Saturday, May 23, 2015

An Irrelevant Thesis

This week The Diplomat published an article by Dr Greg Austin titled What the US Gets Wrong About Chinese Cyberespionage. The subtitle teases the thesis: "Is it government policy in China to pass on commercial secrets obtained via cyberespionage to civil sector firms?" As you might expect (because it prompted me to write this post), the author's answer is "no."

The following contains the argument:

"Chinese actors may be particularly adept in certain stages of economic espionage, but it is almost certainly not Chinese government policy to allow the transfer of trade secrets collected by highly classified intelligence sources to its civil sector firms for non-military technologies on a wide-spread basis.

A U.S. influencing strategy toward China premised on the claim that this is China’s policy would appear to be ill-advised based on the evidence introduced so far by the United States in the public domain." (emphasis added)

I find it interesting that the author concedes theft by Chinese government actors, which the Chinese government refuses to acknowledge. However, the author seeks to excuse this activity out of concern for the effect it has on US-China ties.

One aspect of the relationship between China and the US worries the author most:

"There are many ways to characterize the negative impact on potential bilateral cooperation on cyberspace issues of the “lawfare” being practised by the United States to discipline China for its massive cyber intrusions into the commercial secrets of U.S. firms. One downside is in my view more important than others. This is the belief being fostered by U.S. officials among elites in the United States and in other countries that China as a nation is a “cheater” country..."

Then, in a manner similar to the way Chinese spokespeople respond to any Western accusations of wrongdoing, the author turns the often-heard "Chinese espionage as the largest transfer of wealth in history" argument against the US:

"In the absence of any Administration taxonomy of the economic impacts of cyber espionage, alleged by some to represent the largest illicit transfer of wealth in human history, one way of evaluating it is to understand that for more than three decades it has been U.S. policy, like that of its principal allies, to undertake the largest lawful transfer of wealth in human history through trade with, investment in and technology transfer to China."

(I'm not sure I understand the cited benefits the US has accrued due to this "largest lawful transfer of wealth in human history," given the hollowing out of the American manufacturing sector and the trade imbalance with China, which totaled over $82 billion in 1Q15 alone. It's possible I am not appreciating what the author means though.)

Let's accept, for argument's sake, that it is not "official" Chinese government policy for its intelligence and military forces to steal commercial data from private and non-governmental Western organizations. How does accepting that proposition improve the situation? Would China excuse the US government if a "rogue" element of the American intelligence community or military pursued a multi-decade campaign against Chinese targets?

Even if the US government accepted this "Chinese data theft by rogue government actor" theory, it would not change the American position: stop this activity, by whatever means necessary. Given the power amassed by President Xi during his anti-corruption crackdown, I would expect he would be able to achieve at least some success in limiting his so-called "rogue actors" during the 2+ years since Mandiant released the APT1 report. As Nicole Perlroth reported this month, Chinese hacking continues unabated. In fact, China has introduced new capabilities, such as the so-called Great Cannon, used to degrade GitHub and others.

Similar to the argument I made in my post What Does "Responsibility" Mean for Attribution?, "responsibility" is the key issue. Based on my experience and research, I submit that Chinese computer network exploitation of private and non-governmental Western organizations is "state-integrated" and "state-executed." Greg Austin believes the activity is, at worst, "state-rogue-conducted." Stepping down one rung on the spectrum of state responsibility is far from enough to change US government policy towards China.

Note: In addition to the article in The Diplomat, the author wrote a longer paper titled China’s Cyberespionage: The National Security Distinction and U.S. Diplomacy (pdf).

I also plan to read Dr Austin's new book, Cyber Policy in China, which looks great! Who knows, we might even be able to collaborate, given his work with the War Studies department at KCL.

Sunday, May 10, 2015

What Year Is This?

I recently read a manuscript discussing computer crime and security. I've typed out several excerpts and published them below. Please read them and try to determine how recently this document was written.

The first excerpt discusses the relationship between the computer and the criminal.

"The impersonality of the computer and the fact that it symbolizes for so many a system of uncaring power tend not only to incite efforts to strike back at the machine but also to provide certain people with a set of convenient rationalizations for engaging in fraud or embezzlement. The computer lends an ideological cloak for the carrying out of criminal acts.

Computer crime... also holds several other attractions for the potential lawbreaker. It provides intellectual challenge -- a form of breaking and entering in which the burglar’s tools are essentially an understanding of the logical structure of and logical flaws inherent in particular programming and processing systems. It opens the prospect of obtaining money by means that, while clearly illegal, do not usually involve taking it directly from the till or the cashier’s drawer...

Other tempting features of computer crime, as distinct from other forms of criminal activity, are that most such crimes are difficult to detect and that when the guilty parties are detected not much seems to happen to them. For various reasons, they are seldom intensively prosecuted, if they are prosecuted at all. On top of these advantages, the haul from computer crime tends to be very handsome compared with that from other crimes."

The second excerpt describes the attitudes of corporate computer crime victims.

"The difficulties of catching up with the people who have committed computer crimes is compounded by the reluctance of corporations to talk about the fact that they have been defrauded and by the difficulties and embarrassments of prosecution and trial. In instance after instance, corporations whose assets have been plundered -- whose computer operations have been manipulated to churn out fictitious accounting data or to print large checks to the holders of dummy accounts -- have preferred to suffer in silence rather than to have the horrid facts about the frailty of their miracle processing systems come to public attention.

Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporations up to public ridicule, and cause all sorts of turmoil within their staffs. In many cases, it seems, management will go to great lengths to keep the fact of an internal computer crime from its own stockholders...

The reluctance of corporations to subject themselves to unfavorable publicity over computer crimes is so great that some corporations actually seem willing to take the risk of getting into trouble with the law themselves by concealing crimes committed against them. Among independent computer security consultants, it is widely suspected that certain banks, which seem exceptionally reluctant to admit that such a thing as computer fraud even exists in the banking fraternity, do not always report such crimes to the Comptroller of the Currency, in Washington, when they occur, as all banks are required to do by federal law. Bank officers do not discuss the details of computer crime with the press... [A] principal reason for this kind of behavior is the fear on the part of the banks that such a record will bring about an increase in their insurance rates."

The third excerpt talks about the challenges of prosecuting computer crime.

"In addition to the problems of detecting and bringing computer crimes to light, there are the difficulties of effectively prosecuting computer criminals. In the first place, the police, if they are to collect evidence, have to be able to understand precisely how a crime may have been committed, and that usually calls for the kind of technical knowledge that is simply not available to most police departments...

Another difficulty is that not only police and prosecutors but judges and juries must be able to find their way through the mass of technical detail before they can render verdicts and hand down decisions in cases of computer crime, and this alone is a demanding task. In the face of all the complexities involved and all the time necessary to prepare a case that will stand up in court, many prosecutors try to make the best accommodation they can with the defendant’s lawyers by plea bargaining, or else they simply allow the case to fade away unprosecuted. If they do bring a case to trial, they have the problem of presenting evidence that is acceptable to the court."

The fourth excerpt mentions "sophistication" -- a hot topic!

"To somebody looking at the problem of computer crime as a whole, one conclusion that seems reasonable is that although some of the criminal manipulators of computer systems have shown certain ingenuity, they have not employed highly sophisticated approaches to break into and misuse computer systems without detection. In a way, this fact in itself is something of a comment on the security of most existing computer systems: the brains are presumably available to commit those sophisticated computer crimes, but the reason that advanced techniques haven’t been used much may well be that they haven’t been necessary."

The fifth excerpt briefly lists possible countermeasures.

"The accelerating incidence of computer-related crimes -- particularly in the light of the continuing rapid growth of the computer industry and the present ubiquity of electronic data-processing systems -- raises the question of what countermeasures can be taken within industry and government to prevent such crimes, or, at least, to detect them with precision when they occur...

In addition to tight physical security for facilities, these [countermeasures] included such internal checks within a system to insure data security as adequate identification procedures for people communicating with the computer... elaborate internal audit trails built into a system, in which every significant communication between a user and a computer would be recorded; and, where confidentiality was particularly important, cryptography..."

Now, based on what you have read, I'd like you to guess in which decade these excerpts were written. By answering the survey you will learn the publication date.



I'll leave you with one other quote from the manuscript:

The fact is, [a security expert] said, that “the data-security job will never be done -- after all, there will never be a bank that absolutely can’t be robbed.” The main thing, he said, is to make the cost of breaching security so high that the effort involved will be discouragingly great.

Thursday, April 30, 2015

The Need for Test Data

Last week at the RSA Conference, I spoke to several vendors about their challenges offering products and services in the security arena. One mentioned a problem I had not heard before, but which made sense to me. The same topic will likely resonate with security researchers, academics, and developers.

The vendor said that his company needed access to large amounts of realistic computing evidence to test and refine their product and service. For example, if a vendor develops software that inspects network traffic, it's important to have realistic network traffic on hand. The same is true of software that works on the endpoint, or on application logs.

Nothing in the lab is quite the same as what one finds in the wild. If vendors create products that work well in the lab but fail in production, no one wins. The same is true for those who conduct research, either as coders or academics.

When I asked vendors about their challenges, I was looking for issues that might meet the criteria of Allan Friedman's new project, as reported in the Federal Register: Stakeholder Engagement on Cybersecurity in the Digital Ecosystem. Allan's work at the Department of Commerce seeks "substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers."

I don't know if "realistic computing evidence" counts, but perhaps others have ideas that are helpful?

Tuesday, April 28, 2015

Will "Guaranteed Security" Save the Digital World?

Thanks to a comment by Jeremiah Grossman on LinkedIn, I learned of his RSA talk No More Snake Oil: Why InfoSec Needs Security Guarantees. I thought his slide deck looked interesting and I wish I had seen the talk.

One of his arguments is that security products and services lack guarantees, "unlike every day 'real world' products," as shown on slide 3 at left.

The difference between the products at left and those protected by security products and services, however, is that security products and services are trying to counter intelligent, adaptive adversaries.

Jeremiah does include a slide showing multiple "online security guarantees" for financial services. Those assets do indeed face challenges from the sorts of adversaries I have in mind. I need to hear more about what Jeremiah said at this point, and I also need to learn more about these individual guarantees.

It may be useful to look at what physical security companies offer by way of guarantees. I did not see this angle in Jeremiah's slides, although he may have talked about it.

Taking a tentative step in this direction, I visited the ADT web site. You've seen their ads for protecting homes, and you might even be a customer. This is the sort of company that faces at least some threats who are intelligent and/or adaptive. What guarantees does ADT offer?

The screen capture below shows the answer. I am particularly interested in the "Theft Protection Guarantee."


A theft protection guarantee is like a "hack prevention guarantee." As you can see, if your home is burglarized while under ADT monitoring, you get up to $500 paid toward your insurance deductible.

The fine print is even more interesting:

"The Customer presenting ADT with this ORIGINAL CERTIFICATE will be eligible to receive a reimbursement of up to five hundred dollars ($500) of Customer’s homeowner’s insurance deductible (if any) if, and only if, ALL of the following requirements are met to ADT’s reasonable satisfaction

(i) the property loss was the result of a burglary that took place while the security system installed at Customer’s protected premises was in good working order and was “on,” and while all of Customer’s doors and windows were locked; and 

(ii) the intruder entered the residence through a door, window or other area equipped with an ADT detection device, and such detection device was not “bypassed”; and 

(iii) Customer is not in any way in default under the ADT Residential Systems Customer’s Order; and 

(iv) Customer files a written claim with their homeowner’s insurance company, and such claim is not rejected or otherwise contested by the insurer; and 

(v) Customer reports the burglary loss to the appropriate police department and obtains a written police report; and 

(vi) Customer provides ADT with copies of the insurance claim report, the police report within sixty (60) days of the property loss and proof of settlement by insurance carrier; and 

(vii) Customer certifies in writing to ADT (by signing this ORIGINAL CERTIFICATE and presenting it to ADT within sixty [60] days of the property loss) that all of the foregoing requirements have been satisfied. 

Customer understands that presentation of this ORIGINAL CERTIFICATE signed by Customer is required and understands that ADT reserves the right to reject any application for reimbursement that does not comply with ALL of the requirements." (emphasis added)

Can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

It would be interesting to see how many times ADT has paid out this guarantee money.

Wait, you might say, Jeremiah showed a car in the slide at the top of this post. What do car security guarantees look like? I'm glad you asked. Here's one of the top results I found online, for Viper.


Here is the fine print:

"Qualifications:

    The qualifying system was sold, installed, and serviced by an authorized dealer for DIRECTED, remains in the car in which the system was originally installed, and owned by the original purchaser of the qualifying system. Window decals must have been in place on the vehicle at the time of installation.

    The theft occurred less than one year after the date of purchase of the qualifying Viper system.

    This GPP claim is made within sixty (60) days of settlement of your claim with your insurance carrier. (90 days in New York state)

    The warranty registration card was completely filled out and mailed to DIRECTED within 10 days of purchase.

    The vehicle was stolen as a result of alarm system failure and the automobile was not left in an inactive/disarmed mode for whatever reason, even if left at a service station.

    A police report must be filed and a copy submitted with your GPP claim.

    Vehicle must be insured against theft at the time vehicle was stolen.

    The insurance company must accept and pay the claim.

    A DIRECTED starter kill device must have been installed on the vehicle and the sales receipt must show starter kill installation.

Your claim MUST meet all of the criteria as stated above to be eligible to file a claim for reimbursement of your comprehensive deductible...

A product's warranty is automatically void if its date code or serial number is defaced, missing, or altered. GPP does not cover vandalism, theft of vehicle parts, contents, damage to vehicle and/or towing charges. Furthermore, vehicles that are consigned or displayed for sale are not covered by the GPP program. GPP is not available to employees, agents, friends or relatives of Directed or of its dealers. 

GPP does not extend to or cover motorcycles or vehicles without lockable doors, ignition systems and/or engine compartments." (emphasis added)

Again, I ask, can you imagine the equivalent conditions for a digital security service or product? Could you imagine a customer being able to prove it met the requirements?

Given these examples of security guarantees in the physical world, I don't think we will see much progress in the digital world, perhaps beyond paying insurance deductibles.

I believe the heavy work on the economic side will be done by the insurance companies, as is indicated by these physical security examples.

We are likely to see more insurance on the security vendor side, as we are already seeing (as noted in Jeremiah's talk) much more insurance in the security consumer (enterprise) arena.

Quick addendum: It just occurred to me that the security services mentioned earlier are primarily means to the following:


  1. Decrease insurance premiums.
  2. Deter attackers.
  3. If deterrence fails, increase the chances of a more rapid police response.
These ideas have some relevance in the digital security world, although I think "stickers" saying "protected by product X and service Y" may have the opposite effect, as they may give intruders ideas on how to bypass the defenses. Then again, that might already happen with the house and car alarm examples.


Monday, April 13, 2015

Example of Chinese Military Converging on US Military

We often hear of vulnerabilities in the US military introduced by net-centric warfare and a reliance on communications networks. As the Chinese military modernizes, it will introduce similar vulnerabilities.

I found another example of this phenomenon courtesy of Chinascope:

PLA Used its Online Purchasing Website for its First Online Purchase

Written by LKY and AEF   

Xinhua reported that on April 7, the PLA announced that five manufacturers won the bidding, totaling 90 million yuan (US$14.48 million), to supply general and maintenance equipment to the PLA. The article said that these were the first purchase orders that the PLA received since it launched its military equipment purchasing website in January. The site is at http://www.weain.mil.cn/. 

The PLA claimed that it saved close to 12 million yuan (US$1.93 million) compared to the list price. The purchase order consisted of items such as containers for maintenance equipment and tools, gas masks, carrier cases, and army field lighting. The article said that the PLA equipment purchasing website was launched on January 4. On February 25, the PLA General and Maintenance department made a public announcement on the website calling for bids. On March 19, the public bidding was held at Ordnance Engineering College in Shijiazhuang City of Hebei Province. 

Over 20 manufacturers submitted bids and 5 of them, including some privately owned companies, won the bidding.

Source: Xinhua, April 12, 2015
http://news.xinhuanet.com/info/2015-04/12/c_134143641.htm

(emphasis added)

You can imagine the sorts of opportunities this story presents to adversaries, including impersonating the Chinese Web site, phishing either party (supplier or purchaser), and so on.

I expect other militaries to introduce similar vulnerabilities as they modernize, presenting more opportunities for their adversaries.

Network Security Monitoring Remains Relevant

Cylance blogged today about a Redirect to SMB problem found in many Windows applications. Unfortunately, it facilitates credential theft. Steve Ragan wrote a good story discussing the problem. Note this issue does not rely on malware, at least not directly. It's a problem with Microsoft's Server Message Block protocol, with deep historical roots.

(Mitigating Service Account Credential Theft on Windows [pdf] is a good paper on mitigation techniques for a variety of SMB problems.)

Rather than discussing the technical problem, I wanted to make a different point. After reading about this technique, you probably want to know when an intruder uses it against you, so you can see it and preferably stop it.

However, you should be wondering if an intruder has already used it against you.

If you are practicing network security monitoring (described most recently in my newest book), then you should already be collecting network-based evidence of this attack.

  • You could check session data and infer that outbound traffic to traditional SMB ports like 139 or 445 TCP is likely evidence of attack. 
  • You could review transaction data for artifacts of SMB traffic, looking for requests and replies. 
  • Best of all, you could review full content data directly for SMB traffic, and see exactly what happened. 
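As an added illustration of the session data approach (this is example code written for this post's topic, not code from the original post or from Cylance), the block below parses a handful of constructed flow records in a Bro/Zeek-style conn.log layout, an assumed format, and flags internal hosts that reached out to external addresses on TCP 139 or 445. It also separates completed sessions (state SF) from unanswered attempts (state S0): a completed session means the external host answered and could have collected the client's NTLM challenge-response, while an unanswered attempt still tells you that the client was redirected and egress filtering did its job. The internal network ranges are an assumption; adjust them for your own address space.

```python
"""Find outbound SMB sessions in session (flow) data.

Added example, not part of the original post. It assumes a Bro/Zeek-style
conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
proto, conn_state) in tab-separated form. The records below are constructed.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}

# Assumed internal address space; change to match your own environment.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records (tab-separated):
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
SAMPLE_CONN_LOG = """\
1428868800.1\tC1\t10.0.1.25\t51234\t10.0.1.5\t445\ttcp\tSF
1428868801.7\tC2\t10.0.1.25\t51235\t203.0.113.44\t445\ttcp\tSF
1428868802.3\tC3\t10.0.1.30\t51236\t198.51.100.7\t139\ttcp\tS0
1428868803.9\tC4\t10.0.1.30\t51237\t198.51.100.7\t80\ttcp\tSF
1428868804.2\tC5\t10.0.1.41\t51238\t203.0.113.44\t445\tudp\tSF
"""


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse tab-separated conn.log lines into dicts; skip comments and short rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 8:
            continue
        records.append({
            "ts": float(fields[0]),
            "uid": fields[1],
            "orig_h": fields[2],
            "orig_p": int(fields[3]),
            "resp_h": fields[4],
            "resp_p": int(fields[5]),
            "proto": fields[6],
            "conn_state": fields[7],
        })
    return records


def find_outbound_smb(records: list) -> list:
    """Return sessions from an internal host to an external host on TCP 139/445.

    Internal-to-internal SMB is normal file sharing and is ignored here;
    the interesting case for credential theft is a client talking SMB
    to something outside the organization.
    """
    hits = []
    for r in records:
        if r["proto"] != "tcp" or r["resp_p"] not in SMB_PORTS:
            continue
        if is_internal(r["orig_h"]) and not is_internal(r["resp_h"]):
            hits.append(r)
    return hits


def summarize(hits: list) -> dict:
    """Group hits by external responder: how many attempts, how many completed.

    conn_state SF means the TCP session completed normally, so the far end
    answered and could have collected an NTLM challenge-response. S0 means
    the SYN went unanswered (typically blocked at the egress), which still
    shows the client tried.
    """
    summary = defaultdict(lambda: {"attempts": 0, "completed": 0})
    for r in hits:
        entry = summary[r["resp_h"]]
        entry["attempts"] += 1
        if r["conn_state"] == "SF":
            entry["completed"] += 1
    return dict(summary)


if __name__ == "__main__":
    outbound = find_outbound_smb(parse_conn_log(SAMPLE_CONN_LOG))
    for resp_h, counts in summarize(outbound).items():
        print(f"{resp_h}: {counts['attempts']} attempt(s), "
              f"{counts['completed']} completed session(s)")
```

Run it as-is and it reports the two external responders from the sample data. Against real session data the same logic is a single query rather than a script, but the filter is the same: internal source, external destination, TCP 139 or 445. The completed-versus-unanswered split is what tells you whether to reset credentials or simply tighten egress rules.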

Whenever you see a discussion of a new attack vector, you will likely think "how do I stop it, or at least see it?"

Don't forget to think about ways to determine if an attacker has already used it against you. Chances are that certain classes of intruders have been exercising it for days, weeks, months, or perhaps years before it surfaced in the media.

PS: This post may remind you of my late 2013 post Linux Covert Channel Explains Why NSM Matters.

Sunday, April 12, 2015

Please Support OpenNSM Group

Do you believe in finding and removing intruders on the network before they cause damage? Do you want to support like-minded people? If you answered "yes," I'd like to tell you about a group that shares your views and needs your help.

In August 2014, Jon Schipp started the Open (-Source) Network Security Monitoring Group (OpenNSM). Jon is a security engineer at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. In his announcement on the project's mailing list, Jon wrote:

The idea for this group came from a suggestion in Richard Bejtlich's most recent book, where he mentions it would be nice to see NSM groups spawn up all over much like other software user groups and for the same reasons.

Network security monitoring is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions. It is an operational campaign supporting a strategy of identifying and removing intruders before they accomplish their mission, thereby implementing a policy of minimizing loss due to intrusions. At the tactical and tool level, NSM relies on instrumenting the network and applying hunting and matching to find intruders.

Long-time blog readers know that I have developed and advocated NSM since the late 1990s, when I learned the practice at the Air Force Computer Emergency Response Team (AFCERT).

I am really pleased to see this group holding weekly meetings, which are available live or as recordings at YouTube.

The group is seeking funding and sponsorship to build a NSM laboratory and conduct research projects. They want to give students and active members hands-on experience with NSM tools and tactics to conduct defensive operations. They outline their plans for funding in this Google document.

I decided to support this group first as an individual, so I just donated $100 to the cause. If you are a like-minded individual, or perhaps represent an organization or company, please consider donating via GoFundMe to support this OpenNSM group and their project. You can also follow them @opennsm and on Facebook, and check out their notes and code at GitHub. Thank you!

Friday, March 27, 2015

The Attack on GitHub Must Stop

For many years, private organizations in the West have endured attacks by the Chinese government, its proxies, and other parties. These intruders infiltrated private organizations to steal data. Those not associated with the targeted organizations were generally not directly affected.

Today an action by the Chinese government is affecting millions of users around the world. This is unacceptable.

You may be aware that an American technology company, GitHub, is suffering a massive distributed denial of service attack, at the time of writing.

According to Insight Labs, Internet traffic within China is being manipulated, such that users are essentially attacking GitHub. They are unwittingly requesting two sites hosted by GitHub. The first is a mirror of the Chinese edition of the New York Times (blocked for several years). The other is a mirror of the GreatFire.org Web site, devoted to discovering and exposing Internet filtering by China's "Great Firewall."

As noted in this Motherboard story, it's unlikely a party other than the Chinese government could sustain this attack, given the nature of the traffic injection within the country's routing infrastructure. Even if somehow this is not a state-executed or state-ordered attack, according to the spectrum of state responsibility, the Chinese government is clearly responsible in one form or another.

It is reprehensible that the censorship policies and actions of a nation-state are affecting "over 3.4 million users and with 16.7 million repositories... the largest code host in the world." (Source)

The Chinese government is forcing GitHub to expend its private resources in order to continue serving its customers. I call on the US government, and like-minded governments and their associates, to tell the Chinese to immediately stop this activity. I also believe companies like IBM, who are signing massive IT deals with "Chinese partners," should reconsider these associations.