Category Archives: #pub

Updates, Malware Analysis Links, Meltdown, & Spectre

Posted by on January 11, 2018 No comments

Readers,

My apologies for not posting more often. I’ve been busy with my studies (and occasionally reading and writing off-site). There’s been so many new forensics blogs, mailing lists, and infosec communities recently that I’ve been content with reading instead of writing my own posts. Bad habit, I know! I’ve also taken part in a number of security CTF and infosec challenges. I said that I’d be covering past challenges and their solutions in greater depth in my DC3 post and that’s still a plan for the future (if time permits).

I’ve also been toying with the idea of setting up an up-to-date CTF challenge section on site since I have enough content from past CTFs and challenge organizers. We’ll see. I did make a challenge to de-anonymize target onion sites, the solution to which would be in discoverable data about the target web server. But I’ve been told that this might come across as hostile and not helpful for learning purposes, so I’ll probably just end up with standard jeopardy-style questions. Other options include the obligatory stegano in images, sound files, whole forensic images of disks with flags for various forensic artifacts, etc. Since security challenges are time consuming to create, it’ll have to wait a little longer. As always, feel free to subscribe to the blog for future updates.

I’ve also been looking for quality reverse engineering malware resources. I’m still new to that arena but what follows is a list of some really helpful sites, webinars, and books for learning to disassemble programs and study malware both from a static and dynamic perspective. I realize many readers here already do malware analysis, but this is intended for others looking to get into it. Some of the sources are older but all of them are worth checking out. Regretfully I can’t go through every examiner’s quality blog here, but check the site for more links! I’m also happy to read, study, and add any sites or research if submitted.

Malware Resources

Blogs, Articles, Webcasts, & General Papers

Introduction to Malware Analysis by Lenny Zeltser (Webcast), 12/6/2016.
Note – Webcasts, webinars, white papers, blog entries, conferences, I’ve seen a lot of Lenny Zeltser’s work and I’m a big follower. So I often link to his work.

Malware Analysis: An Introduction (GIAC Gold Paper) by Distler. 12/14/2007.

5 Steps to Building a Malware Analysis Toolkit Using Free Tools by Lenny Zeltser. 3/14/2015.

Malware Analysis Essentials Using REMnux w/ Lenny Zeltser (Webcast), SANS Institute, 4/17/2014.

4 Cheet Sheets for Malware Analysis by Lenny Zeltser, SANS Blog, 9/13/2017.

Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser. 9/7/2017.

Thoughts on Malware, Digital Forensics, and Data Breaches by Hal Pomeranz, SANS Blog, 1/18/2012.

CyberBit’s 5 Open Source Malware Tools You Should Have in Your Arsenal

Projects To Watch/Tools to Know:

FLARE VM – The Windows malware platform by FireEye, a company known for their malware analysis and incident response know-how. 1/16/2018 Update: This tool is really outstanding. The packages can be imported into any VM, preferably newly rolled evaluation copies of Windows 10 VM, since you can just keep restoring back if you max the 90 day eval. Flare includes many tools for file analysis out-of-the-box such as hex editors, debuggers, disassemblers, text editors, PE tools, process hacks, packet analyzers, alternate data stream manipulation tools, and more (official list on Github). Package installation is made simple with Chocolatey. My own custom box includes essentials I downloaded such as OWASP ZSC for Python shellcode generation, Yara, stegano detection tools, audio editors, and more. Definitely not an exaggeration to say that you can make this into the best security platform available on Windows.

REMnux – A Linux Toolkit for Reverse-Engineering and Analyzing Malware

Kali Linux – I use Kali a lot so I highly recommend it. It’s an extremely well maintained distro, adding your own packages as needed is simple and usually everything just works (thanks to all the modules and dependencies pre-rolled into Kali). There are some great tutorials for pentesting and forensics on Udemy and through Offensive Security. Adding malware tools is easy.

SIFT Workstation – I’ve used multiple versions of SIFT from Linux to Windows 7 and 10. I highly recommend it for forensics work. It does have more timeline tools than Kali (although you can add packages to Kali as you see fit). SIFT VM + Kali VM = ideal. I have heard great things about BlackArch for penetration testing but have yet to try it (I do have fond memories of Archlinux and Archbang, so it’s on my to-do list).

Yara Analysis Tool – industry leading tool in signature and behavioral rule-set matching for malware.

Cuckoo Sandbox – Sandboxing tool for malware. If you’re just using VMware, be careful of VM escape vulnerabilities, bogging down resources, etc.

IDA & IDA Pro – Ideal for static analysis. Disassembler for every major operating system. I’ll be honest, my assembly skills are weak, but this is one tool worth sticking with. There’s even a great No Starch book on IDA to help you out! (IDA Pro Book, 2nd Edition by Chris Eagle — fair warning, the assembly sections are pretty light and assume you know what you’re doing, so I’d suggest supplementing it with another resource to familiarize yourself with the subject prior to diving into IDA. One good (and free) course is the x86 class by Open Security.)

OllyDbg – The Gray Hat Hacking books use OllyDbg a lot.

Immunity Debugger

Automatic Malware Analysis and Sandbox Services by Lenny Zeltser

Classes:

Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration w/ Xeno Kovah (Open Security Training)

Introduction To Reverse Engineering Software by Matt Briggs & Frank Poz (Open Security Training)

Reverse Engineering Malware by Matt Brigs & Frank Poz (Open Security Training)

FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Jake Williams (SANS Institute)
Note- I haven’t had a chance to take this class but it’s pretty much the de-facto malware analysis class in digital forensics.

Again, there are many courses and tutorials available through Lynda, Udemy, and YouTube. Here… hold up. There we go (had to do it!).

Technical References:

Tech refs can be expensive but these are totally worth it if you’re committed to learning the subject matter (or, like me, you’re equally committed to making a visually impressive security bookshelf /modestyfail). Most well-maintained, high traffic libraries should have some of them. Sure, there are plenty of online sources with similar information but these texts are definitely helpful.

Malware Analyst’s Cookbook: Tools and Techniques for Fighting Malicious Code by Hartstein, Richard, Ligh, and Adair. 2010.
Note: It’s the bible of malware analysis. It was one of the first larger-works to tackle malware head-on. While it isn’t as technically in-depth for complicated tasks (I found that GHH was more technical for some things), it’s a must have. New to malware analysis, I can honestly say it’s readable and worth checking out.

Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz. 2015.
Note: One of my all time favorites. Black Hat-style techniques are explored using Python code and popular modules. There’s something for everyone here. (I often use BHP or GHH – mentioned below – as a springboard for Python projects, so I can also recommend getting physical copies as opposed to eBook versions.)

Gray Hat Hacking, 2nd Edition & 3rd Edition by Harper, Harris, Ness, Eagle, Lenkey, Williams. 2008 & 2011 respectively.
Note: When I first picked up the 2nd edition from the library I had no idea what IDA Pro was and wanted more on pentesting. Immediately dismissing GHH something I wouldn’t use. In retrospect, GHH is an awesome guide to DLLs, handles, processes, reverse engineering, and malware analysis.

Data Hiding Techniques in Windows OS: A Practical Approach to Investigation and Defense by Hassan & Hijazi. 2017.
Note: This book should just be called “How to Win at CTF Every Time.” While it doesn’t explore malware in-depth, it does talk about various forms of data hiding and data manipulation (ADSs, stegano, etc). Since malware utilizes different methods of remaining hidden, DHTIWO is a great guide for developing critical thinking skills. This and File System Forensic Analysis by Brian Carrier are so easy to use as regular resources in forensics.

Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers & Security Engineers. TJ. O’Connor. 2013.
Note: I used to really love this book prior to finding BHP and the Gray Hat books. It has drone hacking and Twitter OSINT hacks, what’s not to love? The code is hit or miss but it has some good ideas for Python coders. It does also contain a section on Virus detection. I prefer Justin Seitz’s work, but respectful nod to TJO’s great resource.

Miscellaneous Resources:

Mitre’s CVE Page (Security Bug/Exploit Lookup)
Yara Official Documentation
Yara Definitions & Rulesets
Offensive Security’s Exploit-DB (Exploit Lookup & Sample Code)

Also check the links to other blogs around the site as there are a fair amount that cover malware research.

Meltdown & Spectre Links

Meltdown Paper | Spectre Paper | FAQs: https://meltdownattack.com/#faq-fix

You know that feeling when you’re lurking darknet forums or Inj3ct0r for information on new malware and you’re like, “what a liar, that’s not a revolutionary 0day exploit, that’s yet another buffer overflow exploit!” This is a fair bit more serious.

Thanks to Jann Horn and the analysts at Google Project Zero, two new dangerous exploits were discovered. Spectre – which leverages a processor’s speculative execution to pull data from memory to an attacker via side channels* – and Meltdown – which uses out-of-order code execution on processors to leak sensitive information across any form of virtualized environment or through any form of protected memory space. Unfortunately, fears are that they’re so deeply embedded in modern processor architecture that they’re nearly impossible to temporarily patch without crippling current infrastructure. They aren’t entirely software issues that can be patched easily. Dynamic execution speeds up computing performance drastically while Spectre potentially effects so many different types of processors. I’ve tried to include some useful links here for understanding the severity of Meltdown and Spectre.

* Yes, Spectre sounds like the coolest thing since poptarts. So much for professionalism.

FireEye Notice for CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 (FireEye), 1/5/2018.

Researchers Discover Two Major Flaws in the World’s Computers by Cade Metz and Nicole Perlroth (New York Times), 1/3/2018.

The Complete List Of CPUs Affected By Meltdown / Spectre by Dr. Adrian Wong, 1/8/2018.

In response to worries of Spectre being able to extract passwords from application password managers and vaults, Dashlane’s Eitan Katz wrote an article on the state of Dashlane and what Meltdown and Spectre do. Check it out here: Meltdown and Spectre: What you Need to Know to Stay Safe by Eitan Katz (Dashlane), 1/5/2018.

It’s not every day you see patches that cause entire Linux communities to freak out. If you’re an Ubuntu user, be sure to check out this article regarding Ubuntu 16.04’s patch: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers by Catalin Cimpanu, 1/10/2018. The patch in question only applied to Meltdown. The problem was fixed with subsequent updates after the article was released.

Be sure to check out the CVEs below for more technical information about each of the exploits. The links contain a lot of critical information such as sample source code that you can attempt to run in a virtual environment. Note that your mileage may vary in VMs, some have reported BSoDs and not useful crashes when attempting to execute the exploits.

Spectre CVEs: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753 & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
Meltdown CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Top Articles & WordPress Session Hijacking

Posted by on September 18, 2013 No comments

The blog has successfully been migrated to the new self-hosted WordPress (forensicsblog.org), simple name, same great flavor! We’ve got a double feature for you this evening. First, is a list of some of the articles generating the most views on here (thank you for reading!), followed by some WordPress Session Hijacking resources.

Also, please take the time to visit some of the great forensics resources along the right side of the blog. I’ve tried to keep the list to (in my mind) the most interesting blogs/bloggers in information security. They all have great content and research worth reading.

Top Articles on fork()

  • Research: GPS Device Analysis” — research on the manual forensic examination of a Garmin Nüvi 1490. Piece includes a comprehensive breakdown of the GPX file structure, how it’s used to store trackpoint data and information on GPS metadata.
  • Thoughts on viaExtract (Demo)” — discusses the viaExtract utility designed by viaForensics for the analysis of android devices. Highlights artifact extraction with AFLogical and viaExtract case reports. Also discusses the Santoku Linux distribution for mobile forensics.
  • Updates to GPS Utility (Timestamp Features)” — TrackerCat’s latest post to date: adds timestamp extraction of trackpoint data within GPX files to CSV file format. Also includes the ability to recursively export GPX files from a user-specified path and displays embedded file metadata time.

There are a lot more interesting posts here so be sure and scroll down or use the Monthly Archives menu on the side panel. You can also use the site-wide search for topics such as “encryption” or “OpenPGP.”

WordPress Session Hijacking

Since I’ve been tinkering with this blog, I’ve noticed that WordPress is still vulnerable to session cookie hijacking. This is a topic that WordPress or plugin developers should address in much greater detail since many use WP as a site-wide CMS. This section is to share some links on the subject and increase awareness of it.

To those that may not know, session hijacking is when an attacker copies authenticated session cookies from an authorized user and uses them as his own. This is done by first monitoring unencrypted network traffic and then modifying the appropriate cookie and sending it back to the server. HTTP or poorly implemented HTTPS are most at risk. There’s nothing new about this and it’s extremely simple to execute.

These sources can be invaluable for understanding and mitigating the risk:

There are too many MITM tools to list. I’ve included the Fern link to demonstrate how such attacks can be carried out over a wireless network. The following tools are for either modifying HTTP headers or crafting clone cookies:

Almost every new installation of WP.org I’ve seen is susceptible to this attack. WordPress recommends using HTTPS. If you don’t have SSL enabled on your site or haven’t set up HTTPS properly, your site could be at risk. Other forms of risk mitigation include:

  • Use a trustworthy VPN when logging into a WordPress to prevent eavesdropping. If using a mobile device or laptop to access your blog a VPN is the simplest way to ensure your safety on an public hotspot.
  • The Safer Cookies Plugin by Janis Elsts which restricts an IP address to one session at a time, solving half the problem for blog owners. It would have been nice to see this as an option in out-of-the-box WordPress. It’s almost ludicrous that WP doesn’t come with a feature like this (even Facebook allows for terminating multiple simultaneous sessions).
  • Deploy WP security suites and WP firewall plugins such as Cloudflare Threat Management, WordfenceBetter WP Security or Bulletproof Security. Firewalls don’t protect against session hijacking directly but helps by adding IP-based controls such as blacklisting and white listing single IPs or addresses within a specific range. They may slow down the site’s loading speed but they’re worth it.
  • WordPress login control plugins are extremely useful to setup on your blog. There’s Login Lockdown and Lockdown WP Admin. The first provides excellent rules for login expiration and maximum login attempts before an account is locked down. The second offers the ability to hide the WP admin page from individuals that aren’t logged in. It also has the option of making logins use basic HTTP authentication (but without SSL, that isn’t as secure as it sounds).
  • Sandboxing. If an attacker does gain a foothold by accessing an account, make sure it isn’t your admin account (if you’re using your WP admin account to log in regularly, you shouldn’t be doing it from an open wifi network beyond your control). Also make sure your account’s user directory and all files within it are safe (this is critical if you’re using WP plugins that allow you access to modify files without having to FTP/SFTP in).

WordPress has yet to come up with a fix for this type of attack as it’s considered “low priority.” This is probably due to the fact that this attack isn’t direct, it’s passive and requires being in a position to capture network data. The problem is that WordPress isn’t necessarily responsible; HTTP is not secure and website owners should be aware of this threat.

Hope you found the resources above interesting. Thanks for reading!

Updates to GPS Utility (Timestamp Features)

Posted by on August 7, 2013 No comments

I decided to make some pretty solid changes to TrackerCat since my last post.  I wasn’t satisfied with it only converting GPX-to-KML. The new changes include the following:

  • Ability to recursively export all GPXs from a specified path (can be a mounted device image).
  • Extract and write all trackpoint timestamps to CSV  including archived files.  Optionally, you can choose to export Active Log names and times to its own CSV. While the latter isn’t as important to export as trackpoint times, it may still be useful to some.
  • Display a file’s metadata time tag during the timestamp dump. This is critical if the GPX file is the Current.gpx (akin to a last access, or rather, last power-on for some devices). These are not written to CSV as their importance differs depending on file and scenario.

To reduce spam, I’ll try to keep minor official updates to Twitter instead of posting here in the future . Hope the updates are useful!

newlogo

TrackerCat: GPX-to-KML Active Log Mapping Tool

Posted by on July 29, 2013 No comments

To supplement my GPS research, I created a simple tool for the extraction of Active Log data from GPX files. This tool will transform GPS device data files into keyhole markup language files for easy mapping (GPX to KML). The output can easily be opened in programs like Google Earth. This tool will provide analysts with a better understanding of data contained within GPXs and their Active Logs. The KMLs are complete with timestamps and trackpoint coordinates.

Prior to TrackerCat – and without the use of expensive utilities – analysts had to manually re-save exported GPX files as KMLs in mapping programs. TrackerCat automates the transformation process while striving to preserve as much forensic data as possible.

While the tool is really just a simple XML-to-XML XSLT transform script (that parses the appropriate formats), you can join the the project to improve its functionality! You can use the project’s Github to show off your own GPS device forensics scripts. Also be sure to check out the PowerPoint here.

Official Github Logo

Click on the Official GitHub logo above for TrackerCat’s reader-friendly GitHub landing page, or go right to the project’s GitHub.

Android USB Device Support

Posted by on June 23, 2013 No comments

While reading Android Forensics by AH and setting up the SDK on my Ubuntu box, I noticed the udev rules needed an update. Makes sense considering there’s been many new vendors since the book was published.

I’ve compiled an up-to-date ruleset that uses the standard format and includes comments indicating each vendor. While not a terribly new contribution, I’ve decided to post the rules here to allow android devs and examiners the opportunity to use them with little effort.

Copy & paste it:

# 51-android-rules should be placed in /etc/udev/rules.d (chmod 664 or a+r)
# Official Guide & Vendor IDs: http://developer.android.com/tools/device.html#Acer
SUBSYTEM==”USB”, SYSFS{idVendor}==”502″, MODE=”0666″
#ASUS
SUBSYTEM==”USB”, SYSFS{idVendor}==”0b05″, MODE=”0666″
#Dell
SUBSYTEM==”USB”, SYSFS{idVendor}==”413c”, MODE=”0666″
#Foxconn
SUBSYTEM==”USB”, SYSFS{idVendor}==”0489″, MODE=”0666″
#Fujitsu
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Fujitsu Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”04c5″, MODE=”0666″
#Garmin-Asus
SUBSYTEM==”USB”, SYSFS{idVendor}==”091e”, MODE=”0666″
#Google
SUBSYTEM==”USB”, SYSFS{idVendor}==”18d1″, MODE=”0666″
#Haier
SUBSYTEM==”USB”, SYSFS{idVendor}==”501E”, MODE=”0666″
#Hisense
SUBSYTEM==”USB”, SYSFS{idVendor}==”109b”, MODE=”0666″
#HTC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0bb4″, MODE=”0666″
#Huawei
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d1″, MODE=”0666″
#K-Touch
SUBSYTEM==”USB”, SYSFS{idVendor}==”24e3″, MODE=”0666″
#KT Tech
SUBSYTEM==”USB”, SYSFS{idVendor}==”2116″, MODE=”0666″
#Kyocera
SUBSYTEM==”USB”, SYSFS{idVendor}==”0482″, MODE=”0666″
#Lenovo
SUBSYTEM==”USB”, SYSFS{idVendor}==”17ef”, MODE=”0666″
#LG
SUBSYTEM==”USB”, SYSFS{idVendor}==”1004″, MODE=”0666″
#Motorola
SUBSYTEM==”USB”, SYSFS{idVendor}==”22b8″, MODE=”0666″
#MTK
SUBSYTEM==”USB”, SYSFS{idVendor}==”0e8d”, MODE=”0666″
#NEC
SUBSYTEM==”USB”, SYSFS{idVendor}==”0409″, MODE=”0666″
#Nook
SUBSYTEM==”USB”, SYSFS{idVendor}==”2080″, MODE=”0666″
#Nvidia
SUBSYTEM==”USB”, SYSFS{idVendor}==”0955″, MODE=”0666″
#OTGV
SUBSYTEM==”USB”, SYSFS{idVendor}==”2257″, MODE=”0666″
#Pantech
SUBSYTEM==”USB”, SYSFS{idVendor}==”10a9″, MODE=”0666″
#Pegatron
SUBSYTEM==”USB”, SYSFS{idVendor}==”1d4d”, MODE=”0666″
#Philips
SUBSYTEM==”USB”, SYSFS{idVendor}==”0471″, MODE=”0666″
#PMC-Sierra
SUBSYTEM==”USB”, SYSFS{idVendor}==”04da”, MODE=”0666″
#Qualcomm
SUBSYTEM==”USB”, SYSFS{idVendor}==”05c6″, MODE=”0666″
#SK Telesys
SUBSYTEM==”USB”, SYSFS{idVendor}==”1f53″, MODE=”0666″
#Samsung
SUBSYTEM==”USB”, SYSFS{idVendor}==”04e8″, MODE=”0666″
#Sharp
SUBSYTEM==”USB”, SYSFS{idVendor}==”04dd”, MODE=”0666″
#Sony
SUBSYTEM==”USB”, SYSFS{idVendor}==”054c”, MODE=”0666″
#Sony Ericsson
SUBSYTEM==”USB”, SYSFS{idVendor}==”0fce”, MODE=”0666″
#Teleepoch
SUBSYTEM==”USB”, SYSFS{idVendor}==”2340″, MODE=”0666″
#Toshiba
SUBSYTEM==”USB”, SYSFS{idVendor}==”0930″, MODE=”0666″
#ZTE
SUBSYTEM==”USB”, SYSFS{idVendor}==”12d2″, MODE=”0666″

Or you can download it from my Sourceforge @ https://sourceforge.net/projects/forensicscripts/files/android/

Edit: Do you see android running on a device that works but somehow isn’t officially mentioned in the SDK docs? Feel free to grab the vid and comment with it (to get the vid you can connect the device and run a simple dmesg | usb.)

Mandiant APT1 Report & New IOCs

Posted by on February 20, 2013 No comments

I’m a little late writing about this but, as many people now know, U.S. security and forensics firm Mandiant has released critical information in regards to the Chinese state sponsored group known as APT1. As a student of digital forensics I find this kind of stuff very interesting. I’ve been having some great discussions on various forums with fellow (usually more experienced) security buffs in the field with regard to the 60-page report so I thought I’d reshare the links.

APT1: Exposing One of China’s Cyber Espionage Units (Mandiant Intelligence Center)

IOCs w/ hashes as part of Mandiant’s OpenIOC ProjectDigital Appendix & Indicators

So be sure to add those IOCs to a Redline collector and get scanning!

CyberCity Wargames Looks Great

Posted by on November 27, 2012 No comments

Hacker wargames are nothing new: from the epic Pull The Plug to a number of off-shoot sites still in existence, simulated hacking environments are used to help train individuals to develop sound computer security problem solving skills. A few of these sites such as hackthissite.org and OverTheWire teach practical software exploitation and network penetration skills through game-like hands-on challenges. While organizations like Offensive Security and the SANS Institute feature full fledged certification paths involving penetration challenges (see SANS NetWars).

Now the United States Air Force has established one of their newest Cyber Ranges, CyberCity. The new simulation trains both military and government personnel in the proper way to safeguard systems from penetration in real world scenarios. The simulation contains bank-type systems, public wifi networks as in the sort that coffee houses and internet cafes have, social networking site-simulations and more. Even more interesting? The man behind SANS NetWars, Ed Skoudis (noteworthy SANS Metasploit teacher), designed Cyber City himself!

Although some (including myself) have been critical of Director Panetta’s use of “Pearl Harbor” as a metaphor for “cyber war” (see “Cyber Terrorism and the Election” @ Neuralhub), I can’t deny the importance of adopting sound IT security solutions to prevent against new emergent threats both domestic and abroad. I’m glad to see my government adopting them. Penetration testing and defending simulations are ideal learning opportunities.  If you haven’t had the opportunity to attend a con where CTF was being played, I highly recommend attending one of the conventions in New York or Vegas (my first was HOPE 2K!).

Safeguarding such systems in light of specific exploits, malware and viruses such as Stuxnet and Flame is of great importance of to government officials. Whereas some in the news have criticized the U.S. as being behind on cyber defense (especially so with the Chinese attack against White House computer network), the public and private sector have been trying to step up their game and continue to work together to train our future front-line defenders.

From all the articles I’m reading in regards to CyberCity, I’m most impressed with the idea of real world consequences the simulation portrays. If someone botches up, it’ll have “real world” ramifications illustrated in physical models of U.S. cities (sounds a bit like War Hammer+Uplink). The simulations are even complete with statistical information regarding people affected by events occurring in game.

A similar but more expensive project is DARPA’s National Cyber Range (Lockheed won the $30m contract to help design it with DARPA back in 2010). For more information on the NCR, click here. Although my opinion is strictly that of an enthusiast/lay person, from everything that I’m reading, CyberCity looks even more promising!

Lastly, I apologize my infrequent posts as of late. I’ve been taking a DFIR class that’s been taking up much of my time. So be sure to subscribe to fork() to keep up-to-date with all the latest blog postings delivered right to your email!

Sources

O’Harrow, Robert, Jr. “CyberCity allows government hackers to train for attacks.” Washington Post, 11/26/2012.  Note: If you’re interested in learning more about the CyberCity simulation, Robert O’Harrow Jr.’s coverage of it is full of great details and covers CyberCity much more detail.

For some free computer security training videos be sure to check out Security Tube or the fork() post entitled “Computer Security Resources” for more interesting sites.

Cyber Terrorism and the Election

Posted by on October 21, 2012 No comments

Leon Panetta, Secretary of Defense, recently stated that the United States could be facing Pearl Harbor if it doesn’t revamp its security. This time the threat doesn’t come from physical fire fights with opponents overseas, instead it stems from the Internet. Panetta’s goal is to help pass the new Cyber Security bill, H.R. 3623 (“Cyber Intelligence Sharing and Protection Act”).

https://www.youtube.com/watch?v=QVzgPDXJisI

Summed up briefly, the new bill hopes to enable federal law enforcement with the ability to be able to access corporate computer systems in times of need. CISPA’s opposition claims that the resolution hurts individual privacy online. We’ll let you – the reader – decide on whether or not the pros outweigh the cons. To read the resolution in full please click here.

Many feel that Panetta’s comments are an over-exaggeration of a very real problem. As security expert Bruce Schneier stated on October 19th, “[t]here’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.” (Schneier on Security, 10/19/2012)

Similarly, I feel as Bruce Schneier does: although there’s a very real security threat (APTs), comparisons to Pearl Harbor or 9/11 serve only to incite fear. They aren’t based on any rational understanding of how actual computer networks work. That being said, I do believe industry control systems are at risk by forces from within as well as from without.

Over 2,000 lives were lost during the Japanese assault on Pearl Harbor. To compare a future cyber-assault to Pearl Harbor is a bit of a stretch. Despite the Secretary of Defense’s claims to the contrary, computer systems worldwide are NOT all integrated in a Terminator-style way. They may be in the distant future, but they aren’t now.

Can you DDoS systems on a network? Yes. The problem is that not all industry control systems are online or interconnected. And if they are, they must have something exploitable in order to be compromised. On top of that it is worth reminding readers that a DDoS isn’t “hacking into” anything, it is the flood of bogus traffic to an open and receptive server. Actually hacking “into” something requires systems-specific exploitation.

Panetta points to DDoS assaults such as the latest JP Morgan-Anonymous attack, but those attacks against a web server aren’t going to result in the inability for that bank to do business. E-commerce sites face greater risk from this form of attack.

Air traffic control and power grid monitoring systems are typically closed and separate from the internet. While these systems are sometimes networked on intranets or by secure other means, they aren’t actually accessible to us or an attacker. Panetta’s claims are lumping industry control systems in one big category when they should be understood on an individual basis (SCADA security is an excellent topic that well exceeds the scope of this post).

Do similar assaults pose a problem for corporate interests and cost companies revenue? Absolutely.

If the CISPA was designed to protect corporate interests alone, it would go a long way to easing the public’s opinions of the bill. The source of contention comes from CISPA giving the government power over corporate computers (in the mind’s of many citizens, anyway). Keep in mind companies like Google store your search queries in their database for a certain amount of time, identifying marks such as an IP address are removed eventually).

There probably are important systems that are connected to the Internet and need safeguarding. But to say the exploitation and disruption of such systems would cause an apocalyptic scenario is downright ludicrous. Such systems are the exception not the rule.

Proponents make mention of Stuxnet and yet rumors that Stuxnet was designed by a super power have been prevalent. Many point to the U.S. working in concert with the Israeli government to disrupt specific Siemens industrial equipment (after all, it clearly targets one ‘type’ of system). This is similar to one of the new incident Panetta mentions, a virus that targeted a very specific oil system. With Stuxnet, the rootkit is absolutely useless outside of the environment it was created to exploit: for more information see Operation Olympic Games.

You better believe the new CISPA bill is being pushed for political reasons. That doesn’t necessarily mean it’s bad either, it’s just unfortunate that the only time people “need protection” is during an election year. Positive future legislation will assist companies and stress importance of securing key infrastructure while, at the same time, ensuring that such systems aren’t accessible to the public.

Corporate espionage and enemy penetration from within a company’s own network is a very real danger but it’s beyond the scope of CISPA. Such issues are still not as prevalent as Secretary Panetta is making them out to be. Keep what Bruce Schneier says in mind when reading the news:

“But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyber-terrorism rhetoric would lead you to believe.”

Schneier on Security, 10/19/2012

I’m not a politician and I don’t care how you vote. I only care about the facts. I don’t like when people are “scared” into action especially if they aren’t given all the facts. Cyber security and safety online is an issue which transcends political parties: stay informed is important and I urge everyone to read multiple news sources online for information.

Again, while cyber-threats are real, they’ve been portrayed in the news recently in a slightly over-dramatic way. With proper insight and understanding we can safeguard necessary systems without spreading unnecessary fear.

Sources

Video: BBC News. “Leon Panetta warns of cyber Pearl Harbour” (posted by BBC24News on YouTube), October 12, 2012.

Aitel, Dave. “The The Cybersecurity Act of 2012: Are We Smarter Than a Fifth Grader?.” Huffington Post, August 3, 2012.

Schneier, Bruce. “Stoking Cyber Fears.” Schneier on Security blog. October 19, 2012. Note: As always, Schneier has links to multiple sites/essays of interest concerning this matter.

H.R. 3523: Cyber Intelligence Sharing and Protection Act (CISPA)

Related Neuralhub Posts

LOIC DDoS & The Nature of Anonymous Attacks“, October 2, 2012.

Link – In the News: Chinese Attackers Hit White House“, October 2, 2012.

National Cybersecurity Awareness Month” @ Neuralhub, October 2, 2012.

Edit: A friend asked me for clarification a while after I wrote this. He asked if I was suggesting that Advanced Persistent Threats do not exist. I positively do not believe that. I was disagreeing with likening cyber attacks to Pearl Harbor (even as a metaphor for something extremely tragic). As technologies advance so too will the risks: this assessment can change with time. Advanced threats pose a very real problem to industry and national security and I personally agree with efforts to combat them.

News – The Death of a Dream

Posted by on October 15, 2012 No comments

“Two tires fly. Two Wail.
A bamboo grove, all chopped down
From it, warring songs.”
― Neal Stephenson, Cryptonomicon

Great article in the Sunday Times Obituaries today covering the death of  Roy Bates, founder of The Principality of Sealand, on the 9th. Bates, residing in England, died at 91 after years of suffering from a number of illnesses.

For those that are not aware of Sealand’s existence, the former artillery platform was home to a number of shady operations throughout the years. Bates used the platform to broadcast pirate radio signals to Europe and declared that Sealand was its own nation and, therefore, not subject to any country’s laws.

With aspirations of becoming a standalone data haven, HavenCo tried to capitalize on Sealand but failed and ended up fading into obscurity. How does a free mini-nation exist without the protection and support from neighboring countries? It doesn’t. Even the infamous Julian Assange was said to have considered purchasing Sealand for his WikiLeaks servers and decided against it.

Although the Bates family has a caretaker staying at Sealand, the platform is empty despite past attempts to lease or sell it. Still, the family remains active and maintains a website and a soccer team!

Regardless of the realities, Sealand remains a dream to all those inspired by the idea of a censorship-free government. In that light, the family is selling everything from plastic wristbands and email accounts to custom titles on their website. Hey… freedom is a nice idea but someone needs to pay the bills!

Roy Bates will be missed. E Mare Libertas!

Source

Yardley, William.” Roy Bates, Bigger-Than-Life Founder of a Micronation, Dies at 91.” The New York Times. October 13, 2012.

Bates, James. “Prince Roy of Sealand aka Roy Bates (passed away 9th October 2012) Obituary.” Principality of Sealand Homepage. October 10th, 2012.

Related Articles

Grimmelmann, James. “Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation.” Ars Technica. March 27, 2012.

Libbenga, Jan. “Offshore hosting firm HavenCo lost at sea.” The Register (UK). November 25. 2008.

Masnick, Mike. “The History Of Sealand, HavenCo And Why Protecting Your Data Needs More Than Being In International Waters.” TechDirt. March 28, 2012.

Staff Writer. “HavenCo “data center” offline?” SecurityAndThe.Net. 2008.

The Principality of Sealand Homepage: http://www.sealandgov.org/

Link – In the News: Chinese Attackers Hit White House

Posted by on October 4, 2012 No comments

Darknet recently covered an interesting article written by The Register (UK) involving a phishing attack conducted against the White House on the 1st of this month. Since it’s National Cyber Awareness Month, I figured this issue is timely and relevant. The pieces can be found here:

Hackers break onto White House military network @ The Register

Hackers Break Into White House Military Network @ Darknet.co.uk

A spear phishing attack is like any phishing attack but executed through the use of email. The attacker poses as a trusted party and obtains credentials from his/her victims in order to exploit them and the systems they have control over. As mentioned in the Neuralhub piece entitled “DNS Threats and Security Solutions,” one can can also employ other forms of social engineering attacks, such as a Credential Harvester attack, to gain sensitive information in this manner.

Another form of credential-stealing attack mentioned on the blog would be Session Hijacking which I mentioned in mentioned in this neuralhub piece.

This spear phishing attack, conducted via a Chinese network, was successful in accessing a highly sensitive network (the White House Military Office) which does everything from arrange hospitality services to “send and authenticate nuclear strike commands” (The Register, not me, I can’t claim to know whether or not this is true but it sounds unrealistic since they also mention that the network is “unclassified”). Apparently some form of attachment and/or malware was used to prep the system in question for the attacker.

Apparently no sensitive information was obtained by the attacker and that attack was halted before anything of note was accomplished.

As always with posted links, I highly encourage you to read about the issue directly from the sources cited above for greater depth.