Getting things right goes a long way when you are bleeding

I’m starting to see a trend here with the weekend posts. I can stomach most of the FUD during the work days, but things get to me through the weekend. Oh well. There goes a “mandatory” heartbleed post:

Yes, it’s a bad one. No, it’s not the worst one. And no – the sky isn’t falling, and the Internet isn’t about to go away.

Heartbleed was one of the most media driven (and ready) bugs in a few years. Logo, website, clear message, and two XKCD strips. The last of which is probably the best explanation to laypersons of what it’s all about.

And did the media catch up on it. Oh yeah… The usual naysayers, FUD-spreading evangelists had their 3.5 minutes of fame. And everyone started recommending that users immediately change their password.

Or maybe not. No! Wait until the site fixes their SSL implementation. Or yes? Ummm, what to do?… That’s where things get interesting.

The real issue here is this: sites affected by heartbleed could potentially be leaking information. And by leaking I mean that anyone with intimate knowledge of the bug could have been, in the past two years, pulling data from those sites. That includes session information, usernames, passwords, and even the private keys used to secure said SSL connections.

Which means that if you think that you were targeted by someone in the past two years, or that your information could have meant something to someone in the past two years with the capability to snoop on those credentials, yes, you should probably do something about it. BUT, and it’s a big but (yeah, yeah, yeah), you need to remember that it’s not as simple as checking that the website in question has applied the fix. Not even close. If (and again – IF) you believe you need to change your password, you also need to remember that whoever had the knowledge and capability to siphon off all that information was pretty certainly also stealing the server private keys. Initially pundits were skeptical that private encryption keys could be compromised through heartbleed. But as always – if it’s hackable, it will be hacked, and the proof came in pretty quickly.

So yes, there are online tools that will allow you to check whether a certain site has had the issue fixed. But these aren’t enough, as you would also need to verify somehow (and that’s not easy) that the site generated a new private encryption key, and got a new server certificate to go with it, to be used AFTER patching the SSL implementation.

Tricky, isn’t it? Yeah, welcome to security…

Anyways – don’t just blatantly go updating your passwords willy-nilly. First figure out whether you really need to, then consider the entire picture: were you exposed just during the time from when heartbleed was announced until the site was fixed? Are you concerned about three-letter agencies that had knowledge of heartbleed and were dumping gigabytes of server RAM so they could get everyone’s data? Then figure out whether that site’s private keys and certificates were updated. Then act.
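The “was the site really re-keyed?” check above, written out as an added example (not code from the original post): it compares a certificate recorded before the fix with the one served now, and distinguishes a certificate that was merely reissued with the old key (still exposed if that key leaked) from one with a genuinely new key issued after patching. The record layout and the hex values are constructed for the example; only the date format is the one Python’s `ssl.getpeercert()` returns.

```python
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed. A certificate issued before it
# cannot have been issued after the site's fix, so it is the default floor
# when the operator does not know the exact patch date.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def cert_not_before(cert):
    """Parse 'notBefore' in the format ssl.getpeercert() returns."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def assess_rotation(old_cert, new_cert, patched_on=HEARTBLEED_DISCLOSED):
    """Compare the certificate seen before patching with the one served now.

    Each record carries 'notBefore' (from getpeercert()), 'fingerprint'
    (SHA-256 of the DER certificate) and 'spki_sha256' (SHA-256 of the
    SubjectPublicKeyInfo); the two hashes are recorded by the operator.
      'not_reissued'      - the very same certificate is still being served
      'reissued_same_key' - new certificate, same public key: a leaked
                            private key still unlocks the new certificate
      'rekeyed_too_early' - new key, but the certificate predates the patch,
                            so the key may have lived in a vulnerable server
      'rekeyed'           - new key, issued after the patch date
    """
    if old_cert["fingerprint"] == new_cert["fingerprint"]:
        return "not_reissued"
    if old_cert["spki_sha256"] == new_cert["spki_sha256"]:
        return "reissued_same_key"
    if cert_not_before(new_cert) < patched_on:
        return "rekeyed_too_early"
    return "rekeyed"


# Constructed sample records (hashes are made-up placeholders).
OLD = {"notBefore": "Jan 15 00:00:00 2013 GMT",
       "fingerprint": "aa" * 32, "spki_sha256": "11" * 32}
REISSUED_SAME_KEY = {"notBefore": "Apr  9 00:00:00 2014 GMT",
                     "fingerprint": "bb" * 32, "spki_sha256": "11" * 32}
REKEYED = {"notBefore": "Apr  9 00:00:00 2014 GMT",
           "fingerprint": "cc" * 32, "spki_sha256": "22" * 32}

if __name__ == "__main__":
    for name, now in [("same", OLD), ("reissued", REISSUED_SAME_KEY), ("rekeyed", REKEYED)]:
        print(name, "->", assess_rotation(OLD, now))
```

Note that a verdict of `rekeyed` says nothing about whether the old key had already been extracted; it only tells you the window has been closed.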

Good luck with that. I’ll leave you with a bleeding heart punch so you won’t need to see that logo AGAIN on a security blog :-P

Relying on AV? Really?

I tried to hold back on this one, but if you’ve read this blog (or met me in person) you know it’s hard… Another amazing piece of research coming out of your favorite AV vendor – uncovering groundbreaking security implications. Take a minute to read this:
http://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene

Admittedly, I have stopped reading any AV vendor’s blog ever since I no longer needed to (for marketing or competitive reasons). The main reason is that they are riddled with old information, mostly FUD and scare tactics, self promotion, and subtle competitor bashing. So yes, I might be missing out on more gems like this…
Nevertheless, this specific post came to my attention as it was quoted in a blog dedicated to security in the Middle East written by Tal Pavel, whom I highly respect as a researcher who focuses on regional issues (warning – Hebrew only site): http://middleeasternet.com/?p=9999

So, a new RAT that caters for and was written by Arabic speakers. njRAT. That name rang a bell, and of course, after a couple of minutes of digging through my notes, there it was. OLD as nicely aged single malt whiskey (in “cyber” terms…).
The original Symantec article claimed it first saw the light of day sometime in 2013. That’s pretty fresh. Too bad that this thing has been around probably since early 2012 (might be even earlier – I haven’t really looked into it that much). How can I say that? Well, I’ve used it as an example (yes – an example! It wasn’t even the main topic of what I was talking about) in a presentation I first gave publicly in April 2012 at Source Boston. Which means it was seen, analyzed, used (and, ahem, somewhat abused), much earlier in 2012. I also presented this as part of my SexyDefense talk at BlackHat USA, DerbyCon, HashDays, and SecurityZone later that year.
They did get one thing right – the focus on Arabic speaking threat communities. I’ve seen njRAT back then when working on a defensive posture project for a client whose threat communities were heavily into the Arabic speaking world (vagueness intentional).

(embedded slide deck – skip to slide 68 for the specific example concerning njRAT)

The question remains though – are you still relying on AV vendors to have your back, when their “groundbreaking research” deals with malware that’s over 2 years old? And I’m not picking on Symantec here either (they did a great job of analyzing the 3 year old Stuxnet back at the time!). All AV vendors can feel free to include themselves here (yes, even if you no longer call yourself an “AV Vendor”, you still are. I’m looking at all of you…).

Think again…
Oh, and here’s a late addition just to top it off: http://mincore.c9x.org/breaking_av_software.pdf (Breaking AV Software – from Syscan 2014).

And guess what, perfect timing – next week I’m going to be in Boston again for Source – where this post basically all began :-) See you there!

Hacking, Business, and Politics

I’ve recently had the great fortune to be called in as an industry expert to comment on current news on the Fox Business show “Money with Melissa Francis”. I’ll be the first one to tell you that every (read: EVERY) mass media outlet has an agenda. From Fox, through CBS, NBC, CNN to Al-Jazeera. They have their agendas that work with their audiences, which works well with the “you get what you pay for” approach for most people (for a nice overview of media bias read this: http://en.wikipedia.org/wiki/Media_bias_in_the_United_States).

As it came about, my latest commentary on the show was on the meeting held between President Obama and a few tech company CEOs in light of the NSA surveillance mandate. As always – I’m keeping a fair separation between my business and hacking views and my personal political ones, and I expressed my take on the matter (TL;DR: It’s a PR charade designed to make everyone look a bit better).

Nevertheless, and probably because of the wider audience this kind of broadcast reaches, I received some comments (surprisingly from both sides) that were of political nature.

Granted, this is Fox, and my fellow panelists on the show are a couple of the more verbal and respected figures on the network, so very quickly the discussion became highly political. You could notice that at these points I was less than conversational ;-).

I do think that there needs to be a “balancing” voice whenever topics of this nature are brought up to a public discussion, and if you ask me the discussion shouldn’t be political as in “this guy is bad, and the other guy is good”, but more of the “this is the situation, here’s how it’s good/bad for us (the people), what can we do to change it?”. At the end of the day, even when pushing a political/economical agenda of any form, the discussion should end with an idea or a call for action. I see little merit in simple criticism (unless we are talking about entertainment media – where sarcasm is my first friend, and the likes of Jon Stewart, Louis CK, are my heroes). When faced with an opportunity to provide information, commentary and call for action I’d rather be able to educate and encourage discussion than opt for the easy way out of playing out the right “tune” for my audience.

Specifically in this case – surveillance is going to happen, I mean, we are talking about the intelligence agency here. And guess what? Whatever mandate they get, they are going to do their best to be able to fulfill their main task (gather actionable intelligence), which includes things like working with other agencies outside the US to get information on assets that they may not be privy to (US citizens that are not specifically suspects). It’s (almost like) hacking the legal system to get what you need. I know – been there, done that.

Also – while we’ve been caught with our hands in the cookie jar, almost any other nation either has, or is developing, or is buying the same kind of capacity to gather intelligence at this scope. How about discussing this? How about discussing the outsourcing of the more borderline kind of intelligence gathering to companies such as Gamma Group, NSO Group, HackingTeam, and their likes?

Last but not least – if you are a security practitioner, and you haven’t had a chance to take a look at the “I am the cavalry” initiative, you probably owe it to yourself to check it out: http://www.iamthecavalry.org/

Women in infosec? That thing again?

I usually don’t weigh in on the topic, well, because I don’t have the right equipment for one, and furthermore, I think that the majority of discussions around it are led by people who woefully misrepresent most of the women in infosec that I know.

(image courtesy: http://meanwomensuck.com/ – seriously!)

But I have to share this: Jennifer J. Minella (@jjx on twitter) posted her quick rant after hitting RSA: http://securityuncorked.com/2014/02/calling-bull-on-women-in-infosec/.

And I couldn’t agree more. I can only share my own experiences, and I’ll do it anecdotally (i.e. non-representative of frequency or quantity). First – women “empowering” other women who work together. Bad idea. Again – anecdotally, such a situation ends up in “cleanup on aisle 3”. Competitive, backstabbing, fame stealing, idea hogging, you name it. Someone gets hurt, and sometimes it’s not even the one in the more senior position.

The second example is layering – having mixed groups of the male and female persuasion usually ends up in empowerment. Of both groups. Ideas that get better “QA” in their inception and formalizing phases, wider coverage of risks and development areas, and an even more relaxed work environment when compared to mostly homogeneous groups. Works even better when such “layering” is also reflected in the organizational hierarchy. Men reporting to women, who report to men, and so on.

So there you go – a bit of good, a bit of bad, but remember again that these are just anecdotes. I’m sure that you’ll find counter-examples, and more ideas that support the “clan” model where women should stand for one another and support each other. I don’t see this as something that’s going to be better than finding out real mentors (regardless of gender) that you can learn from, and teach back. I know I have – both as a mentor, as well as a mentee or protégé (one of these words isn’t a word I suspect…).

I’ve yet to meet a woman in infosec who’s been “empowered” because of other women; on the other hand I’ve met a lot of women in infosec that made it because they actively took a role in the industry, fought for their voice (just like anyone in the industry does), and didn’t give up just because they were denied. I can’t count the number of times I’ve been denied, yet we all keep working and pushing forward. Finding excuses for being rejected is easy. Either because you are a woman, or maybe black, or white, or speak the wrong language, wear the wrong clothes, have a different opinion, religion, nationality – you name it. I can point out people with each one of those “traits” and show you how it never made it as an excuse in their vernacular. They just kept pushing on.

Breaking news: Spy agencies are spying!

Please say it ain’t so! Spy agencies are spying?

I’m actually going to go out on a limb here and present my (again – MY) opinion, which might pass as complicated by people with very deterministic views (or are being spoon-fed said views through the media of their choice).

First – I think that the Der Spiegel article that covers the “latest” NSA spying capabilities (http://www.spiegel.de/netzwelt/netzpolitik/quantumtheory-wie-die-nsa-weltweit-rechner-hackt-a-941149.html) is very important, and I applaud Jake and the crew that covered this. If you haven’t yet, go read it and go over the slides. Also make sure to read through the “product catalog” here: http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

So you are back? Great! That being said, I do think that spy agencies should continue spying. BLAM! And yes, it makes total sense to me. Because I do think that spy agencies should keep spying in order to keep their corresponding nations safe. It’s all about the tradecraft and trying to keep a step ahead of your potential enemies.

Yes, that WILL entail walking (and falling over) a very fine line between legal implications and privacy. It means that as always – agencies will spy on foreign nationals AND citizens. Because yes – terrorists and adversaries do not have boundaries that are defined by the color of your passport. And as opposed to Jake’s claim in his CCC talk, “carpet bombing” is a totally legitimate way to collect and analyze data. I’m not saying that it’s nice, or legal, or ethical, but it’s effective. It’s up to the agency using this technique to justify and qualify what they do. And yes – keep it quiet – just because of this delicate nature of collection.

Now, back to the data. Yes – agencies (and I’m not picking on the NSA here, these kinds of capabilities exist with lots of other agencies), have these kinds of capabilities to wiretap, modify, exploit and persist on a lot of kinds of accounts and systems. It’s what they are tasked with doing. That’s not even news. But I think that the fact that this comes up again is critical because of something completely different: OPSEC. Operational Security.

The NSA has fallen (again) to the oldest sin of spying – getting cocky. You can see the same behavior from anyone who’s picking up a new capability – be it a script kiddie picking up Metasploit for the first time, someone getting to be decent at martial arts, or any other skill. They get cocky. And think they are unbeatable. And that’s when mistakes start to show up. Basic OPSEC. And I believe that this is an important lesson to learn. Again. Because OPSEC is not a compliance thing that you check off once and forget about it. It’s a basic practice that (should be) taught to everyone that participates in tradecraft. And practiced. And apparently the NSA isn’t that great at it (surprise!). Hence their powerpoint slides are all over the Internet now.

So that’s my little 2c on the topic. Yes – I support spy agencies’ continued practice, and yes – I support anonymity and privacy, and yes – I support the law and the need to keep improving it. I support the creation of free and open source software designed to enhance your anonymity and privacy. I have actually met Jacob a couple of times (and found it funny that he freaks out every time we do meet), and actually think he’s a great guy. Same for Moxie. Complicated? I mentioned it at the beginning. So there you have it. Deal with it.

Now go watch Jake’s talk from CCC. You have to. Because I said so. And for crying out loud – get your OPSEC together.