## Archive for the ‘Cybersecurity’ Category

### 4.5 Billion Forced To Boycott ‘Hack the Air Force’ (You Should Too)

Friday, April 28th, 2017

I mentioned in How Do Hackers Live on $53.57? (‘Hack the Air Force’) that only hackers in Australia, Cananda, New Zealand, the United Kingdom and United States can participate in ‘Hack the Air Force.’ For a rough count of those excluded, let’s limit hackers to being between the ages of 15 and 64. The World Bank puts that as 66% of the total population as of 2015. OK, the World Population Clock gives a world population as of 28 April 2017 as 7,500,889,628. Consulting the table for population by country, we find: Australia (25M), Cananda (37M), New Zealand (5M), the United Kingdom (66M) and United States (326M), for a total of 459 million. Rounding the world’s population to 7,501,000,000, 66% of that population is 4,950,660,000 potential hackers world-wide, and from Australia, Cananda, New Zealand, the United Kingdom and United States, 283,140,000 potential hackers. Hmmm,  Worldwide 4,950,660,000 AF Rules 283,140,000 Excluded 4,667,520,000 Not everyone between the ages of 15 and 64 is a hacker but raw numbers indicate a weakness in the US Air Force approach. If ‘Hack the Air Force’ attracts any participants at all (participation is a bad idea, damages the cybersecurity labor market), those participants will be very similar to those who wrote the insecure systems for the Air Force. The few participants will find undiscovered weaknesses. But the weaknesses they find will be those anyone similar to them would find. A lack of diversity in security testing is as serious a flaw as standard root passwords. If you need evidence for the need for diversity in security testing, consider any of the bugs that are found post-appearance of any major software release. One assume that Microsoft, Oracle, Cisco, etc., don’t deliberately ignore major security flaws. Yet the headlines are filled with news of such flaws. My explanation is that different people look for vulnerabilities differently and hence discover different vulnerabilities. What’s yours? As far as the ‘Hack the Air Force’ contest, my counsel is to boycott it along with all those forcibly excluded from participating. The extreme lack of diversity in the hacking pool is a guarantee that post-contest, the public web systems of the US Air Force will remain insecure. Moreover, it’s not in the interest of the cybersecurity defense community to encourage practices that damage the chances cybersecurity defense will become a viable occupation. PS: Appeals to patriotism are amusing. The Air Force spent$billions constructing insecure systems. The people who built and maintain these insecure systems were/are paid a living wage. Having bought damaged goods, repeatedly and likely from the same people, what basis does the Air Force have to seek free advice and labor on its problems?

### Coloring US Hacker Bigotry (Test Your Geographic Ignorance)

Thursday, April 27th, 2017

I failed to mention in How Do Hackers Live on $53.57? (‘Hack the Air Force’) that ‘Hack the Air Force’ is limited to hackers in Australia, Canada, New Zealand, and the United States (blue on the following map). The dreaded North Korean hackers, the omnipresent Russian hackers (of Clinton fame), government associated Chinese hackers, not to mention the financially savvy East European hackers, and many others, are left out of this contest (red on the map). The US Air Force is “fishing in the shallow end of the cybersecurity talent pool.” I say this is “a partial cure for geographic ignorance,” because I started with the BlankMap-World4.svg map and proceeded in Gimp to fill in the outlines with appropriate colors. There are faster map creation methods but going one by one, impressed upon me the need to improve my geographic knowledge! ### How Do Hackers Live on$53.57? (‘Hack the Air Force’)

Wednesday, April 26th, 2017

I ask because once you get past the glowing generalities of USAF Launches ‘Hack the Air Force’:

Let the friendly hacking fly: The US Air Force will allow vetted white hat hackers and other computer security specialists root out vulnerabilities in some of its main public websites.

You find:

Reina Staley, chief of staff for the Defense Digital Service, notes that white-hat hacking and crowdsourced security initiatives are often used used by small businesses and large companies to beef up their security. Payouts for Hack the Air Force will be made based on the severity of the exploit discovered, and there will be only one payout per exploit.

Staley notes that the DoD’s Hack the Pentagon initiative, which was launched in April 2016 by the Defense Digital Service, was the federal government’s first bug bounty program. More than 1,400 hackers registered to participate, and DoD paid $75,000 in bounties. “In the past, we contracted to a security research firm and they found less than 20 unique vulnerabilities,” Staley explains. “For Hack the Pentagon, the 1,400 hackers found 138 unique vulnerabilities, most of them previously unknown.” Kim says Hack the Air Force is all about being more proactive in finding security flaws and fixing them quickly. “While the money is a draw, we’re also finding that people want to participate in the program for patriotic reasons as well. People want to see the Internet and Armed Forces networks become safer,” he says. Let’s see,$75,000 split between 1,400 hackers, that’s $53.57 per hacker, on average. Some got more than average, some got nothing at all. ‘Hack the Air Force’ damages the defensive cybersecurity labor market by driving down the compensation for cybersecurity skills. Skills that take time, hard work, talent to develop, but the Air Force devalues them with chump change. I fully agree with anyone who says government, DoD or Air Force cybersecurity sucks. However, the Air Force chose to spend money on valets, chauffeurs for its generals, fighter jets that randomly burst into flames, etc., just as they chose to neglect cybersecurity. Not my decision, not my problem. Want an effective solution? First step, “…use the free market Luke!” Create an Air Force contact point where hackers can anonymously submit notices of vulnerabilities. Institute a reliable and responsive process that offers compensation (market-based compensation) for those finds. Compensation paid in bitcoins. Bearing in mind that paying market rate and adhering to market reasonable responsiveness will be critical to success of such a portal. Yes, in a “huffy” voice, “you are the US Air Force,” but hackers will have something you need and cannot supply yourself. Live with it. Second step, create a very “lite” contracting process when you need short-term cybersecurity audits or services. That means abandoning the layers of reports and graft of primes, sub-primes and sub-sub-primes, with all the feather nesting of contract officers, etc., along the way. Oh, drug tests as well. You want results, not squeaky clean but so-so hackers. Third step, disclose vulnerabilities in other armed services, both domestic and foreign. Time spent hacking them is time not spent hacking you. Yes? Until the Air Force stops damaging the defensive cybersecurity labor market, boycott the ‘Hack the Air Force’ at HackerOne and all similar efforts. ### Metron – A Fist Full of Subjects Monday, April 24th, 2017 Metron – Apache Incubator From the description: Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis. Metron provides capabilities for log aggregation, full packet capture indexing, storage, advanced behavioral analytics and data enrichment, while applying the most current threat-intelligence information to security telemetry within a single platform. Metron can be divided into 4 areas: 1. A mechanism to capture, store, and normalize any type of security telemetry at extremely high rates. Because security telemetry is constantly being generated, it requires a method for ingesting the data at high speeds and pushing it to various processing units for advanced computation and analytics. 2. Real time processing and application of enrichments such as threat intelligence, geolocation, and DNS information to telemetry being collected. The immediate application of this information to incoming telemetry provides the context and situational awareness, as well as the “who” and “where” information that is critical for investigation. 3. Efficient information storage based on how the information will be used: 1. Logs and telemetry are stored such that they can be efficiently mined and analyzed for concise security visibility 2. The ability to extract and reconstruct full packets helps an analyst answer questions such as who the true attacker was, what data was leaked, and where that data was sent 3. Long-term storage not only increases visibility over time, but also enables advanced analytics such as machine learning techniques to be used to create models on the information. Incoming data can then be scored against these stored models for advanced anomaly detection. 4. An interface that gives a security investigator a centralized view of data and alerts passed through the system. Metron’s interface presents alert summaries with threat intelligence and enrichment data specific to that alert on one single page. Furthermore, advanced search capabilities and full packet extraction tools are presented to the analyst for investigation without the need to pivot into additional tools. Big data is a natural fit for powerful security analytics. The Metron framework integrates a number of elements from the Hadoop ecosystem to provide a scalable platform for security analytics, incorporating such functionality as full-packet capture, stream processing, batch processing, real-time search, and telemetry aggregation. With Metron, our goal is to tie big data into security analytics and drive towards an extensible centralized platform to effectively enable rapid detection and rapid response for advanced security threats. Some useful links: Metron (website) Metron wiki Metron Jira Metron Git Security threats aren’t going to assign themselves unique and immutable IDs. Which means they will be identified by characteristics and associated with particular acts (think associations), which are composed of other subjects, such as particular malware, dates, etc. Being able to robustly share such identifications (unlike the “we’ve seen this before at some unknown time, with unknown characteristics,” typical of Russian attribution reports) would be a real plus. Looks like a great opportunity for topic maps-like thinking. Yes? ### Scotland Yard Outsources Violation of Your Privacy Monday, April 24th, 2017 From the post: The existence of a secretive unit within London’s Metropolitan Police that uses hacking to illegally access the emails of hundreds of political campaigners and journalists has been revealed. At least two of the journalists work for the Guardian. Green Party representative in the British House of Lords, Jenny Jones, exposed the unit’s existence in an opinion piece in the Guardian. The facts she revealed are based on a letter written to her by a whistleblower. The letter reveals that through the hacking, Scotland Yard has illegally accessed the email accounts of activists for many years, and this was possible due to help from “counterparts in India.” The letter alleged that the Metropolitan Police had asked police in India to obtain passwords on their behalf—a job that the Indian police subcontracted out to groups of hackers in India. The Indian hackers sent back the passwords obtained, which were then used illegally by the unit within the Met to gather information from the emails of those targeted. Trevor covers a number of other points, additional questions that should be asked, the lack of media coverage over this latest outrage, etc., all of which merit your attention. From my perspective, these abuses by the London Metropolitan Police (Scotland Yard), are examples of the terrorism bogeyman furthering government designs against quarrelsome but otherwise ordinary citizens. Quarrelsome but otherwise ordinary citizens are far safer and easier to spy upon than seeking out actual wrongdoers. And spying justifies part of Scotland Yard’s budget, since everyone “knows” a lack of actionable intelligence means terrorists are hiding successfully, not the more obvious lack of terrorists to be found. As described in Trevor’s post, Scotland Yard, like all other creatures of government, thrives in shadows. Shadows where its decisions are beyond discussion and reproach. In choosing between supporting government spawned creatures that live in the shadows and working to dispel the shadows that foster them, remember they are not, were not and never will be “…on you side.” They have a side, but it most assuredly is not yours. ### Leaking Improves Security – Secrecy Weakens It Monday, April 24th, 2017 If you need a graphic for the point that leaking improves security – secrecy weakens it, consider this one: Ask your audience: Prior to the Shadow Brokers leak of the NSA’s DoublePulsar Malware, how many people were researching a counter to it? Same question, but substitute: After the Shadow Brokers leak …. As the headline says: Leaking Improves Security – Secrecy Weakens It. Image originates from: Over 36,000 Computers Infected with NSA’s DoublePulsar Malware by Catalin Cimpanu. Anyone who suggests otherwise wants you and others to be insecure. ### Anonymous Domain Registration Service [Update: 24 April 2017] Sunday, April 23rd, 2017 Pirate Bay Founder Launches Anonymous Domain Registration Service Does this sound anonymous to you? With Njalla, customers don’t buy the domain names themselves, they let the company do it for them. This adds an extra layer of protection but also requires some trust. A separate agreement grants the customer full usage rights to the domain. This also means that people are free to transfer it elsewhere if they want to. “Think of us as your friendly drunk (but responsibly so) straw person that takes the blame for your expressions,” Njalla notes. Njalla Perhaps I’m being overly suspicious but what is the basis for trusting Njalla? I would feel better if Njalla only possessed a key that would decrypt (read authenticate) messages as arriving from the owner of some.domain. Other than payment, what other interest do they have in an owner’s actual identity? Perhaps I should bump them about that idea. Update: On further inquiry, registration only requires an email or jabber contact point. You can handle being anonymous to Njalla at those points. So, more anonymous than I thought. ### ARM Releases Machine Readable Architecture Specification (Intel?) Saturday, April 22nd, 2017 ARM Releases Machine Readable Architecture Specification by Alastair Reid. From the post: Today ARM released version 8.2 of the ARM v8-A processor specification in machine readable form. This specification describes almost all of the architecture: instructions, page table walks, taking interrupts, taking synchronous exceptions such as page faults, taking asynchronous exceptions such as bus faults, user mode, system mode, hypervisor mode, secure mode, debug mode. It details all the instruction formats and system register formats. The semantics is written in ARM’s ASL Specification Language so it is all executable and has been tested very thoroughly using the same architecture conformance tests that ARM uses to test its processors (See my paper “Trustworthy Specifications of ARM v8-A and v8-M System Level Architecture”.) The specification is being released in three sets of XML files: • The System Register Specification consists of an XML file for each system register in the architecture. For each register, the XML details all the fields within the register, how to access the register and which privilege levels can access the register. • The AArch64 Specification consists of an XML file for each instruction in the 64-bit architecture. For each instruction, there is the encoding diagram for the instruction, ASL code for decoding the instruction, ASL code for executing the instruction and any supporting code needed to execute the instruction and the decode tree for finding the instruction corresponding to a given bit-pattern. This also contains the ASL code for the system architecture: page table walks, exceptions, debug, etc. • The AArch32 Specification is similar to the AArch64 specification: it contains encoding diagrams, decode trees, decode/execute ASL code and supporting ASL code. Alastair provides starting points for use of this material by outlining his prior uses of the same. Raises the question why an equivalent machine readable data set isn’t available for Intel® 64 and IA-32 Architectures? (PDF manuals) The data is there, but not in a machine readable format. Anyone know why Intel doesn’t provide the same convenience? ### Shortfall in Peer Respect and Accomplishment Saturday, April 22nd, 2017 I didn’t expect UK government confirmation of my post: Shortfall in Cypbersecurity Talent or Compensation? so quickly! I argued against the groundless claims of a shortage of cybersecurity talent in the face of escalating cybercrime and hacking statistics. If there were a shortage of cybersecurity talent, cybercrime should be going down. But it’s not. The National Crime Agency reports: The National Crime Agency has today published research into how and why some young people become involved in cyber crime. The report, which is based on debriefs with offenders and those on the fringes of criminality, explores why young people assessed as unlikely to commit more traditional crimes get involved in cyber crime. The report emphasises that financial gain is not necessarily a priority for young offenders. Instead, the sense of accomplishment at completing a challenge, and proving oneself to peers in order to increase online reputations are the main motivations for those involved in cyber criminality. Government agencies, like the FBI for example, are full of lifers who take their breaks at precisely 14:15 PM, have their favorite parking spots, play endless office politics, masters of passive-aggression, who make government and/or corporate work too painful to contemplate for young cybersecurity talent. In short, a lack of meaningful peer respect and a sense of accomplishment is defeating both government and private hiring of cybersecurity talent. Read Pathways Into Cyber Crime and evaluate how the potential young hires in there would react to your staff meetings and organizational structure. That bad? Wow, you are worse off than I thought. So, are you going to keep with your certificate-driven, cubicle-based, Dilbert-like cybersecurity effort? How’s that working out for you? You will have to take risks to find better solutions but you are losing already. Enough to chance a different approach? ### Shortfall in Cypbersecurity Talent or Compensation? Friday, April 21st, 2017 Federal effort is needed to address shortfall in cybersecurity talent by Mike McConnell and Judy Genshaft. If you want to get in on cybersecurity training scam business, there are a number of quotes you can lift from this post. Consider: Our nation is under attack. Every day, thousands of entities – private enterprises, public institutions and individual citizens—have their computer networks breached, their systems hacked and their data stolen, degraded or destroyed. Such critical infrastructure impacts the cyber-sanctity of our banking system and electric power grid, each vital to our national security. We believe systemically developing more skilled cybersecurity defenders is the essential link needed to protect our nation from ‘bad actors’’ who would exploit our vital systems. In its latest global survey, the Information Security Certification Consortium (ISC²) projects a cybersecurity talent shortfall of as much as 1.8 million professionals by 2022­­. This shortage in skilled cybersecurity professionals means that all data and digital systems are at risk. Closing the cyber talent gap will require sustained and concerted efforts of government, the private sector, and educational institutions at all levels. If you don’t already know that hacking increases every year, spend some time at: Hackmageddon. Or with any security report on hacking. Think about it. How does cybercrime keep increase during a shortfall of cybersecurity talent? Answer: It doesn’t. Plenty of cybersecurity talent, just a shortfall on one side of the picture. A “shortfall,” if you want to call it that, caused by low wages and unreasonable working conditions (no weed, even off the job). All calls for more cybersecurity talent emphasize being on the “right side,” protecting your country, the system, etc., all BS that you can’t put in the bank. If you want better cybersecurity, have aggressive compensation packages, very flexible working conditions. The talent is out there, it’s just not free. (Nor should it be.) ### Leak “Threatens Windows Users Around The World?” Thursday, April 20th, 2017 Really? Shadow Brokers leaking alleged NSA malware “threatens users around the world?” Hmmm, I would think that the NSA developing Windows malware is what threatens users around the world. Yes? Unlike the apparent industry concealment of vulnerabilities, the leaking of NSA malware puts all users on an equal footing with regard to those vulnerabilities. In a phrase, users are better off for the NSA malware leak than they were before. They know (or at least it has been alleged) that these leaked vulnerabilities have been patched in supported Microsoft products. By upgrading to those products, they can avoid these particular pieces of NSA malware. Leaking vulnerabilities enables users to avoid perils themselves, in this case by upgrading, and/or to demand patches from vendors responsible for the vulnerabilities. Do you see a downside I don’t? Well, aside from trashing the market for vulnerabilities and gelding security agencies, neither one of which I will lose any sleep over. ### Who Prefers Zero Days over 7 Year Old Bugs? + Legalization of Hacking Thursday, April 20th, 2017 “Who” is not clear but Dan Goodin reports in Windows bug used to spread Stuxnet remains world’s most exploited that: One of the Microsoft Windows vulnerabilities used to spread the Stuxnet worm that targeted Iran remained the most widely exploited software bug in 2015 and 2016 even though the bug was patched years earlier, according to a report published by antivirus provider Kaspersky Lab. In 2015, 27 percent of Kaspersky users who encountered any sort of exploit were exposed to attacks targeting the critical Windows flaw indexed as CVE-2010-2568. In 2016, the figure dipped to 24.7 percent but still ranked the highest. The code-execution vulnerability is triggered by plugging a booby-trapped USB drive into a vulnerable computer. The second most widespread exploit was designed to gain root access rights to Android phones, with 11 percent in 2015 and 15.6 percent last year. A market share of almost 25%, despite being patched in 2010, marks CVE-2010-2568 as one of the top bugs a hacker should have in their toolkit. Not to denigrate finding zero day flaws in vibrators and other IoT devices, or more exotic potential exploits in the Linux kernel but if you approach hacking as an investment, the “best” tools aren’t always the most recent ones. (“Best” defined as the highest return for mastery and use.) Looking forward to the legalization of hacking, unauthorized penetration of information systems, with civil and criminal penalties for owners of those systems who get hacked. I suggest that because hacking being illegal, has done nothing to stem the tide of hacking. Mostly because threatening people you can’t find or who think they won’t be found, is by definition, ineffectual. Making hacking legal and penalizing business interests who get hacked, is a threat against people you can find on a regular basis. They pay taxes, register their stocks, market their products. Speaking of paying taxes, there could be an OS upgrade tax credit. Something to nudge all the Windows XP, Vista, 7 instances out of existence. That alone would be the largest single improvement in cybersecurity since that because a term. Legalized, hackers would provide a continuing incentive (fines and penalties) for better software and more consistent upgrade practices. Take advantage of that large pool of unpaid but enthusiastic labor (hackers). ### Shadow Brokers Compilation Dates Wednesday, April 19th, 2017 ShadowBrokers EquationGroup Compilation Timestamp Observation From the post: I looked at the IOCs @GossiTheDog ‏posted, looked each up in virus total and dumped the compilation timestamp into a spreadsheet. To step back a second, the Microsoft Windows compiler embeds the date and time that the given .exe or .dll was compiled. Compilation time is a very useful characteristic of Portable Executable. Malware authors could zero it or change it to a random value, but I’m not sure there is any indication of that here. If the compilation timestamps are real, then there’s an interesting observation in this dataset. A very clever observation! Check time stamps for patterns! Enables an attentive reader to ask: 1. Where the Shadow Broker exploits stolen prior to 2013-08-22? 2. If no to #1, where are the exploits post 2013-08-22? Have dumps so far been far away lightning that precedes very close thunderclaps? Imagine compilation timestamps in 2014, 2015, or even 2016? Listen for Shadow Brokers to roar! ### More Leveling – Undetectable Phishing Attack Monday, April 17th, 2017 From the post: Browsers such as Chrome, Firefox, and Opera are vulnerable to a new variation of an older attack that allows phishers to register and pass fake domains as the websites of legitimate services, such as Apple, Google, eBay, and others. Discovered by Chinese security researcher Xudong Zheng, this is a variation of a homograph attack, first identified by Israeli researchers Evgeniy Gabrilovich and Alex Gontmakher, and known since 2001. This particular hack depends upon variant characters being available within one language set, which avoids characters from different languages (deemed phishing attempts). To make this work, you will need a domain name written using Punycode (RFC 3492), which enables the writing of Unicode in ASCII. There’s a task for deep learning, scanning the Unicode Code Charts for characters that are easy to confuse with ASCII characters. If you have a link to such results, ping me with it. ### Shadow Brokers Level The Playing Field Monday, April 17th, 2017 The whining and moaning from some security analysts over Shadow Broker dumps is a mystery to me. Apologies for the pie chart, but the blue area represents the widely vulnerable population pre-Shadow Brokers leak: I’m sorry, you can’t really see the 0.01% or less, who weren’t vulnerable pre-Shadow Brokers leak. Try this enlargement: Shadow Brokers, especially if they leak more current tools, are leveling the playing field for the average user/hacker. Instead of 99.99% of users being in danger from people who buy/sell zero-day exploits, some governments and corporations, now it is closer to 100% of all users who are in danger. Listen to them howl! Was was not big deal, since people with power could hack the other 99.99% of us, certainly is now a really big deal. Maybe we will see incentives for more secure software when everyone and I mean everyone is at equal risk. Help Shadow Brokers level the security playing field. A post on discovery policy for vulnerabilities promotes user equality. Do you favor user equality or some other social regime? ### The Line Between Safety and Peril – (patched) “Supported Products” Saturday, April 15th, 2017 Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. “It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.” News of the release has been fanned by non-technical outlets, such as CNN Tech, NSA’s powerful Windows hacking tools leaked online by Selena Larson. Microsoft has responded with: Protecting customers and evaluating risk: Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.  Code Name Solution “EternalBlue” Addressed by MS17-010 “EmeraldThread” Addressed by MS10-061 “EternalChampion” Addressed by CVE-2017-0146 & CVE-2017-0147 “ErraticGopher” Addressed prior to the release of Windows Vista “EsikmoRoll” Addressed by MS14-068 “EternalRomance” Addressed by MS17-010 “EducatedScholar” Addressed by MS09-050 “EternalSynergy” Addressed by MS17-010 “EclipsedWing” Addressed by MS08-067 Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering. … (emphasis in original) You are guaranteed to be in peril if you are not running patched, supported Microsoft products. Even if you are running a supported product, know that 50% of all vulnerabilities are from failure to apply patches. Unlike the hackers who may be in your system right now, liability of vendors for unreasonably poor coding practices or your company for data breaches caused by your practices, such as failure to apply patches, would be incentives for more secure software and better security practices. If you are serious about cybersecurity, focus on people you can reach and not those you encounter at random (hackers). ### Power to the User! + Pull Advertising Friday, April 14th, 2017 From the post: An ad blocker that uses computer vision appears to be the most powerful ever devised and can evade all known anti ad blockers. A team of Princeton and Stanford University researchers has fundamentally reinvented how ad-blocking works, in an attempt to put an end to the advertising versus ad-blocking arms race. The ad blocker they’ve created is lightweight, evaded anti ad-blocking scripts on 50 out of the 50 websites it was tested on, and can block Facebook ads that were previously unblockable. The software, devised by Arvind Narayanan, Dillon Reisman, Jonathan Mayer, and Grant Storey, is novel in two major ways: First, it looks at the struggle between advertising and ad blockers as fundamentally a security problem that can be fought in much the same way antivirus programs attempt to block malware, using techniques borrowed from rootkits and built-in web browser customizability to stealthily block ads without being detected. Second, the team notes that there are regulations and laws on the books that give a fundamental advantage to consumers that cannot be easily changed, opening the door to a long-term ad-blocking solution. … (emphasis in original) How very cool! Putting users in charge of the content they view. What a radical idea! Koebler does the required genuflection towards the “ethics” of blocking ads, but I see no “ethical” issue at all. IBM, Cisco, etc., are wasting their time and mine advertising enterprise scale security solutions to me. Promise. What’s broken is that advertisers, like telephone scammers, must contact millions of people to find those unlucky enough to answer the ad and/or phone. What if instead of a push advertising model we had pull advertising? For example, not this year but in a few years, I’m going to buy a new car. When that time comes, ads and offers on cars of certain types would be welcome. What if I could specify a time period, price range, model of car and for that relevant period of time, I get card ads, etc. Notice I have pre-qualified myself as interested, so the advertisers aren’t talking about hits out of millions but possibly thousands if not hundreds. Depends on how good their offers are. Or if generally I’m interested in books in particular categories or by particular authors? Or when cheese is on sale at Kroger? All of which I could pre-qualify myself. Pull advertising reduces the bandwidth wasted by advertisers who push content never knowing where a mark (sorry, customer) may be found. Such a system would need to protect the privacy of consumers, so they would not be pestered when they had not opted in for ads. But anonymous ad brokerage is certainly doable. (The opposite of finding a subject with topic maps is concealing it.) Interested in ending web-based spam/click-bait? ### Happy Easter From Shadow Brokers! Friday, April 14th, 2017 From the post: On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appears to be exploits and hacking tools targeting Microsoft’s Windows OS and evidence the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world. The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past. Called “Lost in Translation,” the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo. Cimpanu has a partial list of some of the more interesting hacking tools in the release. Encouragement to grab a copy of the archive for yourself. Assuming any, some or all of these tools are genuine, you can now start peeling banks, corporations and governments like eating an orange. The only thing that’s missing is you. Transparency anyone? ### MS Patch for Zero Day Leaves 56% Of Office Users Exposed Tuesday, April 11th, 2017 From the post: Microsoft on Tuesday released a patch for a zero-day vulnerability that was discovered late last week and used to spread the Dridex banking Trojan. Attacks were spreading via a massive spam campaign where emails contain Microsoft Word documents with malicious attachments that exploited a vulnerability in the way Microsoft handles OLE2Link objects. According to researchers, the attacks were effective at bypassing most mitigation efforts. Err, well, except that Tom goes on to say: However, Microsoft notes “you must have the release version of Service Pack 2 for Office 2010 installed on the computer” to apply the security update. Alternatively, security experts recommend blocking RTF documents in Microsoft Word via the File Block Settings in the Microsoft Office Trust Center. They also recommend using Microsoft Office Protected View, which they say can help prevent exploitation without user interaction. A highly unscientific survey of MS Office users at: http://www.msofficeforums.com/versionchart.php?mon=12, shows the patch leaves 56% of Office users vulnerable. Is that the total you get? Anyone spreading the Dridex malware need not despair about the MS patch. The majority of Office users remain unprotected. ### Pursuing Cybersecurity Wednesday, April 5th, 2017 Reading: should make you realize hunting and punishing hackers a very doubtful approach to improving cybersecurity. Even if flaws are fixed in software, users resist upgrading and in other cases, vulnerabilities persist over decades. To put it bluntly, the opportunities for hacking increase with every software release or patch. Hackers can be and are caught, then tried or plead out with great fanfare, but if security reports are to be credited, cybercrime continues to increase by leaps and bounds. Using a non-cybersecurity example, what if your locality had a burglary problem? Every month, as new homes are built, the burglary rates go up. Upon investigation you discover that builders are not putting locks on doors or windows of new homes. Your policy choices are: 1. Hire more police officers and step up patrols to catch burglars, or 2. Require builders to install and test locks on windows and doors. Option #1, like punishing hackers, requires you to catch the burglars first. A chancy proposition at best, even more so for hackers. The bottom line is you are catching and punishing a minuscule portion of the burglars or hackers. For our example, assume that burglaries continue to increase despite your high conviction rate. Option #2, well, builders are a lot easier to catch than burglars or hackers. They are selling a commercial product that depends upon repeat business so we can not only set requirements, we can also monitor if those requirements are being met. Setting the standards for legal liability for flaws in software won’t be easy, but consider that despite the liabilities imposed on pharmaceutical companies: Last year, five pharmaceutical companies made a profit margin of 20% or more – Pfizer, Hoffmann-La Roche, AbbVie, GlaxoSmithKline (GSK) and Eli Lilly. … (from Pharmaceutical industry gets high on fat profits) Ask your CFO when was the last time your company made a 20% profit, after liabilities and R&D, etc.? Vendors can compete to produce more secure software (less liability) or compete to race to market with insecure software (feeding hackers). Which approach do you think leads to greater cybersecurity overall? ### Targeting Tuesday: 600,000 Windows Server 2003 Installations Tuesday, April 4th, 2017 From the post: A vulnerability has been discovered in Windows Server 2003 running IIS6 by two security researchers at the South China University of Technology, but Microsoft said it won’t issue a patch even though up to 600,000 servers could be running the unsupported software. The researchers posted a proof-of-concept exploit for the zero-day to Github. The flaw is a zero-day buffer overflow vulnerability (CVE-2017-7269) which has been traced to an improper validation of an ‘IF’ header in a PROPFIND request. The researchers said it’s not a theoretical risk as the flaw was exploited in the wild in July or August 2016. It was disclosed to the public this week. “A remote attacker could exploit this vulnerability in the IIS WebDAV Component with a crafted request using PROPFIND method. Successful exploitation could result in denial of service condition or arbitrary code execution in the context of the user running the application,” said Virendra Bisht, a vulnerability researcher at Trend Micro. He added that other threat actors are now in the stages of creating malicious code based on the original proof-of-concept (PoC). No patch from Microsoft so this vulnerability will be around for quite some time. Long enough to test your skills at working from a PoC or a CVE (CVE-2017-7269) to develop working code. Test against your local Windows Server 2003 installation on a VM. If you are serious about security research, start collecting OS editions and their patches. Refresh your storage media on a regular schedule. ### Encouraging ATM Security Upgrades Monday, April 3rd, 2017 The cost of potential future losses from ATMs is baked into every bank fee. Good planning for banks because 95% of ATMs are still running Windows XP. The losses are coming, just not there, yet. Mail this image to your local bank, ditto for members of board of directors: I can’t promise your bank will upgrade its ATM software but pass any reduction in anticipated future costs along to you. However, the staff and directors are likely to give their Errors and Omission (E&O) policies a close review. 😉 Come to think of it, you should pass this along to any insurance agents selling E&O coverage. Great technique to drive their business and perhaps result in better security for banking customers. ### Eroding the Presumption of Innocence in USA Saturday, April 1st, 2017 You may be laboring under the false impression that people charged with crimes in the USA are presumed innocence until proven guilty beyond a reasonable doubt in a court of law. I regret to inform you that presumption is being eroded away. Kevin Poulsen has a compelling read in FBI Arrests Hacker Who Hacked No One about the case of Taylor Huddleston was arraigned on March 31, 2017 in the Federal District Court for the Eastern District of Virginia, docket number: 1:2017 cr 34. Kevin’s crime? He wrote a piece of software that has legitimate uses, such as sysadmins trouble shooting a user’s computer remotely. That tool was pirated by others and put to criminal use. Now the government wants to take his freedom and his home. Compare Kevin’s post to the indictment, which I have uploaded for your reading pleasure. There is a serious disconnect between Poulsen’s post and the indictment, as the government makes much out of a lot of hand waving and very few specifics. Taylor did obtain a Release on Personal Recognizance or Unsecured Bond, which makes you think the judge isn’t overly impressed with the government’s case. I would have jumped at such a release as well but I find it disturbing, from a presumption of innocence perspective, that the judge also required: My transcription: No access to internet through any computer or other data capable device including smart phones Remember that Taylor Huddleston is presumed innocence so how is that consistent with prohibiting him from a lawful activity, such as access to the internet? Simple response: It’s not. As I said, I would have jumped at the chance for a release on personal recognizance too. Judges are eroding the presumption of innocence with the promise of temporary freedom. Wishing Huddleson the best of luck and that this erosion of the presumption of innocence won’t go unnoticed/unchallenged. ### Wikileaks Marble – 676 Source Code Files – Would You Believe 295 Unique (Maybe) Friday, March 31st, 2017 Wikileaks released Marble Framework, described as: Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA. Effective leaking doesn’t seem to have recommended itself to Wikileaks. Marble-Framework-ls-lRS-devworks.txt, is an ls -lRS listing of the devworks directory. After looking for duplicate files and starting this post, I discovered entirely duplicated directories: Compare: devutils/marbletester/props with devutils/marble/props. devutils/marbletester/props/internal with devutils/marble/props/internal devutils/marbleextensionbuilds/Marble/Deobfuscators with devutils/marble/Shared/Deobfuscators That totals to 182 entirely duplicated files. In Marble-Framework-ls-lRS-devworks-annotated.txt I separated files on the basis of file size. Groups of duplicate files are separated from other files with a blank line and headed by the number of duplicate copies. I marked only exact file size matches as duplicates, even though files close in size could be the result of insignificant whitespace. After removing the entirely duplicated directories, there remain 199 duplicate files. With 182 files in entirely duplicated directories and 199 remaining duplicates brings us to a grand total of 381 duplicate files. Or the quicker way to say it: Vault 7 Marble — 295 unique source code files for the CIA’s secret anti-forensic Marble Framework. Wikileaks may be leaking the material just as it was received. But that’s very poor use of your time and resources. Leak publishers should polish leaks until they have a fire-hardened point. ### 4 Billion “Records” Leaked In 2016 – How Do You Define Record? Wednesday, March 29th, 2017 The IBM X-Force Treat Intelligence Index 2017 report leaves the impression hackers are cutting through security like a hot knife through butter: With Internet-shattering distributed-denial-of-service (DDoS) attacks, troves of records leaked through data breaches, and a renewed focus by organized cybercrime on business targets, 2016 was a defining year for security. Indeed, in 2016 more than 4 billion records were leaked, more than the combined total from the two previous years, redefining the meaning of the term “mega breach.” In one case, a single source leaked more than 1.5 billion records.1 (page 3) The report helpfully defines terms at page 3 and in the glossary (page 29) but never defines “record.” The 4 billion records “fact” will appear in security blogs, Twitter, business zines, mainstream media, all without asking: “What is a record?” Here are some things that could be records: • account, username, password • medical record (1 or more pages) • financial record (1 or more pages) • CIA document (1 or more pages) • Tax records (1 or more pages) • Offshore bank data (spreadsheet, 1 or more pages • Presentations (PPT, 1 or more pages) • Accounting records (1 or more pages) • Emails (1 or more pages) • Photos, nude or otherwise IBM’s “…4 billion records were leaked…,” is a marketing statement for IBM security services. Not a statement of fact. Don’t make your readers dumber by repeating IBM marketing slogans without critical comments. PS: I haven’t checked the other “facts” claimed in this document. The failure to define “record” was enough to discourage further reading. ### How Not To Lose A Community’s Trust Tuesday, March 28th, 2017 From the post: The author of the Nuclear Bot banking trojan has leaked the source code of his own malware in a desperate attempt to regain trust and credibility in underground cybercrime forums. Nuclear Bot, also known as NukeBot and more recently as Micro Banking Trojan and TinyNuke, is a new banking trojan that appeared on the malware scene in December 2016, when its author, a malware coder known as Gosya, started advertising it on an underground malware forum. According to Gosya's ad, this new banking trojan was available for rent and included several features, such as: • Formgrabber and Web-Injection modules (Firefox, Chrome, IE, and Opera) • A SOCKS proxy module • Remote EXE file launcher module • Hidden VNC module that worked on Windows versions between XP and 10 • Rootkit for 32-bit and 64-bit architectures • UAC bypass • Windows Firewall bypass • IBM Trusteer firewall bypass • Bot-killer – a mini anti-virus meant to remove all competing malware from the infected machine Subsequent analysis from both Arbor Networks and Sixgill confirmed the trojan's deadly features. In spite of these favorable reports, Gosya's Nuclear Bot saw little adoption among cybercrime gangs, as the malware's author miserably failed to gain their trust. See Catalin’s post for the most impressive list of social fails I have seen in years. Seriously. More importantly, for hacker and other forums, learn the local customs. Always. Enjoy! ### Hacking vs. Buying Passwords – Which One For You? Monday, March 27th, 2017 You remember the Dilbert cartoon on corporate security where the pointed haired boss asks what Dilbert would do if a stranger offered to buy company secrets. Dilbert responds asking how much is the stranger offering? See the strip for the boss’ answer and Wally’s follow up question. Danny Palmer reports the price point for employees who would sell their access, maybe less than you think. From the post: A cyberattack could cost an organisation millions, but an employee within your company might be willing to give an outsider access to sensitive information via their login credentials for under £200. According to a report examining insider threats by Forcepoint, 14 percent of European employees claimed they would sell their work login credentials to an outsider for £200. And the researchers found that, of those who’d sell their credentials to an outsider, nearly half would do it for less. That’s about$260.00 U.S. at today’s exchange rates.

Only you know your time and expense of hacking passwords and/or buying them on the dark web.

I suspect the price point is even lower in government agencies with unpopular leadership.

I haven’t seen any surveys of US employees, but I suspect employees of companies, suppliers, contractors, banks, etc., involved in oil pipeline construction are equally open to selling passwords. Given labor conditions in the US, perhaps even more so.

Not that anyone opposing a multi-generational environmental crime like an oil pipeline would commit a crime when there are so many lawful and completely ineffectual means to oppose it at hand.

PS: As recent CIA revelations demonstrate, the question isn’t if government will betray the public’s interest but when. The same is true for environmental, health and other concerns.

### Looking For Installed Cisco Routers?

Saturday, March 25th, 2017

News of 300 models of Cisco Catalyst switches being vulnerable to a simple Telnet attack, Cisco issues critical warning after CIA WikiLeaks dump bares IOS security weakness by Michael Cooney, for example, has piqued interest in installed Cisco routers.

You already know that Nmap can uncover and identify routers.

What you may not know is government hemorrhaging of IT information may be a useful supplement to Nmap.

Consider GovernmentBids.com for example.

You can search by federal government bid types and/or one or more of the fifty states. Up to 999 prior to the current date, for bids, which includes the bids as well as the winning vendor.

If you are routinely searching for IT vulnerability information, I would not begrudge them the \$131/month fee for full information on bids.

From a topic map perspective, pairing IT bid information with vulnerability reports, would be creative and valuable intelligence.

How much IT information is your office/department hemorrhaging?

### Attn: Zero-Day Hunters, ATMs Running Windows XP Have Cash

Friday, March 24th, 2017

Kimberly Crawley reprises her Do ATMs running Windows XP pose a security risk? You can bank on it! as a reminder that bank ATMs continue to run Windows XP.

Her post was three years old in February, 2017 and just as relevant as the first day of its publication.

Rather than passing even more unenforceable hacking legislation, states and congress should impose treble damages with mandatory attorney’s fees on commercial victims of hacking attacks.

Insecurity will become a cost center in their budgets, justifying realistic spending and demand for more secure software.

In the meantime, remember ATMs running Windows XP dispense cash.

### The New Handbook For Cyberwar Is Being Written By Russia

Wednesday, March 22nd, 2017

From the post:

One US intelligence officer currently involved in cyber ops said, “It’s not that the Russians are doing something others can’t do. It’s not as though, say, the US wouldn’t have the technical skill level to carry out those types of attacks. It’s that Russian hackers are willing to go there, to experiment and carry out attacks that other countries would back away from,” said the officer, who asked not to be quoted by name due to the sensitivity of the subject. “It’s audacious, and reckless. They are testing things out in the field and refining them, and a lot of it is very, very messy and some is very smart.”

Well, “…testing things out in the field and refining them…” is the difference between a potential weapon on a dry erase board and a working weapon in practice. Yes?

Personally I favor the working weapon in practice.

It’s an interesting read despite the repetition of the now debunked claim of Wikileaks releasing 8,761 CIA documents (Fact Checking Wikileaks’ Vault 7: CIA Hacking Tools Revealed (Part 1))

Frenkel of course covers the DNC hack:

The hack on the DNC, which US intelligence agencies have widely attributed to Russia, could be replicated by dozens of countries around the world, according to Robert Knake, a former director of cybersecurity policy in the Obama administration.

“Russia has laid out the playbook. What Russia did was relatively unsophisticated and something that probably about 60 countries around the world have the capability of doing — which is to target third parties, to steal documents and emails, and to selectively release them to create unfavorable conditions for that party,” Knake told the BBC’s Today. “It’s unsubtle interference. And it’s a violation of national sovereignty and customary law.”

Kanke reflects the failure of major powers to understand the leveling potential of cyberwarfare. Sixty countries? You think? How about every kid that can run a phishing scam to steal John Podesta’s password? How many? 600,000 maybe? More than that?

None of who care about “…national sovereignty and customary law.”

Are you going to write or be described in a chapter of the new book on cyberwar?