Sector 2016


This October marked the 10th anniversary of Toronto’s main security conference, Sector. I had the pleasure and privilege of being a speaker, as well as working with a terrific team of volunteers. It was thrilling to be part of this event, plugged right in, to welcome people to our city and then to deliver a talk I had really wanted to give.

There was fanfare. Edward Snowden – yes, for real – was video conferenced in as the keynote speaker on Day 1 and he did not disappoint. He has put his time away to good use, becoming an expert on matters of privacy and rights. There was a second terrific keynote panel on Day 2 by a group of very successful and talented women about their experiences and insights on careers in InfoSec. The selection of talks and speakers was truly impressive, featuring leading experts and exciting new voices.

Here is my presentation, which started from a story on the Defensive Security podcast back in March. What caught my attention was how a bank heist in Bangladesh for a billion dollars was bungled because of a spelling error, and how far things almost went. Bank heists make great stories. This year, we’ve got some really good stories to tell courtesy of a trusted network known as SWIFT, and some banks that believed they were inherently protected by virtue of being connected – except they weren’t. Hundreds of millions of dollars have revealed some ugly truths and dangerous assumptions. In this security fairy tale we’ll talk about scary godmothers, big bad wolves, fire-breathing dragons and what’s inherently wrong with the banking system. Because the emperors have no clothes on. Click on it to go to the site.


Irongate & Customized ICS Malware: Don’t Hit the Snooze Button This time


ICS or Industrial Control System networks are integral to running our critical infrastructure, industrial and manufacturing processes, hospitals.  These are specialized systems that have been kept separate or “air gapped” from main networks, but that has been changing over the past few years as everybody finds ways to get connected. However, a mindset persists that because these systems are “special” and “different”, and because they have been segregated from conventional networks for so long, they are inherently protected. This past week heralded the discovery of “Irongate”, customized malware for ICS that is still in the testing stages and has not been used against production facilities – yet. The fact that somebody has carried on from where Stuxnet left off is a warning to us all that our assumptions on what keeps us secure no longer apply.

Stuxnet showed us that specialized systems offer attackers, especially at the nation state level, a unique opportunity for this reason. Nobody is looking when they think they are secure. The fact is that attackers live within our networks for long periods. We have seen this proven in recent months through the rapid escalation of ransomware and lateral movement through networks to accumulate info and destroy data; in the attack on the power grid in the Ukraine where attackers harvested credentials to access the VPN and get into supposedly secure systems; and the SWIFT banking heists where attackers learned the most intricate details of how to manipulate printer outputs and redirect huge monetary transactions.

‘Airgaps’ are great in theory, but don’t hold up given the growing reality of the IoT and now the IIoT. With pressures to cut costs, increase productivity, and just make things easier, these systems are being connected to corporate networks and the “Cloud”. There’s a whole lot of scary here because the truth is that ICS systems are not well monitored. Experts like Chris Sistrunk and Robert M. Lee have made this pointedly clear in emphasizing the need for NSM, network system monitoring, and DFiR, digital forensics, to look for what attackers leave behind. You can’t find the danger if you aren’t looking.

While the big announcement of Irongate was this week, researchers actually found samples in late 2015, and reports show that the malware can be dated as far back as 2012, and was submitted to VirusTotal through the web interface in Israel in 2014. There is no evidence of this having been used in any campaign, nor is it associated with known threat actors. Siemens ProductCERT confirmed that “the code would not work against a standard Siemens control system environment”. As it stands, it is not proof-of-concept for an actual weapon or adversary. Yet the code was found when searching for droppers compiled with PyInstaller; Irongate droppers are Python scripts converted to executables with that same software. Somebody saw the need to make this, and the opportunity to exploit. We need to read into that and act on it before it moves from test to production.

According to Robert M. Lee,

“ICS is a viable target and attackers are getting smarter on how to impact ICS with ICS specific knowledge sets… The unique nature of ICS offers defenders many advantages in countering adversaries but it is not enough. You cannot rest on the fact that ‘ICS is unique’ or ‘ICS can be hard to figure out’ as a defense mechanism. It is a great vantage point for defenders but must be taken advantage of or adversaries will overcome it.”

Right now, there is a lot of speculation around why this exists in test, without a known contributor. Dan Scali, senior manager for FireEye Mandiant ICS Consulting, posits: “Is someone trying this in a simulated [environment] before taking it to a production environment? Or is it a researcher saying ‘look what I can do … a Stuxnet-type thing’?”

Robert M. Lee expressed concern that this illustrates a fundamental security problem with ICS/SCADA. “It’s a sign of the interest in this by pen testers, security companies, as well as adversaries… I am not confident that a majority of the industry could respond to it. We don’t know what’s out there; antivirus companies aren’t finding it and even if they had, who would know what to do with it [the threat]?”

If we’re not looking, we’re not finding. And we won’t be able to prepare for attacks which are already in the works. We would be foolish to think otherwise.

This argument is made by Lior Frenkel, CEO of Waterfall Security.  He expects attacks similar to Stuxnet “are in the pipeline”.

“These attacks will increase in their sophistication and complexity, so any solution needs to be completely comprehensive and robust to cover the full perimeter of an ICS site,” adding that “unidirectional gateways are the optimal solution for these attacks.”

Add to that this assertion by Sean McBride, attack synthesis lead for FireEye iSIGHT Intelligence: “I would not be surprised to see sandbox evasion and file replacement attacks incorporated by future ICS malware deployed in the wild.” This is yet another wakeup call for ICS SCADA, and other sensitive segregated systems.

Irongate:

  • is sophisticated,
  • has the capacity to be persistent,
  • is evasive,
  • is undetected by AV, and
  • introduces new features to existing knowledge of customized ICS malware.

The key feature is a man-in-the-middle (MitM) attack, where the malware replaces existing DLL (Dynamic Link Library) files with malicious ones, enabling it to come between a PLC and legitimate monitoring software to engineer the next step. Like a scene from a movie, where the security camera footage is manipulated, the malicious DLL records five seconds of ‘normal’ traffic from a PLC to the user interface. This “footage” goes on replay while other data gets sent back to the PLC. Hence an attacker can alter a controlled process without alerting the process operators.
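The record-and-replay trick described above has a defender-side signature: genuine process telemetry carries sensor noise and drift, so a stream whose tail repeats a fixed-length window sample-for-sample is anomalous. The following is an added example, not code from the original post or from FireEye’s analysis; the 10 Hz polling rate, the window sizes and the constructed readings are assumptions.

```java
import java.util.Arrays;
import java.util.Random;

/**
 * Added example: detect an Irongate-style replay loop in HMI-side telemetry.
 * A looped recording shows up as the last minCycles*period samples repeating
 * exactly with some period; live data with sensor noise never does.
 */
public class ReplayDetector {

    /**
     * Returns the period (in samples) if the tail of readings repeats exactly
     * with that period for at least minCycles cycles, trying every period in
     * [minPeriod, maxPeriod]; returns -1 if no exact loop is present.
     */
    public static int findReplayPeriod(double[] readings, int minPeriod, int maxPeriod, int minCycles) {
        if (minCycles < 2) throw new IllegalArgumentException("minCycles must be at least 2");
        int n = readings.length;
        for (int period = minPeriod; period <= maxPeriod; period++) {
            int needed = period * minCycles;
            if (needed > n) break;
            boolean looping = true;
            // Every sample in the tail must equal the sample exactly one period earlier.
            for (int i = n - needed + period; i < n && looping; i++) {
                if (Double.compare(readings[i], readings[i - period]) != 0) looping = false;
            }
            if (looping) return period;
        }
        return -1;
    }

    /** Constructed "healthy" telemetry: a slow ramp plus Gaussian sensor noise (assumption). */
    public static double[] liveTelemetry(int samples, long seed) {
        Random rng = new Random(seed);
        double[] out = new double[samples];
        for (int i = 0; i < samples; i++) {
            out[i] = 100.0 + 0.01 * i + rng.nextGaussian() * 0.05;
        }
        return out;
    }

    /** Constructed replayed telemetry: the last window samples of live looped cycles times. */
    public static double[] replayed(double[] live, int window, int cycles) {
        double[] out = Arrays.copyOf(live, live.length + window * cycles);
        for (int c = 0; c < cycles; c++) {
            System.arraycopy(live, live.length - window, out, live.length + c * window, window);
        }
        return out;
    }

    public static void main(String[] args) {
        int sampleRate = 10;              // assumed 10 Hz HMI polling
        int fiveSeconds = 5 * sampleRate; // a five-second loop is 50 samples at that rate
        double[] live = liveTelemetry(600, 42L);
        System.out.println("live stream replay period: " + findReplayPeriod(live, 20, 100, 3));
        double[] looped = replayed(live, fiveSeconds, 4);
        System.out.println("looped stream replay period: " + findReplayPeriod(looped, 20, 100, 3));
    }
}
```

Real PLC values are often quantised, so on a production stream you would compare over multi-signal frames and require several consecutive identical windows before alerting, as the minCycles parameter allows.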

Causes for concern should be:  this malware was undetected by AV, even though some strings had the word “dropper” and there was an actual module named scada.exe; the malware is evasive, and will not run if it detects the use of VMware or Cuckoo Sandbox environments – something Stuxnet could not do.

Although Irongate is not as complex, the similarities to Stuxnet stand out:

  • Both types of malware search for a single, highly specific process.
  • Both replace DLLs to manipulate processes.
  • Both are evasive. IRONGATE looks for sandbox or VMware environments that allow observation of malware; Stuxnet sought out antivirus software.
  • Both manipulate process data. IRONGATE, however, actively records and plays back data to conceal its manipulations.

A key difference is that unlike Stuxnet, “Irongate has no worm-like spreading function, nor any apparent ties to nation-state actors”.

Recommendations on how to secure against this latest variant of ICS malware include integrity checks and code. But it really comes down to following through on best practices and those areas already identified as weak. The problem is that what we’ve been doing will fail us going forward, and we’re failing at doing the basics right. Know your baselines and actively look for anomalies. NSM needs to happen, as does DFiR within ICS, comprehensively and without further delays and excuses. Otherwise, we are turning a blind eye to attackers who know these systems better than we do.

This latest variant of customized ICS malware may be in the testing stages as we found it. But you can bet if someone else is working on this, things have already moved toward production and deployment. Irongate is yet another major wakeup call and we can’t keep hitting the snooze button.

Resources:

https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html

https://www.helpnetsecurity.com/2016/04/13/ics-network-attacks/

http://www.darkreading.com/threat-intelligence/shades-of-stuxnet-spotted-in-newly-found-ics-scada-malware-/d/d-id/1325753

https://www.helpnetsecurity.com/2016/06/03/ics-focused-irongate-malware/

Yes Virginia, Dreams Really Do Come True!


Sorry to have neglected you this past while. Big changes have happened. But that’s a good thing. A really good thing. And something I hope to carry forward.

You may have heard about the lack of talent in cyber security. And the lack of women in tech. And the resulting lack of women in cyber security. I am thrilled to tell you that I have now changed that statistic by one.

Yes Virginia, dreams really do come true. Because  I was offered the role of my life. My dream job.

I now do Threat Intel with the cyber security team at KPMG. As a cyber security consultant.

Repeat after me:

OMG! OMG! OMG!  Now breathe. (that really was fun, wasn’t it!)

Now I can stay up all night, every night, looking for cyber boogeymen and playing what-if til I can’t keep my eyes open. And people actually want to know about what I find. Oh, holy cow – it is amazing!

I have to learn more about all. the. things. Which is fantastic because I like all the things. Networks. SCADA ICS. Mainframes. Web Application Firewalls. And of course my 3 favourite letters: APT or Advanced Persistent Threat. Because the biggie of all those, Stuxnet, is what led me here in the first place.  I get to work with amazing people whose knowledge and skill just inspires me every day to do more.  We plan and build and evaluate things most people have no idea about, but that will actually make the world a better and safer place for everyone. And that is the realization of one of many childhood dreams. I still haven’t walked onto a Starfleet Enterprise class ship yet, but believe me, this is what it would feel like.

And this is where I tell you the really good stuff. That you have it in you to make your version of this happen. I stopped listening when people told me “you can’t do that” or “you got that all wrong” or “maybe you’d be better at…”. I listened to that voice inside me, that passion pushing me further even when it seemed impossible. Even when I couldn’t understand it the first time, or someone said no, and said no again. Because something inside of me wouldn’t let it go. I loved it too much. Listen to that piece of you that won’t let go. Find that thing you love enough to fight for it – and fight. You deserve the sweetness of this victory. And oh, if it can happen for someone like me without all the proper degrees and traditional routes, then it can happen for you. Believe.

So come along and join me for my next incredible, amazing adventure. I’m only just getting started!

(Necessary Disclaimer bit that all these posts are my own and not my employer’s)

The Future of Ransomware


Ransomware is like a nasty game of tag: you can try to avoid it, but once you’re hit, you’re out. For all we know about doing defence right, following the best practices advocated by NIST and SANS, this particularly malevolent threat has been on an upward trajectory out of the gate since 2016, after trending through 2015. It’s gone way beyond just phishing for targets and locking down individual files. Current strains are evasive: like tag, they figure out what anti-virus and security is running on the target system that might detect them, and stay hidden. They now go after websites. They lock down entire servers. And they don’t care who the victims are – not even hospitals.


If you’ve been reading along with me on Twitter, or happen to be up at 2:00 a.m. like I am, you know that ransomware is what keeps me up at night. Along with some other brilliant minds in our security community who are dedicated to tracking and shutting down this ever-growing threat. These guys really know what they’re doing. Countless hours of research, investigation and analysis have produced this paper:  Ransomware: Past, Present, and Future.   There are definitive pieces that give the lay of the land and map out the course ahead. That is what this piece does. Sincere appreciation for the efforts of  @da_667 @munin @ImmortanJo3 @wvualphasoldier (and others) who put this together. They understand just how widespread the risk is, and time is not a luxury we have. This is essential reading for anyone in tech, security, business, critical infrastructure. Essentially, anyone who needs to safeguard the data and networks their daily business relies on.

From the Talos blog: A fictional Adversary’s workflow of compromise and takeover


Right now, here is what I would advise anyone. Back your stuff up, frequently, and separately from the network. Check your patch management situation. Where are your exposures? How are you handling security awareness, especially around phishing? Do you monitor your systems regularly, so that you have a baseline to compare events against?

And finally, take the time now and please read this: Ransomware: Past, Present and Future by Talos. Because the more people who know about ransomware and where it’s headed, the better we can all work together to secure things.

Thank you for stopping by!

My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.


FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger.   Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access.  It’s so bad US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware currently running in their systems. Because a little knowledge could be a dangerous thing used to our advantage this time.


WHAT: An extremely dangerous and wholly underrated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as a launching point for further attacks.

  • No working public exploits against apps til now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users in the ability to hijack deserialization process.

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: The vulnerability is found in how many Java apps handle the process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Disassembly is the process of breaking an object down into a sequence of bits.

Deserialization (also called unserialization) is the reassembly of those bits.

A Java object is broken down into a series of bytes for easier transport.

Then it is reassembled at the other end. Think of The Fly, or the transporter.

PROBLEM:  many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization or putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT malicious object into data stream and it can execute on the app server

Attack method:  special objects are serialized to cause the standard Java deserialization engine to instead run code the Attacker chooses.

Each of the 5 middleware applications listed above ships a Java library called “commons-collections.” This library has a method that can lead to remote code execution when data is deserialized, and no code should execute during this process.

NEEDS TO HAPPEN:

Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

Need to harden it against the threat.

Removing commons-collections from app servers will not be enough. Other libraries can be affected.

Contrast Security has a free tool for addressing the issue: Runtime Application Self-Protection (RASP). It adds code to the deserialization engine to prevent exploitation.
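One way to harden the deserialization engine itself, as the recommendations above call for, is to refuse any class the endpoint did not expect before a single object is reconstructed. This is an added example, not the original post’s code and not Contrast Security’s tool; the OrderRequest type and the allowlist contents are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example: an allowlisting ObjectInputStream. The check runs in
 * resolveClass(), which Java calls while reading the class descriptor, so an
 * unexpected class (including library gadget classes) is rejected before its
 * readObject() or any other code can run.
 */
public class SafeDeserializer {

    /** The only type this endpoint legitimately expects (constructed for the example). */
    public static final class OrderRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int quantity;
        OrderRequest(String item, int quantity) { this.item = item; this.quantity = quantity; }
    }

    /** Classes permitted on the wire (assumption). Nothing from commons-collections is on it. */
    private static final Set<String> ALLOWED = Set.of(
            OrderRequest.class.getName(),
            "java.lang.String", "java.lang.Integer", "java.lang.Number");

    /** ObjectInputStream that vets the class name before the default resolution loads it. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: the class is never loaded, so none of its code executes.
                throw new InvalidClassException(name, "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static Object deserializeAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new OrderRequest("valve-kit", 3));
        OrderRequest ok = (OrderRequest) deserializeAllowlisted(expected);
        System.out.println("accepted: " + ok.item + " x" + ok.quantity);

        // A stream carrying a class the endpoint never asked for (java.util.HashMap stands in
        // for an unexpected library class) is refused before it is reconstructed.
        byte[] unexpected = serialize(new java.util.HashMap<String, String>());
        try {
            deserializeAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be applied without subclassing through the built-in ObjectInputFilter (JEP 290); the allowlist still has to be maintained per endpoint, which is the inventory work the text describes.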

Sources:

Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Back it up! Back it UP!

Because today is World Backup Day – A cautionary tale and my little take on “Shake It Off” by Taylor Swift

I left it too late
Got nothing on my plate
That’s what my disk drive says mmm-mmm
That’s what my disk drive says mmm-mmm

Now my files are all gone (sob)
And I know something is wrong
At least that’s what the server says mmm-mmm
That’s what the server says mmm-mmm

So I keep losing
All the work that I was doing
It’s like I got this hole
In my drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Shellshock is gonna bash, bash, bash, bash, bash
And the hackers gonna hack, hack, hack, hack, hack
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

When we got hacked today
By Ransomware – won’t pay
That’s what they say don’t do mmm-mmm
That’s what they say don’t do mmm-mmm

Get the backups- Let’s restore! (backup and restore)
Is this all- why aren’t there more? (why, why aren’t there more?)
So I tell them I don’t know, mmm-mmm
I tell them I don’t know, mmm-mmm

And we are losing
The work that we’ve been doing
It’s like we got this hole
In the drives
And it’s not gonna be alright

‘Cause the data’s gone away, way, way, way, way
And now it’s way too late, late, late, late, late
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Our site is getting hacked, hacked, hacked, hacked, hacked
Our accounts are getting jacked, jacked, jacked, jacked, jacked
Baby, I’m just gonna cry, cry, cry, cry, cry
I shoulda backed it up, backed it up

Back it up, I’ll back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up
I, I’m gonna back it up, back it up

Yeah ohhhh!!!!

Yeah the price we had to pay, pay, pay, pay, pay
But today’s a different day, day, day, day, day
Baby, I’m just gonna save, save, save, save, save
Now I back it up, I back it up

If the hard drive’s gonna crash, crash, crash, crash, crash
Or tornadoes gonna smash, smash, smash, smash, smash
Baby, I’m not gonna cry, cry, cry, cry, cry
Cause I back it up, I BACK IT UP!

You know what you gotta do – go do it!

Why The Internet Is Broken … Again


In the ongoing saga of our quest for powerful encryption online for all, free from backdoors and government restrictions, this week we stumbled again over the inherent brokenness of the existing standard. Yet again, there is a massive vulnerability impacting TLS, or transport layer security. And it stems back to a very short-sighted decision by the US Gov’t during the ’90s.

The DROWN attack renders vulnerable the messages that are sent online between HTTPS servers – yes, that is correct, you saw the letter ‘s’. When stuff like this happens, it kind of defeats the whole purpose of making things HTTPS. The acronym is pretty self-explanatory. It stands for “Decrypting RSA using Obsolete and Weakened eNcryption”. Obsolete and Weakened says it all.

The impact is huge. It means that TLS connections to over 33% of HTTPS servers are open to attack using fairly fast and easy methods. That’s the other problem. The attackers won’t have to work hard for the money on this one. More about how later.

TLS matters because encryption matters, so it is the most important security protocol on the internet. It began as SSL, or Secure Socket Layer, back when dinosaurs sat in power. And if we recall from previous briefs about similar problems, those stem back to the US government meddling in the ‘90s and making encryption work for their purposes, i.e. dumbing it right down to do business abroad.

So the cause, simply put, is dangerously outdated SSLv2. Gone but so not forgotten. While browsers or clients have gotten rid of SSLv2, many servers still support the protocol. This can be attributed to carelessness and to obsolete embedded devices that don’t get updated. And while OpenSSL was supposed to offer a configuration option to disable SSLv2 ciphersuites, it doesn’t seem to be working, because even when that option is selected or set, clients can still choose the SSLv2 option. Here is an excellent explanation of why this is so serious by cryptography expert Matthew Green; you can read his thoughts in detail in his recent blog post on DROWN:

If you’re running a web server configured to use SSLv2, and particularly one that’s running OpenSSL (even with all SSLv2 ciphers disabled!), you may be vulnerable to a fast attack that decrypts many recorded TLS connections made to that box. Most worryingly, the attack does not require the client to ever make an SSLv2 connection itself, and it isn’t a downgrade attack. Instead, it relies on the fact that SSLv2 — and particularly the legacy “export” ciphersuites it incorporates — are pure poison, and simply having these active on a server is enough to invalidate the security of all connections made to that device.

So what happens is that a server is using both SSL and TLS. Double the flavour, double the fun; that would necessitate separate certificates and private keys. Except that people don’t want to do more or pay more, so they use the same thing on both. And yes, Virginia, a buggy SSLv2 will impact the security of TLS.


NOTE: a patch for this matter was issued in January but not well publicized. This doesn’t help, because we need folks to get the patches up on their systems. Otherwise, we have what is still ongoing because of Shellshock Bash: unpatched instances propagating exploits. So please, do everyone a favour and patch your systems.

How does the bad stuff happen? In what is called a cross-protocol attack. It uses bugs in one protocol (say, SSLv2) to attack the security of connections made in another, different protocol (i.e. TLS). The irony is that while TLS is designed to defend against well-known attacks on this encryption, SSLv2’s export suites have been proven not to do that (via the Bleichenbacher attack, and that’s all you really need to know about it here).

What we need to acknowledge is just how realistic an attack actually is. The answer is: very. It will only cost a few hours and $440 using the available power of Amazon EC2. The attacker would watch about 1,000 TLS handshakes to find a vulnerable RSA ciphertext, use 40,000 queries to the server and 2^50 offline operations. That may sound like a lot, but it really isn’t given today’s resources. We know attacks only get faster and more sophisticated. Researchers have now found a new version that can decrypt a TLS RSA ciphertext in ONE minute on a single CPU core.

What can you do?  Start by checking your systems. Follow this link here:  https://test.drownattack.com/ (the link is safe). While there is a patch again that should help, it only works when applied. The DROWN Attack site will help you to learn more about how this vulnerability impacts various systems and how to disable SSLv2.

Read more here:

http://www.symantec.com/connect/blogs/drown-vulnerability-could-sink-secure-internet-connections

https://drownattack.com/

http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

Hope that was helpful! Thanks for reading.

Ransomware: Don’t Get LOCKY’d Out


LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payments, or bank statements. These will contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. And any removable devices will also become contaminated, putting others at risk.
DO NOT ENABLE MACROS!

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shut down the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.


As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code, and Office files, as well as files in any directory on any mounted drive that the infected computer can access. This is important because this will also include removable drives plugged in at the time or network shares that are accessible, like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network using administrator access and controls; the damage could be widespread. Locky will also encrypt Bitcoin wallet files it finds, thereby stealing any bitcoin that could have paid the ransom.

Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current or live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime


Watching Your Backdoor

It’s a thing. Backdoors. And no, not the fun kind with screens that keep out mosquitoes. The kind I’m going to reference here are the ones that actually let worse things in.


Backdoors in tech aren’t just the stuff of legend, or part of the plot in tales of espionage. They are very real,  and there is nothing secure about them. They exist as an intrusion point, hidden, secret. These deliberate manipulations of code allow access into a network or application and bypass the necessary security protocols.  What matters to me isn’t so much that these are used by foreign governments to spy on us, or for corporate espionage. Rather, it’s the further legitimization of attacks on our privacy.  How do we secure against this mindset? Backdoors are essentially a weakness built into the code. Something unsecured that when discovered can be readily exploited, because nobody is supposed to know it’s there. Until it’s too late.

Several backdoors have been revealed just over the past few months. Here’s the rundown of shame by John E. Dunn in his article in Forbes:

NSA Clipper Chip, 1993

The most reviled backdoor in history, the NSA’s infamous Clipper chip, endorsed by the Clinton administration, still gets people’s backs up more than two decades on from its heyday. In 1993, encryption was new and strange. Few used it but the experts and Government spooks could, however, imagine a world in which they might. Their answer was to neuter the possibility of unbreakable security with an escrow-based system based around the Clipper chip that would cache keys. Assuming anyone had agreed to use it the NSA would have had a ready means to decrypt any content.

As Whitfield Diffie, creator of the famous Diffie-Hellman key exchange protocol observed at the time, the problem with building in backdoors is that they are deliberate weaknesses. Should a third-party find them they become less a backdoor than an open one.

Borland InterBase backdoor, 2001

This weakness in the firm’s InterBase database was essentially a secret backdoor account that allowed anyone with knowledge of it access to data. Making the serious comic, the username and password in question were ‘politically’ and ‘correct’. At the time, the assessment was that while deliberate the hole was probably put there by one or a small number of programmers as a convenience. But we’ve included it because the fact that perhaps only one person knew about it doesn’t mitigate its seriousness for the seven years until it was discovered.

Huawei v the US, 2011

The huge Chinese equipment maker spent millions trying to reform its image after being accused of building backdoors into its telecoms equipment. In 2012 a US Congressional investigation concluded that the firm (and mobile vendor ZTE) should be banned from the world’s largest market over state surveillance worries. In the UK BT had been installing Huawei equipment since 2007 so it was all too late to do much about it beyond GCHQ setting up a special unit to monitor its systems in cooperation with the company itself.

Irony of all ironies, a Snowden leak then suggested that the NSA’s Tailored Access Operations (TAO) had set up an operation to spy on Huawei to work out how far any collusion went.

The modern (i.e. post-Aurora and Stuxnet) era of backdoor scandal began here.

Cisco et al, 2013

Dragged out of Snowden’s famous cache by a German newspaper, this concerned unpublished security flaws in the networking equipment of a group of vendors, headed by Cisco but including Juniper, Samsung among others. These weren’t classic backdoors except in the sense that they allegedly offered a huge amount of surveillance control over the equipment. Very unusually, Cisco’s CSO John Stewart issued a statement denying any knowledge of the compromise.

“As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products,” he stated. The fact he was even having to say this was a sign of changed times.

More recently in 2015, a backdoor compromise called SYNful Knock was discovered on Cisco equipment. Described by security firm FireEye as a Cisco router implant, already it was clear that the simple idea of intelligence engineers building in massive holes from day one of a product’s life was probably out of date. Why build them in when juicy ones could be found later on?

Juniper, 2015

Discovered just before Christmas 2015, this looked like a biggie in Juniper’s NetScreen ScreenOS from the off. The company finally admitted to suspicious researchers that the Dual_EC_DRBG encryption random number generator contained a backdoor that would allow anyone with knowledge of it to eavesdrop on secure VPN connections. This flaw might or might not have been deliberately put there by the NSA, which was the source of the RNG, but it was exploited at some point, possibly by a third-party government. A backdoor in a backdoor or just weak coding?

Fortinet, 2016

Hard-coded passwords are an absolute no-go for any system these days so it was disconcerting to discover that Fortinet appeared to have one in an SSH interface accessing its FortiOS firewall platform. Researchers looked on this as a backdoor although Fortinet strenuously denied this interpretation. In fairness, this was probably correct although the lack of transparency still bothers some.

CESG’s MIKEY-SAKKE, 2016

Was the revelation that this protocol, promoted by the UK’s CESG for end-to-end encryption in VoIP phone calls, a real backdoor or simply part of the spec? According to Dr Steven Murdoch of University College London the escrow architecture used with MIKEY-SAKKE simply has not been fully explained. Was this a way to spy on conversations without anyone knowing? According to GCHQ, that’s exactly what it was. As an enterprise product, escrow was perfectly appropriate and organisations deploying this technology needed a system of oversight.

In fairness to MIKEY-SAKKE, setting up end-to-end encryption without some form of backdoor is now unthinkable for large enterprises that need control over their encryption infrastructure. Whether this compromises the system in a wider sense seems over-blown assuming the architecture has been correctly documented.
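Diffie’s point in the Clipper entry above, that an escrow backdoor is a deliberate weakness, in an added toy example (my own code, not from Dunn’s article and not the real Clipper design): every message carries its session key wrapped under one escrow key in a LEAF-style field, so whoever holds that escrow key, by design or by theft, reads every message. The stream cipher and the escrow key are constructed stand-ins so the block runs on the standard library alone.

```python
import hashlib
import hmac
import os

# Toy key-escrow envelope in the spirit of Clipper's Law Enforcement Access
# Field. The "cipher" is a SHA-256 keystream XOR: a constructed stand-in,
# not a real cipher, used only so this runs offline on the standard library.

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))

# Constructed escrow key: in the Clipper scheme this sat with the escrow agents.
ESCROW_KEY = hashlib.sha256(b"constructed escrow master key").digest()

def encrypt_with_escrow(session_key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(12)
    body = keystream_xor(session_key, nonce, plaintext)
    # The LEAF: the session key wrapped under the escrow key, plus a tag so a
    # compliant chip could reject messages whose LEAF had been stripped or altered.
    leaf = keystream_xor(ESCROW_KEY, nonce, session_key)
    tag = hmac.new(ESCROW_KEY, nonce + leaf, hashlib.sha256).digest()[:8]
    return {"nonce": nonce, "leaf": leaf, "tag": tag, "body": body}

def decrypt_as_recipient(session_key: bytes, msg: dict) -> bytes:
    # The intended recipient never touches the LEAF.
    return keystream_xor(session_key, msg["nonce"], msg["body"])

def leaf_accepted(escrow_key: bytes, msg: dict) -> bool:
    expected = hmac.new(escrow_key, msg["nonce"] + msg["leaf"], hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, msg["tag"])

def decrypt_as_escrow_holder(escrow_key: bytes, msg: dict) -> bytes:
    # Whoever holds the escrow key (agency, insider, or a third party who found
    # it) unwraps the session key and reads the message without ever being sent
    # the session key. This is the "deliberate weakness" Diffie described.
    if not leaf_accepted(escrow_key, msg):
        raise ValueError("LEAF integrity check failed")
    session_key = keystream_xor(escrow_key, msg["nonce"], msg["leaf"])
    return keystream_xor(session_key, msg["nonce"], msg["body"])
```

Note that the escrow holder’s path works on every message ever produced, not just one, which is why losing the escrow key is a compromise of all traffic at once.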

My First ShmooCon – This Time It’s Personal

There are many security cons you can attend. Only one is Shmoo.

In our security community, Shmoo is beloved. Testament to that is how people will go out of their way to attend. The ticket sales tell the story. Two rounds were sold out in mere seconds. Say F5 and everyone knows which con you mean. Yet, no one wants to increase the number of attendees, because then it wouldn’t be Shmoo. This is as far from the hacker throngs at DefCon as it gets. Nor is it the suited industry version, like RSA. Steve Ragan or @SteveD3 put it best: Shmoo is family.

This is a con where hackers come to play. You can set up the actual network on the night before things get started. There’s a massive wireless CTF; a crypto challenge; Hack Fortress; locks to pick; the Tour de ShmooCon contest. You can even win a prize by hacking the barcode.  Because we learn when we play.

Lobbycon at Shmoo is legendary.  A who’s who of InfoSec stand shoulder to shoulder in hoodies with beer. Or Bourbon. Or shine. I loved having my fellow Canuck and very Infosec mentor, Lee Brotherston @synackpse, as my intrepid guide. I got to meet Dave Kennedy – yes, one of the nicest and most knowledgeable members of our community – amidst those mysterious Friday night fire alarms. I was also thrilled to meet the fabulous Katie Moussouris @K8em0 in her Karaoke attire.

But there is nothing like that moment when you actually meet a friend you’ve only known online. For me that was Sarah Clarke @s_clarke22 @infospectives, who came all the way from Britain.  You can read her witty account of ShmooCon here on her blog Infospectives, and I highly recommend reading her regularly.  And then there is the joy of reconnecting with those you already know, like @fl3uryz, @theSweetKat, @snoww, @mzbat and so many more. ❤ to you all. For me, one of the best rewards came when introducing extraordinary people to each other, and facilitating those conversations that would spark ideas, launch projects, and encourage change. This is why we Shmoo.

With so many great moments to share, here are some of my favourites:

  • Playing Cards Against Humanity with @da_667. You haven’t lived til you do
  • Being swung around the dance floor by @bigendiansmalls – who knew!
  • Having Georgia Weidman @georgiaweidman sign my copy of her Pentesting book
  • Meeting up with @maliciouslink and enjoying a great lockpick session.
  • Saturday night Lobbycon pizza from a mysterious benefactor
  • Enjoying the creative force who is Tarah Wheeler Von Vlack @tarah at play
  • A wonderful celebration of Rance @revrance, filling the lobby with his spirit and our voices

At con, there is no bedtime. I’ll have memories that last a lifetime from staying up to listen and learn from @ihackedwhat, @ussjoin, @steveD3 and @viss.  Oh the things you can do with Windows XP.

There were, of course, outstanding talks.  Fire Talks are always great, and the line-up this year featured a good mix of new voices and heavy hitters. First timer Wendy Knox Everette @wendyck came to win, but I have to admit my bias for @da_667’s gift for storytelling.

Jesse Irwin shared her distinctive wit and wisdom on bringing non-tech users in. I caught an excellent panel discussion, “You Ain’t Seen Nothing Yet: New Paradigms for Policy, Regulation, and Community Engagement” addressing some of the hot-button issues we all love to hate when it comes to government and cyber.  Kristin Paget brought her creative brilliance to preventing RFID tags from being read in “Be Free, Little GuardBunny”.  And “Attack on Titans: A Survey of New Attacks Against Big Data and Machine Learning” by Andrew Ruef and Rock Stevens explored another attack vector on our ever-increasing and vulnerable data.

I’m truly grateful I got to see Andrew Kallat @lerg’s talk, “Online No One Knows Your Dead”.  I love the rapid fire banter between Andrew and Jerry on their Defensive Security podcast, but this talk was different. It addressed the unimaginable issues of putting our digital affairs in order when we’re overcome by grief and loss. There were hard lessons offered through the poignant retelling of a real-life story. Thank you to Beth for being both brave and generous enough to share her experience.

Something I heard mentioned often was “Imposter Syndrome”. The term was created in 1978 by clinical psychologists Dr. Pauline Clance and Suzanne Imes, “referring to high-achieving individuals marked by an inability to internalize their accomplishments and a persistent fear of being exposed as a fraud.” Ironically, a good many of us feel just this way. I know I do – I’m no hacker. I don’t have a comp sci degree, or any tech degree. But as we exchanged stories over drinks in Lobbycon, it was reassuring to learn I wasn’t alone in my convoluted path to InfoSec. The truth is that the diversity of our backgrounds and experiences is what makes our community so strong and vibrant. We all belong here; we all have a meaningful contribution to make.

And that led to the Saturday night community building sessions. We pulled up more chairs as people joined, to talk openly about diversity, gender issues, learning styles. How to make first-timers and those new to InfoSec feel welcome. Here are some of the great ideas by an enthusiastic group of great people:

  • Create opportunities, like scholarships, to help more people get to these cons
  • Have ice-breaker events to help n00bs meet more of the community faster
  • Have a welcome/orientation event for con first-timers so they don’t feel overwhelmed and miss things.

In the end, it isn’t about the actual events like parties and talks so much as it is the overall experience and what we come away with. What matters is how Shmoo, and other smaller cons, are more personal; they encourage us to open up and share in a very relaxed and welcoming environment. Shmoo feels like family. For some of us, however, our families haven’t been there. Support and acceptance enable us to pursue our aspirations and to be confident in ourselves.  In my experience, InfoSec is a haven, and a home, because this community takes care of its own.  And that made this con very personal for me. Thanks to the kindness and generosity of good friends, I was able to attend Shmoo. You know I’ll be paying it forward, finding ways to bring people here, to learn, grow, and share with family. A reverent ‘Thank You’ to Heidi and Bruce Potter, and to their fantastic team who made it happen. Shmoo all the things!