Saturday, September 29, 2012

Netanyahu Channels Tufte at United Nations

This is not a political blog, and I don't intend for this to be a political post.

I recently watched Israeli Prime Minster Benjamin Netanyahu's speech to the United Nations on Thursday. I watched it because I am worried about Iran's nuclear weapons program and the Iranian security situation, to be sure.

However, what really intrigued me was the red line he actually drew on a diagram, in front of the United Nations. In the video I linked, it takes place at approximately the 26 minute mark. The screen capture at left shows this event.

The reason this caught my attention was that it reminded me of the Best Single Day Class Ever, taught by Edward Tufte. I attended his class in 2008 and continue to recommend it.

I've since blogged about Tufte on several occasions.

Netanyahu's action, to me, seems like pure Tufte. The primary goal of his speech was to tell Iran, and the world, that Israel is setting a "red line" involving Iran's nuclear weapons program. To show that, he literally drew a red line on a diagram representing Iranian progress on uranium enrichment.

Now, there's some confusion about what that red line really means. The point is that people are talking about the red line, and that means Netanyahu at least partially achieved his goal.

This is the take-away for those of us who speak in public: rather than develop Yet Another PowerPoint presentation, determine 1) what message you want your audience to remember, and then 2) figure out how you can escape from flat land to grab your audience's attention.

If you want to learn more about these techniques, take Tufte's course!

You can read a transcript of the speech as well as see the video. Besides the red line segment, I thought it was a powerful speech. I'm convinced that unless Iran changes course, Israel will disable Iran's uranium enrichment capability.

Friday, September 28, 2012

Celebrate Packt Publishing's 1000th Title

I'm pleased to announce a special event involving Packt Publishing. The company told me, as a way to celebrate their 1000th title, that those who have registered at https://www.packtpub.com/login by 30 September will receive one free e-book. To help you make your choice, Packt is also opening its online library for a week for free to members.

I'm interested in two recent titles:

Metasploit Penetration Testing Cookbook by Abhinav Singh

Advanced Penetration Testing for Highly-Secured Environments by Lee Allen

In a few months a third book will arrive:

BackTrack 5 Cookbook

At this point I don't have personal experience with any of these titles, but I plan to take a look.

Thank you Packt for sharing part of your library with us!

Wednesday, September 26, 2012

Top Ten Ways to Stir the Cyber Pot

I spent a few minutes just now thinking about the digital security issues that people periodically raise on their blogs, or on Twitter, or at conferences. We constantly argue about some of these topics. I don't think we'll ever resolve any of them.

If you want to start a debate/argument/flamewar in security, pick any of the following.

  1. "Full disclosure" vs "responsible disclosure" vs whatever else
  2. Threat intelligence sharing
  3. Value of security certifications
  4. Exploit sales
  5. Advanced-ness, Persistence-ness, Threat-ness, Chinese-ness of APT
  6. Reality of "cyberwar"
  7. "Builders vs Breakers"
  8. "Security is an engineering problem," i.e., "building a new Internet is the answer."
  9. "Return on security investment"
  10. Security by mandate or legislation or regulation

Did I miss any subjects people raise to "stir the cyber pot?"

Tuesday, September 25, 2012

Unrealistic "Security Advice"

I just read a blog post (no need to direct traffic there with a link) that included the following content:

This week, I had the opportunity to interview the hacking teams that used zero-day vulnerabilities and clever exploitation techniques to compromise fully patched iPhone 4S and Android 4.0.4 (Samsung S3) and the big message from these hackers was simple: Do not use your mobile device for *anything* of value, especially for work e-mail or the transfer of sensitive business documents.

For many, this is not practical advice. After all, your mobile device is seen as an extension of the computer and there is a legitimate need to access work e-mail on iPhone/iPad, Android and BlackBerry smart phones. However, whether you are a businessman, a celebrity or the average consumer, it's important to start wrapping your mind around the idea of separating work from play on mobile devices.

This author is well-meaning, but he completely misses the bigger picture.

Against a sufficiently motivated and equipped adversary, no device is impenetrable.

Mobile devices are simply the latest platform to be vulnerable. There is no reason to think your corporate laptop is going to survive any better than your iPhone.

Now, I believe that non-mobile devices enjoy some protections that make them more defensible compared to mobile devices. Servers and workstations are generally "wrapped" with multiple defensive layers. Laptops benefit from those layers when connected to a corporate network, but may lose them when mobile. Still, even with those layers, intruders routinely penetrate networks and accomplish their missions.

One might also argue that mobile devices are more likely to be lost or stolen. I agree with that. However, full device encryption and passcodes can mitigate those risks. That's not the same as "zero-day vulnerabilities and clever exploitation techniques" however.

Despite these limitations, we still conduct work on computing devices. If we didn't, what would be the point?

We would be much better served if we accepted that prevention eventually fails, so we need detection, response, and containment for the incidents that will occur.

Software developers and security engineers should of course continue to devise better protection and resistance mechanisms, but we must remember we face an intelligent adversary who will figure out how to defeat those countermeasures.

Sunday, September 23, 2012

To Be Hacked or Not To Be Hacked?

People often ask me how to tell if they might be victims of state-serving adversaries. As I've written before, I don't advocate the position that "everyone is hacked." How then can an organization make informed decisions about their risk profile?

A unique aspect of Chinese targeted threat operations is their tendency to telegraph their intentions. They frequently publish the industry types they intend to target, so it pays to read these announcements.

Adam Segal Tweeted a link to a Xinhua story titled China aims to become world technological power by 2049. The following excerpts caught my attention:

China aims to become a world technological power by 2049 and strives to be a leading nation in innovation and scientific development, according to a government document released on Sunday.

The document, released by the Communist Party of China Central Committee and the State Council, or the Cabinet, namely opinions on "deepening technological system reform and accelerating national innovation system construction," sets the goal for the country to be "in the ranks of innovative nations" by 2020...

In this intro we read two key dates: 2020 for "in the ranks of innovative nations" and 2049 for a "world technological power." As we've seen during the last 10-12 years, one of the ways China pursues these goals is to steal intellectual property from target industries. What are those industries?

The development of strategic emerging industries, such as energy preservation and environmental protection, new-generation information technology, biology, advanced equipment manufacturing, new energy and material as well as green vehicles, should be accelerated, it said.

Major breakthroughs of key technologies should be materialized in sectors including electronic information, energy and environment protection, biological medicine and advanced manufacturing, it said.

Those industries have already been targeted and compromised by Chinese intruders. If you work in these areas but aren't actively seeking to detect and respond to Chinese intruders in your enterprise, I recommend taking a closer look at who is using your network.

Later in the document I was somewhat surprised to read the following:

And technological innovation should be made in industries that were related to people's livelihoods, such as health, food and drug safety, and disaster relief, the document said.

The underlined industries explain some activity I've seen recently, and it may be a warning for those of you in those sectors.

The last part of the document I would like to mention says the following: It called for an enhanced system to integrate the technologies for military use and those for civilian purposes.

The document said the nation's technological plan would be more open to the outside world in terms of cooperation, and international academic institutions and multinational companies would be encouraged to set up R&D centers.

None of that is new, but it shows the Chinese commitment to applying "dual use" technologies to both sides of that equation. It also shows the Chinese think they can still fool Western companies into sending engineers to China, where stealing IP is as easy as setting foot in an office building. Unfortunately plenty of Western companies appear to be falling for this ploy.

Wednesday, September 19, 2012

Understanding Responsible Disclosure of Threat Intelligence

Imagine you're hiking in the woods one day. While stopping for a break you happen to find a mysterious package off to the side of the trail. You open the package and realize you've discovered a "dead drop," a clandestine method to exchange messages.

You notice the contents of the message appear to be encoded in some manner to defy casual inspection. You decide to take pictures of the package and its contents with your phone, then return the items to the place you found them.

Returning home you eagerly examine your photographs. Because you're clever you eventually decode the messages captured in your pictures. Apparently a foreign intelligence service (FIS) is using the dead drop to communicate with spies in your area! You're able to determine the identities of several Americans working for the FIS, as well as the identities of their FIS handlers. You can't believe it. What should you do?

You decide to take this information to the world via your blog. You found the messages on your own, and you did the work to understand what they mean. If the press reads about your discovery, they'll likely take it farther.

You consider going to the press first, but you decide that it won't hurt to drive traffic to your own blog first. You might even be able to launch that small private investigator practice you've always wanted!

After publishing your post, the press indeed notices, and publishes an expose featuring an interview with you. Several US intelligence agencies also notice. They had been monitoring the dead drop themselves for a year, and had been working a complex joint case against all of the parties you identified. Now all of that work is ruined.

Before the intelligence agencies can react to your disclosure, the targets of their investigation disappear. They will likely be replaced by other agents quickly enough, using other modes of communication unknown to the US agencies. The FIS will alter their operation to account for the disclosure, but it will continue in some form.

That is the problem with irresponsible disclosure. To apply the situation to the digital security world, make the following changes.

  • Substitute "command and control server" for "dead drop."
  • Substitute "tools, exploits, and other digital artifacts" for "messages."
  • When the adversary learns of the disclosure, they move to other C2 infrastructure and develop or adopt new tools, tactics, and procedures (TTPs).

What should the hypothetical "security researcher" have done in this case?

It's fairly obvious he should have approached the FBI himself. They would have realized that he had stumbled upon an active investigation, and counseled him to stay quiet for the sake of national security.

What should "security researchers" in the digital world do?

This has been an active topic in a private mailing list in which I participate. We've been frustrated by what many of us consider to be "irresponsible disclosures." We agree that sharing threat intelligence is valuable, but we prefer to keep the information within channels among peers trusted to not alert the adversary to our knowledge of intruder TTPs.

Granted, this is a difficult line to walk, as I Tweeted yesterday:

Responsible security intel teams walk a fine line between sharing for the benefit of peers and risking disclosure to the detriment of all.

The best I can say at this point is to keep this story in mind the next time you stumble upon a package in the woods. The adversary is watching.

Tuesday, September 18, 2012

Over Time, Intruders Improvise, Adapt, Overcome

From TaoSecurity
Today I read a well-meaning question on a mailing list asking for help with the following statement:

"Unpatched systems represent the number one method of system compromise."

This is a common statement and I'm sure many of you can find various reports that claim to corroborate this sentiment.

I'm not going to argue that point. Why am I still aggravated by this statement then? This sentiment reflects static thinking. It ignores activity over time.

For both opportunistic and targeted threats, when exploiting unpatched vulnerabilities no longer works, over time they will escalate to attacks that do work.

I recognize that if you have to start your security program somewhere, addressing vulnerabilities is a good idea. I get that as a Chief Security Officer.

However, the tendency for far too many involved with security, from the CTO or CIO perspective, is to then conclude that "patched = secure."

At best, patching reduces a certain amount of noise because it deflects opportunistic attacks that work against weaker peers. Should patching become more widespread, opportunistic attackers adopt 0-days. We've been seeing that in spades over the last few months, even without widespread adoption of patches.

In the case of targeted attacks, patching drives intruders to try other means of exploitation. I've seen this first hand, with intruders adopting 0-days as a matter of course or trying other attack vectors. Targeted intruders learn not to trip traditional defenses while failing to exploit well-known vulnerabilities.

If someone asks you if "unpatched systems represent the number one method of system compromise," please keep this post in mind. Remember we face an intelligent adversary who, over time, acts to improvise, adapt and overcome.

We must do the same, over time.

Monday, September 17, 2012

Does Anything Really "End" In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part:

15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.

Now, I'm not a programmer, and I don't play one at Mandiant. However, Adam's last sentence in the excerpt caught my attention. My observation over the period that Aleph One's historic paper was written is this: we don't seem to "solve" any security problems. Accordingly, no "era" seems to end!

Is this true? To get a slight insight into whether my sense of history is correct, I consulted the Open Source Vulnerability Database and ran queries like the following:

Query for all vulnerabilities of attack type "input manipulation," with "buffer overflow" in the text, from time 1 Aug 96 to 1 Aug 97

I chose to run these "August" periods to capture time as it passed since Aleph One's paper was published in August 1996.

The results were:

Year Vulns
1997 11
1998 10
1999 6
2000 48
2001 41
2002 43
2003 94
2004 127
2005 86
2006 27
2007 29
2008 39
2009 36
2010 48
2011 44
2012 45
As a chart, they looked like this:

I find these results interesting, and I accept I could have run the query wrong by selecting the wrong terms. If I managed to get in the ballpark of the correct query, though, it seems we are not eliminating buffer overflows as a vulnerability.

I suppose one could argue about where researchers are finding the vulnerabilities, but they're still there in software worth reporting to OSVDB, and apparently trending upward.

My bottom line is to remember that security appears to be a game of and, not a game of or. We just add problems, and tend not to substitute them.

Wednesday, September 05, 2012

Encryption Is Not the Answer to Security Problems

I just read Cyber Fail: Why can't the government keep hackers out? Because the public is afraid of letting it, an article in the new Foreign Policy National Security channel. I've Tweeted on Mr Arquilla's articles before, but this new one published today offers a solution to security problems that just won't work.

Consider these excerpts:

Back in President Bill Clinton's first term, the "clipper chip" concept was all about improving the security of private communications. Americans were to enjoy the routine ability to send strongly encoded messages to each other that criminals and snoops would not be able to hack, making cyberspace a lot safer.

I see two errors in this section. First, having lived through that time, and having read Steven Levy's excellent book Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age, I disagree with Mr Arquilla's statement. The Clipper Chip was the government's last attempt to keep tight control of encryption, not "improve the security of private communications."

Second, Mr Arquilla implies that encryption = "making cyberspace a lot safer." That fallacy appears later in the article.

Sadly, industry leaders have never emphasized the value of strong crypto sufficiently either. There are many reasons for this neglect -- the most likely being that encouraging ubiquitous use of strong crypto could weaken sales of the firewalls and anti-viral products that form so much of the cybersecurity business model.

Here is my key issue with this article. An enterprise could encrypt every single piece of information at rest or in transit, and intruders would still win.

The fundamental reality of cryptography in the enterprise is that users and applications must be able to access data in unencrypted form in order to use it.

In other words, if a user can access data, so can an intruder.

Cryptography certainly frustrates some bad guys, such as amateurs who eavesdrop on encrypted communications, or thieves who swipe mobile devices, or intruders who remove encrypted files without bothering to obtain the material necessary to decrypt it.

However, cryptography will not stop your Web app from suffering SQL injection, nor will it keep Java from being exploited by a client-side attack.

The article concludes in part by saying:

But ways ahead do exist. There is a regulatory role: to mandate better security from the chip-level out -- something that Sen. Joseph Lieberman's Cybersecurity Act would only have made voluntary.

This sounds like an advertisement for a chip maker. I've heard their lobbyists use the same terms on Capitol Hill. "Mandating security" at the "chip level" would be as effective as FISMA -- a waste of time.

Mr Arquilla does make a few points I agree with, such as:

[W]e should treat cybersecurity as a foreign-policy issue, not just a domestic one. For if countries, and even some networks, can find a way to agree to norms that discourage cyberwar-making against civilian infrastructure -- much as the many countries that can make chemical and biological weapons have signed conventions against doing so -- then it is just possible that the brave new virtual world will be a little less conflict prone.

However, do not be fooled into thinking that encryption is the answer to our security problems.

Monday, September 03, 2012

Bejtlich Interviewed on This Week in Defense News

Last week Vago Muradian from This Week in Defense News with Vago Muradian interviewed me for his show. You can see the online version here.

The online version is about two minutes longer than the broadcast version. We recorded the extra material separately and the video staff added it in the middle of the session. They were so smooth I didn't originally notice the change!

Vago asked questions about how companies can defend themselves from digital threats. He wanted to know more about state-sponsored intrusions and how to differentiate among different types of threat actors.

In the extra session Vago and I talked about recent SEC activities and how to tell if your organization has been victimized by a targeted attacker.

There's a possibility Vago will invite me back to participate on a panel discussing digital security. I look forward to that if it happens!

If you have any questions on the video, please post a comment and I'll answer. Thank you.