S. Korea Cyber Attack Crashes Navigation Devices. Time to fuzz your GPS?

South Korea suffered a major cyber attack yesterday. The origin of the attack seems to be China at the moment, but that is far from being definite.

I happened to be in one of the (several) cyber security operation centers, by pure coincidence. I had a chance to see events unravel in real time. Several banks have been hit (including the very large Shinhan Bank) and a few broadcasting channels.

The damage is hard to assess, since it’s now to everyone’s advantage to blame the cyber attack on anything from a system crash to the coffee machine running out of capsules. Budget and political moves will dominate most of the data that will be released in the next few days.
It’s clear, however, that the damage is substantial. I reached out to a few friends in technical positions at various MSPs and most had a sleepless night. They’ve been hit hard.

The most interesting part of this incident, in my opinion, was a report on car GPS crashing while the attack was taking place. I haven’t seen a news report about that yet, and I couldn’t personally verify it (as I mentioned, I was stationary at the time, watching the frantic cyber-security team getting a handle on a difficult situation), but this is making the rounds in security forums and a couple of friends confirmed to me that their car navigation system crashed and had to be restarted, at the exact time the attack was taking place.

The most likely explanation is that the broadcasting companies, who send TPEG data to the GPS devices (almost every car in Korea has a GPS device, almost all get real-time updates via TPEG), had sent malformed data which caused the devices to crash. This data could have been just a result of a domino effect from the networks crashing, or it could have been a very sophisticated proof-of-concept by the attacker to see if they can create a disruption. Traffic in Seoul is bad even on a normal day; without GPS devices it can be a nightmare.

Which brings up an interesting point about fuzzing network devices. TPEG fuzzers have been available for a while now (beSTORM has a TPEG module, and you can easily write your own TPEG fuzzer). The difficult part is getting the GPS device to communicate with the fuzzing generator; this is something the GPS developer can do (but probably won’t) but it is also possible for a government entity to do the necessary configuration to make that happen, given the proper resources or simply by forcing the vendors to cooperate.

The choice of the attacker to bring down the broadcasting networks might be deliberate: other than knocking TV and radio off the air (an obvious advantage in a pre-attack strike) the broadcasting networks control many devices that rely on their data. Forcing them to send malformed data to crash a variety of devices can have interesting implications. If I was a little more naive, I would predict that this will push governments around the world to focus more on fuzzing to discover these kinds of vulnerabilities before they see their adversaries exploit them. But in the world we live in, they will instead throw around the phrase “APT” and buy more “APT detection products” (an oxymoron if I’ve ever heard one). Thank god for APT, the greatest job saving invention since bloodletting.

A detailed analysis of the attack is here:

http://training.nshc.net/KOR/Document/virus/20130321_320CyberTerrorIncidentResponseReportbyRedAlert(EN).pdf


The political risks of a DDoS

In Korea, the ruling party performed a DDoS attack, and as a result the chairman and most of its officials will resign. Most likely, it will be disbanded completely.
This is probably the most severe result of a cyber attack yet. Of course, the only reason they know who to blame, is because the guy responsible for the attack admitted guilt. DDoS is all fun and games until the guy you hired to do it spills the beans.


Get trained for emergencies

I’ve mentioned this before.

We seem to have had a number of disasters this year: earthquakes, tsunami, a few hurricanes (with one currently sweeping Japan, and another building right now off the east coast of the US), wildfires, you name it.  In the US, this is National Preparedness Month.

So this is a good time to get trained.  It gets you CPEs, usually for free.

And, in a disaster, it makes you part of the solution, not part of the problem.


“Extrusion Detection”, Richard Bejtlich

BKEXTDET.RVW   20101023

“Extrusion Detection”, Richard Bejtlich, 2006, 0-321-34996-2,
U$49.99/C$69.99
%A   Richard Bejtlich www.taosecurity.com taosecurity.blogspot.com
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario  M3C 2T8
%D   2006
%G   0-321-34996-2
%I   Addison-Wesley Publishing Co.
%O   U$49.99/C$69.99 416-447-5101 800-822-6339 bkexpress@aw.com
%O  http://www.amazon.com/exec/obidos/ASIN/0321349962/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0321349962/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321349962/robsladesin03-20
%O   Audience a+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P   385 p.
%T   “Extrusion Detection:Security Monitoring for Internal Intrusions”

According to the preface, this book explains the use of extrusion detection (related to egress scanning), to detect intruders who are using client-side attacks to enter or work within your network.   The audience is intended to be architects, engineers, analysts, operators and managers with an intermediate to advanced knowledge of network security.  Background for readers should include knowledge of scripting, network attack tools and controls, basic system administration, TCP/IP, as well as management and policy.  (It should also be understood that those who will get the most out of the text should know not only the concepts of TCP/IP, but advanced level details of packet and log structures.)  Bejtlich notes that he is not explicitly addressing malware or phishing, and provides references for those areas.  (It appears that the work is not directed at information which might detect insider attacks.)

Part one is about detecting and controlling intrusions.  Chapter one reviews network security monitoring, with a basic introduction to security (brief but clear), and then gives an overview of monitoring and listing of some tools.  Defensible network architecture, in chapter two, provides lucid explanations of the basics, but the later sections delve deeply into packets, scripts and configurations.  Managers will understand the fundamental points being made, but pages of the material will be impenetrable unless you have serious hands-on experience with traffic analysis.  Extrusion detection itself is illustrated with intelligible concepts and examples (and a useful survey of the literature) in chapter three.   Chapter four examines both hardware and software instruments for viewing enterprise network traffic.  Useful but limited instances of layer three network access controls are reviewed in chapter five.

Part two addresses network security operations.  Chapter six delves into traffic threat assessment, and, oddly, at this point explains the details of logs, packets, and sessions clearly and in more detail.   A decent outline of the advance planning and basic concepts necessary for network incident response is detailed in chapter seven (although the material is generic and has limited relation to the rest of the content of the book).  Network forensics gets an excellent overview in chapter eight: not just technical points, but stressing the importance of documentation and transparent procedures.

Part three turns to internal intrusions.  Chapter nine is a case study of a traffic threat assessment.  It is, somewhat of necessity, dependent upon detailed examination of logs, but the material demands an advanced background in packet analysis.  The (somewhat outdated) use of IRC channels in botnet command and control is reviewed in chapter ten.

Bejtlich’s prose is clear, informative, and even has touches of humour.  The content is well-organized.  (There is a tendency to use idiosyncratic acronyms, sometimes before they’ve been expanded or defined.)  This work is demanding, particularly for those still at the intermediate level, but does examine an area of security which does not get sufficient attention.

copyright, Robert M. Slade   2010     BKEXTDET.RVW   20101023


REVIEW: “Inside Cyber Warfare”, Jeffrey Carr

BKCYWRFR.RVW   20101204

“Inside Cyber Warfare”, Jeffrey Carr, 2010, 978-0-596-80215-8,
U$39.99/C$49.99
%A   Jeffrey Carr greylogic.us
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-80215-8 0-596-80215-3
%I   O’Reilly & Associates, Inc.
%O   U$39.99/C$49.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596802153/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0596802153/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596802153/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   212 p.
%T   “Inside Cyber Warfare: Mapping the Cyber Underworld”

The preface states that this text is an attempt to cover the very broad topic of cyber warfare with enough depth to be interesting without being technically challenging for the reader.

Chapter one provides examples of cyber attacks (mostly DDoS [Distributed Denial of Service]), and speculations about future offensives.  More detailed stories are given in chapter two, although the reason for the title of “Rise of the Non-State Hacker” isn’t really clear.  The legal status of cyber warfare, in chapter three, deals primarily with disagreements about military treaties.  A guest chapter (four) gives a solid argument for the use of “active defence” (striking back at an attacker) in cyber attacks perceived to be acts of war, based on international law in regard to warfare.  The author of the book is the founder of Project Grey Goose, and chapter five talks briefly about some of the events PGG investigated, using them to illustrate aspects of the intelligence component of cyber warfare (and noting some policy weaknesses, such as the difficulties of obtaining the services of US citizens of foreign birth).  The social Web is examined in chapter six, noting relative usage in Russia, China, and the middle east, along with use and misuse by military personnel.  (The Croll social engineering attack, and Russian scripted attack tools, are also detailed.)  Ownership links, and domain registrations, are examined in chapter seven, although in a restricted scope.  Some structures of systems supporting organized crime online are noted in chapter eight.  Chapter nine provides a limited look at the sources of information used to determine who might be behind an attack.  A grab bag of aspects of malware and social networks is compiled to form chapter ten.  Chapter eleven lists position papers on the use of cyber warfare from various military services.  Chapter twelve is another guest article, looking at options for early warning systems to detect a cyber attack.  A host of guest opinions on cyber warfare are presented in chapter thirteen.

Carr is obviously, and probably legitimately, concerned that he not disclose information of a sensitive nature that is detrimental to the operations of the people with whom he works.  (Somewhat ironically, I reviewed this work while the Wikileaks furor over diplomatic cables was being discussed.)  However, he appears to have gone too far.  The result is uninteresting for anyone who has any background in cybercrime or related areas.  Those who have little to no exposure to security discussions on this scale may find it surprising, but professionals will have little to learn, here.

copyright, Robert M. Slade   2010     BKCYWRFR.RVW   20101204


DDoS Attacks and Torrent Sites

If anyone has been following the recent news about anti-piracy companies trying to take torrent sites offline by DDoSing them, then you’ll know that this was a bad idea from the start. If not, here’s a brief recap.

Aiplex Software is a company that has been trying to take down torrent sites for a while now. As they weren’t getting anywhere, they decided to take on a new approach, and DDoS the torrent sites instead. It was suspected that this was the case for a while, but then to save everyone the effort, the nice guys over at Aiplex Software openly admitted that they were doing it. Big mistake!

As the Internet is a wonderful medium for communication, there was a scheduled DDoS attack against Aiplex Software which took their site offline for a fair amount of time, until all the attackers then decided that moving onto the MPAA website was a better idea. The MPAA was forced to move its site to a new IP address after being down for 18 hours.

Yesterday an attack was launched against the RIAA in the same manner, and knocked the web site off the Internet for a good few hours.

All this was done via various means of communication, using the tool LOIC (Low Orbit Ion Cannon) and a bunch of anonymous supporters that weren’t afraid to stand up for what they believed in. Whether these attacks were right or wrong is purely a matter of opinion, but more to the point is the amount of damage that can be done.

In the past, if people wanted to protest, they would all gather in groups with placards and march around yelling various slogans; this usually happened outside the offending party’s premises. If it got out of hand, the police would be called in to disperse the crowd, and everything was back to normal. However now in the age of the Internet, people are free to participate from the comfort of their own homes, just by downloading a program, typing in an IP address or hostname and clicking “Attack”. These people won’t be traced if the attack is coordinated properly, as it’s next to impossible to trace where all the packets are coming from if you have a large amount of people doing this at the same time. Even if people were traced, there is always the “Botnet defense” (My PC must have been infected by something and become part of a botnet, I ran my anti-virus program and removed some things, and now it all seems fine).
As security professionals we need to look at this as the shape of things to come. What if an online retailer annoyed a few of its customers, or if an online gambling or finance site was just “asking for it”? All it takes is the right form of communication and a few thousand people, and poof, the site is off the Internet if it doesn’t have the correct protection mechanisms in place.

As security professionals, do you do your best to protect your company’s online assets from DDoS attacks? Or are you mainly concentrating on making sure the web sites are coded securely, that the web servers have been hardened and patched up to date…

I’m really interested to hear everyone’s comments on this one, so please leave them below.


Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that it is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.


National Strategy for Trusted Identities in Cyberspace

There is no possible way this could potentially go wrong, right?

Doesn’t the phrase “Identity Ecosystem” make you feel all warm and “green”?

It’s a public/private partnership, right?  So there is no possibility of some large corporation taking over the process and imposing *their* management ideas on it?  Like, say, trying to re-introduce the TCPI?

And there couldn’t possibly be any problem that an identity management system is being run out of the US, which has no privacy legislation?

The fact that any PKI has to be complete, and locked down, couldn’t affect the outcome, could it?

There isn’t any possible need for anyone (who wasn’t a vile criminal) to be anonymous, is there?


The Internet Almost Crashed!


Yeah, it is true. I guess some programming errors are more serious than others, so let’s give these guys a break: I also suppose the dark clouds gathered for all the recent DDoS characters, too.


Aggressive Anti-Spam Measures that Cause More Harm than Good

This post had personal info. I have removed it as I think it is irrelevant to the point I’m trying to make. Let’s just call him “Rick”. A user on a domain I maintain forwarded me an email from Rick explaining why his anti-spam swallowed the email. I replied with a set of challenges to his anti-spam filter’s effectiveness, as well as questioning the validity of the reasons behind it. Let’s be charitable and just say he did not seem to be open to discussing the matter.

Personal manners aside, this does bring up the greater question of arbitrary spam filters (arguably the worst ill effect spam had on the Internet) and standards conformance.


ISOI 3 is on, and Washington DC is hot

following up on that strange title, isoi 3 (internet security operations and intelligence), a workshop for do-ers who work on the security of the internet and its users, is happening monday and tuesday in washington, dc.

this time around we have even more government participation (we’re in dc, duh), but a bit less from academia (who can try and look at long term solutions), rather than just us security researchers, and operators (who respond, contain and mitigate incidents).

i am very pleased with our progress on encouraging global cooperation, and getting more industry information sharing going. i am also happy we are moving from “just” good-will based relationships to the physical world with our efforts, being able to take things to the next level with world-wide operational task forces and, indeed, affecting change.

if you are interested in this realm of internet security operations, take a look at isoi 3’s schedule, and perhaps submit something for the next workshop.

some reporters are somewhat annoyed that entrance is barred to them, but i hope they’d understand that although we make things public whenever we can as full disclosure is a strong weapon in the fight against cyber crime, folks can not share as openly when they have to be on their toes all the time.

the third isoi is here because after dhs ended up unable to host it, sponsors emerged who were happy to assist:

afilias ltd.: http://www.afilias.info/
icann: http://www.icann.org/
the internet society: http://www.isoc.org/
shinkuro, inc.: http://www.shinkuro.com/

it’s going to be an interesting next week here at the swamp. attendees better show up with their two forms of id. :)

gadi evron,
ge@beyondsecurity.com.


MS Patch Tuesday and Skype outage – why things didn’t match

Now that Skype’s explanation written on 20th Aug, Microsoft’s response written on Monday too, and Skype’s clarification written today, 21st Aug, exist, it’s time to share a short summary:

Why did the security community react the way it did?

1. Microsoft has released monthly security updates since January 2004
2. There were three critical MS patches in July, and four critical in June
3. Only four August critical patches included a mandatory reboot
4. Critical patch (MS07-044) for code execution issue in Excel needs no reboot
5. Critical patch (MS07-050) for VML needs reboot only if files in use
6. SecurityLab.ru released public Skype Network Remote DoS Exploit on 17th Aug
7. There was a new Skype for Windows version 3.5.0.214 out on 17th Aug
8. A lot of home users go to Microsoft Update on Tuesday, not on Thursday…

Do we need more reasons? No. Boys and girls at Skype, please share information that you are aware of public PoC, what the new bugfix release fixes etc.

But the good news: Villu Arak of Skype states that their “bug has been squashed.” And

The parameters of the P2P network have been tuned to be smarter…

Fine, because there are Black Tuesday patches in the future too! ;-)


eWeek: Estonian Cyber-War Highlights Civilian Vulnerabilities

i posted a column on eweek on what critical infrastructure means, looking back at the estonia incident.

they edited out some of what i had to say on home computers and their impact as a critical infrastructure, but hey, word limitations.

http://www.eweek.com/article2/0,1895,2166125,00.asp

Gadi Evron,
ge@linuxbox.org


Alternative Botnet C&Cs – free chapter from Botnets: The Killer Web App

syngress was kind enough to allow me to post the chapter i wrote for botnets: the killer web application here as a free sample.

it is the third chapter in the book, and requires some prior knowledge of what a botnet c&c (command and control) is. it is basic, short, and to my belief covers quite a bit. it had to be short, as i had just 5 days to write it while doing other things, and not planning on any writing, but it is pretty good in my completely unbiased opinion. ;)

you can download it from this link:
http://www.beyondsecurity.com/whitepapers/005_427_botnet_03.pdf

for the full book, you would need to spend the cash.

enjoy!

gadi evron,
ge@beyondsecurity.com.


CFP: ISOI III (a DA workshop)

cfp: isoi iii (a da workshop)
=============================

introduction
------------

cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security -
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at: http://isotf.org/isoi3.html

details
-------
27th, 28th august, 2007
washington dc -
aed conference center:
http://www.aedconferencecenter.org/main/html/main.html

registration via contact@isotf.org is mandatory, no cost attached to attending. check if you apply for a seat in our web page.

cfp

this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email contact@isotf.org as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)
--------------------------------------------

roger thompson (exp labs)
- google adwords... the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazario (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place to reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future are also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as it may sound.

thanks,

gadi evron,
ge@beyondsecurity.com.
