“To the full extent of their capabilities”

Took me a while to clear up time and read Dave Aitel’s post on his experience with the NSA as compared to the interview that Edward Snowden did with James Bamford of Wired. Make sure you do too, and then come back here for a quick reality adjustment.

So, just to set things straight: I agree with the first point, which talks about how working at the NSA consists of abiding by a metric ton of rules, regulations and bureaucratic nightmares. The same is true for most modern western intelligence agencies (your mileage may vary, and this is based on personal, subjective observations of course).

However, the NSA (and other agencies in other countries) know very well how to bypass these restrictions, and are very happy to use 3rd party resources to do the dirty work for them. That’s exactly how shady (again – my opinion) companies work in the market of intelligence collection, “lawful interception”, exploit research and development, etc.

This also enables overcoming the difficulties posed by the second point in the article, which pertains to the US’s ability to spy on China (and other countries). In order to provide a more cohesive intelligence landscape, you can’t just focus collection efforts on military and government, as civilian infrastructure is always part of the play for both sides (hey – we just talked about using 3rd parties for intelligence. Guess what? The same thing happens with other countries). As such, “crossing the line” is a needed practice that is often outsourced in terms of liability, legality and ethics, to entities that are willing to take said liability/legality/ethics upon themselves.

And just to steal the closing soundbite: “Every country in the world is engaged in cyber espionage to the full extent of its capabilities. The US just happens to be the one that got caught. This time.”

Getting things right goes a long way when you are bleeding

I’m starting to see a trend here with the weekend posts. I can stomach most of the FUD during the work days, but things get to me through the weekend. Oh well. There goes a “mandatory” heartbleed post:

Yes, it’s a bad one. No it’s not the worst one. And no – the sky isn’t falling, and the Internet isn’t about to go away.

Heartbleed was one of the most media-driven (and media-ready) bugs in a few years. Logo, website, clear message, and two XKCD strips. The last of which is probably the best explanation for laypersons of what it’s all about.

And did the media catch up on it. Oh yeah… The usual naysayers, FUD-spreading evangelists had their 3.5 minutes of fame. And everyone started recommending that users immediately change their password.

Or maybe not. No! Wait until the site fixes their SSL implementation. Or yes? Ummm, what to do?… That’s where things get interesting.

The real issue here is this: sites affected by heartbleed could potentially be leaking information. And by leaking I mean that anyone with intimate knowledge of the bug could have been, in the past two years, pulling data from those sites. That includes session information, usernames, passwords, and even the private keys used to secure said SSL connections.

Which means that if you think that you were targeted by someone in the past two years, or that your information could have meant something to someone in the past two years with the capability to snoop on those credentials, yes, you should probably do something about it. BUT, and it’s a big but (yeah, yeah, yeah), you need to remember that it’s not as simple as checking that the website in question has applied the fix. Not even close. If (and again – IF) you believe you need to change your password, you also need to remember that whoever had the knowledge and capability to siphon all that information was almost certainly also stealing the server private keys. Initially pundits were skeptical that private encryption keys would be compromised through heartbleed. But as always – if it’s hackable, it will be hacked, and the proof came in pretty quickly.

So yes, there are online tools that will allow you to check whether a certain site has the issue fixed. But these aren’t enough, as you would need to verify somehow (and that’s not easy) that the site also generated a new private encryption key, and got a new server certificate to go with it, to be used AFTER patching the SSL implementation.

Tricky, isn’t it? Yeah, welcome to security…

Anyways – don’t just blatantly go updating your passwords willy-nilly. First figure out whether you really need to, then consider the entire picture: were you exposed just during the time from when heartbleed was announced until the site was fixed? Are you concerned about three-letter agencies that had knowledge of heartbleed and were dumping gigabytes of server RAM so they can get everyone’s data? Then figure out whether that site’s private keys and certificates were updated. Then act.
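The one step in that checklist that can actually be automated is the last one: did the site get a new certificate after it patched? The script below is an added example (not code from the original post) that takes certificates in the dict shape returned by Python’s ssl.SSLSocket.getpeercert() and checks whether the certificate’s validity start lies after the patch date. Heartbleed was publicly disclosed on 2014-04-07, which is used as the default reference date; the two sample certificates, their serial numbers and the hostname shop.example are constructed for the example. The live fetch_peer_cert() helper is there so the same check can be run against a real site you use; the samples run offline.

```python
"""Post-Heartbleed certificate check (added example, not from the original post).

Patching OpenSSL closes the leak, but a private key that was already read out
of server memory stays compromised until the site generates a new key and gets
a new certificate. This script takes certificates in the dict form returned by
ssl.SSLSocket.getpeercert() and checks whether the certificate's validity start
(notBefore) lies after the date the site was patched. Heartbleed was publicly
disclosed on 2014-04-07, used as the default reference date; both sample
certificates below are constructed for the example.
"""
import socket
import ssl
from datetime import datetime, timezone

HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed samples in getpeercert() shape: one issued long before the bug
# went public, one issued a few days after it.
OLD_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "serialNumber": "1001",
    "notBefore": "Mar 15 00:00:00 2013 GMT",
    "notAfter": "Mar 15 00:00:00 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "serialNumber": "1002",
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2016 GMT",
}


def cert_not_before(cert):
    """Parse the notBefore field into an aware UTC datetime."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_reissue(cert, patched_at=HEARTBLEED_DISCLOSURE):
    """Decide whether a certificate was issued after the site was patched.

    A certificate issued before the patch may have been minted for a key that
    was already leaked, so only issuance strictly after `patched_at` counts.
    Limit of this check: a new certificate for the OLD key looks the same
    here; catching that needs the pre-patch certificate so the public keys
    can be compared.
    """
    not_before = cert_not_before(cert)
    reissued = not_before > patched_at
    return {
        "serial": cert.get("serialNumber"),
        "not_before": not_before,
        "reissued": reissued,
        "verdict": ("certificate issued after the patch date; a password change now makes sense"
                    if reissued else
                    "certificate predates the patch; the key may still be compromised"),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live site's leaf certificate (dict form) over a verified TLS connection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (OLD_CERT, NEW_CERT):
        result = assess_reissue(cert)
        print(cert["serialNumber"], result["not_before"].date(), result["verdict"])
```

Pass the date the site actually announced its fix as `patched_at` rather than the disclosure date where you know it: a certificate issued between disclosure and the site’s own patch was minted while the server was still leaking memory, and the check treats it as not reissued. The dict form exposes no public key, so a certificate renewed for the same key passes this check; if you kept the old certificate, compare the two DER-encoded keys as well.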

Good luck with that. I’ll leave you with a bleeding heart punch so you won’t need to see that logo AGAIN on a security blog :-P

Relying on AV? Really?

I tried to hold back on this one, but if you’ve read this blog (or met me in person) you know it’s hard… Another amazing piece of research coming out of your favorite AV vendor – uncovering groundbreaking security implications. Take a minute to read this:

Admittedly, I have stopped reading any AV vendor’s blog ever since I didn’t need to (for marketing or competitive reasons). The main reason is that they are riddled with old information, mostly FUD and scare tactics, self promotion, and subtle competitor bashing. So yes, I might be missing out on more gems like this…
Nevertheless, this specific post came to my attention as it was quoted in a blog dedicated to security in the Middle East written by Tal Pavel, whom I highly respect as a researcher that focuses on regional issues (warning – Hebrew only site): http://middleeasternet.com/?p=9999

So, a new RAT that caters for and was written by Arabic speakers. njRAT. That name rang a bell, and of course, after a couple of minutes of digging through my notes, there it was. OLD as nicely aged single malt whiskey (in “cyber” terms…).
The original Symantec article claimed it first saw the light of day sometime in 2013. That’s pretty fresh. Too bad that this thing has been around probably since early 2012 (might be even earlier – I haven’t really looked into it that much). How can I say that? Well, I’ve used it as an example (yes – an example! It wasn’t even the main topic of what I was talking about) in a presentation I first gave publicly in April 2012 at Source Boston. Which means it was seen, analyzed, used (and, ahem, somewhat abused) much earlier in 2012. I also presented this as part of my SexyDefense talk at BlackHat USA, DerbyCon, HashDays, and SecurityZone later that year.
They did get one thing right – the focus on Arabic speaking threat communities. I saw njRAT back then while working on a defensive posture project for a client whose threat communities were heavily into the Arabic speaking world (vagueness intentional).

(skip to slide 68 for the specific example concerning njRAT)

The question remains though – are you still relying on AV vendors to have your back, when their “groundbreaking research” deals with malware that’s over 2 years old? And I’m not picking on Symantec here either (they did a great job of analyzing the 3-year-old Stuxnet back at the time!). All AV vendors can feel free to include themselves here (yes, even if you no longer call yourself an “AV Vendor”, you still are. I’m looking at all of you…).

Think again…
Oh, and here’s a late addition just to top it off: http://mincore.c9x.org/breaking_av_software.pdf (Breaking AV Software – from Syscan 2014).

And guess what, perfect timing – next week I’m going to be in Boston again for Source – where this post basically all began :-) See you there!

Hacking, Business, and Politics

I’ve recently had the great fortune to be called in as an industry expert to comment on current news on the Fox Business show “Money with Melissa Francis”. I’ll be the first one to tell you that every (read: EVERY) mass media outlet has an agenda. From Fox, through CBS, NBC, CNN to Al-Jazeera. They have their agendas that work with their audiences, which works well with the “you get what you pay for” approach for most people (for a nice overview of media bias read this: http://en.wikipedia.org/wiki/Media_bias_in_the_United_States).

As it came about, my latest commentary on the show was on the meeting held between President Obama and a few tech company CEOs in light of the NSA surveillance mandate. As always – I’m keeping a fair separation between my business and hacking views and my personal political ones, and I expressed my take on the matter (TL;DR: It’s a PR charade designed to make everyone look a bit better).

Nevertheless, and probably because of the wider audience this kind of broadcast reaches, I received some comments (surprisingly from both sides) that were of political nature.

Granted, this is Fox, and my fellow panelists on the show are a couple of the more verbal and respected figures on the network, so very quickly the discussion became highly political. You could notice that at these points I was less than conversational ;-).

I do think that there needs to be a “balancing” voice whenever topics of this nature are brought up for public discussion, and if you ask me the discussion shouldn’t be political as in “this guy is bad, and the other guy is good”, but more of the “this is the situation, here’s how it’s good/bad for us (the people), what can we do to change it?”. At the end of the day, even when pushing a political/economical agenda of any form, the discussion should end with an idea or a call for action. I see little merit in simple criticism (unless we are talking about entertainment media – where sarcasm is my first friend, and the likes of Jon Stewart and Louis CK are my heroes). When faced with an opportunity to provide information, commentary and a call for action, I’d rather be able to educate and encourage discussion than opt for the easy way out of playing the right “tune” for my audience.

Specifically in this case – surveillance is going to happen, I mean, we are talking about the intelligence agency here. And guess what? Whatever mandate they get, they are going to do their best to be able to fulfill their main task (gather actionable intelligence), which includes things like working with other agencies outside the US to get information on assets that they may not be privy to (US citizens that are not specifically suspects). It’s (almost like) hacking the legal system to get what you need. I know – been there, done that.

Also – while we’ve been caught with our hands in the cookie jar, almost any other nation either has, or is developing, or is buying the same kind of capacity to gather intelligence at this scope. How about discussing this? How about discussing the outsourcing of intelligence gathering of the more borderline kind to companies such as Gamma Group, NSO Group, HackingTeam, and their likes?

Last but not least – if you are a security practitioner, and you haven’t had a chance to take a look at the “I am the cavalry” initiative, you probably owe it to yourself to check it out: http://www.iamthecavalry.org/