Archives For infosec

[ illustration: lighfish octopus ]

During the state of the blog update two weeks ago, I mentioned that Shadow Nation was slated for publication on Amazon, where it’s now available, and mentioned an open source library designed to make security easier for smaller applications, or for applications that don’t want to use LDAP and want to keep more control over how their user credentials work. That library is now out on GitHub as GuardFish. See, told you I was ready to start getting projects out the door for feedback, and with GuardFish, I’m also hoping other programmers out there will add their own ideas and incorporate them into their experiments. So if you’re making an app or a website that requires some security and you’re wondering how to get your user and permissions data up and running quickly, here’s what you need to know about GuardFish and its components.

GuardFish.XSM is the DLL where all the main objects live and where the basic logic for logins, authentication, issuing tokens, hashing, and lockouts is implemented. It helps you perform the basic CRUD operations on your key permission, role, and user objects, and it abstracts away all the nitty gritty things like when to lock out a user and for how long, watching for replay attacks, and spotting attempts to access accounts from IP addresses not commonly associated with the user trying to log in. All the default settings can be overridden in your config files to whatever you’d like, so if an inspection of the user’s common IP addresses followed by a security question prompt before a login from a new one is allowed sounds like too much work, you have the choice not to do it. But the hashing practices are embedded into GuardFish, so you will be using BCrypt for a fairly slow hash, relatively speaking of course, giving you another layer of defense.
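To make that policy concrete, here is an added Python sketch (not GuardFish’s own code, which is C#/.NET) of the behaviour described above plus the expiring tokens for account changes mentioned later on this page: a deliberately slow hash, lockout after repeated failures, a challenge when the right password arrives from an unfamiliar IP, and single-use tokens that cannot be replayed. The thresholds are assumptions, and the standard library’s scrypt stands in for BCrypt so the block runs without extra packages.

```python
import hashlib, hmac, os, secrets, time
from dataclasses import dataclass, field

# Policy knobs; GuardFish makes its equivalents configurable. These values are assumptions.
MAX_FAILURES = 5             # failed logins before the account locks
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
TOKEN_TTL_SECONDS = 10 * 60  # lifetime of a token issued for an account change

def hash_password(password, salt=None):
    """Slow password hash. Stand-in for GuardFish's BCrypt: stdlib scrypt, also deliberately slow."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)

@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    known_ips: set = field(default_factory=set)  # addresses this user has logged in from before
    failures: int = 0
    locked_until: float = 0.0

def create_user(name, password, first_ip):
    salt, digest = hash_password(password)
    return User(name, salt, digest, {first_ip})

def attempt_login(user, password, ip, now=None):
    """Returns 'ok', 'challenge', 'denied' or 'locked'."""
    now = time.time() if now is None else now
    if now < user.locked_until:
        return "locked"  # no hash check while locked, so the lock is not a password oracle
    _, digest = hash_password(password, user.salt)
    if not hmac.compare_digest(digest, user.digest):  # constant-time comparison
        user.failures += 1
        if user.failures >= MAX_FAILURES:
            user.failures, user.locked_until = 0, now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
    user.failures = 0
    # Right password from an unfamiliar address: the caller must ask a security question
    # first and add the address to known_ips only once that challenge succeeds.
    return "ok" if ip in user.known_ips else "challenge"

def issue_token(store, user, purpose, now=None):
    """Single-use, expiring token for a sensitive account change (e.g. a password reset)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[token] = (user.name, purpose, now + TOKEN_TTL_SECONDS)
    return token

def redeem_token(store, token, user, purpose, now=None):
    """Accept a token once; popping it from the store makes a replayed token fail."""
    now = time.time() if now is None else now
    entry = store.pop(token, None)
    return entry is not None and entry[:2] == (user.name, purpose) and now <= entry[2]
```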

GuardFish.XSM.WS is a WCF service wrapper around the GuardFish.XSM DLL, so if you want to have multiple UIs use GuardFish for user authentication, you can run this service and hook it up to your UI. It works in concert with a simple access log service that I’ve oh so creatively called AdminLog.RMX, which keeps track of what operations were accessed and by whom, and logs errors and exceptions for debugging and audits. One thing to keep in mind is that there is room for you to use the referenced GuardFish.XSM library to make sure only authorized users can modify any data, but you should be fine with an allow list implemented on the server that accepts properly formatted requests from your trusted IPs. This way you’re not adding nearly as much overhead as you would with additional code. But again, please, play around and experiment and see what will work for you in your particular setup. If you have a lot of bandwidth, you have a lot of options.

And last but not least, there’s QueryLogic, a key library used by all the other projects to talk to your database. It’s essentially a provider-agnostic wrapper for executing stored procedures and bringing back query results in hash maps. It’s built to be almost as fast as data reader classes, which fetch data and work with it as it comes in, and it lets you simplify your unit testing when you use mockable objects. Just build a QueryLogic hash map, populate it with the data you want to test, and return the result from your mock setup. There’s a catch though. Since the DLLs for stored procedures can differ from setup to setup for Oracle, MySQL, PostgreSQL, etc., what’s available now defaults to a Microsoft SQL command and warns you that another engine has not been implemented yet. But the code is structured in a way that lets you add your provider DLLs, then add your objects and extensions to enable it. Yes, it will take work on your part, but hey, it’s open source and what’s the fun of open source if you can’t modify it as you see fit?

Before wrapping up this post, I believe that an obligatory disclaimer is in order. GuardFish is by no means a complete security solution that will stop any hacker and any exploit. There’s no such thing as perfect security because for every better anti-hacking technique, the internet gives us better hackers. What this library does is introduce good security practices recommended by most security experts, and make them easy to incorporate into your projects. Its goal is to frustrate a hacker by making exploits so time consuming, due to tokens and slow hashes, that he or she just moves on to a more promising target. Ultimately what you do or don’t do with GuardFish is up to you, but I certainly hope you’ll find something interesting in the code and get some good use out of this project. And if you have an idea for how it could be improved, fork it, try it out, and let me know. I’d love to see it and learn something new. If I didn’t like novelty, I wouldn’t be in IT.

[ illustration by VladStudio ]

[ illustration: overcaffeinated squirrel ]

Ok folks, I know my posting frequency this month has been atrocious and it’s been a long, slow slide down from daily analysis and opinion pieces to once or twice a week fact-checks, but if I can be bluntly honest with you, this has been a prison shower of a month so far, and virtually all the projects planned for it ran into problems or have been going slower than they should, often due to circumstances out of my control. However, I’m catching up, knocking as many of them out as I can, and getting them polished and presentable to the outside world. And yes, this means more posts and more fun stuff for you to check out, discuss, or even use if you feel inclined to do so. What are these projects? Well, here are two of them for your review…

First and foremost, I’ve spent as long as possible editing, reviewing, and beta-testing the draft of Shadow Nation, the first part of which was once posted on this blog in three blocks (one, two, three) to quite positive feedback. In fact, I still get the occasional question of when more of the book will be posted or when it will be available for sale. Well, after a couple of days and nights buried in InDesign to optimize Shadow Nation for Kindle Fire and get it as good as possible on the other Kindle devices, I’m releasing it on Amazon with a $3.99 list price. While much of what you’ll see in the previews posted here is still in the final version, there have been a few edits to these chapters, especially the first five. So if you’re interested in previewing Shadow Nation on Weird Things first, you’ll still get a pretty close peek into the book, and I’d certainly encourage you to do that, especially because I know I’d do exactly the same thing.

Now, it takes a little while for the book information to get loaded, so when the sneak peeks, the product cover, descriptions, etc., are up and running, I’ll make the official announcement with a full account of what the book is all about and why you should seriously consider parting with the same amount of your hard-earned dollars for Shadow Nation as you would for a medium latte at your nearest coffee shop. Well, other than the fact that the latte will be gone in minutes while the book will last you days, stay on your reader for years, and hit on all the topics you’ve seen explored in depth on Weird Things, topics such as transhumanism, the future of warfare, alien contact and astrobiology, and of course, conspiracy theories and dealing with societal rifts. But more on that when the book is officially ready for download.

Secondly, if you’ve noticed a small up-tick in my posts about computer security, hacking, and the problems with how a lot of people approach security, you know I take security matters seriously and want to bash my head against the wall when I hear about terrible infosec practices giving a hacker the keys to hijack important data. So I decided to do something about several egregious security lapses and put together a tool to help guard against them. It’s called GuardFish, and it’s a library that keeps track of your application’s users and their roles, enforces slow hashes and the use of expiring cryptographic tokens for important changes in user accounts, and allows for flexible and far more diverse security questions than most other systems. It’s certainly not a new encryption system or hashing algorithm and it’s not going to cover every security measure you’ll need to keep in mind, but it gives developers a good place to start and covers often overlooked parts of user management while encouraging you to build in security throughout your app.

GuardFish will be an open source project on GitHub for .NET, as a DLL and as a web service at first, and will be given a UI shortly after. It should also be usable for Android and iOS projects in its C# .NET form with Xamarin, so there’s potential to extend its support for strong hashes and key security practices, recommended by numerous experts as a good way to stop many a script kiddie from easily getting his mitts on your user data, deep into the mobile space as well. There will also be eventual support for Oracle as well as SQL Server, so developers who don’t want to deal with directory services (which typically use easily crackable MD5 hashes) and giving every user the potential to access their networks can get their apps’ security running in minutes with any of the three most frequently used database engines. It’s a little more nerdy than a book, I’m aware, but it’s a fun project with real uses and will hopefully provoke some interesting debates about basic security, because too many people take it way too lightly.


While reporting about cyberwarfare and information security has been getting better and better as of late, there are still some articles that posit baffling ideas about how to prevent a massive cyber attack launched by a government. The strange idea in question this time is one which has a good starting point, but ends up imagining cyber attacks as one would imagine a conventional siege, somewhat reminiscent of The Battle of Thermopylae. Rather than envisioning an attack from the cloud able to hit a target out of the blue, it tries to portray network topologies as a kind of unseen battlefield on which one side can gain an advantage by exploiting the landscape…

Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet “backbone.” International traffic, including attacks, enters the United States over this “backbone.” The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked.

Technically yes, you can use the main switches where the fiber stretching across the oceans reaches your shores and have a deep packet inspector check the headers of incoming packets to flag anything suspicious. But this really only works for relatively straightforward attacks and can easily be avoided. If you’re trying to inject a worm or a virus into a research lab’s computer, you’ll have to get through an anti-virus system which will scan your malware and compare its bytes to as many virus and worm signatures in its database as it reasonably can. With the sheer amount of malware out there today, these tools are good at stopping existing infections and their mutant versions. However, brand new attacks require reverse engineering and being run in a simulated environment to be identified. This is how Flame and Gauss went undetected for years, and they were most likely not even spread via the web but with infected flash drives, meaning that efforts to stop them with packet inspection would’ve been absolutely useless.

A deep packet inspector sitting at MAE-East or MAE-West exchange points (or IXPs) would have to work like an anti-virus suite if it is to do what the author is proposing, so it can stop someone from downloading an obvious virus or bit of spyware from a server in another nation or deny an odd stream of packets from China or Iran thought to be malicious, but it’s not a choke point in any conventional sense. IXPs are not in the business of being a traffic cop, so having them take on that role could have serious diplomatic repercussions, and aggressive filtering could have all sorts of nasty downstream effects on the ISPs connected to them. Considering that trying to flag traffic by country could be foiled by proxies and IP spoofing, and that complex new attacks would easily be able to slip by an IXP-based anti-virus system, all the effort may not be worth it in the long run and may simply cause glitches for users trying to watch Netflix or surf foreign websites to read the news in another language, all while trying to prevent threats users can easily manage themselves.

So if creating IXP chokepoints would do little to stop the kind of complex attacks for which they’d be needed, why has there been so much talk about the Pentagon treating the internet as a top national security concern and trying to secure networks across America, or at the very least, be on call should anything go wrong? Why is the Secretary of Defense telling businesspeople that he views cybersecurity as the country’s biggest new challenge and has the Air Force on the job? My guess would be that some organizations and businesses simply haven’t been investing the time and attention they needed to be investing in security and now see the DOD as the perfect, cost-effective way to secure their networks, even though they could thwart attacks and counter-hack on their own without getting the military on the case, perhaps not even realizing that they’re giving it a Sisyphean task. If they know they’re targets, the best thing for them to do is to secure their networks and be aggressive about hiring infosec experts, not call in the cavalry and expect it to stop a real threat from materializing since it simply can’t perform such miracles…

[ illustration: dead cyber spy ]

Nowadays, if you hack into a company’s servers, the company might hack you right back. No, it won’t wipe your hard drive or infect you with a virus, of course. The goal is to figure out who you are and what you’re after, primarily because some of the most advanced hacks over the past few years have been cases of industrial and military espionage. And this is where legal wonks are arguing that the government should step in, lest a company issue a retaliatory cyberattack only to find that its target is actually a foreign intelligence agency. Case in point, Google. After a very sophisticated attack on its servers coming from China and a messy international incident which saw a heated back and forth between the Chinese Communist Party and the company, the tech titan hacked back and found that its attackers were targeting defense and other tech companies with menacingly complex scripts, and the group, dubbed the Elderwood Gang, is still at it.

Their easy access to zero day exploits and the coordination required to pull off their favorite type of attack point to backing from someone who can afford to employ highly skilled programmers and wants to spy on foreign defense and tech contractors, trying to steal blueprints, e-mail, and source code. Basically, what I’m trying to say is that prevailing rumor paints the Elderwood Gang as a part of the Chinese cyber-army long suspected of stealing classified documents from the U.N. and a lot of First World military contractors and government agencies via spyware. As the vast majority of the wired world knows, the United States isn’t exactly a hacking lightweight and it more than likely deploys some very sophisticated spyware and malware of its own. So, say the legal wonks mentioned above, have the Air Force and the NSA tackle sophisticated hackers, not companies that find themselves riddled with foreign spyware. It could’ve come from a Facebook game someone was playing at work and be trying to steal logins to PayPal, or it might be a worm from another government, and hacking them back would provoke an international incident which would have to escalate all the way up to the military. But is that a workable approach?

No, not really. Fact is that the vast majority of infections are trying to steal financial information and/or turn your computer into a bot for DDOS attacks. Not only that, but the malware kits used to make viruses and worms are exploitable too. Only a tiny sliver of all the nasty stuff you might catch surfing random sites without some very heavy duty firewalls and strict privacy and browser settings is actually complex malware from a nation state, and even then you’d have to be a very highly visible defense or tech company, since these attacks tend to come from whaling (which is like spear-phishing but targeted at high level executives) and compromised industry message boards, blogs, and forums. Small fry don’t interest the spies much, so it’s really the Lockheed Martins, EADS’, and Northrop Grummans of the world that should be worried, but considering their cozy relationship with the militaries of their home states, they can always escalate things when they need to. And since all this is being done in secret, I’d highly doubt that a foreign intelligence agency hacked in retaliation will cry foul. That would just be an admission of guilt and the start of a major diplomatic clusterscrew.

Were we to start reporting hack attempt after hack attempt and infection after infection, we’d so quickly swamp cybersecurity experts at the NSA and the Air Force that they’d be buried under a massive backlog of things to investigate within weeks while the torrents of reports keep on coming. Antivirus makers already have vast databases running 24/7/365 that can identify who was infected with what kind of virus and how to remove it, and they can keep up with 99.9% of infections out in the wild. Considering that they’re the primary discoverers of cyber weapons in use, they’re more than up to the job and can do it without defense establishments getting involved in their daily work. And when we take into account the sheer number of random trojans and worms out there, a hacked company has a 99.9% chance of pinging random hacker crews rather than something as threatening as the Elderwood Gang or as sophisticated as Flame or Stuxnet, and even then, no one on the other end will make a peep because doing so would be a lot worse than keeping quiet and letting the retaliating businesses get away with it. Treaties and tens of billions in trade may be at stake, so it’s best to just let the accusations die down and resume the spying later. So if you get hacked, go ahead and hack back. You’re not going to start any wars by doing it.