Tag Archives: analysis

The power of collaboration (BlueHat post)

Some additional BlueHat wrap-up –  a collaborative post with a dear colleague of mine Fyodor Yarochkin has just been posted on the BlueHat blog.

The interesting thing about this is that my interaction with Fyodor have been as follows:

  1. Email exchange prior to BlueHat, as we were speaking one after the other, and were referring to the same ecosystems but from different points of view.
  2. Meeting in Seattle/Redmond at BlueHat, having some conversations (and drinks, yes, some drinks were involved too) about work, research, and such.
  3. Speaking one after the other.
  4. Working together on a post through online sharing tools where we basically played with throwing ideas around, putting in writing what we thought about them, exchanging some ideas and directions, and coming up with the aforementioned post.

To sum this up quickly, we didn’t really know each other (not virtually either) a few weeks ago, and based on our mutual interests, research and passion we were able to come up with a (somewhat) cohesive post that at least I can stand back and say “damn!, that’s pretty good” (and learn something from).

Only in InfoSec!

Stuxnet Analysis Report

So, after quite some time of working behind the scenes, and making an effort to focus on essence rather than buzz, the CSFI have published their official report on Stuxnet.

I have had the opportunity to assist (just a bit… work has been taking its toll) in the report writing – mostly inCSFI Logo terms of countermeasures for a threat like this, and some basic analysis.

Feel free to download the report form here:CSFI_Stuxnet_Report_V1

As well as watch the demonstration video on the CSFI website: http://csfi.us/?page=stuxnet

Kudos to all the great contributions from the CSFI-CWD (Cyber Security Forum Initiative – Cyber Warfare Division)  fellows!

The Botnet Wars – industry Q&A

I was approached recently by Bart P from Panda security in order to participate in an industry expert Q&A about the botnet wars (apparently he did his homework as he got quite the lineup to participate in this, guessed he can count me as a close miss :-)…).

He managed to compile a great Q&A where you can read some of the views and opinions on the current state of business at the Botnet (including exploit kits and crimeware kits) marketplace.

The full article is available at: http://bartblaze.blogspot.com/2010/10/botnet-wars-q.html

Enjoy!

Learning from stux, and connecting more dots in infosec

So everyone has been fully focused on Stuxnet – trying to figure out (again) what 0-days were involved, how were networks crossed, which command-and-control channels are utilized and how the systems were compromised.

Great.

I’m really hoping that the technical analysis would help us get a better grip on what kind of risk a persistent and well-funded attacker poses to a target. Nevertheless, it’s almost as we have not really learned a lot from past events – and yes, I’m talking about connecting the dots again. This time not in the sense of linking between crime and nation-state, but more in the sense of understanding that the technological attacks are usually coupled with kinetic ones – especially when talking about the more advanced activities.

For starters – stuxnet could not have gotten to where it did without the “human factor”. Someone needed to carry the infected USB thumbdribve and stick it into some system that was in the separate network. Call it a hostile agent, call it a paid off internal agent, or a 3rd party provider that was recruited to provide slightly modified equipment. It had to be done.

Now that we established that the “matrix” could not have just jumped across networks, let’s see what else can we learn from such an incident. As in learn whether this could affect us, and how. Which brings me to the second point:

We got nothing. Nothing in the sense of actual protection. And no, your claims that “our production control and monitoring network is physically disconnected from other networks” does not hold water anymore. It didn’t before either, but now it’s easier to point out how wrong you were.
Not only we got nothing, we keep listening to vendors that are too cheap/lazy to implement proper controls (from proper secure development, to taking into account that security measures would need to live on the systems), and completely lose focus when something proprietary comes along the way. When we should have been kicking vendors in the round ones and making sure that we make ourselves experts in the “proprietary” protocols thrown at us. Time to taste a bit of what we’ve been cooking.

Because stuxnet is not going to be hitting us soon. It’s going to be something much more appropriate for our culture and more targeted towards our soft spots. If delaying a nuclear development plan was on the top of the objective list when the operation that included stuxnet was planned, the counter-plans we would have to defend from would be different.
Think more in the lines of altering the way we perceive reality. Seriously. What if someone would be able to change what the newspapers printed tomorrow morning? What if they could change/affect what we see on TV? And no, this is not science fiction (check out what happened during Cast Led where Israel hacked the palestinian TV station, and how a retaliation effort was mounted and almost succeeded).
Such actions can be pulled out more easily than you’d think. The fact the everyone is focused on the pure technical aspects of defense left us pretty much open on any front that combined both human/social, physical and technical efforts.
Thinks furthermore on how the economy would hurt if the stock exchanges would be provided with false information (remember what happened when computers were involved in making decisions back in May 2010?).

And there’s more. Out travel, insurance and a lot of our financial systems are running on technology that was created back in the time when “strong authentication” means that you had to guess a really cryptic username. That’s right – not even a password is needed. And we are running billions of dollars on these things. They are protected of course – by separation. But network separation is not enough as we have just seen.

So back to connecting the dots. Remember my last rant? (you better!) – that’s exactly where the dots connect. Think critically of the business as a whole. Not in a system by system, or network by network scheme, but in the “how does this business work” scheme. How does the paper get printed at the end of the day? It may be easier to hack into the printing press facility control system than to the editor’s or the publisher’s network. Same goes for financial institutions, hospitals, airports, manufacturers, etc… Identify the weak spots in your industry, not in your office or your network.
And don’t blame me from giving the bad people ideas. They should be considered at least as smart as all of us are (smarter than me for sure 🙂 ). The anger that you are feeling right now reading this, is coming from the pain of sticking your neck out of the sand your head was buried in, and the uncomfortable feeling of getting a grip on reality…
Thanks for taking the red pill, and welcome to the matrix.

Now go and change things.

The Turkish hack and another case for IL-CERT

You have been living under a rock if you haven’t heard of the Turkish hack a couple of days ago. Basically – a Turkish hacker forum that bolsters a strong anti-Israeli attitude has been practicing hacking and mostly defacing Israeli sites for the past few months (years).

Now, this is nothing new, and as I stated before, has been going on for years. I’m not even going to go to the political discussion on whether this is sponsored by the government (or have been turned a blind eye by it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified who on what. A couple of funny things to consider in this incident:

  1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted that they knew of this issue months ago.
  2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with it’s corresponding password).
  3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific point? Let’s see, and now from a perspective of a normal CERT that if would have been here would have addressed these as follows:

  1. Companies that deal with security research can send their insights over local security incidents to a coordinating entity – IL-CERT that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTS and who they constituency is.
  2. Coordination and notification to government related bodies would  be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il account have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
  3. Incident handling support and assistance would have been provided by subject-matter experts to any site that have experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would have probably done a referral as initially it would not be a commercial body).

Simple huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of it’s own internet security…