Sunday, February 14, 2010

APT Dilemmas

The last month has seen a plague of comments and "expert" opinions materialize related to the Advanced Persistent Threat (APT). In the majority of cases, I'd have to class those very same comments and opinions as ambulance chasing tripe - by people that either have over active imaginations or are just simply looking to capitalize on the confusion generated by the media.

Sure, we're all entitled to our opinions, but there's more to all this. If many of these comments and expert opinions had been directed at an individual or corporation, those "experts" would have found themselves in court over slander charges many times over by now. So perhaps they're personally lucky that their ignorant and ill-educated comments haven't resulted in such actions. On the other hand though, they would appear to be adding kindling to a growing wildfire which will likely affect us all.

There are of course multiple camps of thought in every argument. For many (former) military types, it often appears to be about Nation States driving and incentivising hacking teams to target the assets of a foreign entity. That's they way they were trained to think. Similarly, Nationalism comes in many shapes and forms - and varying degrees of dedication - ranging from wearing a lapel pin through to chanting a pledge of allegiance to a flag (or deity, or prophet) each day. Every country, population or group has different levels and ways of showing nationalistic pride or reverence.

I believe that this applies greatly to APT's. The ability to acquire, retain and motivate a team of hackers capable of orchestrating and executing an APT campaign against a target (global conglomerate, strategic technology provider or government department, etc.) goes beyond meeting a specified financial compensation plan. APT campaigns aren't for the feint of heart. They require a degree of dedication not normally seen in most cyber criminal attacks.

That is not to say that someone can't simply go online and hire a bunch of hackers and build out a team to launch an APT campaign. That's not particularly hard - especially if you've got the cash. However, to keep a campaign flowing and obtain the level of persistence needed to keep the cross-hairs on a target for a year or more - well, that requires something more.

For one thing, running such a long campaign is probably going to need a core team that shares similar (if not identical) core values - nationalistic, political, religious, etc. - and is willing to dedicate the time needed. The dedication element can be brought easily enough, while the core values aspect means that the hacking team will likely have shared many experiences in the past. This of course doesn't prevent the campaign from engaging other external entities and subcontracting out either more specialist attacks or delivery options, but it does mean that tactical elements of the campaign can be passed on to third-parties as and where needed.

So, the dilemma with APT's is that they're a campaign strategy rather than an exploit, hack or attack vector. Which of course confuses many people who think of things solely in terms of attackers and tools - rather than objectives and motivations.

Would I class APT's as nation-state strategies serving as a precursor or reconnaissance for cyber-war? In some extreme cases, yes. I've met and probably helped train (in some fashion or other) several of the individuals that work this angle and are prepared to engage in these kinds of activities. However, many more of these people would refuse to engage in these activities out of nationalistic pride or prejuidice - but are only too happy to offer their persistent attention and services for a fee; being ideal candidates for longer term corporate espionage (e.g. back-dooring of oil pipeline control systems, targeting pharmaceutical research laboratories, accessing patent filing and tracking systems, etc.).

Then again, motivations for engaging and conducting an APT campaign can vary a lot - searching for UFO evidence, saving the whales or even targeting car manufacturers that attempt to hijack and steal other peoples Internet domain names - are all past causes capable of wedding a team together and working towards a common objective.

So, a word of advice then. It's dangerous to think of APT's as being wielded solely by nation-states. Unfortunately APT's are a fact of life - and have been so for well over a decade now. It's just that they've only been spoken about in hushed voices within closely closeted communities before Google said enough is enough to the secrecy.

Monday, February 8, 2010

Internationalized Domain Names and IPv6 Security

There are three fundamental changes happening right this minute to the Internet we all know and love - each of which will allow it to grow and allow more people to access it or profit from it. As we know from experience, nothing ever stands still for the Internet. Like life on the African Savannah, the old and the sick are easy prey to those who are faster and more agile. Old and vulnerable software, along with aging infrastructure, quickly fall prey to swift and orchestrated attacks from around the world.

Which brings me to the discussion over three of the most important changes on the Internet for quite some time – all of which appear to be reaching their crescendo at the same time. While I’m silently hoping that most people are familiar with the three, I suspect that very few people are as up to speed as they need to be. Which three? IPv6, Internationalized Domain Names (IDNs) and DNSSEC.

Incremental testing and roll-outs of these three technologies has been ongoing for way too long – but it seems that they’re all hitting the Internet (and consequently the Enterprise) at round about the same time. DNSSEC, the late starter, would appear to be in pole position to reach widespread deployment first. Meanwhile IPv6, a technology that has been on the drawing board for over a decade, is finally finding its feet as prophets predict the end of the Internet as old-style IPv4 addresses run out.

From a security perspective, DNSSEC is most strongly affiliated with “making the Internet better” – that is to say, it was designed to overcome many of the security weaknesses and failures of past DNS specifications, implementations and deployments – in particular, certain types of attacks directed at cache poisoning. For enterprise environments, DNSSEC strengthens the overall security of DNS servers and will make them more resilient to many of the attacks that have plagued the Internet for the last couple of decades. There is even talk about how this technology, once deployed widely and mandated for Internet use, will help reduce persistent threats such as spam and phishing. That said, it’s one of the technologies I’d class as important from a security perspective, but isn’t really going to affect the criminals adversely. Great defensive advances from a hacker/cyber-war perspective, much less so from a criminals perspective.

The two other technologies – IPv6 and IDNs – on the other hand are much more interesting from a security and criminal perspective, as they potentially open the doors to many new forms of abuse and attack vectors. I use the term “potentially”, but in reality I mean that they will obviously enable new forms of attacks and enhance many of the existing attacks that have plagued the Internet throughout the last decade.

I’m not going to go in to the technical details of these technologies – if you’re interested in finding out more about them, go HERE for the IPv6 information and HERE for the IDNs information. What I will point out though is that these two technologies have a far reaching impact upon both the vectors through which the bad guys can attack an enterprise through, and upon the security technologies used to detect and analyze subsequent attacks.

IDNs and IPv6 shouldn’t be thought of as an upgrade to existing Internet standards or networks – i.e. migrating from Internet 1.0 to 2.0 – but could conceivably be thought of as a parallel universe where things are kind of familiar, but different at the same time.

How could I describe the changes between IPv4 & IPv6 and the traditional domain system & IDNs? By way of analogy, think about good, old fashioned, radio. The traditional domain name and registration processes (with all the 2LD and 3LD definitions), along with the traditional IPv4 networks can be thought of as operating over AM Radio. Meanwhile IDNs and IPv6 can be thought of as FM Radio. That is to say, moving from one to the other isn’t the same as just turning the dial left or right in search of a new station or frequency. Rather, we’re talking about a kind of change that requires a different kind of receiver – and without the right receiver (AM or FM) you’re not going to be able to pick up the new channels.

The analogy only goes so far though. But just like the electromagnetic waves of radio transmissions are undetectable without the correct receiver and the right tuning, the same concepts apply to IPv6 and IDNs advancements. Without ensuring that your security technologies can actually handle these changes to the Internet or enterprise network, there’s no way you’re going to be able to detect them being abused for malicious and criminal purposes.

A likely question from readers is going to be “Are the bad guys abusing these technologies already?” From casual observation and perhaps being tainted by too many years having to think and act out as one of the bad guys, the answer has got to be “Yes”. But, on the plus side, not to a noticeable or damaging level yet. The bad guys are still in an experimental and prototyping phase – examining the potential vectors for abuse – and largely waiting for the time when it becomes worthwhile launching meaningful attacks that abuse IPv6 and IDN rollouts. I have no doubt that many of the criminal service providers are priming themselves for the new revenue models and competitive edge.

The question I’d leave for readers in return though is “do you think your security systems are capable of detecting and reporting abuse of IPv6 and IDNs?”

Think about it. Which systems and processes do you have in place capable of detecting a brand new phishing site hosted as www.eBay.com where the “B” is the Cyrillic letter Ve and just happens to look exactly like the ANSI “B” character? and what if the SSL/TLS certificate matches, etc. Would you notice that a botnet agent is propagating and establishing peer-to-peer relationships between infected hosts within your own organization over IPv6? Would you be able to scan for, and uncover, a botnet Command and Control service running on a compromised host with an IP address of 2001:db8:85a3::8a2e:370:7334?

While DNSSEC works to close down several vulnerabilities, IPv6 and IDNs open the doors for additional forms of attack and attack vectors. Now would be a great time to double-check that your existing systems are capable of handling these changes – particularly new internationalized domain names such as www.g├╝nterollmann.com :-)

Security B-Sides - San Francisco

A number of people suggested that I offer to speak at the Security B-Sides next month when I'm in San Francisco for the RSA Conference. It looks to be an interesting collection of speakers and topics - but if you'd like me to speak, it would appear that you'll need to vote for my talk proposal.

To vote, go to your twitter account and send the following tweet:

I vote for "Your Computer is Worth 30 Cents" by @gollmann #BSidesSF

Whats the proposed topic?

Your Computer is Worth 30 Cents

In case you haven’t noticed, there’s a war going on. Malware vendors, SEO consultants, exploit pack developers, content delivery specialists and botnet masters are battling for control of your computer. They’re not battling you or the security systems you’ve deployed – they won that war quite some time ago. No, they’re battling each other over who gets to own your computer – and consequently who gets to make money from it.

The botnet ecosystem is evolving at a rapid pace. Specialized services have come to fill every niche of the hacking world. The frontline is rarely the mechanical process of exploitation and infection – instead it lies with innovative 24x7 support and helpdesk ticketing systems – quality of service is the competitive edge. How much is your computer worth to them? The price point is dropping day-by-day, but 30 cents is a pretty average trade value. Why is it so low? Because your computer is only part of the ecosystem – and a commodity one at that.

Tuesday, February 2, 2010

Messing with Virus Scanning Portals

OK, so there's been a bit of hubbub surrounding Kaspersky's experiment in abusing the sample sharing ecosystem that has evolved from the VirusTotal virus scanning portal. No surprise, just another example of another security feedback-loop that can be abused for good or ill purposes.

So, changing hats for a minute, I decided to think a little more on how you could intentionally abuse this feedback-loop if you set your mind to it. Needless to say, the opportunities for the so-inclined to mess the system up are present in abundance.

The new blog entry has been posed over at the Damballa site - Killing Antivirus, One DLL at a Time.

Is it likely that someone will do this? hell yeah! ;-)