Wednesday, March 28, 2012

Cyber Self Defense For Non-Geeks


"The direction of a strike depends on where your opponent stands, what he is doing at the moment, and what target on his body you want to hit. There are five sections of the body that you can attack: head, hands and arms, trunk, thighs, and lower legs. There are three components to consider before launching a strike: distance to the available targets, angle of the surface of the target, and timing of the opponent’s movement."
- Sang H. Kim, Vital Point Strikes (Turtle Press, 2008)

The best way to think about cyber security and self defense is to compare it to boxing or any martial art. Your body, like a computer network, has numerous vulnerabilities. When you find yourself being attacked, you need to position your arms and your torso in such a way that you shrink the number of vulnerabilities exposed to the attacker. This is known as “shrinking the attack surface”. Trained fighters will angle their body to present a reduced attack surface to their opponent. They’ll keep their arms up to cover everything from the bottom of their ribcage to the top of their skull because most of the lethal points of the body are in those regions. They’ll still get hit, but it probably won’t be on a vital point. Similarly, there’s no way to stop an attack against your network, but you can make sure that the attack hits only non-vital data rather than your company’s most valuable information.

The following are some basic principles for you to follow both at home and abroad to help keep your valuable data safe. They won’t be sufficient for when you’re in high-risk locales and they won’t stop a targeted attack, but they will make it much less likely that you’ll suffer a serious breach because of poor cyber security habits or an over-reliance on your antivirus or firewall application. A 64-year-old friend of mine who’s been a lifelong bodybuilder and a fighter is fond of saying “I may not be able to feed a guy his lunch any more, but I’ll definitely feed ‘em a sandwich.” That’s all we want to do with this strategy. If someone wants to attack you, we want that person to know that it’s going to cost them something—and that may be enough to get them to leave you alone and pursue weaker, less prepared prey.

Develop a healthy paranoia about everything in your Inbox or your Browser
If you receive an email from an unknown person with an attachment, don’t open it. If you recognize the name of the sender but the text in the email doesn’t sound like her, pick up the phone and call her to verify that the email is legitimate. If the email asks that you click on a link, read the link first. A lot of malicious links are designed to look like the real thing but won’t stand up to close scrutiny. Is the word spelled correctly? Does it end with a “dot com” or a “dot co”? Take a minute and check before you click.

If you’re on Twitter and receive a tweet with nothing but a shortened URL, ignore it. If you receive a Direct Message from someone you know with a shortened URL, but the message doesn’t sound like it would have come from that person, pick up the phone and make a call to verify that your friend Jody actually sent you the message “You should see what this guy is saying about you at fakeURL.com!”

Use the most secure Web browser that you can find
It doesn’t matter if you’re a Microsoft geek or Apple chic. Don’t let your loyalty to a company brand determine your online safety. Find and read independent research on which browser is the most secure and make your decision from the evidence. For example, Accuvant Labs recently published “Browser Security Comparison: A Quantitative Approach” on December 14, 2011. They examined Internet Explorer, Mozilla Firefox, and Google Chrome for security flaws and came to the conclusion that Chrome was the most secure browser. However, take your time and read the full report so that you understand what the issues are and why Accuvant made the decision that it did. Feel free to look for contrary findings as well and make an informed decision.

The only rule you need to know about passwords
There is one simple rule to remember about constructing a password: make it as long as possible—definitely longer than 10 characters. One example is to use the latitude or longitude of your favorite city. For example, Rio de Janeiro’s latitude is “Latitude:-22.9181189”. That password has 20 characters of all 4 types and it’s almost impossible to crack using any of the password cracking tools out there today. If you like that idea, visit www.findlatitudeandlongitude.com and pick your favorite destination. If you can’t memorize it, write it down and keep it in your wallet, but be sure to obfuscate it in some way that only you know. For example, just write down the number portion and obfuscate that by adding numbers to it: e.g., 22.918118904, or turn it into something that looks like a credit card number: 2291 8118 9040 5592. You’ll remember that everything from the 0 onward is extraneous but no one else will know that. Add an expiration date 01/15 and anyone who finds your little cheat sheet will automatically assume that it’s a credit card number.

It’s important to remember that no matter how complex your password is, if your computer becomes infected with a keylogger (an application that captures your keystrokes), you’re done. That’s why the above advice about browsers and email are so important.

Do preventative maintenance on your computer
Your computer is a tool just like all of your other tools, including your automobile, and as such it requires regular maintenance. Make sure that all of the applications running on your computer are up to date. One way to do that is by using a free program called Secunia Personal Software Inspector (PSI). The website address is http://secunia.com/vulnerability_scanning/personal/. Once it’s loaded on your machine, it will search for security patches for every application that you use, notify you if any are out-of-date and point you to the download site.

Avoid free Wi-Fi
One of the most popular ways for bad guys to steal your login credentials is to hang out at coffee shops, airports, and other popular locations that offer free Wi-Fi and use an application known as a “sniffer” to intercept your username and password for whatever application you’ve logged into while drinking a cup of coffee or waiting for your flight. Instead, use the mobile hotspot that comes with your smart phone or pay for a service that protects your session. Both are secure from wireless sniffers.

Don’t use USB thumb drives or other removable media
One of the worst breaches ever to occur at the U.S. Department of Defense came about because of the popularity of transmitting data from one computer to another via thumb drives. The following article was written by Deputy Defense Secretary William J. Lynn III for the magazine Foreign Affairs in the September/October 2010 issue:
"In 2008, the U.S. Department of Defense suffered a significant compromise of its classified military computer networks. It began when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East. The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."
"This previously classified incident was the most significant breach of U.S. military computers ever, and it served as an important wake-up call. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy."
To put it simply: don’t use removable media to transfer data between computers. The only time removable media should be used is when you travel and then only to store your own critical data as an alternative to storing it on your travel laptop.

This is an excerpt from my ebook "A TRAVELER'S GUIDE TO CYBER SECURITY"


Tuesday, March 27, 2012

The Real Reason Why Symantec Sold Its Interest in Huawei Symantec

Finally the truth about why Symantec CEO Enrique Salem decided to sell Symantec's share of the Huawei Symantec joint venture is out, thanks to the New York Times:
Less than four years after Huawei Technologies and Symantec teamed up to develop computer network security products, the joint venture is being dismantled because Symantec feared the alliance with the Chinese company would prevent it from obtaining United States government classified information about cyberthreats.
However I'd like to point out that I called this on November 15th, 2011 in this blog post where I wrote:
My question is, what happened between May and October to make CEO Salem change his mind?
Could it have been this Washington Times article last August about how four Senators and a Congressman were asking the Departments of Defense and Energy to look into the sale of H-S parts to a government research lab at the University of Tennessee? Or perhaps it was the release of an Open Source Center report on Huawei's Chairwoman Sun YaFang's past with the equivalent of China's CIA, the Ministry of State Security?
Or perhaps it was that the ludicrous nature of the relationship between a Chinese company with State affiliations and a security company who's supposed to protect their customers from espionage activities from that same State finally sunk in to Salem's brain?  No, it probably wasn't that.
And while the joint venture may be over, remember that a lot of Huawei equipment has already been sold to the U.S. government including DOD and NASA by Huawei Symantec through channel partners like MPAK and Dell Force 10 Networks. To make matters worse, no one is testing for backdoors in firmware updates to any of the hardware manufactured in China; not just Huawei but Dell's servers as well.

Tuesday, March 20, 2012

An Open Source Offensive Methodology To Attack Critical Infrastructure

The goal of this article is to demonstrate how attackers with moderate skill levels can cause disruption to outright destruction of critical infrastructure installations around the world at low cost and in relatively short order. Contrary to popular wisdom, an attack against a nuclear power plant or hydro-electric plant doesn't require long periods of time nor the resources of a nation state. All that's required is some open source research based upon the findings of S4's Project Basecamp, familiarity with how to use Rapid7's Metasploit Penetration Testing Software, and one or more individuals with engineering training in Industrial Control Systems.

Project Basecamp identified four Programmable Logic Controllers (PLC) with major security flaws made by GE, Koyo, Rockwell, and Schneider:
  • GE D20
  • Koyo DirectLOGIC ECOM
  • Rockwell Automation ControlLogix
  • Schneider Modicon Quantum
The vulnerabilities discovered in each of those devices have become Metasploit modules which penetration testers can use against their own network to demonstrate vulnerabilities that need to be fixed. Metasploit, while a valuable tool for security engineers to "sell" needed improvements to their employers can also be used by bad guys to attack networks. In this case, the above modules have simplified the process for not only launching an attack against a utility operator but also in identifying which utilities to attack by doing some open source research. Once you know that you can exploit a particular device, it's relatively easy to use a search engine and identify which utilities use that device. Those companies then become your target list. For example, Capula Nuclear is a GE technology partner that uses the D20, D25, D200 and D400 Remote Terminal Units for 65 substation control systems across the U.K's power grid. That means that a major act of sabotage could be perpetrated against Britain's grid by a hacker with intermediate process control engineering knowledge for the price of a single Metasploit license.

Schneider Electric's customers include the Three Gorges Dam in China (the world's largest hydro-electric power plant) and multiple utilities in France, India, the U.S., Spain, Australia, Brazil, Italy and many other countries - any of whom may be susceptible to attack via the Metasploit module for Schneider Electric.

This is literally a disaster waiting to happen. The above vendors along with Siemens (who wasn't included in Project Basecamp because its S7 vulnerabilities were already well-known) have done nothing to remediate the disclosed vulnerabilities. The boards of directors of companies who use these products aren't forcing their CEOs to change them out for more secure devices. The U.S. Congress won't pass legislation requiring U.S. companies to stop using those devices because of political pressure from business interests who don't want to a) be "forced" to do anything and b) hurt their profits by spending the money needed to fix their networks. It's because of that cluster-f__k that penetration testing research like the Metasploit Framework exists and ironically it may be that same research which is used to bring harm to thousands of innocent victims who rely on their utility companies to provide critical services. 

Thursday, March 15, 2012

Commerce Secretary John Bryson Doesn't Understand Cyber Espionage

U.S. Department of Commerce Secretary John Bryson wrote an editorial for Politco wherein he provides a high level overview of cyber espionage entitled "The New Face of Corporate Espionage". While his motive is laudable, his content reveals a not surprising lack of knowledge about the threat. I say "not surprising" because I can count on one hand the number of senior government officials that I've met who understand the complexities of this problem. The give-away in Secretary Bryson's editorial is this sentence: "many cyber-intrusions could be prevented by implementing sound cybersecurity practices."

That's absolutely false. While many companies can do much more than they're presently doing, we're talking about adversaries that are adaptive. If the targeted corporation implements poor security, the attack vector will take advantage of an obvious flaw which "sound cybersecurity (sic) practices" could have remedied. However that doesn't mean that the attack won't happen. It just means that the adversary will find a different attack vector, or build a customized one (aka a "Zero-day") to mount a successful breach. The solution to cyber espionage isn't in implementing "sound security practices", nor will it be found in the passage of any of the cyber security bills currently before Congress. The U.S. will only begin to save its intellectual property from cyber thieves when corporate boards of directors force CEOs to inventory, segregate and monitor their critical data in real time which usually means re-architecting their entire network.

If Secretary Bryson is truly committed to saving American jobs by reducing the amount of cyber espionage being conducted today, then he needs to hire someone who understands the reality of the threat to advise him on the realities of the threat landscape, and then the Secretary should go on the road, visiting board rooms and stressing the need for each corporation who's invested in high value technology R&D to do what it takes to address this problem in an informed, serious, and dedicated way.

Wednesday, March 14, 2012

A History of Google's Government Sales

After reading Noah Shachtman's article at Danger Room "Google Adds (Even More) Links to the Pentagon", I was curious about the scope of Google's (NASDAQ:GOOG) government sales so I used the FFATA Search Portal and plugged Google's name into the search field. The results were surprising. The largest number of sales by far is with the Department of Defense (264); which is about two and a half times more than NASA who's in 2nd place with 104 sales. Here's the Top Ten search results:
  • Defense, Dept of (264)
  • NASA (104)
  • Justice, Dept of (75)
  • State, Dept of (68)
  • Treasury, Dept of the (44)
  • Health and Human Services, Dept of (43)
  • Interior, Dept of (42)
  • Agriculture, Dept of (41)
  • Commerce, Dept of (40)
  • Transportation, Dept of (37)
Sales within the Department of Defense are to:
  • Army (130)
  • Air Force (50)
  • Navy (44)
  • Defense Information Systems Agency (10)
  • Defense Logistics Agency (8)
  • U.S. Special Operations Command (6)
  • Defense Contract Management Agency (5)
  • Uniformed Services: University of the Health Sciences (3)
  • Defense Threat Reduction Agency (3)
  • Defense Media Center (2)
Sales with the Department of Justice are to:
  • Drug Enforcement Administration (45)
  • Federal Bureau of Investigation (8)
  • Offices, Boards, and Divisions (7)
  • Office of Justice Programs (6)
  • Federal Prison System (6)
  • U.S. Marshalls Service (2)
  • ATF Acquisition and Property Management Div (1)
To be fair, every technology company sells to the government and compared to Microsoft and Apple the above numbers are pretty low, but since Google is more intimately connected with our search habits and email content (for advertising) than anyone else, these statistics still make me a little uncomfortable.

Related:
The Google-Clinton-China Martini with a Cyber War Twist

Tuesday, March 13, 2012

USCC Commission Report On China Misses the Boat on Cyber Espionage

The US China Economic and Security Review Commission report “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations (CNO) and Cyber Espionage” only delivered the goods on the CNO side. It's severely lacking on the cyber espionage side; especially regarding corporate cyber espionage, which is the main reason that Washington is putting pressure on China. Part of the problem might be that there's a lot more information available about China's CNO and Electronic Warfare buildup then there is about cyber espionage. While the report authors did a great job surveying China's military writings for this area, is that really news? Of course China is building up its cyber warfare capabilities. So are 30+ other countries around the world. There's nothing new there.

On the other hand, the report failed to document the cyber espionage risk associated with over 1200 foreign R&D labs operating in China. It barely mentioned the Ministry of State Security except as the former employer of Huawei Chairwoman Sun YaFang. MSS plays a major role as both a foreign and sometimes domestic intelligence service and deserves a lot more attention in any report purporting to be about Chinese cyber espionage.

The report did a good job exploring part of the Supply Chain problem but only insofar as it had to do with chip development. It didn't cover the more common problem of U.S. companies who out-source their development work to Chinese firms or U.S. companies like Dell who do all of their manufacturing and R&D in China. This is as much a supply chain issue as the possibility of someone corrupting a microchip or selling counterfeit hardware. It's actually a worse problem because Dell is a large and trusted U.S. corporation which acquired the InfoSec firm SecureWorks last year. If anyone should write a report on the supply chain problems that come with buying Dell products (for example), it should be a U.S. government commission. Too bad that didn't happen this time around.

Monday, March 5, 2012

Announcing "A Traveler's Guide to Cyber Security"


Whether it’s a talk at a dinner for a group of Fortune 100 CIOs or a speech before the National Security Council of a U.S. allied government, one of the questions that I’m most frequently asked afterwards is “Jeff, how can I keep from being compromised when I travel overseas.” And of course they expect an easy answer in 30 seconds or less. After having written two editions of “Inside Cyber Warfare” (O’Reilly Media, 2009, 2011) and having given over 100 talks on the subject since 2008, I still struggled with the best way to answer it. The reality is that there’s no simple answer to that question if you want to do it justice. And there’s ample evidence that the most common advice given; i.e., don’t take your laptop or cell phone out of the country - is rarely complied with except by the most security conscious of government employees. The hard truth is that in a battle between security and convenience, convenience will always win.
I spent many hours working on the best way to answer that question. It eventually occured to me that attacks launched against high value targets are resource-intensive; meaning that they aren’t conducted - can’t be conducted - against everyone. Therefore an adversary most likely has a way to qualify targets of interest before commiting resources to compromise them. I decided to build my own system of qualifying targets (the Cyber Risk Index™) and then use that to provide appropriate security advice to traveling officials and executives. This ebook "A Traveler's Guide to Cyber Security" represents my best work to date on the question - what can I do to stay safe when traveling abroad. I consider it a work in progress and welcome your feedback.


This 40 page ebook provides detailed guidance on how to determine your personal CRI; provides information on how Russian and Chinese intelligence services can legally intercept your data and interact with you personally; and provides a groundwork in basic cyber self defense."

I'd appreciate your help in spreading the word about this new resource at your organization and among your peers. It's a low cost, unique, and effective approach to help business travelers more fully engage with the security process by knowing their risk of compromise in any country in which they're doing business. It's available on Amazon for the Kindle and on Lulu.com for all other formats although Lulu does require that Adobe Digital Editions be installed on your computer (sorry about that). Hopefully it'll soon be available at iBookstore as well.

Thursday, March 1, 2012

Russian Presidential Elections: Cyber Developments

One of the services that my company Taia Global provides is a subscription bi-weekly cyber intelligence report that focuses primarily on the Russian Federation. I normally don't make these reports public however considering the upcoming Russian Presidential election on March 4th, I've made our report for this important event available for free in .pdf format. An introduction follows:


Russian Presidential Elections: Cyber Developments

Russia’s Presidential elections are scheduled for Sunday March 4th, 2012.  The Duma elections held last December were marked by widespread allegations of electoral fraud benefiting President Medvedev’s and Prime Minister Putin’s United Russia Party.  The allegations were documented by videos and first hand reports posted on social media, news sites, and election monitoring sites.

The public perception that United Russia stole the election led to protests coordinated through social media.  Protestors used US based Facebook and Twitter as well as Russian-focused social media.  Many sites were hit by cyber attacks that included massive distributed denial of service (DDoS) attacks that rendered sites unusable.  The DDoS attacks used previously undetected botnets and new malware variants.  Cyber attacks were conducted primarily against Russian-focused social media resources hosted in both Russia and the United States.  Twitter was hit by hashtag spamming.  Facebook was not attacked.

The Russian public assumes the government was behind the Duma election cyber attacks.  In contrast to past cyber attacks, neither patriotic hackers nor Russian youth groups claimed responsibility.  The Russian government did not comment on the attacks and did not initiate investigations to determine responsibility.  Indeed, RU-CERT (www.cert.ru), the Russian member of the Forum of Incident Response and Security Teams, seems completely oblivious to the DDoS attacks even though investigating cyber incidents falls within RU-CERT’s charter.

The DDoS attacks were usually tactically successful in rendering the target unusable.  However, the opposition quickly expanded the target set by moving posted material to additional sites inside and outside Russia.  As a result, the cyber attacks failed in their strategic objective of denying the opposition Internet access and instead became an opposition rallying point.

Since the Duma Elections

The cyber resources used by the opposition, the United Russia Party, and the Russian government have evolved since the Duma elections.  The opposition continued using Facebook and Twitter to organize protests demanding new Duma elections and fair Presidential elections.  Targeted web sites, such as the US hosted Feb26.ru, helped organize the Moscow ring road protest.  The Democratia2.ru web site provided a forum where the opposition organized groups around specific campaign issues and shared information documenting United Russia as “the party of crooks and thieves.”  The Democratia2.ru is hosted in Germany, however, the name servers are located in Russia where the Federal Security Service Information Security Center (FSB ISC) can monitor Russians visiting the site.