Archives For cyber security

lighfish octopus

During the state of the blog update two weeks ago, I mentioned that Shadow Nation was slated for publication on Amazon, where it’s now available, as well as mentioned an open source library designed to make security for smaller applications, or applications that don’t want to use LDAP and maintain more control over how their user credentials work, easier. And that library is now out on GitHub as GuardFish. See, told you I was ready to start getting projects out the door for feedback, and with GuardFish, I’m also hoping for other programmers out there to add their own ideas and incorporate them into their experiments. So if you’re making an app or a website that requires some security and you’re wondering how to get your user and permissions data up and running quickly, here’s what you need to know about GuardFish and its components.

GuardFish.XSM is the DLL where all the main objects live and where the basic logic for logins, authentication, issuing tokens, hashing, and lockouts, is implemented. It helps you perform the basic CRUD operations on your key permission, role, and user objects as well as abstracting all the nitty gritty things like when to lock out a user, for how long, and watch for replay attacks and attempts to access accounts from IP addresses not commonly associated with the user trying to log in. All the default settings can be overriden in your config files to whatever you’d like so if an inspection of the users’ common IP addresses followed by a security question prompt before a login from a new one is allowed sounds like too much work, you have the choice not to do it. But the hashing practices are embedded into GuardFish so you will be using BCrypt for a fairly slow hash, relatively speaking of course, giving you another layer of defense.

GuardFish.XSM.WS is a WCF service wrapper around the GuardFish.XSM DLL so if you want to have multiple UIs use GuardFish for user authentication, you can run this service and hook it up to your UI. It works in concert with a simple access log service that I’ve oh so creatively called AdminLog.RMX which keeps track of what operations were accessed, by whom, and logs errors and exceptions for debugging and audits. One thing to keep in mind is that there is room for you to use the referenced GuardFish.XSM library to make sure only authorized users can modify any data but you should be fine with an allow list that accepts properly formatted requests from your trusted IPs implemented on the server. This way you’re not adding nearly as much overhead as you would with additional code. But again, please, play around and experiment and see what will work for you in your particular setup. If you have a lot of bandwidth, you have a lot of options.

And last but not least, there’s QueryLogic, a key library used by all the other projects to talk to your database. It’s essentially a provider-agnostic wrapper for executing stored procedures and bringing back query results in hash maps. It’s built to be almost as fast as data reader classes, which fetch data and work with it as it comes in, and allows you to simplify your unit testing when you use mockable objects. Just build a QueryLogic hash map, populate it with the data you want to test, and return the result from your mock setup. There’s a catch though. Since the DLLs for stored procedures can be different from setup to setup for Oracle, MySQL, Postgre, etc, what’s available now defaults to a Microsoft SQL command and warns you that another engine has not been implemented yet. But the code is structured in a way that lets you add your provider DLLs, then add your objects and extensions to enable it. Yes, it will take work on your part, but hey, it’s open source and what’s the fun of open source if you can’t modify it as you see fit?

Before wrapping up this post, I believe that an obligatory discalimer is in order. GuardFish is by no means a complete security solution that will stop any hacker and any exploit. There’s no such thing as perfect security because for every better anti-hacking technique, the internet gives us better hackers. What this library does is introduce good security practices recommended by most security experts, and makes them easy to incorporate into your projects. Its goal is to frustrate a hacker by making exploits so time consuming due to tokens and slow hashes that he or she just moves on to a more promising target. Ultimately what you do or don’t do with GuardFish is up to you but I certainly hope you’ll find something interesting in the code and get some good use out of this project. And if you have an idea for how it could be improved, fork it, try it out, and let me know. I’d love to see it and learn something new. If I didn’t like novelty, I wouldn’t be in IT.

[ illustration by VladStudio ]

bozo's botnet

Typically, a distributed denial of service attack, or DDoS, is not really that big of a deal. A few sites will slow down or will be temporarily unavailable, the packets from the attacking IPs will be blocked or null-routed, and everything will be restored with no long term side-effects. This is why few computer security professionals were bothered when Anonymous sieged RIAA, PayPal, and even and with their DDoS kits. They made waves in the news and that’s about all that happened. No data was lost or stolen, and no servers were compromised. However, that was your typical DDoS and one conducted primarily by humans. Laying hidden across the web are sleeping botnets of such monstrous size that they could actually be used as a weapon, and what’s worse, they’re for rent. In my usual regimen of industry news, I came across this account from a Russian-speaking newtork admin of what he called a thermonuclear weapon in the online world: a botnet capable of unleashing a horrifying, server-crushing 130 Gbps attack.

For those of you who don’t know what this means, imagine a network of computers that together flood a victim’s servers with roughly 127 megabytes of data every second. Those who own these computers don’t even know they’re doing it. They’re being controlled by attackers who could be half a world away through a back door installed by some casual game or toolbar they decided to download even though they’ve probably been told a thousand times that downloading a random freebee from the web is like having unprotected sex behind a dumpster in a seedy part of town with someone desperate for meth money. Sorry, sorry, I’ll calm down now. At any rate, when the botnets grow big enough, they can be instructed to bombard a site with a torrent of junk data. It would be a painful enough attack as is, but there are ways to make it worse and DDoS attackers are using them. One of these methods is to call a DNS server open to the entire web posing as the victim IP and make a request that spews out far more data than their botnets could.

It’s known as an amplification attack and you can think of it as introducing someone you just do not like to an extremely chatty guest at a party who replies to the simplest question with so many words, you start wondering how it’s humanly possible to talk so much. Your victim is now stuck in the vocal firing range of the chatty guest who keeps following him around as he tries to run for it without causing a scene. In the technical sense, the attackers are asking the DNS server to give them as much data about itself as possible and forwarding the reply to their victims to boost the sheer amount of data aimed for the target servers by a factor of 50 or 60. Keep doing that long enough and entire subnets can be muscled offline. Amp up the amout of bots and the junk data being sent and you can leave a small country effectively cut off from the outside world. The post from the Russian admin describes how banks on the attacked servers had trouble connecting to each other and keeping their sites reachable among other pleasantries and hints that this may have been the work of an adult site owner renting out a botnet to settle an online dispute.

But how could this be used as a cyber weapon? Well, dictatorships tends to structure their ISPs’ resources in a way that lets them pull the plug on the internet. But what if they can’t just shut off the networks they want to disrupt communications between political dissidents or rebel groups? They can bombard them with wave after wave of powerful DDoS attacks, forcing them to set up new connections and waste a lot of time trying to get back online while they line up their forces for either a physical attack or a series of raids. The bigger the attacking botnet and the bigger a typical packet being sent every second, the longer it takes to block the attackers and recover to full speed unless you run a massive cloud service with thousands and thousands of servers that will let you absorb the blow as you reroute the offending packets into a virtual black hole. So an offensive tsunami of junk data from a huge botnet may not do any real damage, but it’s a rather effective nuisance tactic and if you’re a big e-commerce site, could cost you some real money if enough transactions are disrupted, which may just be exactly what the aforementioned 130 Gbps monster that reared its ugly head in Russia and Ukraine was actually trying to do…

map of the web

Plenty of wailing and gnashing of teeth has accompanied the mostly closed door ITU sessions in which the fate of the free web is supposedly being decided. The global communications group’s head is worried about stopping cyberwarfare and criminals using spyware to pull off heists. The world’s authoritarians and dictators are asking for less online anonymity and more control over what’s being said on the web. The bureaucrats are asking for more centralized oversight on the international level, believing that U.S.-based ICANN to be the internet’s self-appointed masters, despite the ICANN hosting a global advisory board representing over 100 nations. And none of the parties involved in trying to reshape the internet seem to know what they’re doing, almost as if they believe that the global communication networks is a series of tubes they can re-rout with executive orders served to some nerds with gravity-defying ties and black-rimmed glasses. The truth is that whatever they try to do to tame the internet is almost certainly doomed to fail.

First, as it’s been pointed out several times on this blog, filtering and inspecting data generated by web users is impractical, expensive, and won’t catch what those administering the mechanism are trying to catch. Want to try to deep packet inspect all the traffic coming into an IXP? Best of luck there tiger. You will be looking at oceans of data, much of it containing completely useless information, data about background processes, and encrypted transactions. To find a nebulous target in this torrent of bytes is like standing in front of a tsunami and insisting on extracting just an ounce of water from it, and not just any ounce of water but from droplets that started out as a bit of meltwater flowing into a river across the ocean from you. Other than throttling down much of the web to a screeching halt as you parse petabytes of data per day, you’re going to have to give up on this idea. There’s a reason why dictatorships architect their internet infrastructure to easily cut the cord rather than surgically cut down the troublemakers. They know that trying to root out rebels and activists via deep packet inspection alone simply won’t work.

Secondly, you can demand that people use their real names on the web all you want, but there are tools to get around these requirements. Credentials can be spoofed, stolen, or hijacked by someone who has even a modicum of skill, proxies around the world can obscure your origin on the web, and it takes a very dedicated and expensive effort (like the Great Firewall of China) to even make it challenging to hide who you are online if you really don’t want to be tracked. If I run the Tor browser, disable scripts, cookies, and history, and refresh my identity on a regular basis during a browsing session, whatever sites I’m visiting will think I’m from Poland, or Norway, or the Czech Republic. Likewise, they won’t be able to see where I go since they can’t save cookies on my machine or silently load an app in the background via a hidden iframe since Javascript won’t be enabled. Yes, surfing the web like this is rough, but it does make you a lot harder to identify and find unless you’re already on the authorities’ radar for one thing or another, usually political activism outspoken enough to encourage a malevolent regime’s thugs to pay you a visit.

Finally, ICAAN is indeed powerful, but it’s not the end-all-be-all of internet management. It has a vast international advisory board and it handles top level domains and domain name issues; it’s the concierge for the user- and business-friendly aspect of the web. But without ICAAN, you can still have servers running websites. You might need to enter to get to Google in IPv4 or say, 2001:4a2b:6d4f:8f3f in IPv6 to get there, or set up your own DNS server to do your own DNS resolution rather than rely on a large group of professionals to do it for you, but it can be done. In fact there’s a small number of other DNS root providers who index niche domains or try to circumvent the ICAAN roots for ideological and security reasons, essentially creating what amounts to a competing mini-web. So it’s not as if ICAAN has any real monopoly on how much of the web is wired. Likewise, what would controlling ICAAN do for the world’s paper pushers? Their governments can easily register any top level domain they wish for what amounts to a laughable amount of money for them: $185,000 to start and $25,000 a year to renew.

And all that leaves us with the question of what the ITU is trying to accomplish. If they can’t deep packet inspect the web for safety, force people to use their real names, and force the wasteful and unnecessary experiment of creating a non-U.S. ICANN clone, what’s the point of all the big, dramatic meetings? Well, bureaucrats have meetings. It’s just what they do. Their job is to meet and talk about things, then talk about other times they met to talk about related things. Policy is made either at the blistering pace of a narcoleptic turtle on sodium pentothal or cobbled on the fly when an emergency strikes and new laws have to be enacted quickly to soothe the public or authorize a new course of action. But in the meantime, the bureaucrats meet and talk with little to nothing coming out of the meetings. If anything, this ITU summit looks like paper pushers with a more or less passing idea of what the web is — not the internet mind you, just the web — giving each other their wish lists for what they could do with it. And let’s remember what happens with a lot of wish lists. They get discarded when the wishes actually have to be turned into reality.


When a Bond movie comes out, you pretty much have to go see it. I mean come on, it’s a Bond movie, right? In the latest installment, 007 is taking on a computer hacker of sorts and shows us just how little research screenwriters tend to do about technology. While Bond’s brash and bold style of field work is somewhat passable with a little suspension of disbelief from the audience in the grand scheme of things — do we really need to go into detail why not staying low and using some very carefully crafted aliases and passports is a bad idea in spy craft? — the key crimes of the film’s villain, Agent Silva, sound as if the writer skimmed a few Wikipedia pages, pulled out a few impressive sounding buzzwords, and randomly jammed them into the film. And the resulting mix of buzzword salad and technobabble drew me out of the story like an icy slap to the face.

Look, I know, I know, it’s just a movie and a Bond movie at that, and so I’m willing to believe that an agent who needs to shovel painkillers and pour scotch down his gullet to function could still beat the living crap out of an international assassin on a very high level floor of a new Shanghai skyscraper. I’m also willing to give Bond the 600 foot fall that should’ve shattered his body into a million pieces. But when M is telling her assistant to “strip the headers” to pinpoint the source of a hack, my inner professional geek rebels, mostly because the headers is there the data she’d want can be found since it carries the request IP. She basically asked one of the top intelligence agencies in the world to do the equivalent of taking a letter out of its addressed envelope, throw that envelope away, and use the letter to figure out from where the envelope came. Ugh.

And when the tech jargon isn’t just plain wrong, it’s meaningless. When Bond is told that a hard drive containing the name of every NATO agent embedded in terrorist groups is “encrypted with an asymmetric encryption” we’re supposed to get the idea that it’s really tough to crack because the encryption is asymmetric. Classified data is generally encrypted using a Triple AES cipher, an updated block cipher first created in 1998 in a competition to create a brand new encryption standard, and as a block cipher, it’s strength is measured by key size. The bigger the key size, the harder it is to decrypt. So if MI6 wanted to explain to Bond how dire the situation is while still sounding computer literate, they would fret that Silva cracked say, a 2,048 bit key. That’s a very badass thing to do and would mean that Silva can summon NSA-scale resources, and well in line with some very basic information security jargon you can see on most tech blogs.

Finally we have an egregious scene in which Q tried to decrypt Silva’s hard drive contents. If we were to believe Q, only six people in the world could write polymorphic code and that using code obfuscators makes things ridiculously difficult to decrypt. There are exactly two problems with all that. One: polymorphic code in malware is so common that anti-virus companies have a special algorithm to detect it, an algorithm you can easily find online since it’s been published sometime in the late 1990s. Two: obfuscated code is generally quickly deobfuscated because for every obfuscator there is a deobfuscator out there. By the time a plain text password appeared in what was otherwise a wall of hex — which is what you would see if you tried to reverse engineer code you found suspicious — so blatantly obviously that even the computer illiterate Bond noticed it, I was slumped in my seat, sobbing softly into my sleeve. What in the hell was that?

Again, I know it’s just a movie, but at the same time, just consider that a few days of rudimentary research could’ve created a much better picture of real cyber threats facing world governments and might have even given the writers new plots for Bond movies. Silva mentioned destabilizing entire countries by manipulating stock markets. You could totally do that! I could even explain a hypothetical step by step process of how to make that happen with a mix of social engineering, high frequency trading algorithms, and customized hacking tools while you hobnob with the elite traders of the world’s foremost financial hubs. (Screenwriters in search of new ideas, you know how to reach me, just click the About page…) And that’s certainly a worthy task for Bond to dive into, isn’t it? Think of how much press a properly researched and computer literate movie about hacking and espionage could generate. Seriously Hollywood, stop being lazy about technology and do your homework. You’ll get fun plots and save the geeks in the audience a lot of angst…

Having established why antivirus software can’t really deal with cyberweapon-grade malware, let’s take a look at the really big news in the world of both information security and politics, an official reveal of Stuxnet’s origin as excerpted in the New York Times, and which at this point wasn’t much of a surprise to anyone. The entire web was certain that it was created by the NSA and that the process somehow involved Israel because some of the malware’s critical flow controls were peppered with references to Jewish history and myth. But as the world now acts shocked that what they very vocally and unambiguously suspected actually happened, the contingent of Americans convinced that a cyber attack could cripple the nation’s infrastructure are now waiting for the other shoe to drop. After all, while nations like Iran wouldn’t be able to offer a conventional response to a worm that crippled some of their centrifuges, isn’t creating malware much simpler and just as effective as a couple of bombs, and aren’t there thousands of network and software vulnerabilities to exploit as payback?

Well, if you recall one of my earlier posts on the subject, the second part of that statement is true but the first comes from a massive overestimation of what computers can and can’t do. As noted before, yes there are an amazing number of potential vulnerabilities, or infection vectors if we want to get fancy, but the vectors expose different functionality and far from all of the exposed functionality will actually let you do real damage. There’s a reason why it took a while to write Stuxnet; it had to use several different hacks to get into the right machine, it required expertise not only in how the centrifuges worked, but in how Siemens Step 7 operated and the OB35 data block structure, and finally, needed fake digital certificates to mask its true payload and convince humans to let it out of its sandbox and gain the access it needed to unpack and get to work. In other words, this wasn’t an easy task and by the nature of the beast, the software has to be extremely specialized. Drop any old worm into a control center of a power plant and it’s going to error out and be discovered when a system admin goes over the event log which would more than likely record the errors thrown by the worm during a crash.

Again, I’m sure that Live Free or Die Hard was a fascinating movie, but were it based in the real world instead of a technophobe’s nightmare, the hackers would’ve taken months to gain control of a small local power grid and would’ve spent tens of thousands of dollars at least to test their worms on real equipment they think was being used by the grid they were targeting. Spyware is an entirely different matter altogether and software a lot like Flame is nothing new. In fact, over the last five to seven years, hardly a few months go by without articles mentioning some mysterious spyware attributed to China found on computers of officials in big international organizations, or in a U.S. lab working on national security matters. Does anyone really think that the U.S. isn’t going to spy back or try to gather intelligence on regimes with which it has an antagonistic relationship? True, it is so far the only country known to have used malware as a weapon, but it did so for a subtle act of industrial sabotage rather than a conventional military attack, and acts like this very, very rarely result in war since spying and sabotage are facts of life for nations. In a high profile case there’s a lot of tough talk, a lot of threats, but as soon as the press coverage fades, the saber rattling fades with it as things more or less return to normal.

Contrary to the gripes of many security types, your antivirus software is not useless. Were you turn it off, many routine infections from contaminated websites, that nowadays are more likely to ask you to give to the poor than to pay for a live nude webcam show, would quickly turn your computer into a gold mine for a lazy identity thief armed with simple viruses. Really advanced and powerful malware using zero day exploits, however, will always elude it because that’s the nature of the arms race between virus writers and antivirus makers. Those with the means and motive attack systems and applications, the companies and researchers who discover a security breach either patch the vulnerability if possible, or add a new algorithm to look for the threat signature in the future, such a self-modifying files or local services suddenly trying to open an internet connection. And a piece of malware that slips by the antivirus and doesn’t get reported can work in silence for years, just like the widely reported cyberweapons Stuxnet and Flame did. To explain how these worms went unnoticed, both Ars Technica and Wired, published a self-defensive missive by an antivirus company executive which basically boils down to an admission of defeat when it comes to proactively recognizing sophisticated malware.

Slightly longer version? Some of the most advanced cyberweapons work a lot like typical software and uses a lot of the same tools, or uses legitimate frameworks and packages included in most legitimate software as a launching pad for deploying hidden code designed to act in the sort of malicious ways antivirus would flag as an attack but executed in a way that circumvents the channels through which it would scan. So when Flame is installed, the antivirus checks its components, probably saying to itself "all right, we got what looks like a valid certificate, SQL, SSH, some files encrypted using a standard hashing algorithm… yeah, it all checks out, that’s probably a network monitoring tool of some sort." And herein lies the problem. Start blocking all these tools or preventing their installation and you’re going to cripple perfectly valid applications or make them very difficult to install because every bit of them will have to be approved by the user. How does the user know which piece of software or what DLL is legitimate and which one is not? For the antivirus to help there, it would need to read the decompiled code and make judgments about which behaviors are safe to execute on your machine.

But having an antivirus suite decompile and check the code of every application you run for possible threats is not much of a solution because the decisions it makes are only as good as the judgment of the programmers who wrote it, and because a lot of perfectly legitimate applications have potentially exploitable code in them; a rather unfortunate but very real fact of life. Remember when your antivirus asked you if a program you installed just a couple of minutes ago could access the internet or modify a registry key? Just image being faced with a dialog asking you to decide whether some potentially exploitable function call in one of your programs should be allowed to run or not, faced with the following disassembly snippet to help you make a decision…

00000010 89 45 E4              mov    dword ptr [ebp-1Ch],eax
00000013 83 3D A4 14 9D 03 00  cmp    dword ptr ds:[039D14A4h],0
0000001a 74 05                 je     00000021
0000001c E8 5E 40 3D 76        call   763D407F

Certainly you can see why an antivirus suite that tries to predict malicious behavior, rather than simply watch if something suspicious starts happening on your system, simply wouldn’t be practical. No user, no matter how advanced, wants to view computer-generated flowcharts and disassembly dumps before being able to run a piece of software, and nontechnical users confronted with something like the scary mess above may just turn their computers off and sob quietly as they imagine their machines crawling with viruses, worms, back doors for identify thieves looking for their banking information, and other nightmarish scenarios. Conspiracy theorist after conspiracy theorist would start posting such disassembly dumps to Prison Planet, Rense, and ATS, and portray them as proof that the Illuminati are spying on them through their computers. Unless we want to parse every function call and variable assignment, look into every nook and cranny of every bit of software we’ve ever installed, or write our own operating systems, browsers, and applications, and never using the web, shutting off and physically disconnecting all our modems, we’ll just have to accept that there will always be malware or spyware, and the best we can do is keep our systems patched and basic defenses running.

A while ago, I wrote about the overhyped dangers of cyberattacks and the problems with using them to ruin an opponent’s infrastructure as imagined by doomsayers on Capitol Hill. And while the media is slowly but surely getting closer down to earth about the threat, a proper scholarly rebuke has been published to give the press even more guidance on what cyberwarfare is really like and why it’s not the long anticipated holy grail of asymmetric engagement for rogue nations. Short version? Since there’s a limit on how much an attack would do to a militarily superior enemy, an attacker would have to back up actions in cyberspace with planes, ships, missiles, and even good, old fashioned boots on the ground when a conventional response comes, and the militarily powerful nation states that may be targeted are far from helpless against hackers and malware, and will also launch their own cyberattacks on enemy infrastructure when provoked. So if you really think you could zap a major regional or global player into submission with a virus, you’ll need to rethink your strategy…

As mentioned in previous posts, an advanced energy and transportation infrastructure is huge, and though it’ll have its vulnerabilities, the sheer number of thoroughly researched and tested exploits it would take to impact even a small part of it would be daunting even for a fully fledged hacker army working around the clock. Salvos in a cyber war would rely on the assumption that the discovered vulnerabilities haven’t been patched, many of the targets are exactly what the hackers think they are, and that the exploits won’t be detected long enough for all the viruses to open back doors to critical systems while the IP addresses won’t change until the green light for the attack is given. Oh and once this massive effort is discovered, expect most of the exploits used to get a quick patch, which means that new exploits will have to be found to mount a new attack. Disguising an attack is also getting progressively harder as militaries and intelligence agencies find new ways around obfuscation tools or how to hijack them to trace previously untraceable attacks. And that raises the possibility of cyber war triggering a conventional one if the attack is severe enough or physically hurts the target nation’s civilians.

All that said, there may be an important caveat to consider. Both the academic rebuke and the objections to a lot of popular cyberwarfare gloom and doom address the idea of malware being used as a weapon, just like the Stuxnet virus was thought to have been used. In reality, cyberwars may actually employ spyware like the newly found Flame suite which has silently been infecting computers in the Middle East and North Africa for a few years at least. Rather than trying to crudely bludgeon each other’s infrastructure, nation states seem to be focused on gathering intelligence to better aim diplomatic brawls and conventional strikes. And that makes a great deal of sense. Why huff and puff to shut off a power plant two two after months if not years of painstaking effort when you can precisely identify where and how to carry out a attack, or sneak a peek at what your enemy might be planning behind closed doors? It’s much easier and more effective anyway since you have fairly well known and difficult to patch attack vectors to exploit, vectors like social media, e-mail, or servers which haven’t been properly updated and store easily accessible and weak passwords. Infiltrations can be subtle and last much longer without requiring esoteric knowledge. Unlike we’ve been told so many times, cyberwar won’t get here with a bang but with an insidious whisper, and its main goal won’t be to destroy, but to quietly steal.