An article in the Financial Times by Abigail Fielding-Smith describes the recent attacks by criminal networks and others on banking and industrial networks in the Middle East. The damage caused by the various attacks, from theft operations against banks to wiper attacks on the computers of the oil company Saudi Aramco, has inspired a concerted response, including standing up CERT teams and bringing regional actors into compliance with data security protocols.
Month: October 2013
“Dynamics of the Local Situation” Panel at NATO Headquarters, 10 October 2013
Brussels, Belgium: Director of MIIS Cyber Dr. Itamara Lochard presented the findings of the “Dynamics of the Local Situation” panel at NATO headquarters in Brussels last week, highlighting how non-state armed groups employ technology and how the Alliance can use technology to increase its own situational awareness. She has chaired this panel for the past two years as part of the Human Aspects of the Operational Environment project of the NATO HUMINT Center of Excellence (HCOE). The effort is sponsored by the NATO Science for Peace, Counter-Terrorism Programme of Work of the Emerging Security Challenges Division, chaired by NATO Deputy Assistant Secretary General Dr. Jamie Shea.
Taiwan’s Citizen Smart Card Plan Compromised by Bad RNGs
In a recent paper compiling a few years of ongoing research, an international team has described the methods they used to recover the private keys of 184 out of 2 million smart card certificates issued to the Taiwanese public by their government. More than a hundred of the keys shared a prime number with at least one other key, and two moduli that share a prime are factored instantly by computing their greatest common divisor. While this may seem like a trivial number of failures for a program of this size, the algorithm used to generate the keys, 1024-bit RSA, can choose from more than 2^502 different primes when building a key. Even in a sample as large as 2 million keys, any shared prime at all indicates a deep-seated failure in the random number generation behind the cryptographic system. The researchers used ordinary desktop computers to find the keys, in operations that should have taken millions of years of processing time had the cryptosystem been implemented correctly.
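The fastest way to find shared primes across a large batch of moduli is not to try every pair but to run a single "batch GCD" (product tree, then remainder tree), which is what makes scanning millions of certificates on a desktop practical. The following is an added illustration written for this post, not code from the paper or from the Taiwanese card system; it uses constructed demo-sized primes near 2^31 in place of real 512-bit primes, and the helper names (`batch_gcd`, `factor_shared`, `sample_keys`) are ours.

```python
from math import gcd

# --- tiny prime helpers: demo-sized primes only (a real 1024-bit RSA key uses 512-bit primes) ---
def is_prime(n):
    """Trial division; fine for ~2^31 demo values, useless at real key sizes."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def next_prime(n):
    n += 1
    while not is_prime(n):
        n += 1
    return n

# --- batch GCD: Bernstein's product-tree / remainder-tree algorithm ---
def product_tree(leaves):
    """tree[0] are the moduli, tree[-1][0] is the product of all of them."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i]
                     for i in range(0, len(lvl), 2)])
    return tree

def batch_gcd(moduli):
    """For every N_i return gcd(N_i, product of all the other N_j), in quasi-linear time."""
    tree = product_tree(moduli)
    rems = [tree[-1][0]]                      # root: product of all moduli
    for lvl in reversed(tree[:-1]):           # walk down: P mod node^2 at each level
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(lvl)]
    # rems[i] == P mod N_i^2, which is divisible by N_i; dividing gives (P / N_i) mod N_i
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def factor_shared(moduli):
    """Return (p, q) for every modulus that shares a prime with another one, else None."""
    result = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            result.append(None)               # no prime in common with any other modulus
        elif g == n:
            # Both primes of N are shared, each with some other modulus, so the batch
            # gcd is N itself; a pairwise gcd against any partner splits it.
            p = next(gcd(n, m) for m in moduli if m != n and 1 < gcd(n, m) < n)
            result.append(tuple(sorted((p, n // p))))
        else:
            result.append(tuple(sorted((g, n // g))))
    return result

def sample_keys():
    """Constructed demo: 8 primes, 5 moduli; three of them reuse a prime, as a bad RNG would."""
    p = [next_prime(2**31 + 1000 * k) for k in range(8)]
    moduli = [p[0] * p[1], p[2] * p[3], p[1] * p[4], p[0] * p[5], p[6] * p[7]]
    expected = [tuple(sorted((p[0], p[1]))), None, tuple(sorted((p[1], p[4]))),
                tuple(sorted((p[0], p[5]))), None]
    return moduli, expected

if __name__ == "__main__":
    moduli, _ = sample_keys()
    for n, pq in zip(moduli, factor_shared(moduli)):
        print(n, "->", "safe" if pq is None else f"factored {pq}")
```

The first and fourth demo moduli are the interesting edge case: the first shares one prime with the third and its other prime with the fourth, so the batch step returns the whole modulus and a single pairwise GCD finishes the job. Nothing here depends on key size; the same code factors real 1024-bit moduli in the same way, which is the whole point of the paper.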
The cards were issued by the Taiwanese government to enable citizens to authenticate themselves to the government when using online services, such as paying taxes. The vulnerable cards all used 1024-bit RSA, while most cards issued now use 2048-bit RSA, although the key length was not the cause of the failure; a longer key generated from the same faulty random number source would be just as weak. The government has also attempted to reach out to the citizens whose cards are cryptographically compromised in order to replace them.
Problematically, the system and the smart cards had been certified as cryptographically safe by a number of agencies. This failure will certainly raise more doubt about the current effectiveness of certification agencies for cryptography. In the wake of the remaining questions regarding the DUAL_EC_DRBG fiasco at the US’s NIST (National Institute of Standards and Technology), the old question of “Quis custodiet ipsos custodes?” or “Who watches the watchmen?” still stands.
Dan Gifford – MCySec Media Manager
Adm. Stavridis Advocates for US Cyber Force
Former NATO Supreme Allied Commander Europe (and current Dean of the Fletcher School) Admiral (USN Ret.) James Stavridis has published an op-ed in the Boston Globe advocating for the creation of a US military “Cyber Force” in parallel to the Army, Navy, Air Force and Coast Guard. He makes a potent analogy to the evolving state of US Government policy towards the commercial and military use of air power, and pointedly claims that the policy community on cyber is still at the level the FAA was at Kitty Hawk.
Now, given that computing technology has had a good fifty years to develop, I would object somewhat to the Kitty Hawk analogy; we are much further along than that. However, the use of “cyber” as a budget padding measure by each armed service and government agency has certainly resulted in a system that could hardly be described as functional. Without any guiding vision or overarching command structure, military cyber operations will continue to be disjointed and poorly articulated. I would counter with an analogy of my own: the position of Billy Mitchell after the First World War in attempting to get the established military command structure to respond to the changes that were bearing down on them. Let us hope there is not a Pearl Harbor event to vindicate our views.
Dan Gifford – MCySec Media Manager
Use With Caution: The Value and Limits of Deterrence Against Asymmetric Threats
MIIS’s own Professor Jeffrey Knopf has published an analysis of the possibilities of deterrence theory against the primary security threats of the age, namely terrorism, WMD use by “rogue states”, and cyber attacks. He comes down against the application of deterrence theory to cyber attacks, and especially against the bombastic statements by some in the defense community favoring a national policy of responding to a catastrophic cyber attack by employing the “Nuclear Triad”. The central problem of attributing attacks also comes to the fore, and even after attribution has been made more or less conclusively, the problem remains of demonstrating actual state knowledge of and complicity in any given attack. Deterrence by denial, however, remains viable in the cyber context, and hardening infrastructure may go a long way towards discouraging high-impact hacking attacks.
Dan Gifford – MCySec Media Manager
QUANTUM and FOXACID; NSA:TAO MiTMing TOR Users
Bruce Schneier has recently published a series of articles on the ways that users of the TOR network and others have been targeted with exploits by the NSA’s Tailored Access Operations group. He has also posted a full explanation on his blog. The attacks run generally as follows:
1. Through pervasive surveillance and traffic sharing agreements with telecommunications companies (under project code names such as Stormbrew, Fairview, Oakstar and Blarney), customer HTTP traffic is collected.
2. Using data analysis tools with names like Turbulence, Turmoil and Tumult, connections leaving the TOR network’s exit nodes and connecting to other servers on the internet are found.
3. These individual connections are then exploited using a man-in-the-middle (MiTM) attack in which servers positioned strategically around the world (a system called QUANTUM) respond to the request and impersonate the server the TOR user is attempting to reach. This is a race: it works when the QUANTUM server is closer, in network latency rather than physical distance, to the TOR exit node than the exit node is to the user’s real target server, so the forged response arrives first and the genuine one is discarded. Ideally, nothing is noticed by the TOR user, as attacks of this nature can pass the user through to their originally intended server afterwards.
4. As needed, TOR users can be redirected by QUANTUM onto a different set of servers run by the Tailored Access Operations group, called FOXACID.
5. The FOXACID servers look like normal web pages, but if someone is directed to a specific tag URL, the server executes specific exploits against the target user’s machine. Most of these exploits have targeted the Firefox browser, and often the specific version of Firefox “bundled” with TOR by the Tor Project. Phishing has also been used to induce users to click on FOXACID tags. Once exploited, a trojan is downloaded to the target user’s machine, which then calls home to a separate subset of FOXACID servers, called FRUGALSHOT. The FRUGALSHOT servers perform more exploits as needed to ensure the integrity of the compromise and allow further monitoring of the target’s activities. The target’s real IP address (bypassing their TOR network connection) is also obtainable.
The bottom line is that a structured system has been revealed which subverts the anonymity provided by the TOR network by installing malicious programs onto the computers of its users. While various Computer Network Effect operations have come into view and been theorized lately, the general thought was that these attacks would be targeted at nation states rather than used in a wholesale manner against users whose national affiliation is not known beforehand. Obviously any assumptions along those lines were wrongheaded, and the targeting of general populations of internet users with exploit code and trojans has received the blessing of the US Government.
There remain methods of limiting this kind of attack, however. The best available is to use Tails, which boots TOR and the browser bundle from a LiveCD or LiveUSB that cannot be written to. This does not stop a browser exploit from running during the session, but it prevents a trojan from persisting across reboots, and because Tails forces all network traffic through TOR, a payload cannot call home directly and reveal your actual IP address.
Dan Gifford – MCySec Media Manager
ssndob.ms Plot Thickens
Brian Krebs’ investigation into the botnet which was being employed to steal background check data (see previous summary) has taken a darker turn as of late. Apparently, he has found the source code for a number of Adobe products on the hackers’ servers, leading to the conclusion that Adobe’s source code repository, and their records of (avowedly encrypted) customer credit cards, have been accessed by the hacking crew.
Access to the source code could help the hackers develop exploits for use against Acrobat and Photoshop users, among other product families. The credit card data breach is also of severe concern. The data may be encrypted, but the leading digits of a card number identify the issuer and are drawn from a small set, so an attacker starts with known plaintext for part of every record. Against a sound cipher, known plaintext alone does not recover the key, but if the numbers were encrypted deterministically with one key and no per-record randomization, identical leading digits produce identical ciphertext blocks and the structure of the data leaks even without the key. This of course assumes that the hackers’ penetration did not extend to the encryption keys used by Adobe. However, given that the attackers were able to bypass Adobe’s two-factor access control to acquire their source code, I would say that we should not rule out anything as impossible just yet.
Dan Gifford – MCySec Media Manager
Anonymous Unmasked
Gabriella Coleman, one of the preeminent researchers of “hacker” culture and of the nebulous group known as “Anonymous”, has published an excellent paper describing the history, origins and elements of the group. She correctly places the seminal nexus of the group in the various imageboards centered on 4chan.org (and the earlier “trolling” groups of somethingawful.com). Importantly, she incorporates the role of various IRC chat rooms as influential in the development of the activist character that the group took on in the wake of its operations against the Church of Scientology, a character which developed further during the response to the WikiLeaks blockade, when Anons DDoSed major credit card companies and PayPal, and through the “Arab Spring”, during which an interesting internationalist attitude and user base developed.
My only qualm with her characterization of the group is that she does not explicitly state the nature of Anonymous as a discardable identity: something assumed by various actors for various purposes, to be left behind as soon as its utility is finished. She concentrates on the groups that clung most tightly to the image, while the actual ecosystem of actors using the common identity and ideological schema was much more diverse than the self-proclaimed “Anons”. Anonymous was in many ways simply a convenient mask to be worn for political action.
Dan Gifford – MCySec Media Manager
Intel’s Resident Anthropologist Questions Society’s Readiness for Pervasive Wearable Computing
In an excellent interview posted on MIT’s Technology Review, anthropologist Genevieve Bell questions whether society is ready for new wearable computing devices such as Google’s Glass and Samsung’s Galaxy Gear. Her arguments focus on the intersection of the functional and the symbolic, and she takes the position that at this still nascent stage of wearables development our society still hasn’t “liberated ourselves to take advantage of all the really interesting technical stuff”.
Dan Gifford – MCySec Media Manager
China’s Great Firewall Comes Down for New Shanghai Free Trade Zone
Chinese officials are reportedly considering easing restrictions on visiting foreign social media sites. Inside the newly established 20 square mile zone in Shanghai, websites that have been banned in the rest of the country since 2009, such as Twitter and Facebook, may become accessible. While the actual impact is small, many of these companies are no doubt eager to establish a foothold with the Chinese audience.