Monday, April 13, 2015

Example of Chinese Military Converging on US Military

We often hear of vulnerabilities in the US military introduced by net-centric warfare and a reliance on communications network. As the Chinese military modernizes, it will introduce similar vulnerabilities.

I found another example of this phenomenon courtesy of Chinascope:

PLA Used its Online Purchasing Website for its First Online Purchase

Written by LKY and AEF   

Xinhua reported that on, April 7, the PLA announced that five manufacturers won the bidding, totaling 90 million yuan (US$14.48 million), to supply general and maintenance equipment to the PLA. The article said that these were the first purchase orders that the PLA received since it launched its military equipment purchasing website in January. The site is at http://www.weain.mil.cn/. 

The PLA claimed that it saved close to 12 million yuan (US$1.93 million) compared to the list price. The purchase order consisted of items such as containers for maintenance equipment and tools, gas masks, carrier cases, and army field lighting. The article said that the PLA equipment purchasing website was launched on January 4. On February 25, the PLA General and Maintenance department made a public announcement on the website calling for bids. On March 19, the public bidding was held at Ordnance Engineering College in Shijiazhuang City of Hebei Province. 

Over 20 manufacturers submitted bids and 5 of them, including some privately owned companies, won the bidding.

Source: Xinhua, April 12, 2015
http://news.xinhuanet.com/info/2015-04/12/c_134143641.htm

(emphasis added)

You can imagine the sorts of opportunities this story presents to adversaries, including impersonating the Chinese Web site, phishing either party (supplier or purchaser), and so on.

I expect other militaries to introduce similar vulnerabilities as they modernize, presenting more opportunities for their adversaries.

Network Security Monitoring Remains Relevant

Cylance blogged today about a Redirect to SMB problem found in many Windows applications. Unfortunately, it facilitates credential theft. Steve Ragan wrote a good story discussing the problem. Note this issue does not rely on malware, at least not directly. It's a problem with Microsoft's Server Message Block protocol, with deep historical roots.

(Mitigating Service Account Credential Theft on Windows [pdf] is a good paper on mitigation techniques for a variety of SMB problems.)

Rather than discussing the technical problem, I wanted to make a different point. After reading about this technique, you probably want to know when an intruder uses it against you, so you can see it and preferably stop it.

However, you should be wondering if an intruder has already used it against you.

If you are practicing network security monitoring (described most recently in my newest book), then you should already be collecting network-based evidence of this attack.

  • You could check session data and infer that outbound traffic on using traditional SMB ports like 139 or 445 TCP are likely evidence of attack. 
  • You could review transaction data for artifacts of SMB traffic, looking for requests and replies. 
  • Best of all, you could review full content data directly for SMB traffic, and see exactly what happened. 

Whenever you see a discussion of a new attack vector, you will likely think "how do I stop it, or at least see it?"

Don't forget to think about ways to determine if an attacker has already used it against you. Chances are that certain classes of intruders have been exercising it for days, weeks, months, or perhaps years before it surfaced in the media.

PS: This post may remind you of my late 2013 post Linux Covert Channel Explains Why NSM Matters.

Sunday, April 12, 2015

Please Support OpenNSM Group

Do you believe in finding and removing intruders on the network before they cause damage? Do you want to support like-minded people? If you answered "yes," I'd like to tell you about a group that shares your views and needs your help.

In August 2014, Jon Schipp started the Open (-Source) Network Security Monitoring Group (OpenNSM). Jon is a security engineer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. In his announcement on the project's mailing list, Jon wrote:

The idea for this group came from a suggestion in Richard Bejtlich's most recent book, where he mentions it would be nice to see NSM groups spawn up all over much like other software user groups and for the same reasons.

Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. It is an operational campaign supporting a strategy of identifying and removing intruders before they accomplish their mission, thereby implementing a policy of minimizing loss due to intrusions. At the tactical and tool level, NSM relies on instrumenting the network and applying hunting and matching to find intruders.

Long-time blog readers know that I have developed and advocated NSM since the late 1990s, when I learned the practice at the Air Force Computer Emergency Response Team (AFCERT).

I am really pleased to see this group holding weekly meetings, which are available live or as recordings at YouTube.

The group is seeking funding and sponsorship to build a NSM laboratory and conduct research projects. They want to give students and active members hands-on experience with NSM tools and tactics to conduct defensive operations. They outline their plans for funding in this Google document.

I decided to support this group first as an individual, so I just donated $100 to the cause. If you are a like-minded individual, or perhaps represent an organization or company, please consider donating via GoFundMe to support this OpenNSM group and their project. You can also follow them @opennsm and Facebook, and check out their notes at code at GitHub. Thank you!

Friday, March 27, 2015

The Attack on GitHub Must Stop

For many years, private organizations in the West have endured attacks by the Chinese government, its proxies, and other parties. These intruders infiltrated private organizations to steal data. Those not associated with the targeted organizations were generally not directly affected.

Today an action by the Chinese government is affecting millions of users around the world. This is unacceptable.

You may be aware that an American technology company, GitHub, is suffering a massive distributed denial of service attack, at the time of writing.

According to Insight Labs, Internet traffic within China is being manipulated, such that users are essentially attacking GitHub. They are unwittingly requesting two sites hosted by GitHub. The first is a mirror of the Chinese edition of the New York Times (blocked for several years). The other is a mirror of the GreatFire.org Web site, devoted to discovering and exposing Internet filtering by China's "Great Firewall."

As noted in this Motherboard story, it's unlikely a party other than the Chinese government could sustain this attack, given the nature of the traffic injection within the country's routing infrastructure. Even if somehow this is not a state-executed or state-ordered attack, according to the spectrum of state responsibility, the Chinese government is clearly responsible in one form or another.

It is reprehensible that the censorship policies and actions of a nation-state are affecting "over 3.4 million users and with 16.7 million repositories... the largest code host in the world." (Source)

The Chinese government is forcing GitHub to expend its private resources in order to continue serving its customers. I call on the US government, and like-minded governments and their associates, to tell the Chinese to immediately stop this activity. I also believe companies like IBM, who are signing massive IT deals with "Chinese partners," should reconsider these associations.

Tuesday, March 24, 2015

Can Interrogators Teach Digital Security Pros?

Recently Bloomberg published an article titled The Dark Science of Interrogation. I was fascinated by this article because I graduated from the SERE program at the US Air Force Academy in the summer of 1991, after my freshman year there. SERE teaches how to resist the interrogation methods used against prisoners of war. When I attended the school, the content was based on techniques used by Korea and Vietnam against American POWs in the 1950s-1970s.

As I read the article, I realized the subject matter reminded me of another aspect of my professional life.

In intelligence, as in the most mundane office setting, some of the most valuable information still comes from face-to-face conversations across a table. In police work, a successful interrogation can be the difference between a closed case and a cold one. Yet officers today are taught techniques that have never been tested in a scientific setting. For the most part, interrogators rely on nothing more than intuition, experience, and a grab bag of passed-down methods.

“Most police officers can tell you how many feet per second a bullet travels. They know about ballistics and cavity expansion with a hollow-point round,” says Mark Fallon, a former Naval Criminal Investigative Service special agent who led the investigation into the USS Cole attack and was assistant director of the federal government’s main law enforcement training facility. “What as a community we have not yet embraced as effectively is the behavioral sciences...”

Christian Meissner, a psychologist at Iowa State University, coordinates much of HIG’s research. “The goal,” he says, “is to go from theory and science, what we know about human communication and memory, what we know about social influence and developing cooperation and rapport, and to translate that into methods that can be scientifically validated.” Then it’s up to Kleinman, Fallon, and other interested investigators to test the findings in the real world and see what works, what doesn’t, and what might actually backfire.

Does this sound familiar? Security people know how many flags to check in a TCP header, or how many bytes to offset when writing shell code, but we don't seem to "know" (in a "scientific" sense) how to "secure" data, networks, and so on.

One point of bright light is the Security Metrics community. The mailing list is always interesting for those trying to bring counting and "science" to the digital security profession. Another great project is the Index of Cyber Security run by Dan Geer and Mukul Pareek.

I'm not saying there is a "science" of digital security. Others will disagree. I also don't have any specific recommendations based on what I read in the interrogation article. However, I did resonate with the article's message that "street wisdom" needs to be checked to see if it actually works. Scientific methods can help.

I am taking small steps in that direction with my PhD in the war studies department at King's College London.

Monday, March 02, 2015

Why Would Iran Welcome Western Tech?

I noticed an AFP story posted by Al Jazeera America titled Iran could allow in Google, other tech companies if they follow rules. It included the following:

Iran could allow Internet giants such as Google to operate in the the country if they respect its "cultural" rules, Fars news agency said on Sunday, quoting a senior official.

"We are not opposed to any of the entities operating in global markets who want to offer services in Iran," Deputy Telecommunications and Information Technology Minister Nasrollah Jahangard reportedly told Fars.

"We are ready to negotiate with them and if they accept our cultural rules and policies they can offer their services in Iran," he said.

Jahangard said Iran is "also ready to provide Google or any other company with facilities" that could enable them to provide their services to the region.


These statements caught my eye because they contrast with China's actions, in the opposite direction. For example, on Friday the Washington Post published China removes top U.S. tech firms from government purchasing list, which said in part:

China has dropped several top U.S. technology companies, including Cisco and Apple, from a list of brands that are approved for state purchases, amid a widening rift with the United States about cyberspace...

Other companies dropped included Apple, Intel’s McAfee security software firm, and network and server software company Citrix Systems. Hewlett-Packard and Dell products remained on the list.

“The main reason for dropping foreign brands is out of national security. It’s the effect of Snowden and PRISM,” said Mei Xinyu, a researcher with the Ministry of Commerce. “When it comes to national security, no country should let their guard down.”

So why would Iran "let their guard down," to use Mei Xinyu's suggestion?

It's possible Iran is trying to encourage a favorable resolution to the nuclear power negotiations currently underway. I don't think its stance on technology is going to move the negotiations one way or another, however.

It's more likely that Iran recognizes that it lacks the sorts of national champions found in China. Iran isn't at the point where a local version of Cisco or Apple could replace the American brands. China, in contrast, has Huawei and ZTE for telecoms and Xiaomi (and others) for smartphones.

Iran might also be smart enough to realize that American brands could be the "safest" and most "secure" brands available, given the resistance of American tech companies to perceptions that they work on behalf of the US intelligence community.

At the New America cyber event last week, Bruce Schneier noted that the Cold War mission of the NSA was to "attack their stuff, and defend our stuff." However, when we "all use the same stuff," it's tougher for the NSA to follow its Cold War methodology.

I stated several times last week in various locations that countries like China who adopt their own national tech champions are essentially restoring the Cold War situation. If China rejects American technology, and runs its own, it will once again be possible for the NSA to "attack their stuff, and defend our stuff."

In that respect, I encourage the Chinese to run their own gear.

Thursday, February 19, 2015

Boards Not Briefed on Strategy?

I'd like to make a quick note on strategy, after reading After high-profile hacks, many companies still nonchalant about cybersecurity in the Christian Science Monitor today. The article says:

In a survey commissioned by defense contractor Raytheon of 1,006 chief information officers, chief information security officers, and other technology executives, 78 percent said their boards had not been briefed even once on their organization’s cybersecurity strategy over the past 12 months...

The findings are similar to those reported by PricewaterhouseCoopers in its Global State of Information Security Survey last year in which fewer that 42 percent of respondents said their board actively participates in overall security strategy.

Does this worry you? Do you want to introduce strategic thinking into your board discussion? If the answer is yes, consider these resources.

1. Check out my earlier blog posts on strategy, especially the first two articles.

2. Watch the keynote I delivered at ArchC0n last year. My section starts around 8:30.

3. For those who want to apply strategic thought to network security monitoring, I addressed that in a Webcast for O'Reilly last year.

At the end of the day, we need to be talking in strategic terms with business leaders, not technical terms. They are not having the conversations they need, and too few of us know how to speak a language that aligns with their interests and goals.

We need to convince boards and CxOs that we are understand their goals, and that security teams are implementing the correct strategy and running the right campaigns to achieve business objectives. We should not be talking to them about the tactics and tools to support the strategy and campaigns. Sell executives on your strategy, not your technical knowledge.

Elevating the Discussion on Security Incidents

I am not a fan of the way many media sources cite "statistics" on digital security incidents. I've noted before that any "statistic" using the terms "millions" or "billions" to describe "attacks" is probably worthless.

This week, two articles on security incidents caught my attention. First, I'd like to discuss the story at left, published 17 February in The Japan Times, titled Cyberattacks detected in Japan doubled to 25.7 billion in 2014. It included the following:

The number of computer attacks on government and other organizations detected in Japan doubled in 2014 from the previous year to a record 25.66 billion, a government agency said Tuesday.

The National Institute of Information and Communications Technology used around 240,000 sensors to detect cyberattacks...

Among countries to which perpetrators’ Internet Protocol addresses were traced, China accounted for the largest share at 40 percent, while South Korea, Russia and the United States also ranked high.

NICT launched a survey on cyberattacks in Japan in 2005, when the number of such incidents stood at around 310 million. The number rose to about 5.65 billion in 2010 and to 7.79 billion in 2012.

25.66 billion "computer attacks"? That seems ridiculous at first glance. Based on observations from "around 240,000 sensors," that's over 100,000 "attacks" per sensor per year, or nearly 300 per sensor per day. That still seems excessive, although getting closer to an order of magnitude that might make sense.

You might find the trend line more interesting, i.e., 310 million to 5.65 billion to 7.79 billion to 25.66 billion. However, it is important to adjust for increased visibility at each point. I doubt that 240,000 sensors were operating prior to 2014.

(On a secondary note, I'm not thrilled by the section saying that Chinese IP addresses accounted for 40% of the "attacks." While that may be a "fact," it doesn't say anything by itself that helps with attribution.)

Nevertheless, talking about individual "attacks," especially when counting them discretely, is outmoded thinking, in my opinion. "Attacks" could include anything from transmitting a TCP segment to a specific port, to attempting SQL injection on a Web site, to sending a phishing email.

If properly defined, "attacks" become somewhat interesting, but their value as indicators should extend beyond being simple atomic events.

I was much more encouraged by the second article, at right, published 18 February by Reuters, titled Lockheed sees double-digit growth in cyber business. It included the following:

[Chief Executive Officer Marillyn] Hewson told the company's annual media day that Lockheed had faced 50 "coordinated, sophisticated campaign" attacks by hackers in 2014 alone, and she expected those threats to continue growing.

The use of the term "campaign" is significant here. Campaign aligns with the operational level of war, between Tactics and Strategy. (Tactics are employed as actions at the individual battle or skirmish level, while Strategy describes matching ways and means to achieve specific ends. See my posts on strategy for more.)

Campaigns are sets of activities pursued over days, weeks, months, and even years to accomplish strategic and policy goals. The term campaign indicates purpose, applied over an extended period of time. When the LM CEO speaks in these terms, she shows that her security team is thinking at an advanced level, likely aligning campaigns with specific threat actors and motives.

When a CEO talks about 50 campaigns, she can have a more meaningful discussion with the executives and board. She can talk about threat actors behind the campaigns, what happened during each campaign, and how the team detected and responded to them. The term Campaign also matches well with business operations; think of "marketing campaigns," "sales campaigns," etc.

I would very much like to see security teams, officials, and others think and talk about campaigns in the future, and place statistics on "attacks" in proper context. Note that some threat researchers talk about campaigns when they write reports on adversary activity, so that is a good sign already.

Saturday, February 14, 2015

Five Reasons Digital Security Is Like American Football

Butler's Interception (left) Made Brady's Touchdowns (right) Count
In Kara Swisher's interview on cyber security with President Obama, he makes the following comment:

"As I mentioned in the CEO roundtable, a comment that was made by one of my national security team — this is more like basketball than football in the sense that there’s no clear line between offense and defense. Things are going back and forth all the time,” he said.

I understand why someone on the President's national security team would use a basketball analogy; we all know the President is a big hoops fan. In this post I will take exception with the President's view, although I am glad he is involved in this topic.

The following are five reasons why digital security is like American football, not basketball.

1. Different groups of athletes play offense, defense, and special teams in football. It is rare to see a single player appear on more than one squad. (It does happen, though. Julian Edelman is a punt returner and wide receiver. JJ Watt has caught touchdowns a few times. And so on...) In basketball, five players are on the court, and they play both offense and defense. In digital security, it is exceptionally rare to find professionals who routinely work offensive and defensive operations. I recommend that they do, but daily life is generally not a mix of these disciplines. Digital security pros are more like American football players due to these groupings of expertise.

2. Digital security is highly specialized. There are simply too many areas of expertise to expect any single person to master more than one aspect. This is true within American football. It is rare for a player to routinely fill multiple positions, whether on the offense or defense. A few athletes come to mind, like Kordell Stewart, but they are exceptions. Basketball has positions and specialties as well, but they are not as distinct as football.

3. Lines and direction of activity in digital security are more like American football than basketball. It is rare for defenders to "score points," compared to the points scored by the offense. This is true for digital security and American football. Basketball, like ice hockey, is much more fluid, with the flow of play going back and forth. Now, some players in basketball and hockey are more offensive-minded than defensive minded, and vice-versa, but the idea of the "defense" scoring points against the "offense" doesn't really make sense in those sports.

Sources: Business Insider, Arizona Cardinals
4. Digital security is really complicated. Similarly, American football is extremely complicated compared to basketball. There are 22 players on the field compared to 10, for starters. I found examples of real NFL plays from an old copy of the Arizona Cardinals playbook. It reminds me of the gyrations an intruder might have execute in order to accomplish his mission. Obviously basketball has plays, but they are not as intricate as those in football.

5. Digital security involves progression across territory, in a manner more like football than basketball. Most of the action in a basketball game occurs in either team's half-court. In football, teams spend time across most of the field. This reminds me more of the progression of actions that must take place for an intruder to accomplish his mission.

Now, those of you with long memories of this blog may remember my 2006 post Digital Security Lessons from Ice Hockey. In that story I emphasized the benefits of "being well-rounded..." having "knowledge and capability in offense and defense." I still advocate that position, but I recognize that it is really tough to achieve it.

Those with slightly longer memories may remember my 2005 post Soccer-Goal Security, showing a player kicking the ball into a goal, while the goalie looks elsewhere. The point of that post was to focus one's defense on actual attacks, not theoretical concerns.

Bejtlich's Mandiant Helmet
My hope with this post is to offer a counter-example to the views of the President and some of his staff. As with all analogies, they are open to interpretation, and some fail more quickly and spectacularly than others. Please try not to get too twisted out of shape or take offense. It's only a game, and this is only a blog post.

Given that we used to get football helmets at Mandiant, you might have predicted this post...


Learning the Tufte Way to Present Information

Source: The Economist, 31 Jan 2015

TaoSecurity Blog readers know I am a fan of Edward Tufte. When I see a diagram that I believe captures the tenets of his philosophy of presenting information, I try to share it with readers.

Two weeks ago in its 31 January 2015 edition, The Economist newspaper published Saudi Arabia: Keeping It in the Family. The article discussed the ascension of King Salman to the Saudi crown. The author emphasized the advanced age of Saudi kings since the founding of the monarchy in 1932.

To make the point graphically, the article included the graphic at left. It captured the start and end of the reigns of the monarchs, their ages at the beginning and end of their reigns, and the median age of the population.

Readers are able to quickly compare the duration of each monarch's reign, the monarch's ages, and the trend toward older monarchs. Readers can see the traditional widening gap in ages of rulers compared to the population, as well as the recent closing of that gap as the population becomes slightly older.

I would have preferred to have seen King Abdel Aziz, founder of Saudi Arabia, included beyond the abbreviated line and asterisk. Perhaps the sources for the image didn't include median population age prior to 1950?

Nevertheless, this is an excellent example of a Tufte-esque graphic, in my opinion.

I strongly recommend attending Tufte's one-day class, which will occur in the DC area at the end of March.