Another Word For It Patrick Durusau on Topic Maps and Semantic Diversity

Summary:

Claim 1: Stolen, signed security certificates, require a level of sophistication not observed outside nation-state cyber forces. (Bogus)

Claim 2: Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda. (Bogus)

The details:

Start with Hacking as Offensive Counterintelligence by John Schindler, which reads in part:

The IC is pointing the finger at China, tentatively, apparently at hacking entities that have a “close relationship” with Chinese intelligence. The case for official Chinese culpability is growing.

The “is growing” hyperlink takes us to a tweet by Bill Gertz (that got 8 retweets and 2 favorites) that reads:

Week in Cyber Threat Space: New technical details reveal PLA link to OPM hack http://flashcritic.com/technical-forensics-of-opm-hack-reveal-pla-links-to-cyber-attacks-targeting-americans/

Which takes us to: Technical forensics of OPM hack reveal PLA links to cyber attacks targeting Americans by Bill Gertz.

Evidence for Chinese groups being involved?

Sakula is a Remote Access Tool, or RAT, that employs the use of stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.

The domain names used by the hackers in the OPM attack included OPMsecurity.org and opm-learning.org.

Claim 1:

“…stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.”

Really?

A casual web search uncovers: Bogus AV program uses 12 stolen digital certificates to make the malware look legit by Jeremy Kirk.

Which reads in part:

The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued “by a number of different CAs to software developers in various locations around the world,” the company wrote.

The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.

Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish since hackers have to either breach an organization or an entity that issues the certificates.

One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating “that the malware’s distributors are regularly stealing new certificates, rather than using certificates from an older stockpile.

The claim that:

“…stolen, signed security certificates, a technique requiring a level of sophistication not observed outside nation-state cyber forces.”

is: BOGUS!

Claim 2:

Another method used by the Chinese in the OPM data breach was Mimikatz, software that allows remote users to learn network administrator log-in credentials through a relatively simple process.

“Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda,” said a security analyst familiar with details of the attack. “This allows the actors to dump password hashes, perform pass the hash and ‘golden ticket’ attacks in the victim environment.”

A “classic…of Deep Panda?”

Mimikatz is the latest, and one of the best, tool to gather credential data from Windows systems. In fact I consider Mimikatz to be the “swiss army knife” of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested).

From Mimikatz and Active Directory Kerberos Attacks by Sean Metcalf.

OK, I guess “classic” is the right term for a program that is (3 months on the Internet = 1 Web year) thirty-two (32) Web years old.

I don’t see any basis for claiming that Mimikatz is unique to “Deep Panda,” assuming “Deep Panda” is something other than marketing hype. Mimikatz is available from Github and is used by thousands if not tens of thousands of users.

The claim that:

“Mimikatz is a classic [tactics, techniques and procedures] of Deep Panda,”

is: BOGUS!

The article does have one useful bit of information related to the OPM hack:

The OPM hack involved the compromise of administrator-level access that allowed the hackers to download information, and potentially to alter or corrupt data within the system.

Do you remember item 4 on page 40 of the United States Office of Personnel Management, Agency Financial Report, 2014:

The password length setting for privileged user accounts did not meet minimum OPM password length requirements.

So the OPM hack did not occur because:

the group [was] among the most sophisticated state-sponsored cyber intrusion entities.

but rather because “privileged users” failed to “meet minimum OPM password length requirements.”

No nation states required for the OPM hack, just poorly skilled network administrators.

Five ways to spot a phishing email by Kevin Wright.

I know none of my readers really need this sort of reminder/advice but its a good summary to pass onto others.

Kevin’s list reads (see his post for details):

1. An odd from name/domain
2. Spelling and grammar
3. Over-the-top calls to action
4. Mismatched and masked links
5. A request for personal information

I am guessing from #2, Spelling and grammar, that Kevin hasn’t read many government reports or regulations. Few enough spelling errors but the grammar is atrocious. 😉

BTW, Kevin reports that the stats on phishing emails are grim:

Phishing emails are inexpensive to deploy, and a staggering 156 million are sent every day. Of these, 8 million are opened and 800,000 individuals click on the phishing links inside.

Or to update the alleged P.T. Barnum phrase, “There’s a sucker born every minute,” for the Internet Age:

There’s a sucker born every 0.108 seconds.

Debug like a doctor by Connor Mendenhall.

The crux of Connor’s post, which he then explains very well is:

Differential diagnosis is a systematic method used by doctors to match sets of symptoms with their likely causes. A good differential diagnosis consists of four distinct steps:

1. List all the observed symptoms.
2. List possible causes for the observed symptoms.
3. Rank the list of causes in order of urgency.
4. Conduct test to rule out causes in priority order.

You can contrast that with the FBI method of investigating data breaches:

1. Get incomplete/incoherent account of data loss, requiring data loss updates after months of investigation.
2. Leak to news media anonymous accusations that China is responsible for the data breach.

A lack of cybersecurity talent requires a coarsening of some steps of investigation but I think it has been taken too far. Take the Office of Personnel Management breach, where the estimate of data lose worsens day by day.

Take a tip from the big data people, start with the data and not with the result you want.

The original China Syndrone was a movie about a cover-up of safety hazards at a nuclear power plant, starring Jane Fonda, Michael Douglas, and Jack Lemmon. The idea was that if a nuclear reactor were to melt down, the molten core would be on its way to China, hence “China syndrone.”

There is a new “China Syndrone” that is the current darling of the U.S. government and its toady press following. The new “China Syndrone” blames China for every breach in cybersecurity in the United States, particular of U.S. government sites. The latest round of these specious accusations surround the 2015 data breach at the U.S. Office of Personnel Management.

The Wall Street Journal, was the first to repeat unsubstantiated claims by U.S. governments sources pointing at hackers in China as the source of the attack. From there it has flared into a general parroting contest in the media to see who can repeat the claim the most often. No one from the press it appears, has obtained any evidence to substantiate such a claim. Nor are they likely to since the hack was either months or a year ago (accounts differ).

Even more disturbing, CNN has reported as “news” the following eleven steps (the story headline says ten, but we already knew CNN has trouble with numbers beyond two) to hack the U.S. government:

1. Find Agency X
2. Spam
3. Get a federal worker to reply
4. Focus on Agency X
5. Find more points of entry
6. Spread
7. Discover vulnerabilities
8. Become an admin
9. Create new users
10. Exploit fake users
11. Avoid detection

And…

In April, the U.S. government learned of the ten-step plan to hack it. For two months, the federal government didn’t reveal the information publicly because they had not yet cleaned up the entire system. Nor did federal officials want the Chinese to know they were onto them.

Really? And this “ten step” plan differs from hacking anyone else how? I suspect this is representative of the level of government understanding of cybersecurity. Now you know why the U.S. government is cyberinsecure. Yes?

Did you know that for at least the past two years that privileged users at OPM have not followed rules on password length? Or that staff who no longer work at the agency may still have valid access to data? Or that users may have greater access than necessary for their positions? See U.S. Office of Personnel Management Data Breach for details and sources.

Here’s a five step plan to hack the OPM:

1. Locate likely privileged user on LinkedIn or other social network site. (count on LinkedIn today is over 3,000)
2. Locate network address for OPM login
3. Brute force short password
4. Exploit user’s access
5. Avoid detection

Or if that seems like too much work:

1. Locate likely privileged user on LinkedIn or other social network site. (count on LinkedIn today is over 3,000)
2. Steal user’s laptop
3. Use password save in browser to login the OPM network
4. Exploit user’s access
5. Avoid detection

Either way works.

You don’t have to be a nation state to breach U.S. government security and pretending otherwise annoys potential friends (China) and prevents us from addressing known security issues. Like management incompetence at OPM. How difficult is it to enforce password restrictions. If a privileged user can’t logon because they can use a secure password, then you know they have outlived their usefulness at the agency.

PS: China or at least hackers in China could have been responsible for the OPM hack but then anything is possible. Saving face instead of addressing management and security issues is a very poor cybersecurity strategy.

Have you heard the story about the couple who celebrated their 50th wedding anniversary at an elegant restaurant with their three sons? The father was chagrined to find that none of the sons had given them presents for the occasion. After the meal was over, the father said: “There’s something your mother and I have been meaning to tell you for years. We were never married.” The sons gasped and the youngest son blurted: “You mean we are all bastards?” “Yes,” said the father, “and cheap ones too!”

That story came to mind when I read the Telsa bug bounty program award list:

• XSS: $200–$500

• CSRF: $100–$500

• SQL: $500–$1,000

• Command injection: $1,000

• Business logic issues: $100–$300

• Horizontal privilege escalation: $500

• Vertical privilege escalation: $500–$1,000

• Forceful browsing/Insecure direct object references: $100–$500

• Security misconfiguration: Up to $200

• Sensitive data exposure: Up to $300

Given the education, experience, training, expertise, equipment, resources needed to be a first class hacker, how are you going to make a living at $300 for “sensitive data exposure?”

A hack may only take you a few seconds but it isn’t like you are doing piece work in a garment factory. The time it takes to perform a hack shouldn’t be the measure for payment.

If you are seriously interested in improving cybersecurity, unlike the leadership at the U.S. Office of Personnel Management, then don’t be a “cheap bastard,” when it comes to cybersecurity. If that seems unclear, you know where to find me for further details.

‘prevent encryption above all else’ by Andrea Peterson.

From the post:

The debate over encryption erupted on Capitol Hill again Wednesday, with an FBI official testifying that law enforcement’s challenge is working with tech companies “to build technological solutions to prevent encryption above all else.”

At first glance the comment from Michael B. Steinbach, assistant director in the FBI’s Counterterrorism Division, might appear to go further than FBI Director James B. Comey. Encryption, a technology widely used to secure digital information by scrambling data so only authorized users can decode it, is “a good thing,” Comey has said, even if he wants the government to have the ability get around it.

But Steinbach’s testimony also suggests he meant that companies shouldn’t put their customers’ access to encryption ahead of national security concerns — rather than saying the government’s top priority should be preventing the use of the technology that secures basically everything people do online.

That seems plain enough doesn’t it?

BTW, Michael Steinbach isn’t just a name in a report. He can be identified with this photo:

The picture in Andrea’s post is much more recent but probably also subject to copyright restrictions. I got mine off the FBI website at: http://www.fbi.gov/about-us/executives/steinbach.

Whatever the government says, the goal is to leave you ripe for the rape of identification measures. And that’s only the beginning.

Wikipedia reports the weapon systems of the Lockheed Martin F-35 Lightning II as follows:

• GAU-22/A, a four-barrel version of the 25 mm GAU-12 Equalizer cannon
• AIM-9X Sidewinder
• AIM-132 ASRAAM short-range air-to-air missiles
• AIM-120 AMRAAM BVR AAM
• Storm Shadow cruise missile
• AGM-158 Joint Air to Surface Stand-off Missile (JASSM) cruise missile
• Guided bombs
• air-to-surface missiles
• Joint Direct Attack Munition (JDAM)
• Paveway series of bombs
• Joint Standoff Weapon (JSOW)
• Brimstone anti-tank missiles
• cluster munitions (Wind Corrected Munitions Dispenser
• B61 nuclear bombs (2)
• Solid-state lasers
• High Speed Strike Weapon

Not all options are available on any one flight.

Sean Lyngaas reports in Untold lines of code make Pentagon weapons vulnerable:

Weapons systems remain vulnerable to hacking despite the billions of dollars the Defense Department spends annually on cybersecurity, Pentagon officials have acknowledged. Frank Kendall, the department’s top acquisition official, is taking a stab at the problem through his latest round of guidance, but he appears to be up against formidable foes in the scope of the threat and the cost of addressing it.

There are nine million lines of code in the F-35 joint strike fighter jet, plus 15 million lines in support systems, according to Richard Stiennon, chief research analyst at IT-Harvest. Cleaning up all the code in the weapons systems being produced for DOD would cost hundreds of billions of dollars alone, reckoned Stiennon, who is writing a book on cyber warfare. “In other words, if we ever go to war with a sophisticated adversary, or have a battle, they could pull out their cyber weapons and make us look pretty foolish,” he said.

…

Stiennon of IT-Harvest said cyber vulnerabilities have been baked into the defense acquisition system. “The Pentagon made a mistake common to many manufacturers,” he wrote in an op-ed in November 2014. “They assumed that because their systems were proprietary and distribution was controlled there would be no hacking, no vulnerabilities discovered, and no patch-management cycles to fix them. This is security by obscurity, an approach that always fails over time.”

Let’s see, 9 million lines of code in the F-35 plus 15 million in support systems, what, 24 million lines of code?

Is anyone giving odds on the first zero-day bug being a buffer overflow condition?

Welcome to the Internet of Things! Where potentially hackable things include the F-35 with the weapons systems listed above.

The data scientists keep wailing about a shortage of data scientists. Much more likely to have a shortage of cracker talent.

Better to break an F-35 yourself while it is sitting on the ground, unarmed, that for that to happen in the air while carrying a nuke.

Top cracker talent is going to start attracting baseball like salaries. What did they used to say: “The future is so bright I have to wear shades?”

PS: You do realize that cracking an F-35 without permission of its owner and/or as part of a country’s military is likely a crime in most jurisdictions? Just checking.

Editorial correction:

The original lead sentence read:

The Wikipedia article Lockheed Martin F-35 Lightning II reports that you could gain control over:

which to one close reader implied that Wikipedia stated that hacks of an F-35 would give control over the weapons systems listed.

To clarify that the only reliance on Wikipedia was for the list of weapons systems, the lead sentence now reads:

Wikipedia reports the weapon systems of the Lockheed Martin F-35 Lightning II as follows:

I amended the paragraph that starts: “Welcome to the Internet of Things!” to read:

Welcome to the Internet of Things! Where potentially hackable things include the F-35 with the weapons systems listed above.