Category Archives: Security Research

Yes, you knew exactly what you were walking into…

I’m writing this in response to a very well put together article written by my friend Dave Lewis on CSO Online: “Are you a legitimate military target?”.
In the article Dave talks about how security researchers, practitioners, and security vendors are suddenly “surprised” to find themselves potentially under the scrutiny of foreign (and guess what – domestic) governments and militaries.

Dave quotes Mikko Hypponen, F-Secure’s Chief Research Officer, who keynoted the FIRST conference last week in Berlin, saying “I didn’t sign up for this”.
Well, sorry to take the other side – but you did. We all did. Even those of us who have been in the industry for almost 20 years. We grew up on movies like “War Games”, on stories such as Cliff Stoll’s “The Cuckoo’s Egg”, and those of us who were pushing the boundaries and practicing security research also knew that we were playing fast and loose with the law a lot of the time (successfully, for those of us with a clear record).
Well, guess what, just like a nuclear physicist becomes a target (legitimate or not) for a foreign nation because they are associated with another nation’s nuclear program, so are we.

Any new piece of information that may allow an advantage in the greater scheme of things is highly sought after by nation states, and if you are not aware of it, well, good luck to you.

I join Dave’s closing comment on the difference between espionage and warfare. We all need to understand though that there are governments and their intelligence services behind both of these. So yes, we all knew very well what we were walking into when we found our first 0-day, vulnerability, or realized that we can bypass controls, processes, hardware, software or whatever it is we hack our way through. This kind of knowledge and skill is a far cry from a new crocheting technique.

p.s. I’ve mentioned the law here, and if you know me you know that one piece of advice I give to any fellow practitioner is usually “get a lawyer”. This isn’t just for fun – law is just as hackable as cheap knockoff Chinese firmware, or a shady Israeli device driver. I highly encourage everyone to at least study your local legislation in relation to computer “stuff”, as well as dabble a bit in the international aspects of it.

May the force? May in full force…

Lack of updates here usually means that time constraints are in effect… But apparently all that work is paying off as some of the research we have been working on is starting to get front-and-center stage.
May marks a busy month where I’ll be bouncing around a few places (São Paulo, North Carolina, and locally here in NYC) to talk about it.
Stay tuned for details 😉

Killing (innovation) in the name of the law

I am not a lawyer. Nor do I want to be one.

But fortunately I have enough education and practice around legal systems – domestic and international – to be “dangerous” enough that I can actually get my job done wherever I need to.

This, however, is a constant balancing act, especially in light of the proposed cybersecurity bill. The proposed legislation basically expands the CFAA (Computer Fraud and Abuse Act), and not in the right directions. As-is, the CFAA is draconian, and has been repeatedly abused to prosecute people who have, for lack of a better term, pissed someone off. Notable examples like Barrett Brown, Aaron Swartz and Andrew Auernheimer (‘weev’) have been subjected to government prosecutors who leaned on the ambiguity and far-reaching implications of the CFAA.

Extending the law, and subjecting it to elements such as RICO (Racketeer Influenced and Corrupt Organizations Act), furthers its reach, and along with the proposed amendments basically criminalizes most of the work done by hackers (i.e. the good guys). It stifles innovation and the ability to “play around” with computers, software and hardware, and would have put most hi-tech founders in jail for a long time had the law existed back then. Heck, I’d be serving decades in jail if it had.

And to think, even for a moment, that any of this has, or would, deter real criminals is absurd. Other than holding back legitimate research and innovation that is put to use to thwart cybersecurity threats, this does nothing good.

I truly hope that legislators would wake up and rise above the political forces that managed to push this bill in its current form, and perhaps even take action to correct the already crooked CFAA in a way that would make it more relevant to computer crime and fraud.

Until then, I guess that we would have to keep tiptoeing between the raindrops to make sure that we can keep pushing the envelope as always. Much like a lot of organizations (private, as well as government, that I have had a chance to work with) have done by offshoring and distancing their more aggressive/proactive activities to avoid jurisdiction issues.

A couple of good reads on this are here for your background: Orin Kerr and a shameless plug of my comments on this on CSO Online.

When a door is not a door

This is going to be a short one, because so much has been written on this, and the level of (in)competence exhibited by so many people around this has almost driven me crazy.

Yes, the Sony hack. Not going to comment on what has been done, what should have been done, the sophistication of the attack, the ability to detect tens of terabytes leaving a network, or the way to handle this (technically, politically, diplomatically, business-wise, ugh – you name it…).

But I do find it ironic that this post comes right after my previous one, now aptly titled “To the full extent of their capabilities” by Dave Aitel (who’s also had his share of commenting on the Sony hack).

I was vocal enough around this, especially (and weirdly I must say) as someone who suddenly sounds like the responsible adult, urging for deeper and more comprehensive forensic work and not knee-jerk attribution. Attribution, as we all (should) know, is difficult. Especially in the “cyber” realm, where fingerprints are more difficult to link to actors, who are in turn difficult to link to aggressors.

On the Internet, everyone can be anyone, and planting false flags is common practice among even the less capable threat actors. Acting on such red herrings is not only irresponsible, it can also be dangerous (an “unnamed official” at the Pentagon responded as such to the DDoS attacks on July 4th 2009). And it looks like we are facing the same weak evidence again. I highly recommend reading Fauxtribution by Krypt3ia, who really lays out the evidence, and the highly speculative nature of the attribution from the FBI on this one.

Looking at TTPs (Tools, Tactics, and Procedures) alone in order to derive attribution is not enough. Without being able to link real activities to a human actor, and following up with a more “traditional” investigation (motivation, funding, accessibility, relationships), TTPs and other forensic evidence leave us with a highly biased view of what’s going on. More worryingly, this view is almost entirely controlled by the real attacker, who had the time and opportunity to choose whom they would like to appear as at the end of the day when the attack is discovered. Combine clear documentation on TTPs for almost any major actor with highly accessible online resources such as proxies, compromised hosts, and for-rent bots/servers, throw in some foreign language references, and we have ourselves a perfectly disguised threat actor.

Unless the investigation ends up with a multi-national cooperative law enforcement effort, enforced by the legal systems, and commercial capabilities, this goose chase isn’t going to end well. We can (gulp) take a hint from Microsoft’s playbook and their recent endeavors in hunting down the true sources of mass botnets and malware attacks. One can only hope…

Relying on AV? Really?

I tried to hold back on this one, but if you’ve read this blog (or met me in person) you know it’s hard… Another amazing piece of research coming out of your favorite AV vendor – uncovering groundbreaking security implications. Take a minute to read this:
http://www.symantec.com/connect/blogs/simple-njrat-fuels-nascent-middle-east-cybercrime-scene

Admittedly, I have stopped reading any AV vendor’s blog ever since I didn’t need to (for marketing or competitive reasons). The main reason is that they are riddled with old information, mostly FUD and scare tactics, self promotion, and subtle competitor bashing. So yes, I might be missing out on more gems like this…
Nevertheless, this specific post came to my attention as it was quoted in a blog dedicated to security in the Middle East written by Tal Pavel, whom I highly respect as a researcher that focuses on regional issues (warning – Hebrew only site): http://middleeasternet.com/?p=9999

So, a new RAT that caters for and was written by Arabic speakers: njRAT. That name rang a bell, and of course, after a couple of minutes of digging through my notes, there it was. OLD, as nicely aged single malt whiskey (in “cyber” terms…).
The original Symantec article claimed it first saw the light of day sometime in 2013. That’s pretty fresh. Too bad that this thing has been around probably since early 2012 (might be even earlier – I haven’t really looked into it that much). How can I say that? Well, I’ve used it as an example (yes – an example! It wasn’t even the main topic of what I was talking about) in a presentation I first gave publicly in April 2012 at Source Boston. Which means it was seen, analyzed, used (and, ahem, somewhat abused), much earlier in 2012. I also presented this as part of my SexyDefense talk at BlackHat USA, DerbyCon, HashDays, and SecurityZone later that year.
They did get one thing right – the focus on Arabic speaking threat communities. I’ve seen njRAT back then when working on a defensive posture project for a client whose threat communities were heavily into the Arabic speaking world (vagueness intentional).

(skip to slide 68 for the specific example concerning njRAT)

The question remains though – are you still relying on AV vendors to have your back, when their “groundbreaking research” deals with malware that’s over 2 years old? And I’m not picking on Symantec here either (they did a great job of analyzing the 3 year old Stuxnet back at the time!). All AV vendors can feel free to include themselves here (yes, even if you no longer call yourself an “AV Vendor”, you still are. I’m looking at all of you…).

Think again…
Oh, and here’s a late addition just to top it off: http://mincore.c9x.org/breaking_av_software.pdf (Breaking AV Software – from Syscan 2014).

And guess what, perfect timing – next week I’m going to be in Boston again for Source – where this post basically all began 🙂 See you there!