Insider Threat

The FBI says 70% of attackers originate from inside the organization (or is it 80%). So why do we all talk about hackers and Internet-bound attacks?

HDCP Master Key Leaked

High-bandwidth Digital Content Protection (HDCP) is a form of copyright protection developed by Intel. It is designed to prevent the copying of digital audio and video as it travels accross media interfaces such as HDMI, DisplayPort or Unified Display Interface (UDI).

The system is meant to stop HDCP-encrypted content from being played on devices that do not support HDCP or which have been modified to copy HDCP content. Before sending data, a transmitting device checks that the receiver is authorized to receive it. If so, the transmitter encrypts the data to prevent eavesdropping as it flows to the receiver.

Manufacturers who want to make a device that supports HDCP must obtain a license from Intel subsidiary Digital Content Protection, pay an annual fee, and submit to various conditions.

On 14th September 2010 the HDCP Master Key was somehow leaked, and published online in various sources. At present it is unknown how this Master Key was obtained, or whether Intel is doing any investigations as to how this happened. Intel has however threatened to sue anyone.

The leaked master key is used to create all the lower level keys that are stored within devices, so you can see what a nightmare this must be for Intel.

Intel have threatened to sue anyone that makes use of this key under intellectual property laws. However it will now only be a matter of time before we start seeing black market devices appearing.

If anyone’s at all interested though, you can find the key here.

Reflections on Trusting Trust goes hardware

A recent Scientific American article does point out that is is getting increasingly difficult to keep our Trusted Computing Base sufficiently small.

For further information on this scenario, see: http://www.imdb.com/title/tt0436339/  [1]

We actually discussed this in the early days of virus research, and sporadically since.  The random aspect (see Dell problems with bad chips) (the stories about malware on the boards is overblown, since the malware was simply stored in unused memory, rather than being in the BIOS or other boot ROM) is definitely a problem, but a deliberate attack is problematic.  The issue lies with hundreds of thousands of hobbyists (as well as some of the hackers) who poke and prod at everything.  True, the chance of discovering the attack is random, but so is the chance of keeping the attack undetected.  It isn’t something that an attacker could rely upon.

Yes, these days there are thousands of components, being manufactured by hundreds of vendors.  However, note various factors that need to be considered.

First of all, somebody has to make it.  Most major chips, like CPUs, are a combined effort.  Nobody would be able to make and manufacture a major chip all by themselves.  And, in these days of tight margins and using every available scrap of chip “real estate,” someone would be bound to notice a section of the chip labeled “this space intentionally left blank.”  The more people who are involved, the more likely someone is going to spill the beans, at the very least about an anomaly on the chip, whether or not they knew what it did.  (Once the word is out that there is an anomaly, the lifespan of that secret is probably about three weeks.)

Secondly, there is the issue of the payload.  What can you make it do?  Remember, we are talking components, here.  This means that, in order to make it do anything, you are generally going to have to rely on whatever else is in the device or system in which your chip has been embedded.  You cannot assume that you will have access to communications, memory, disk space, or pretty much anything else, unless you are on the CPU.  Even if you are on the CPU, you are going to be limited.  Do you know what you are?  Are you a computer? Smartphone?  iPod?  (If the last, you are out of luck, unless you want to try and drive the user slowly insane by refusing to play anything except Barry Manilow.)  If you are a computer, do you know what operating system you are running?  Do you know the format of any disk connected to you?  The more you have to know how to deal with, the more programming has to be built into you, and remember that real estate limitation.  Even if all you are going to do is shut down, you have to have access to communications, and you have to a) be able to watch all the traffic, and b) watch all the traffic, without degrading performance while doing so.  (OK, true, it could just be a timer.  That doesn’t allow the attacker a lot of control.)

Next, you have to get people to use your chips.  That means that your chips have to be as cheap as, or cheaper than, the competition.  And remember, you have to use up chip real estate in order to have your payload on the chip.  That means that, for every 1% of chip space you use up for your programming, you lose 1% of manufacturing capacity.  So you have to have deep pockets to fund this.  Your chip also has to be at least as capable as the competition.  It also has to be as reliable as the competition.  You have to test that the payload you’ve put in place does not adversely affect performance, until you tell it to.  And you have to test it in a variety of situations and applications.  All the while making sure nobody finds out your little secret.

Next, you have to trigger your attack.  The trigger can’t be something that could just happen randomly.  And remember, traffic on the Internet, particularly with people streaming videos out there, can be pretty random.  Also remember that there are hundreds of thousands of kids out there with nothing better to do than try to use their computers, smartphones, music players, radio controlled cars, and blenders in exactly the way they aren’t supposed to.  And several thousand who, as soon as something odd happens, start trying to figure out why.

Bad hardware definitely is a threat.  But the largest part of that threat is simply the fact that cheap manufacturers are taking shortcuts and building unreliable components.  If I was an attacker, I would definitely be able to find easier ways to mess up the infrastructure than by trying to create attack chips.

[1] Get it some night when you can borrow it, for free, from your local library DVD collection.  On an evening when you don’t want to think too much.  Or at all.  WARNING: contains jokes that six year olds, and most guys, find funny.

Forensics & The Fabled Chain Of Custody

I’m not very big into forensics any more, but occasionally I’ll get asked to take on a case or two, and whenever I do, the one thing that people always manage to seem to get wrong is the chain of custody.

Now for those of you who have no idea what I’m talking about here, here is the blurb from Wikipedia on Chain Of Custody.

Chain of custody (CoC) refers to the chronological documentation or paper trail, showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct which can compromise the case of the prosecution toward acquittal or to overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime, rather than having, for example, been planted fraudulently to make someone appear guilty.”

I have seen so many cases through the years, where a single has just gone and asked a user to please shutdown their PC, and then taken it away from them, jumped in a cab, and as it was late, taken the PC home with them for the night. Then the next morning, they’ll walk into my office and ask me to do forensics on the host, as the user in question has been doing x,y and z wrong on company property and they want to fire them and prosecute. It’s very hard trying to explain to senior management, that while, I can do the forensics for you, and I’m sure that I’ll find something, can you please just prove to me that you didn’t put it there to frame the person? This usually results with the same old conversation, that kind of goes along these lines.

Manager: “Of course I didn’t put it there! I’m a senior manager, why would I do that, what do I stand to gain?”

Me: “Well, it could be that you just don’t like this person, or on a personal level, they’ve done something to upset you”

Manager: “Well, I’m telling you that I didn’t put anything on his PC, and I’m a senior manager! So get started with the forensics asap, and let me know!”

Me: “You seem very defensive, it sounds like you may be hiding something?”

Manager: “I am not hiding anything, I just want you to prove that he was doing something wrong so that I can fire him and then get legal to prosecute!”

Me: “Okay, I’ll do what I’ve been asked. Just remember though, I’m a IT Security guy, and you sound guilty to me, even though you may not be, imagine what a lawyer would do with you? We have forensics procedures, that are visible to the entire company in regards to bringing in user’s PC’s, next time can you please take the time to read these?”

The senior manager then usually storms out of the office.

Following proper procedures for forensics purposes is of the utmost importance, as if you do need to lay charges you need to be able to prove that you did everything by the book. If you don’t have detailed procedures for your in-house forensics, maybe now is the time to start thinking about writing some…

National Strategy for Trusted Identities in Cyberspace

There is no possible way this could potentially go wrong, right?

Doesn’t the phrase “Identity Ecosystem” make you feel all warm and “green”?

It’s a public/private partnership, right?  So there is no possibility of some large corporation taking over the process and imposing *their* management ideas on it?  Like, say, trying to re-introduce the TCPI?

And there couldn’t possibly be any problem that an identity management system is being run out of the US, which has no privacy legislation?

The fact that any PKI has to be complete, and locked down, couldn’t affect the outcome, could it?

There isn’t any possible need for anyone (who wasn’t a vile criminal) to be anonymous, is there?

KHOBE: Say hello to my little friend(*)

Guess what? You personal firewall/IDS/Anti Virus/(insert next month’s buzzword here) isn’t going to save you from an attacker successfully executing code remotely on your machine:
http://www.zdnet.com/blog/hardware/update-new-attack-bypasses-every-windows-security-product/8268

So no, it’s not the doomsday weapon, but definitely worthy of the Scarface quote in the title.
This isn’t surprising, researchers find ways to bypass security defenses almost as soon as those defenses are implemented (remember non-executable stack?). Eliminating vulnerabilities in the first place is the way to go, guys, not trying to block attacks hoping your ‘shields’ hold up.

(*) If you’re reading this out loud you need to do so in a thick cuban accent

Printers, the forgotten threat.

It seems that in this day and age, people have finally grasped the concepts of why it’s a good idea to patch systems regularly, run an anti-virus application, and have funky network appliances like firewalls and Intrusion Detection Systems. Which is a really great move in the right direction.

One thing that I will never understand though is that people will spend a fortune on new security tools and appliances, adn they’ll forget the basics.

Please people, remember to lock down the items on your network that may seem insignificant to you, as nine out of ten times, they are a foothold for a hacker. A prime example of this would be printers, I have managed to obtain really sensitive information off of printers attached to networks in their default state in the past, and also waste valuable time and company resources.

Here are few of the things that i’ve done on various assignments over the years in regards to printers:

– Modify the default web console pages, and load them up with browser exploits

– Find valuabe documents saved as files on the printers

– Use the printers as zombie hosts for nmap zombie network scans

– Tie up the printer for a day or so printing out the contents of my hard drive

– Waste paper and ink from doing the above

– Leave obscene messages on the console display
– Shut down the printer and fake the logon page to accomplish all of the above

Here’s a pretty useful link for all those with HP printers on their estate as well.
So in going forward, please remember that if it’s attached to your network, it needs to be secured. Most printers these days come with security configuration options, but they have to be enabled, so take the extra 5 minutes to make the world a better place.

LinkedIn as a recruitment resource

I’m working on an article about the risks in social networking right now, and I’ve come across yet another blog posting about how to use LinkedIn (and Facebook, and Twitter, etc.) to look for job candidates.

I’ve never quite been able to figure out the attraction of using LinkeDin as a source of employment candidates.  The one thing you know about active socnet users is that they are active socnet users.  If you are at all concerned about your employees wasting time at work, you know right off the top that this is a person who will do that.

Of course, if your company is trying to “get into” the socnet world, you might think this is a good thing.  But it’s quite a leap of faith to think they would do it for you, rather than themselves.

(For us in infosec, there would be the added concern that this person is either telling way too much about themselves, or “tailoring” the facts.  So you either have a failure of confidentiality, or integrity.)