Thursday, January 31, 2013

Become a "Friend of Suits and Spooks"

Whether you're coming to Suits and Spooks DC or not, you can become a "Friend of Suits and Spooks" and have your name or your company's name listed on the inside cover of our program. The listing includes your company's name, logo, tag line or description, and contact information. The cost is only $500 but you have to act fast. My deadline is Monday, Feb. 4th by 1200 EST.

Current Friends include George Washington University, Invincea, and Iron Bow. Add your name to the list today. Once you've paid, just send me an email with the info that you'd like to have displayed in the program. Most of our speakers and attendees are decision-makers in the public and private sector so you'll receive terrific visibility in one of the world's most unique security events.

Wednesday, January 30, 2013

The New York Times / China Hack: What Really Happened and Who Really Did It?

The New York Times reported that it has been fending off a persistent attack by hackers which coincided with its publication on October 25, 2012 of an article on the wealth of the family of China's prime minister Wen Jiabao. However, that appears to be an assumption because, according to Jill Abramson, nothing was taken:
“Computer security experts found no evidence that sensitive e-mails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied,” said Jill Abramson, executive editor of The Times.
What did the hackers actually do?
  • They first accessed the network around September 13.
  • They installed malware that wasn't detected by Symantec's anti-virus.
  • They installed backdoors.
  • They obtained passwords for 53 Times employees who didn't work in the Times' newsroom.
  • They "created custom software that allowed them to search for and grab Mr. Barboza’s and Mr. Yardley’s e-mails and documents from a Times e-mail server", but that conflicts with Ms. Abramson's statement above.
So no customer data was stolen, and nothing about the Wen family was accessed, downloaded or copied. That's not really much of a story so far. Better add everyone's favorite bad guy - China.

Why blame China?
“If you look at each attack in isolation, you can’t say, ‘This is the Chinese military,’ ” said Richard Bejtlich, Mandiant’s chief security officer.
But when the techniques and patterns of the hackers are similar, it is a sign that the hackers are the same or affiliated.
“When you see the same group steal data on Chinese dissidents and Tibetan activists, then attack an aerospace company, it starts to push you in the right direction,” he said.
Mandiant has been tracking about 20 groups that are spying on organizations inside the United States and around the globe. Its investigators said that based on the evidence — the malware used, the command and control centers compromised and the hackers’ techniques — The Times was attacked by a group of Chinese hackers that Mandiant refers to internally as “A.P.T. Number 12.”
What's Wrong With This Picture?
This article appears to be nothing more than an acknowledgment by the New York Times that they found hackers in their network (that's not really news); that China was to blame (that's Mandiant's go-to culprit), and that no customer data was lost (i.e., the Times isn't liable for a lawsuit).

I think that Mandiant does good incident response work and I know Richard Bejtlich and some other Mandiant folks to be honest, hard-working professionals; however, their China-centric view of the hacker world isn't always justified in my opinion. Here are a few of the reasons mentioned in the New York Times article for why Mandiant believes that China was responsible. None of them hold water.

The Beijing Workday Argument. The hackers could have been from anywhere in the world. The timezone that Mandiant imagines as a Beijing workday could easily apply to a workday in Bangkok, Singapore, Taiwan, Tibet, Seoul, and even Tallinn - all of whom have active hacker populations.

The Lanxiang Vocational School Argument. The article mentioned that the hackers were traced back to the "same universities used by the Chinese military to attack U.S. military contractors in the past." If memory serves, one of those was the Lanxiang Vocational School in Jinan, the capital of Shandong province and home to a PLA regional command center. Actually, Jinan is an industrial city of six million people and more than a dozen universities. IP Geolocation to one school means absolutely nothing.

Furthermore, even if the Chinese government were involved in cyber espionage against the New York Times, it wouldn't use its military for that. It would use its Ministry of State Security (China's equivalent of the CIA). And they wouldn't be stupid enough to run the attack from their own offices, which, if you're interested in checking IP addresses, are in Beijing - 274 miles from Jinan.

The Hackers' Techniques. The article mentioned the hackers' use of a Remote Access Tool (RAT). One such widely used tool is called GhostRAT. The fact that it was used in an attack against the Dalai Lama in 2008 (GhostNet) doesn't mean that all of the later attacks which used this tool originated with the same group. In fact, even the GhostNet researchers refrained from attributing that attack to China's government.

Another tool whose use is often blamed on Chinese hackers is the "xKungFoo script". Like GhostRAT, the xKungFoo script is widely available for anyone to use so even if it was originally created by a Chinese hacker, it doesn't mean that it is used by Chinese hackers in all instances. I personally know Russian, English, and Indian hackers who write and speak Chinese.

The Wen Jiabao Argument. Mandiant believes that the hackers gained access to the New York Times network around September 15, 2012, during the time that the Wen story was being researched. We also know that the hackers gained access to the emails of the Times Shanghai Bureau Chief David Barboza and its South Asia Bureau Chief in India Jim Yardley. Does this mean that China was responsible? Maybe it does, but the Wen story could have been a coincidence. Check out how many stories Mr. Barboza and Mr. Yardley worked on between August and December, 2012 - several dozen between the two of them. And Yardley's name isn't associated with the Wen story at all.

Asian politics and economics are pivotal in some way to every developed and developing nation in the world. And the New York Times has its finger on the pulse of that region. The list of potential culprits who could have breached the Times network for information on Asia is far longer than just China. 

Kaspersky Labs Researcher to Present Operation Red October at Suits and Spooks DC

I'm very pleased to announce that Kaspersky Labs researcher Roel Schouwenberg, a senior malware researcher with Kaspersky Lab's Global Research & Analysis Team, will be presenting at Suits and Spooks DC on February 8-9, 2013. His presentation will cover:

  • Earliest variants of the malware (2007)
  • Victim profiles
  • C&C domains and servers
  • Mobile malware components: known and unknown
  • An overview of the 1000+ malware plugins discovered during the research
  • Possible links with other campaigns
I've suggested in the past that Red October may have been run by a NATO member country, which makes it an ideal topic for the Suits and Spooks conference. I'm particularly happy that, with the addition of Kaspersky Labs to our other international speakers, Suits and Spooks is rapidly acquiring a global reputation as a unique security event that's not to be missed. We are rapidly approaching standing-room only capacity so register today.

Monday, January 28, 2013

Meet the New Director of INTERPOL's New Digital Crime Centre

I just received confirmation that the newly appointed director of INTERPOL's new Digital Crime Centre will be attending Suits and Spooks DC on February 8-9, 2013. The time frame between his appointment and the dates of our event was too short to enable him to get clearance for his talk, but he is making himself available to meet with attendees and sponsors during the event and chat informally about what INTERPOL is seeking to accomplish by standing up this new center.

If you haven't already registered to attend this event, there are still a few seats available. We also have some last minute sponsorship options available. Information on those can be obtained by emailing me. I'm looking forward to meeting everyone in DC.

Tuesday, January 22, 2013

New Direction for Taia Global

UPDATE (2/19/2013): Our press release is out with details on the start of development of our data classification engine called Chimera.
For the last two years, Taia Global (my startup security consultancy) has been a services-focused business. We've been privileged to have been able to provide counsel on improving security operations center practices, identifying supply chain weaknesses and generally helping executives understand their threat landscape and how to shrink it at some very large defense, telecommunications, and entertainment companies as well as smaller sized firms.

Thanks to that diverse set of experiences, I've been able to identify a problem and a solution which is scalable and unique in the information security marketplace and have begun a second angel round to raise capital for product development.

I'm grateful to my angel investors from 2010 who have continued to support me in this latest round as well as for a new investor that has just come aboard. 2013 will be the year that Taia Global moves from being services-based to services with a product. Watch this blog and my Twitter feed for more details in the weeks and months to come.

Wednesday, January 16, 2013

Has a Foreign Intelligence Service Been Targeting Russian Embassies?

Yesterday I posed the theory that the Russian Business Network (RBN) was behind the Red October attacks; however, in the interest of alternative analysis, I'd like to propose a different theory that also fits the facts contained in Kaspersky's report: that a Foreign Intelligence Service has been targeting Russian and CIS embassies.

Kaspersky's FAQ on ROCRA says that it was brought to their attention by a "partner" who prefers to remain anonymous. Considering that the primary targets of ROCRA were Russian embassies and government agencies, that unnamed partner was most likely the FSB. After all, Kaspersky Labs does significant business with the Russian government according to Noah Shachtman's Wired profile on Eugene Kaspersky:
One of GREAT’s frequent partners in fighting cybercrime, however, is the FSB. Kaspersky staffers serve as an outsourced, unofficial geek squad to Russia’s security service. They’ve trained FSB agents in digital forensic techniques, and they’re sometimes asked to assist on important cases.
The Red October report listed many embassies in multiple countries as victims but didn't identify whether those were Russian embassies or those of other nation states. Since the malware was looking for Cyrillic characters in documents, it makes sense to assume that the target was Russia's embassies in foreign countries. It would be nice if GREAT would confirm or deny whether that was the case.

Many of ROCRA's command and control servers were registered with Russian registrars. However, Russian law and regulations require the registrant to provide accurate contact information and to confirm that information with an authoritative document (something that we in the U.S. should also require, but don't). Normally this would be a Russian citizen’s internal passport. So the perpetrator was either using compromised documents (Russian passport numbers and tax IDs have been posted on Runet) to obtain domain names or the websites themselves were compromised bots.

As far as which FIS might be responsible, there's no way to say but there's certainly no lack of suspects. The use of Acid Cryptofiler suggests that it might be a NATO or EU member country. 

Monday, January 14, 2013

RBN Connection to Kaspersky's Red October Espionage Network

Kaspersky made an astonishing announcement today with its discovery of a sophisticated cyber espionage network (most likely Russian) that has been operating since May 2007 and continues to this day. It has successfully infiltrated embassies, research organizations, military and government agencies, energy facilities (including nuclear power plants) predominantly in the Commonwealth of Independent States, India and countries in Central Asia, among many others.

The developers behind this campaign have built a toolkit similar to Flame but more sophisticated which Kaspersky researchers have named ROCRA (short for Red October). Some of the key functionalities which make this toolkit stand out as unique are:
  • The attackers have been active for at least five years, focusing on diplomatic and governmental agencies of various countries across the world. Information harvested from infected networks is reused in later attacks. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords and network credentials in other locations. To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries (mainly Germany and Russia). The C&C infrastructure is actually a chain of servers working as proxies and hiding the location of the true "mothership" command and control server.
  • The attackers created a multi-functional framework which is capable of applying quick extension of the features that gather intelligence. The system is resistant to C&C server takeover and allows the attacker to recover access to infected machines using alternative communication channels.
  • Besides traditional attack targets (workstations), the system is capable of stealing data from mobile devices, such as smartphones (iPhone, Nokia, Windows Mobile); dumping enterprise network equipment configuration (Cisco); hijacking files from removable disk drives (including already deleted files via a custom file recovery procedure); stealing e-mail databases from local Outlook storage or remote POP/IMAP servers; and siphoning files from local network FTP servers.
According to Kaspersky's report, the oldest domain name used in the Red October network was registered in November 2007, and the newest in May 2012. The November 2007 date immediately rang a bell in my memory as the date that the Russian Business Network went dark (November 4, 2007) and temporarily moved operations to China. Then, after a few weeks, they disappeared again.

The developers behind ROCRA, who are Russian, are comfortable using Chinese malware and adapting it for their own use according to the Kaspersky report. This fits the RBN profile to a 't'. I ran 13 IPs listed in Kaspersky's report against the RBN list maintained by James McQuade and found matching IP blocks for five of them:

Malicious servers: matches to 178.63., 188.40., 78.46., and 88.198.

Mini-motherships: matches to 91.226.
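The kind of comparison described above, as an added example that is not the author's tooling and does not reproduce the RBN list: indicator IPs are checked against a set of CIDR netblocks with longest-prefix matching, and each hit records how wide the matching block is, since a /16 match says little on its own. The five /16 prefixes are the ones named in the post; every host address, the extra /24 block and the labels are constructed sample values.

```python
"""Match indicator IPs against a list of known netblocks (longest-prefix match).

Added example for this post; not the author's tooling and not the RBN list.
The /16 prefixes are the ones the post names as matching; every host address,
the /24 block and the labels are constructed sample values.
"""
import ipaddress

# Constructed netblock list: the post's five /16 prefixes plus one hypothetical
# /24 so the longest-prefix logic has something more specific to prefer.
KNOWN_BLOCKS = {
    "178.63.0.0/16": "rbn-list",
    "188.40.0.0/16": "rbn-list",
    "78.46.0.0/16": "rbn-list",
    "88.198.0.0/16": "rbn-list",
    "91.226.0.0/16": "rbn-list",
    "91.226.77.0/24": "rbn-list (hypothetical, more specific)",
}

# Constructed indicators, grouped the way the post groups them. The RFC 5737
# documentation ranges (192.0.2.x, 198.51.100.x, 203.0.113.x) are the misses,
# and one malformed entry shows how unparsable indicators are reported.
INDICATORS = {
    "malicious-servers": ["178.63.12.34", "188.40.56.78", "78.46.9.10",
                          "88.198.11.12", "192.0.2.5", "198.51.100.7"],
    "mini-motherships": ["91.226.77.200", "203.0.113.9", "not-an-ip"],
}


def build_index(blocks):
    """Parse CIDR strings and order them most-specific first."""
    nets = [(ipaddress.ip_network(cidr, strict=True), label)
            for cidr, label in blocks.items()]
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def longest_match(ip, nets):
    """Return (network, label) of the most specific block containing ip, or None.

    Raises ValueError if ip is not a valid address (caller decides how to report).
    """
    addr = ipaddress.ip_address(ip)
    for net, label in nets:
        if addr in net:  # version mismatch simply fails the membership test
            return net, label
    return None


def match_indicators(indicators, blocks):
    """Map each category to its hits; also return indicators that did not parse."""
    nets = build_index(blocks)
    hits, skipped = {}, []
    for category, ips in indicators.items():
        hits[category] = []
        for ip in ips:
            try:
                found = longest_match(ip, nets)
            except ValueError:
                skipped.append((category, ip))
                continue
            if found is None:
                continue
            net, label = found
            hits[category].append({
                "ip": ip,
                "block": str(net),
                "prefixlen": net.prefixlen,
                # A /16 spans 65,536 addresses, often a whole hosting provider,
                # so a wide match is a lead to investigate, not attribution.
                "block_hosts": net.num_addresses,
                "label": label,
            })
    return hits, skipped


def total_matches(hits):
    """Number of indicators that landed in some known block."""
    return sum(len(rows) for rows in hits.values())


if __name__ == "__main__":
    hits, skipped = match_indicators(INDICATORS, KNOWN_BLOCKS)
    for category, rows in hits.items():
        print(category)
        for row in rows:
            print(f"  {row['ip']:<16} in {row['block']:<18} "
                  f"(/{row['prefixlen']}, {row['block_hosts']} hosts)")
    print("matched:", total_matches(hits), "skipped:", skipped)
```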

It has been my belief for many years that the RBN has a working relationship with the Russian government; that it disappeared from view when the FBI sought the assistance of the FSB to shut down their operations in 2007 (as detailed in chapter 8 of my book); and that it has continued operating below the radar all this time. It provides distance and deniability to the FSB for certain offensive cyber operations and, in exchange, the FSB allows the RBN to operate as a criminal enterprise; a portion of which involves selling the data that it steals to whomever is interested.

Red October is already the most significant find of the new year. If, in fact, Kaspersky has uncovered an RBN-controlled espionage ring, it's going to be one of the most important discoveries of the decade.

Thursday, January 10, 2013

No Proof That Iran Is Behind U.S. Bank Attacks

A recent New York Times article reported that the U.S. government was convinced that the government of Iran was responsible for DDoS attacks against U.S. banks. No specific names of U.S. officials were mentioned which is troubling for several reasons:
  1. Government policy makers and administration officials are generally not very astute about the complexities of cyber attacks, incident response, and attribution. 
  2. The article's authors failed to interview any of the multiple cyber security experts who disagree with the sources quoted and/or referred to in the article.
  3. The reasons given by the Times' sources didn't exclude other possibilities besides the government of Iran.
On the other hand, multiple informed, authoritative sources have expressed skepticism about these attacks being state-sponsored, let alone by Tehran. Here are two authorities who were quoted in this Mashable article "Is Iran Behind A Wave Of Cyber Attacks Against U.S. Banks?":
Roel Schouwenberg, senior researcher at Kaspersky Labs (which identified several recent cyberattacks against Iran), didn't confirm or deny the attacks' origins. However, he doesn't believe the attacks are so complicated they must be the work of a government. 
“We can confirm that the attacks being reported are happening; however, the malware being used, known as ItsOKNoProblemBro, is far from sophisticated," wrote Schouwenberg in an e-mail. "It's really rather simple. It’s also only one part of the puzzle but it seems to be effective, which is all that matters to the attackers. Going strictly by the publicly known technical details, we don't see enough evidence that would categorize this operation as something only a nation-state sponsored actor could pull off.” 
Claudio Guarnieri, security researcher at Rapid7, agreed the complexity of the attacks is "disputable" and doesn't necessarily mean a government is behind them. 
"The malicious code involved is effective but very simple," wrote Guarnieri. "The link with state-sponsored entities could be justified by the fact that there is no direct gain for the attackers besides the disruption of the targets' operations. However, considering that there is no obvious evidence and that it could potentially be the work of generic cybercriminals, it's hard to confirm it.”
Then there's Dancho Danchev's expertly written article "Dissecting 'Operation Ababil' - an OSINT Analysis" which cast doubt on who was actually behind Operation Ababil, my article "Fact-checking the Iranian DDoS Attacks Against US Banks", and Anthony Freed's article "Bank DDoS Attacks: Is it the Russian Mob, Iran, or a False Flag?"

The public statements made by this group sound more like an Anonymous operation than something run by paramilitary Basij members or the IRGC, which is responsible for Iran's offensive cyber operations. The group's announcement of an equation based on page views of the offending film to determine the duration of attacks against the banks is too clever by half to be an official strategy. And at least one announcement failed to use proper capitalization for the words "God" and "Prophet" when referring to Allah and Mohammad (the author used lower case "g" and "p" instead of capital letters):
"The table below shows the result of search for the movie that insulted the god, his prophet and Muslims:"
I can't imagine a devout Muslim forgetting to capitalize God or Prophet but remembering to capitalize Muslim. I can imagine that mistake being done by someone who was using religious outrage as a pretense to support a false flag operation with Iran as the victim.

Relations with Iran are already tense. What we don't need is an internationally respected newspaper like the New York Times adding fuel to the fire by putting their name behind a story that presents no evidence and no objective examination of the facts by actual authorities in threat research, forensics, and incident response. You guys can and should do a lot better.

Tuesday, January 8, 2013

What's Missing in your Threat Landscape Picture?

ENISA (European Network and Information Security Agency) recently published its "ENISA Threat Landscape" report for 2012. Overall it's a good document as far as traditionally known threats go, but it's a re-hash of the threat landscape that we've accepted as complete because we've relied on security vendors to create it. A vendor tends to focus on the part of the threat landscape that their product addresses and ignore what's irrelevant to their product line. Customers often accept that as accurate because, after all, they aren't in the business of information security or threat assessment and rely upon the advice from their vendors, which I'm sorry to say is often incomplete.

The following threat table from ENISA illustrates what I mean:

According to ENISA's paper, the above table was created from 120 reports issued from Virus/Malware protection vendors, CERTS, security agencies, commercial companies in the area of security, industrial associations and committees, and Networks of Excellence (p. 10). Unfortunately, they tend to mirror each other in terms of what they report. In the Intelligence Community, this is a cognitive bias known as mirror-imaging. Customers, especially governments and multi-national corporations, need to go beyond these types of traditional and limited threat landscapes and expand it to include at least two more very important areas:

  1. Vendor-to-Government relationships (V:G)
  2. Offices in Foreign States (OFS)

Vendor-To-Government Relationships
U.S. companies, especially those in the Fortune 100, rely upon vendors, both foreign and domestic, for everything from development work to marketing. Yet very few take the time to do a deep dive into who their vendors' executives are and what their relationships are with other partners and government officials. As an example, we (meaning my company Taia Global) regularly perform this type of due diligence for our client firms and at least 70% of the time discover significant foreign government relationships with both U.S.-based and foreign-based vendors who have unrestricted access to valuable data owned by our clients. Frequently, prior to our investigation, no one was aware of those relationships.

Offices in Foreign States
U.S. companies who have offices in Russia and China, including Hong Kong, are at high risk for technology theft through both legal and illegal means. It may be through a local vendor who provides "secure" paper shredding services off-site when in reality those documents aren't destroyed but are sold to interested parties. It may be through legal intercepts on all landline, VoIP, mobile and satellite communications from the foreign offices of a U.S. company in Russia or China. It may be through a legal request to review your products' source code for "national security" reasons. The bottom line from a threat landscape perspective is - if you're doing business in a foreign state, there are a dozen ways for them to access your company's crown jewels, all of which have nothing to do with spear phishing, APT, or botnets.

If your company has overseas offices or uses vendors who do, the traditional threat landscape - even one created from over 100 sources - is incomplete. And if your security plan is built around that limited threat landscape, your intellectual property is still at risk. Contact us for more information.

Wednesday, January 2, 2013

Five Critical Panels on the Use of Offensive Tactics in Cyberspace

On February 8-9, 2013, 24 world-renowned speakers will address and interact with about 80 attendees from the public and private sectors in a beautiful conference center high above the Potomac River on some of the most important issues in cyberspace - the controversial use of offensive tactics in defending networks (i.e., Active Defense). The full agenda can be seen here, but five critical panels are as follows:
  • How are Russia and Georgia engaging in Active Defense?
    • Featuring Ambassador David J. Smith (ret.) and Ms. Khatuna Mshvidobadze (Georgian Security Analysis Center)
  • How can Duqu, Flame, Gauss, and Shamoon be reconfigured and reused against different victims (e.g., Iran against Saudi Arabia)?
    • Featuring Dr. Boldizsár “Boldi” Bencsáth (Associate Professor, Laboratory of Cryptography and Systems Security (CrySyS), Department of Telecommunications, Budapest University of Technology and Economics) and Brig. Gen. Jim Jaeger (USAF, ret), Vice President of Network Defense & Forensic Services, General Dynamics
  • How Much Leeway is there in the Computer Fraud and Abuse Act and International Law for Offensive Actions in Cyberspace?
    • Featuring Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Stewart A. Baker (Partner, Steptoe & Johnson), Mr. Frank J. Cilluffo (Director, Homeland Security Policy Institute at George Washington University), and Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU))
  • What’s the Downside of Private Sector Offensive Engagement?
    • Featuring Dr. Anup Ghosh (Founder and CEO at Invincea), Mr. Jeffrey Carr (Founder and CEO, Taia Global, Inc.), Mr. David Dittrich (Chief Legal Officer, The Honeynet Project), and Mr. Robert Bigman (former CISO, Central Intelligence Agency).
  • If the ITU Assumes Ownership of the Internet, How May That Impact International Offensive Cyber Operations by Nation States?
    • Featuring Mr. Marco Obiso (Cybersecurity Coordinator, International Telecommunications Union (ITU)), Dr. Catherine Lotrionte (Director of the Institute for Law, Science + Global Security, Georgetown University), Mr. Robert Bigman (former CISO, Central Intelligence Agency), and Brig. Gen. Jim Jaeger (USAF, ret), Vice President of Network Defense & Forensic Services, General Dynamics
There are only 28 seats remaining and the Early Bird discount expires in one week so register today to be a part of the year's most unique and informative security event - Suits and Spooks DC 2013. If your employer is interested in joining RSA and Basis Technology as a sponsor, please contact me via email for details.