more secure software when everyone and I mean everyone is at equal risk.

Help Shadow Brokers level the security playing field.

A post on discovery policy for vulnerabilities promotes user equality.

Do you favor user equality or some other social regime?

### The Line Between Safety and Peril – (patched) “Supported Products”

Saturday, April 15th, 2017

Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks.

Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

News of the release has been fanned by non-technical outlets, such as CNN Tech, NSA’s powerful Windows hacking tools leaked online by Selena Larson.

Microsoft has responded with: Protecting customers and evaluating risk:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.
… (emphasis in original)

You are guaranteed to be in peril if you are not running patched, supported Microsoft products.

Even if you are running a supported product, know that 50% of all vulnerabilities are from failure to apply patches.

Unlike the hackers who may be in your system right now, liability of vendors for unreasonably poor coding practices or your company for data breaches caused by your practices, such as failure to apply patches, would be incentives for more secure software and better security practices.

If you are serious about cybersecurity, focus on people you can reach and not those you encounter at random (hackers).

### Power to the User! + Pull Advertising

Friday, April 14th, 2017

From the post:

An ad blocker that uses computer vision appears to be the most powerful ever devised and can evade all known anti ad blockers.

A team of Princeton and Stanford University researchers has fundamentally reinvented how ad-blocking works, in an attempt to put an end to the advertising versus ad-blocking arms race. The ad blocker they’ve created is lightweight, evaded anti ad-blocking scripts on 50 out of the 50 websites it was tested on, and can block Facebook ads that were previously unblockable.

The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution.
… (emphasis in original)

How very cool! Putting users in charge of the content they view. What a radical idea!

Koebler does the required genuflection towards the “ethics” of blocking ads, but I see no “ethical” issue at all.

IBM, Cisco, etc., are wasting their time and mine advertising enterprise scale security solutions to me. Promise.

What’s broken is that advertisers, like telephone scammers, must contact millions of people to find those unlucky enough to answer the ad and/or phone.

For example, not this year but in a few years, I’m going to buy a new car. When that time comes, ads and offers on cars of certain types would be welcome.

What if I could specify a time period, price range, model of car and for that relevant period of time, I get card ads, etc. Notice I have pre-qualified myself as interested, so the advertisers aren’t talking about hits out of millions but possibly thousands if not hundreds. Depends on how good their offers are.

Or if generally I’m interested in books in particular categories or by particular authors? Or when cheese is on sale at Kroger? All of which I could pre-qualify myself.

Pull advertising reduces the bandwidth wasted by advertisers who push content never knowing where a mark (sorry, customer) may be found.

Such a system would need to protect the privacy of consumers, so they would not be pestered when they had not opted in for ads. But anonymous ad brokerage is certainly doable. (The opposite of finding a subject with topic maps is concealing it.)

Interested in ending web-based spam/click-bait?

### Happy Easter From Shadow Brokers!

Friday, April 14th, 2017

From the post:

On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft’s Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.

The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.

Called “Lost in Translation,” the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.

Cimpanu has a partial list of some of the more interesting hacking tools in the release.

Encouragement to grab a copy of the archive for yourself.

Assuming any, some or all of these tools are genuine, you can now start peeling banks, corporations and governments like eating an orange.

The only thing that’s missing is you.

Transparency anyone?

### MS Patch for Zero Day Leaves 56% Of Office Users Exposed

Tuesday, April 11th, 2017

From the post:

Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan.

Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts.

Err, well, except that Tom goes on to say:

However, Microsoft notes “you must have the release version of Service Pack 2 for Office 2010 installed on the computer” to apply the security update. Alternatively, security experts recommend blocking RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center. They also recommend using Microsoft Office Protected View, which they say can help prevent exploitation without user interaction.

A highly unscientific survey of MS Office users at: http://www.msofficeforums.com/versionchart.php?mon=12, shows the patch leaves 56% of Office users vulnerable.

Is that the total you get?

Anyone spreading the Dridex malware need not despair about the MS patch. The majority of Office users remain unprotected.

### Garden Variety Terrorism

Thursday, April 6th, 2017

If you haven’t seen images from the I-85 fire in Atlanta, which caused a 100 foot section of a bridge to collapse, consider:

resulted in:

HPDE coils burn at 341 degrees, according to its manufacturer.

One more fact you need:

Q: What is the temperature of a Bic lighter flame?
A: The temperature of a Bic lighter can reach nearly 1,977 degrees Celsius or 3,590.6 degrees Fahrenheit. The temperature of a lighter’s flame depends on what type of fuel the lighter uses. Bic lighters use butane and are called butane lighters.

It has been alleged a mentally ill crackhead (there’s some other kind?) set furniture on fire, which spread to other materials and then the HPDE coils.

I mention this after having read I write thrillers. My research showed me how easily terrorists can strike us by Matthew Quirk.

Quirk writes in part:

A gray SUV idled across the street from the chemical plant. Gas storage tanks, four stories tall, towered over the low-slung neighborhood. It was a hot, dry Sunday in southeast Los Angeles.

The plant’s front gate was open. The driver tapped the throttle, then cut into the facility, past the “no trespassing” notices and the signs demanding that all trucks stop and check in with a guard. He pointed the car straight at three trailers loaded with compressed hydrogen. Behind them, on the other side of a rusting chain-link fence, rail tankers sat outside a facility that uses chlorine to manufacture bleach. One tanker car of chlorine, if ruptured (by, say, a nearby hydrogen explosion), could reach 4.9 million people in the Los Angeles Basin and kill 10,000 under worst-case conditions.

The driver veered away from the gas tanks, then stopped the car and waited. No one came to check on him as he took a few photos on his phone. After five minutes, he pulled away.

That was me. I write thrillers for a living. For my latest novel, “Dead Man Switch,” I spent a lot of time researching the materials lying around the United States that terrorists could use to kill tens of thousands of people. I like to think my books are pretty tense, but they have nothing on reality: More than 15 years after 9/11, we have failed to take basic steps to address glaring threats that have already cost American lives.

With its ongoing attempts to enact a ban on many Muslim travelers and “extreme vetting” for visitors to the United States, the Trump administration has treated terrorism as a political cudgel rather than the grave and present threat it truly represents. In the years after 9/11, there was extraordinary bipartisan momentum to identify threats and safeguard against them, but the work is unfinished. With terrorism back atop the agenda, we should spend our time and money addressing the obvious risks, not the hypothetical or concocted ones.

I disagree with Quirk and Washington Post on their assessment of the risk of terrorist attacks but have to second addressing actual risks and not imaginary ones.

Security speakers who wax eloquently about smallpox infected travelers and weaponized anthrax, fail to recognize a good Mission Impossible plot when they see one. Things like HPDE coils, Interstate bridges and Bic lighters escape their notice.

Terrorism doesn’t require elaborate cell infrastructures, much and unfairly maligned encrypted cellphone apps, or any of the highly convoluted schemes in popular fiction (read Homeland Security reports).

No, if I were concerned about terrorism, it would be over garden variety terrorism. The sort that uses no tool or implement not readily available to the average home owner.

Perhaps using those tools/implements in unexpected ways, in combination with open data to create, what did the American general say about Tet (1968)? Oh, yes, “to create maximum consternation.”

### Pursuing Cybersecurity

Wednesday, April 5th, 2017

should make you realize hunting and punishing hackers a very doubtful approach to improving cybersecurity.

Even if flaws are fixed in software, users resist upgrading and in other cases, vulnerabilities persist over decades. To put it bluntly, the opportunities for hacking increase with every software release or patch.

Hackers can be and are caught, then tried or plead out with great fanfare, but if security reports are to be credited, cybercrime continues to increase by leaps and bounds.

Using a non-cybersecurity example, what if your locality had a burglary problem? Every month, as new homes are built, the burglary rates go up. Upon investigation you discover that builders are not putting locks on doors or windows of new homes.

1. Hire more police officers and step up patrols to catch burglars, or
2. Require builders to install and test locks on windows and doors.

Option #1, like punishing hackers, requires you to catch the burglars first. A chancy proposition at best, even more so for hackers. The bottom line is you are catching and punishing a minuscule portion of the burglars or hackers. For our example, assume that burglaries continue to increase despite your high conviction rate.

Option #2, well, builders are a lot easier to catch than burglars or hackers. They are selling a commercial product that depends upon repeat business so we can not only set requirements, we can also monitor if those requirements are being met.

Setting the standards for legal liability for flaws in software won’t be easy, but consider that despite the liabilities imposed on pharmaceutical companies:

Last year, five pharmaceutical companies made a profit margin of 20% or more – Pfizer, Hoffmann-La Roche, AbbVie, GlaxoSmithKline (GSK) and Eli Lilly.
… (from Pharmaceutical industry gets high on fat profits)

Vendors can compete to produce more secure software (less liability) or compete to race to market with insecure software (feeding hackers).

Which approach do you think leads to greater cybersecurity overall?

### Targeting Tuesday: 600,000 Windows Server 2003 Installations

Tuesday, April 4th, 2017

From the post:

A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software.

The researchers posted a proof-of-concept exploit for the zero-day to Github. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to an improper validation of an ‘IF’ header in a PROPFIND request.

The researchers said it’s not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week.

“A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro.

He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC).

No patch from Microsoft so this vulnerability will be around for quite some time. Long enough to test your skills at working from a PoC or a CVE (CVE-2017-7269) to develop working code.

Test against your local Windows Server 2003 installation on a VM.

If you are serious about security research, start collecting OS editions and their patches. Refresh your storage media on a regular schedule.

### The Upside To Overturning Internet Privacy Rules

Monday, April 3rd, 2017

From the post:

President Trump has signed a Congressional resolution overturning Federal Communications Commission rules that would have required internet providers to get their customers’ permission before sharing personal data like browsing history with advertisers. The rules had yet to go into effect.

Sure, but there is an upside.

You have already seen media reports urging everyone to start using VPNs and the like to protect their privacy from ISP predators.

What happens if VPNs come into everyday use by the average user? Aside from greater profits for VPN vendors.

Hmmm, several orders of magnitude more VPN connections than are being tracked by the usual alphabet soup agencies.

Encourage every user you know to use a VPN connection. Hell, offer them as swag at conferences.

Teacher and library conferences. Church camps. Oh, yeah, technical conferences too.

Hackers in the mist? 😉

Monday, April 3rd, 2017

The cost of potential future losses from ATMs is baked into every bank fee. Good planning for banks because 95% of ATMs are still running Windows XP. The losses are coming, just not there, yet.

Mail this image to your local bank, ditto for members of board of directors:

I can’t promise your bank will upgrade its ATM software but pass any reduction in anticipated future costs along to you.

However, the staff and directors are likely to give their Errors and Omission (E&O) policies a close review. 😉

Come to think of it, you should pass this along to any insurance agents selling E&O coverage. Great technique to drive their business and perhaps result in better security for banking customers.

### 4 Billion “Records” Leaked In 2016 – How Do You Define Record?

Wednesday, March 29th, 2017

The IBM X-Force Treat Intelligence Index 2017 report leaves the impression hackers are cutting through security like a hot knife through butter:

With Internet-shattering distributed-denial-of-service (DDoS) attacks, troves of records leaked through data breaches, and a renewed focus by organized cybercrime on business targets, 2016 was a defining year for security. Indeed, in 2016 more than 4 billion records were leaked, more than the combined total from the two previous years, redefining the meaning of the term “mega breach.” In one case, a single source leaked more than 1.5 billion records.1 (page 3)

The report helpfully defines terms at page 3 and in the glossary (page 29) but never defines “record.”

The 4 billion records “fact” will appear in security blogs, Twitter, business zines, mainstream media, all without asking: “What is a record?”

Here are some things that could be records:

• medical record (1 or more pages)
• financial record (1 or more pages)
• CIA document (1 or more pages)
• Tax records (1 or more pages)
• Offshore bank data (spreadsheet, 1 or more pages
• Presentations (PPT, 1 or more pages)
• Accounting records (1 or more pages)
• Emails (1 or more pages)
• Photos, nude or otherwise

IBM’s “…4 billion records were leaked…,” is a marketing statement for IBM security services. Not a statement of fact.

PS: I haven’t checked the other “facts” claimed in this document. The failure to define “record” was enough to discourage further reading.

### How Not To Lose A Community’s Trust

Tuesday, March 28th, 2017

From the post:

The author of the Nuclear Bot banking trojan has leaked the source code of his own malware in a desperate attempt to regain trust and credibility in underground cybercrime forums.

Nuclear Bot, also known as NukeBot and more recently as Micro Banking Trojan and TinyNuke, is a new banking trojan that appeared on the malware scene in December 2016, when its author, a malware coder known as Gosya, started advertising it on an underground malware forum.

According to Gosya's ad, this new banking trojan was available for rent and included several features, such as:

• Formgrabber and Web-Injection modules (Firefox, Chrome, IE, and Opera)
• A SOCKS proxy module
• Remote EXE file launcher module
• Hidden VNC module that worked on Windows versions between XP and 10
• Rootkit for 32-bit and 64-bit architectures
• UAC bypass
• Windows Firewall bypass
• IBM Trusteer firewall bypass
• Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine

Subsequent analysis from both Arbor Networks and Sixgill confirmed the trojan's deadly features. In spite of these favorable reports, Gosya's Nuclear Bot saw little adoption among cybercrime gangs, as the malware's author miserably failed to gain their trust.

See Catalin’s post for the most impressive list of social fails I have seen in years. Seriously.

More importantly, for hacker and other forums, learn the local customs. Always.

Enjoy!

Monday, March 27th, 2017

You remember the Dilbert cartoon on corporate security where the pointed haired boss asks what Dilbert would do if a stranger offered to buy company secrets. Dilbert responds asking how much is the stranger offering? See the strip for the boss’ answer and Wally’s follow up question.

Danny Palmer reports the price point for employees who would sell their access, maybe less than you think.

From the post:

A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200.

According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who’d sell their credentials to an outsider, nearly half would do it for less.

That’s about $260.00 U.S. at today’s exchange rates. Only you know your time and expense of hacking passwords and/or buying them on the dark web. I suspect the price point is even lower in government agencies with unpopular leadership. I haven’t seen any surveys of US employees, but I suspect employees of companies, suppliers, contractors, banks, etc., involved in oil pipeline construction are equally open to selling passwords. Given labor conditions in the US, perhaps even more so. Not that anyone opposing a multi-generational environmental crime like an oil pipeline would commit a crime when there are so many lawful and completely ineffectual means to oppose it at hand. PS: As recent CIA revelations demonstrate, the question isn’t if government will betray the public’s interest but when. The same is true for environmental, health and other concerns. ### Peeping Toms Jump > 16,000 In UK Monday, March 27th, 2017 The ranks of peeping toms swells by at least 16,000 in the UK: From the post: More than 16,000 staff in the public sector and its agencies have been empower by Section 4 of the Investigatory Powers Act to snoop on people’s internet connection records. And that’s before the estimated 4,000 staff at security agency MI5, the 5,500 at GCHQ and 2,500 at MI6 are taken into account. That’s according to the responses from a series of almost 100 Freedom of Information (FOI) requests made in a bid to find out exactly who has the power to snoop on ordinary people’s web browsing histories under the Act. GCHQ, the Home Office, MI6, the National Crime Agency, the Ministry of Justice, all three armed forces and Police Service of Scotland all failed to respond to the FOI requests – so the total could be much higher. My delusion that the UK has a mostly rational government was shattered by passage of the Investigatory Powers Act. Following web browsing activity, hell, even tracking everyone and their conversations, 24 x 7, isn’t going to stop random acts of violence. What part of random acts of violence being exactly that, random, seems to be unclear? Are there no UK academics to take up the task of proving prediction of random events is possible? Unless and until the UK Parliament comes to its senses, the best option for avoiding UK peeping toms is to move to another country. If re-location isn’t possible, use a VPN and a Tor browser for all web activity. ### Looking For Installed Cisco Routers? Saturday, March 25th, 2017 News of 300 models of Cisco Catalyst switches being vulnerable to a simple Telnet attack, Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example, has piqued interest in installed Cisco routers. You already know that Nmap can uncover and identify routers. What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap. Consider GovernmentBids.com for example. You can search by federal government bid types and/or one or more of the fifty states. Up to 999 prior to the current date, for bids, which includes the bids as well as the winning vendor. If you are routinely searching for IT vulnerability information, I would not begrudge them the$131/month fee for full information on bids.

From a topic map perspective, pairing IT bid information with vulnerability reports, would be creative and valuable intelligence.

How much IT information is your office/department hemorrhaging?

### Attn: Zero-Day Hunters, ATMs Running Windows XP Have Cash

Friday, March 24th, 2017

Kimberly Crawley reprises her Do ATMs running Windows XP pose a security risk? You can bank on it! as a reminder that bank ATMs continue to run Windows XP.

Her post was three years old in February, 2017 and just as relevant as the first day of its publication.

Rather than passing even more unenforceable hacking legislation, states and congress should impose treble damages with mandatory attorney’s fees on commercial victims of hacking attacks.

Insecurity will become a cost center in their budgets, justifying realistic spending and demand for more secure software.

In the meantime, remember ATMs running Windows XP dispense cash.

### The New Handbook For Cyberwar Is Being Written By Russia

Wednesday, March 22nd, 2017

From the post:

One US intelligence officer currently involved in cyber ops said, “It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said the officer, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”

Well, “…testing things out in the field and refining them…” is the difference between a potential weapon on a dry erase board and a working weapon in practice. Yes?

Personally I favor the working weapon in practice.

It’s an interesting read despite the repetition of the now debunked claim of Wikileaks releasing 8,761 CIA documents (Fact Checking Wikileaks’ Vault 7: CIA Hacking Tools Revealed (Part 1))

Frenkel of course covers the DNC hack:

The hack on the DNC, which US intelligence agencies have widely attributed to Russia, could be replicated by dozens of countries around the world, according to Robert Knake, a former director of cybersecurity policy in the Obama administration.

“Russia has laid out the playbook. What Russia did was relatively unsophisticated and something that probably about 60 countries around the world have the capability of doing — which is to target third parties, to steal documents and emails, and to selectively release them to create unfavorable conditions for that party,” Knake told the BBC’s Today. “It’s unsubtle interference. And it’s a violation of national sovereignty and customary law.”

Kanke reflects the failure of major powers to understand the leveling potential of cyberwarfare. Sixty countries? You think? How about every kid that can run a phishing scam to steal John Podesta’s password? How many? 600,000 maybe? More than that?

None of who care about “…national sovereignty and customary law.”

Are you going to write or be described in a chapter of the new book on cyberwar?

### When To Worry About CIA’s Zero-Day Exploits

Wednesday, March 22nd, 2017

Chris McNab’s Alexsey’s TTPs (.. Tactics, Techniques, and Procedures) post on Alexsey Belan provides a measure for when to worry about Zero-Day exploits held by the CIA.

McNab lists:

• Belan’s 9 offensive characteristics
• 5 defensive controls
• WordPress hack – 12 steps
• LinkedIn targeting – 11 steps
• Third victim – 11 steps

McNab observes:

Consider the number of organizations that provide services to their users and employees over the public Internet, including:

• Web portals for sales and marketing purposes
• Mail access via Microsoft Outlook on the Web and Google Mail
• Collaboration via Slack, HipChat, SharePoint, and Confluence
• DevOps and support via GitHub, JIRA, and CI/CD utilities

Next, consider how many enforce 2FA across their entire attack surface. Large enterprises often expose domain-joined systems to the Internet that can be leveraged to provide privileged network access (via Microsoft IIS, SharePoint, and other services supporting NTLM authentication).

Are you confident safe 2FA is being enforced over your entire attack surface?

If not, don’t worry about potential CIA held Zero-Day exploits.

You’re in danger from script kiddies, not the CIA (necessarily).

Alexsey Belan made the Most Wanted list at the FBI.

Crimes listed:

Conspiring to Commit Computer Fraud and Abuse; Accessing a Computer Without Authorization for the Purpose of Commercial Advantage and Private Financial Gain; Damaging a Computer Through the Transmission of Code and Commands; Economic Espionage; Theft of Trade Secrets; Access Device Fraud; Aggravated Identity Theft; Wire Fraud

His FBI poster runs two pages but you could edit off the bottom of the first page to make it suitable for framing.

😉

Try hanging that up in your local university computer lab to test their support for free speech.

### New Wiper Malware – A Path To Involuntary Transparency

Tuesday, March 14th, 2017

From the press release:

The Kaspersky Lab Global Research and Analysis Team has discovered a new sophisticated wiper malware, called StoneDrill. Just like another infamous wiper, Shamoon, it destroys everything on the infected computer. StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal. In addition to targets in the Middle East, one StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.

Besides the wiping module, Kaspersky Lab researchers have also found a StoneDrill backdoor, which has apparently been developed by the same code writers and used for espionage purposes. Experts discovered four command and control panels which were used by attackers to run espionage operations with help of the StoneDrill backdoor against an unknown number of targets.

Perhaps the most interesting thing about StoneDrill is that it appears to have connections to several other wipers and espionage operations observed previously. When Kaspersky Lab researchers discovered StoneDrill with the help of Yara-rules created to identify unknown samples of Shamoon, they realised they were looking at a unique piece of malicious code that seems to have been created separately from Shamoon. Even though the two families – Shamoon and StoneDrill – don’t share the exact same code base, the mind-set of the authors and their programming “style” appear to be similar. That’s why it was possible to identify StoneDrill with the Shamoon-developed Yara-rules.

Code similarities with older known malware were also observed, but this time not between Shamoon and StoneDrill. In fact StoneDrill uses some parts of the code previously spotted in the NewsBeef APT, also known as Charming Kitten – another malicious campaign which has been active in the last few years.

For details beyond the press release, see: From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond by Costin Raiu, Mohamad Amin Hasbini, Sergey Belov, Sergey Mineev or the full report, same title, version 1.05.

Wipers can impact corporate and governmental operations but they may be hiding crimes and misdeeds at the same time.

Of greater interest are the espionage operations enabled by StoneDrill.

If you are interested in planting false flags, pay particular attention to the use of language analysis in the full report.

Taking a clue from Lakoff on framing, would you opinion of StoneDrill change if instead of “espionage” it was described as a “corporate/government transparency” tool?

I don’t recall anyone saying that transparency is by definition voluntary.

Perhaps that’s the ticket. Malware can bring about involuntary transparency.

Yes?

### That CIA exploit list in full: … [highlights]

Wednesday, March 8th, 2017

From the post:

We’re still going through the 8,761 CIA documents published on Tuesday by WikiLeaks for political mischief, although here are some of the highlights.

First, though, a few general points: one, there’s very little here that should shock you. The CIA is a spying organization, after all, and, yes, it spies on people.

Two, unlike the NSA, the CIA isn’t mad keen on blanket surveillance: it targets particular people, and the hacking tools revealed by WikiLeaks are designed to monitor specific persons of interest. For example, you may have seen headlines about the CIA hacking Samsung TVs. As we previously mentioned, that involves breaking into someone’s house and physically reprogramming the telly with a USB stick. If the CIA wants to bug you, it will bug you one way or another, smart telly or no smart telly. You’ll probably be tricked into opening a dodgy attachment or download.

That’s actually a silver lining to all this: end-to-end encrypted apps, such as Signal and WhatsApp, are so strong, the CIA has to compromise your handset, TV or computer to read your messages and snoop on your webcam and microphones, if you’re unlucky enough to be a target. Hacking devices this way is fraught with risk and cost, so only highly valuable targets will be attacked. The vast, vast majority of us are not walking around with CIA malware lurking in our pockets, laptop bags, and living rooms.

Thirdly, if you’ve been following US politics and WikiLeaks’ mischievous role in the rise of Donald Trump, you may have clocked that Tuesday’s dump was engineered to help the President pin the hacking of his political opponents’ email server on the CIA. The leaked documents suggest the agency can disguise its operations as the work of a foreign government. Thus, it wasn’t the Russians who broke into the Democrats’ computers and, by leaking the emails, helped swing Donald the election – it was the CIA all along, Trump can now claim. That’ll shut the intelligence community up. The President’s pet news outlet Breitbart is already running that line.

Iain does a good job of picking out some of the more interesting bits from the CIA (alleged) file dump. No, you will have to read Iain’s post for those.

I mention Iain’s post primarily as a way to entice you into reading the all the files in hopes of discovering more juicy tidbits.

Read the files. Your security depends on the indifference of the CIA and similar agencies. Is that your model for privacy?

### Gap Analysis Resource – Electrical Grid

Wednesday, March 8th, 2017

Electricity – Federal Efforts to Enhance Grid Resilience Government Accounting Office (GAO) (January 2017)

What GAO Found

The Department of Energy (DOE), the Department of Homeland Security (DHS), and the Federal Energy Regulatory Commission (FERC) reported implementing 27 grid resiliency efforts since 2013 and identified a variety of results from these efforts. The efforts addressed a range of threats and hazards—including cyberattacks, physical attacks, and natural disasters—and supported different types of activities (see table). These efforts also addressed each of the three federal priorities for enhancing the security and resilience of the electricity grid: (1) developing and deploying tools and technologies to enhance awareness of potential disruptions, (2) planning and exercising coordinated responses to disruptive events, and (3) ensuring actionable intelligence on threats is communicated between government and industry in a time-sensitive manner. Agency officials reported a variety of results from these efforts, including the development of new technologies—such as a rapidly-deployable large, highpower transformer—and improved coordination and information sharing between the federal government and industry related to potential cyberattacks.

(table omitted)

Federal grid resiliency efforts were fragmented across DOE, DHS, and FERC and overlapped to some degree but were not duplicative. GAO found that the 27 efforts were fragmented in that they were implemented by three agencies and addressed the same broad area of national need: enhancing the resilience of the electricity grid. However, DOE, DHS, and FERC generally tailored their efforts to contribute to their specific missions. For example, DOE’s 11 efforts related to its strategic goal to support a more secure and resilient U.S. energy infrastructure. GAO also found that the federal efforts overlapped to some degree but were not duplicative because none had the same goals or engaged in the same activities. For example, three DOE and DHS efforts addressed resiliency issues related to large, high-power transformers, but the goals were distinct—one effort focused on developing a rapidly deployable transformer to use in the event of multiple large, high-power transformer failures; another focused on developing next-generation transformer components with more resilient features; and a third focused on developing a plan for a national transformer reserve. Moreover, officials from all three agencies reported taking actions to coordinate federal grid resiliency efforts, such as serving on formal coordinating bodies that bring together federal, state, and industry stakeholders to discuss resiliency issues on a regular basis, and contributing to the development of federal plans that address grid resiliency gaps and priorities. GAO found that these actions were consistent with key practices for enhancing and sustaining federal agency coordination.
…(emphasis in original)

A high level view of efforts to “protect” the electrical grid (grid) in the United States.

Most of the hazards, massive solar flares, the 1859 Carrington Event, or a nuclear EMP, would easily overwhelm many if not all current measures to harden the grid.

Still, participants get funded to talk about hazards and dangers they can’t prevent nor easily remedy.

What dangers do you want to protect the grid against?

### Headless Raspberry Pi Hacking Platform Running Kali Linux

Wednesday, March 8th, 2017

From the post:

The Raspberry Pi is a credit card-sized computer that can crack Wi-Fi, clone key cards, break into laptops, and even clone an existing Wi-Fi network to trick users into connecting to the Pi instead. It can jam Wi-Fi for blocks, track cell phones, listen in on police scanners, broadcast an FM radio signal, and apparently even fly a goddamn missile into a helicopter.

The key to this power is a massive community of developers and builders who contribute thousands of builds for the Kali Linux and Raspberry Pi platforms. For less than a tank of gas, a Raspberry Pi 3 buys you a low-cost, flexible cyberweapon.

Of course, it’s important to compartmentalize your hacking and avoid using systems that uniquely identify you, like customized hardware. Not everyone has access to a supercomputer or gaming tower, but fortunately one is not needed to have a solid Kali Linux platform.

With over 10 million units sold, the Raspberry Pi can be purchased in cash by anyone with \$35 to spare. This makes it more difficult to determine who is behind an attack launched from a Raspberry Pi, as it could just as likely be a state-sponsored attack flying under the radar or a hyperactive teenager in high school coding class.

Blogging while I wait for the Wikileaks Vault7 Part 1 files to load into an XML database. The rhyme or reason (or the lack thereof) behind Wikileaks releases continues to escape me.

Within a day or so I will drop what I think is a more useful organization of that information.

While you wait, this is a particularly good post on using a Raspberry Pi “for reconnaissance and attacking Wi-Fi networks” in the author’s words.

Although a Raspberry Pi is easy to conceal, both on your person and on location, the purpose of such a device isn’t hard to discern.

If you are carrying a Raspberry Pi, avoid being searched until after you can dispose of it. Make sure that your fingerprints or biological trace evidence is not on it.

I say “your fingerprints or biological trace evidence” because it would be amusing if fingerprints or biological trace evidence implicated some resident of the facility where it is found.

The results of being suspected of possessing a Kali Linux equipped Raspberry Pi versus being proven to have possessed such a device, may differ by years.

Go carefully.

Tuesday, March 7th, 2017

If you want to avoid mirroring Vault 7: CIA Hacking Tools Revealed for yourself, check out: https://archive.org/details/wikileaks.vault7part1.tar.

Enjoy!

### Covert FM Radio Stations For Activists – Thumb In Eye Of Stingray Devices

Thursday, March 2nd, 2017

From the post:

They overlaid the audio and data on top of ambient news signals from a local NPR radio station. “FM radio signals are everywhere. You can listen to music or news in your car and it’s a common way for us to get our information,” said co-author and UW computer science and engineering doctoral student Anran Wang. “So what we do is basically make each of these everyday objects into a mini FM radio station at almost zero power.

”Such ubiquitous low-power connectivity can also enable smart fabric applications such as clothing integrated with sensors to monitor a runner’s gait and vital signs that transmits the information directly to a user’s phone. In a second demonstration, the researchers from the UW Networks & Mobile Systems Lab used conductive thread to sew an antenna into a cotton T-shirt, which was able to use ambient radio signals to transmit data to a smartphone at rates up to 3.2 kilobits per second.

The system works by taking an everyday FM radio signal broadcast from an urban radio tower. The “smart” poster or T-shirt uses a low-power reflector to manipulate the signal in a way that encodes the desired audio or data on top of the FM broadcast to send a “message” to the smartphone receiver on an unoccupied frequency in the FM radio band.

For the details:

The UW team has — for the first time — demonstrated how to apply a technique called “backscattering” to outdoor FM radio signals. The new system transmits messages by reflecting and encoding audio and data in these signals that are ubiquitous in urban environments, without affecting the original radio transmissions. Results are published in a paper to be presented in Boston at the 14th USENIX Symposium on Networked Systems Design and Implementation in March.

So government agents can cover cellphone frequencies with Stingray (“cell site simulators”) devices.

Wonder if they can cover the entire FM band? 😉

I’m guessing not. You?

Imagine a phone or shirt that is tuned to the frequency of a covert FM transmitter at a particular location. The information is just hanging out there but unless the “right” receiver walks by, its never known to anyone.

Ideal for messages directing public gatherings with near zero risk of interception by, shall we say, unfriendly parties?

Or other types of messages, imagine a singing dead drop as it were. You move away, the song goes away.

Enjoy!