Category Archives: Security Research

When great ideas go to the wrong places

Or: why attribution is not a technical problem.

TL;DR: hacking is an art and a science, computer attacks (cyber these days) are only one manifestation of an aggressor, which has very limited traits that can trace it to its origin. Relying on technical evidence without additional aspects is not enough to apply attribution, and when done so, attackers can use it to deflect attribution to other actors.

Context: Experts, Microsoft push for global NGO to expose hackers

So, apparently, some really smart people at RAND corporation and Microsoft have decided that they are going to solver the world’s computer Bourne attack problems by creating a new global NGO to unmask and apply attribution to hacking incidents. They claim the organization will be responsible to authoritatively publish the identities of attackers behind major cyber attacks.

Which is really cute when you think about it – a bunch of brainiacs (and Microsoft people) sit around and analyze network, storage and memory dumps to trace back attacks to their origins. Sounds like a really great service, which can be used by companies and governments to trace back who attacked them, and act on it (either by suing, or means of diplomatic recourse).

The only problem is that the attribution game is not won on technical merit only. And guess what? Attackers know that very well. Even the US government knows that (or at least the organization responsible for launching such attacks) and have been trained to study different attacker’s traits and tactics so that they can replicate them in their own attack – hence throwing off attribution if/when the attacks are detected.

The reality of it is that companies are often hired to provide incident response and forensics, and in a rush/pressure to give value to their clients, come up with attribution claims based on technical merits. Cyrillic words will point to Eastern European blame (RUSSIA!). Chinese character in a binary will lead to claiming Chinese hackers are behind an attack. An Iranian IP address linked to a command and control server that trojans connect to will point to an Iranian government operation. Which is all a big steaming pile of horse feces because everyone who’s been on the offense in the last couple of decades (probably more – I can only attest to my experience) also knows that. And can easily create such traces in their attack. Furthermore, for the ones following at home thinking “oh, they know that I know…” – yes, we play that game too, and attackers are also “nesting” their red herrings to trace back to several different blamed parties, and it all depends on how deep the forensic analyst wants to dive in.

The bottom line, is that the technical artifacts of a computer attack are ALL FULLY CONTROLLED BY THE ATTACKER. Almost all forensic evidence that can be found is controlled by a knowledgeable attacker, and should be considered tainted.

Now consider an NGO who have no “skin in the game”, and relies on technical artifacts to come up with attribution. No financial evidence, no political ties, no social and physical artifacts or profiling of suspected targets or persons of interest in the victim organization. Anyone who’s been somewhat involved in the intelligence community can tell you that without these, an investigation is not worth the paper or the bits that are produced during it.

So, sorry to burst another bubble, and actually, if you read the article, you’ll see that I’m not alone, and at the Cycon conference at which this initiative was announced, several others have expressed pretty firm opinions on the futility of this initiative. So as much as I appreciate the initiative and willingness to act and “fix the problem”, perhaps it’s best to actually step out of the fluorescent light and really understand how things work in the real world 😉

Infosec conferences/talks redux

Don’t mind me, just poking my head in here to make sure the cobwebs haven’t taken over this place yet 😛
So yes – I’m going to be blogging waaay less then before because of, well, life? But I recently saw a post from Daniel Meissler who discussed how (in)effective are modern security talks at conferences are.
He’s bringing up a couple of great points, and talks about what a good talk in his mind would be. Figured I’d share my 2c on this based on a couple of conferences and talks I’ve been to and delivered.

So, neither approach is useful IMHO (i.e. essay, nor entertainment).
A Dan Geer style essay-reading has zero added value for the participants. Go read it yourself in your own pace and you’ll be better equipped to take something from it.

A handwaving “look at my marketing schtick” presentation has no value without any insights to the thought process behind it. Neither is a talk focused solely on the entertainment value. Even if it seems to veil itself as “but through which you’ll get awareness/education”. Especially if it’s mostly self-serving and designed to make you look good. Go away.

Slides that are visually appealing (cat pics), but that support the narrative of what the speaker is saying would be the best experience for me personally (given that there is actual content, and not just the same regurgitated BS that a lot of talks “innovate/research” with).

So, first – get something new in place.

Ok – go and google that shit. Double time. Because most of what’s been out there recently – from “unveiling” cyber criminal tools and forums, to “new” ways to avoid data exfiltration mitigations, is OLD FUCKING NEWS. You are supposed to be this OSINT Google-foo master. Prove it by not embarrassing yourself with a re-branding of old research.

Now, realizing that you may have no idea how to present this new thing, do two things:

  1. Write a paper that describes said new thing. Keep it fairly academic or white-paper style. This is the “essay” style you keep hearing about. DO NOT TRY TO PRESENT IT. It’ll be boring as fuck, and people will go into hibernation in the crowd.
  2. Start writing the story of how you found said new thing. Take note of the following:
    1. Why did you go out to invent/find said new thing? What was the motivation? What gap does this fill?
    2. How did you go about researching and finding the new thing? What challenges did you face doing so? What didn’t work through your process (much more interesting and relevant than what did work)?
    3. How do you use this new thing? How can I use it (assuming I don’t have to sell a kidney to do so. If so, pass this along to your marketing guys so they can get ready for RSA)?
    4. Show relevant data on how this new thing improved your life (professional life included). Show the situation before, and after new thing was applied. Data is cool, and you can’t argue with it (as opposed to “hey, look at me doing this thing one time with no context and no goal and how badass I am”).
    5. Give credit. Understanding that you are probably not alone researching new thing in complete void – give some props to the people/projects who have inspired you, helped you move along your research, or have done similar things, and you have build on their things to get to your new thing. (i.e. don’t be an asshole).
  3. Take this story now, and tell it. This is your talk. Find visuals that support the narrative of this story. These don’t have to be the text verbatim of what you are saying (please, for the love of god, stop it with the bullet wars). They can be cat pictures, then can be graphs, or funny graphics. Make sure there’s some context between your slides and your story narrative.
  4. Practice going through your talk and telling your story. After a couple of tries, try turning off the slides. Can you still make it work? Do you keep trying to read out from the slides (of course not, because they should only have minimal text on them).
  5. Go talk. It’s going to be great. You are going to stumble on your words sometimes, utter an “Ummm”, and an “Ahhh” from time to time. Nobody really cares. Because they are listening to your story, which is awesome, and interesting, and not reading out of your slides before you can recite them.
    1. (oh, and of course – don’t memorize the thing. You need to be able to tell that story again and again, and never sound the same. Otherwise you could have just sent a pre-recorded and edited copy of you doing this).

I guess it’s easier to say this from where I’m standing (here’s my bias declaration: I’ve done this many times, including bad presentations, and am about to deliver my last talks by the end of the month). But trust me – do yourself a favor and think about what you’d want to see/hear at a conference. It’s that simple. Don’t think about some “rock star” researcher and look up their presentation (they might suck at public speaking), just put yourself in the crowd and think “this is what would have worked for me if I’d want to learn about something”.

An obituary to pentesting?

I just saw a blog post in which Mike Kemp discovers the realities of 2010 (linkedin). (disclaimer – I know Mike and love him as a person, and this is my way of poking at him a bit – no disrespect here, but pretty much the opposite)

Now, go read that post (yes, I know, it’s long, but trust me).
This isn’t new (albeit very honest, direct and true),but here are a couple of comments I have:

  1. Penetration Testing is dead. Overrated, and abused by fancy vulnerability scanning, it died a few years ago. If you are still paying for one – check carefully what you are actually getting…
  2. Automation is king. I actually argue that 80% of what’s sold as a pentest by the major providers can/should be automated. All those scanner monkeys should be fired or forced to step up their game and actually do some work.
  3. Compliance? Really? Do you really want to go there? It’s got nothing to do with security, and if you thought so for a second I want to have what you were on when you did.
  4. Standards. This is where Mike touches on a sensitive topic for me (yes, PTES…). I’d actually challenge Mike to show me how PTES (which he mentions in the post – but you already know that because you read it, right?!) restricts providers by providing the engagement steps – which they should follow. There’s no restriction to scope, and I have personally used PTES in red team engagements. Full scope, no bars held. But still with a standard to follow, and something the client can also keep track of and know what to expect (and demand).
  5. I fully agree on the “pass the wealth” point where you should call in someone else who’s an expert to deal with a specific client request. Done that many times, and have never lost a customer that way.

Last but not least – yes, I do think that most pentesters can be replaced with a script. As they should. I do however have a solid advice to Mike and others who are still valuable professionals that have skills which are not replaceable by automation: demand a proper engagement model. And yes – I’m referring to the PTES again. You’d notice that threat modeling is part of it. Done properly threat modeling achieves multiple goals:

  • Forces the discussion to be around security rather than compliance, price or other factors that have nothing to do with security.
  • Scope goes out the window as threat models focus on the BUSINESS and not the TECHNOLOGY.
  • Enables the organization to test itself against its adversaries (threat actors/communities) rather than against pentesters. Much more rewarding, and correct.
  • Enables the provider (if it can muster to perform a decent threat model with the client) to charge decent rates for its services. You can clearly show how this isn’t some automated software running and spitting out reports, but skills and experience playing. It’s then your responsibility to follow through on it and make sure the final deliverable also looks like that (otherwise you are looking at a very short success rate for trying to adopt only part of this approach).

I actually welcome the hordes of scanner monkeys and tool-jockeys. They make the real professionals look even better. And although professionals don’t often have the marketing/sales power of the big-[number], trust me – they are busy, and doing work that the “big” and “trusted” suppliers can’t even start to put on their canned proposal templates.

Amazonian Trojans and Marketing Fear-Mongering

Hello there, welcome back to our scheduled programming on how to drum up clicks and views on your website “Powered by Fear Uncertainty and Doubt”.

As most marketing organizations know, sometimes you need to be a little creative when coming up with news and research. You draw a target for your security researchers to hit, and hope they come back with meaningful data that’ll make it to the next news cycle. And sometimes it actually works.

This time it didn’t. Recently, when reviewing my Twitter/Facebook feeds, I ran across “news” that state that Amazon (OMG – our trusted Amazon) are selling Rooted Android tablets, preinstalled with Trojans. Most of the public probably goes: “Hide your Nexus and shoot your Kindles!” in response. How dare Amazon sell us trojaned tablets?

But worry not, only after actually reading the details of the article (http://www.net-security.org/malware_news.php?id=3152) and the original research report (http://www.cmcm.com/blog/en/security/2015-11-09/842.html) you’ll understand that:

  1. Amazon has nothing to do with this. Just like you and I can set up shop on Amazon and start selling backdoored laptops, Amazon wouldn’t have anything to do with said backdoored laptops.
  2. It’s not about your usual tablet. So you can pull back your Nexus, brush up your Kindle, and keep using your Asus/Samsung/LG/[brand] Android tablet.
  3. It’s not even really an Android issue. One could have jailbroken an iPad, install a backdoor/trojan on it, and sell it online. The Android part is relates more to the price point and the ability to sell really cheap tablets.
  4. I dare you to recognize any of the “brands” of tablets sold with these trojans. Funny, the top “brand” is actually, wait for it, “NO BRAND”. I kid you not.

brands

So after sorting out the FUD, we are left with no much of a scare. Suspiciously cheap tablets, marketed mostly as “no brand” (or other brands which at least I’ve never heard of), are filled with questionable software. Kind’a reminds me of even “big name” manufacturers who load their phones/tablets/laptops with assorted unwanted software (officially dubbed “bloatware”). Wow. How did this not make headline news across the nation?

Bottom line – it’s pretty sad that we end up running research on the fringe areas of consumer devices and shopping behaviors. Yes, there’s a technical merit to analyzing a Chinese backdoor, but marketing it as “OMGWTFBBQ!” by sprinkling in Amazon and Android in the headline is pure marketing alchemy. Let’s get back to two things:

  1. Educating that when the deal seems too good, it probably is.
  2. Focusing our research efforts on more meaningful things. Yes, this also applies to stunt hacking, or junk hacking of sorts. There’s a lot of brainpower that could be diverted to solving problems that we have been dealing with for ages, yet would probably yield less media buzz.

SMRMageddon!

Social media and online interaction are dramatically changing the way our companies and employees interface with society at large. Recent examples of people tweeting or posting something silly or offensive and being responded to by doxxing or even threats of physical abuse are, unfortunately, becoming more common.

Today SIRA member Alex Hutton and Ian Amit are publicly announcing an open (free as in speech, free as in beer) project to help security departments identify social media presences that are more “at risk” to negative reactions and general information security risk. This framework of indicators is a little something we’re calling “Social Media Risk Metrics” (catchy, right?). SMRM is being introduced at Derbycon today complete with a demonstration, worksheet tool, and suggestions for further development.

The mind map is available here:
https://www.mindmeister.com/572637750#

The calculation tool on Google Sheets is available here:
https://docs.google.com/spreadsheets/d/1SBQwarmvyIRJQJqf9VN2Dma7Ukw2XU3fpYE0UOhIcwA/edit?usp=sharing

Additionally, here are some of the links mentioned in the talk, these are all tools that can be used as part of the OSINT collection and analysis that is part of the SMRM.
Predicting elections paper: http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852
Sentiment analysis tools:
https://tone-analyzer-demo.mybluemix.net/
https://watson-pi-demo.mybluemix.net/
http://www.nltk.org/
http://text-processing.com/demo/sentiment/
http://cran.r-project.org/web/packages/tm/index.html
http://rapid-i.com/content/view/184/196/
http://gate.ac.uk/sentiment/
http://uima.apache.org/
http://www.cs.waikato.ac.nz/ml/weka/
http://www.unal.edu.co/diracad/einternacional/Weka.pdf
http://www-nlp.stanford.edu/software/
http://alias-i.com/lingpipe/demos/tutorial/sentiment/read-me.html