Monthly Archives: May 2009

60-day Cyberspace Policy Review Released and the Crowd Falls Silent

Today, the 60-day cyberspace policy review has been publicly released. Melissa Hathaway, the Cybersecurity Chief at the National Security Council, was in charge of leading the effort and was one of the keynote speakers at RSA.

Here are some of the main points of the document:

  • Establish a person in the White House who’s responsibility it is to report to the president on matters of cyber security (cyber czar position)
  • Review the laws and policies that are currently in place and issue more by tying the position into congress.
  • Increase public awareness about the risks of the Internet
  • Increase public education about how to be secure when conducting Internet activities.
  • Expand federal IT workforce (A.K.A. The government needs to pay more)
  • Executives need to be more aware of cybersecurity.
  • Government and Private Sector need to work together.
  • Laws regarding “collusion” need to be relaxed so that companies can work together more. (Scary Thought)
  • Work with International Governments to form jurisdiction lines.
  • Build a framework for incident response.
  • Enhance information sharing across government bodies for better incident response handling.
  • Improve Cybersecurity across all infrastructures

The policy review should upset anyone in security field. It points things out the obvious. I expect much more from our National Security Council. Metaphorically, this paper is like taking your car to a mechanic and asking for a full diagnostic for the health of your vehicle. After 2 weeks, you come back and the mechanic gives you a piece of paper with the phrase, “Your Car is Black.”

This review is a complete miss from a security standpoint. Hopefully, it will bring awareness to multiple parties on what needs to get done, but it doesn’t help to fix anything.

Government was designed to move slow. The founders of this country did not want the government to make any hasty decisions, hence bureaucratic red-tape. The Internet on the other hand is designed to move very fast. As soon as something becomes popular on the Internet, the next thing is being developed.

It is hard to comprehend a government body that would be able to keep pace with the Internet. In fact, as soon as the policy review was completed, the Internet has already changed.

Advertisements

What Motivates Hackers?

Photo: Kristin Bradley

Photo: Kristin Bradley

Attackers are motivated by multiple factors. Previously, “experts” believed most attackers were social outcasts who were writing malicious software out of their parent’s basement. These attackers were not driven by any particular motive. They were more driven by the problem-solving aspect. They wanted to know if they could do it. This idea that attackers are socially inept kids based in the United States is quickly becoming inaccurate.

Most security articles are focused on the means of the attack. They don’t address what attackers are actually after.

The four motivating factors for attackers that have been identified are:

  1. Financial Gain
  2. Notoriety
  3. Political
  4. Vengeance

Financial Gain
Hacking, Malware, and Worm Creation is a money making opportunity. Worms, such as Conficker, are being tied to organized crime based in Soviet republics.

The tightly managed criminal organizations behind such scams—often based in Russia and former Soviet republics—treat malware like a business. They buy advanced code on the Internet’s black market, customize it, then sell or rent the resulting botnet to the highest bidders. They extend the worm’s life span as long as possible by investing in updates—maintenance by another name. This assembly line–style approach to crime works: of all the viruses that Symantec has tracked over the past 20 years, 60 percent of them have been introduced in the past 12 months.

This shouldn’t be surprising. If criminals have no problem killing another human and taking their wallet, why would they have problems stealing massive amounts of money electronically?

However, organized criminals aren’t the only attackers driven by financial gain. There is also evidence of financially driven attackers being petty criminals. These are the types that don’t have a great understanding of what they are doing. They can be found on websites specifically setup for trading credit card numbers or other Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this subgroup.

Notoriety

There is still evidence of hacking for notoriety. Most of these attackers are the “13-19” year old kids described above. The reason these individuals attack systems is driven by their want to become famous.

A recent example is the Mikeyy worm created by Michael Mooney of StalkDaily. This sub-group usually will justify their attacks by stating, “I wanted to bring awareness to the problem.” This is a constructed answer but demonstrates their want to become famous. They are clearly stating, they were the ones who wanted to bring awareness to the issue. These attackers typically have a Robin Hood type mentality of bringing knowledge to the uninformed.

Political
These attackers are politically focused or driven by political means. This group includes “hacktivists” and foreign nationals driven to cause damage to an enemy country. Examples of these attacks are the Titan Rain and more recently Power Grid hacking.

Political motivation is frightening. Many countries will not deter attackers from hacking a foreign country. In addition, law enforcement has a hard time tracking down or arresting these type of attackers due to the lack of cooperation of foreign countries.

Vengeance

These attackers are the most dangerous. They will attack people who have somehow made them upset. Their driving factor is causing as much pain as possible for their victim.

These attacks typically target an ex-girlfriend or a celebrity. These are the electronic equivalent of breaking someones windshield. There is nothing that can really be done to prevent it other than to stop using the Internet.

How to Hack: Hacking by Numbers?!

Photo: stuartpilbrow

Photo: stuartpilbrow

A course will be offered this year at Black Hat entitled, “Hacking by Numbers: PCI Edition.” A quote from the appropriate literature:

The PCI Data Security Standard (DSS) has had a huge impact on the information security industry. One effect that it has had is to make annual penetration testing mandatory in some segments, and thereby spawn a whole new class of off-the-shelf penetration testers.

The term “off-the-shelf penetration testers” makes my stomach churn. It is my belief that hacking is more of an art than a science. Hacking is methodical, but takes a specific type of person to do it. Typical hackers are very methodical and analytic. In addition, ever hacker that I have ever met has a never-give-up mentality about them. This attribute is used as a feedback loop into the problem they are working on.

Sure some security work and/or security methodologies can be taught, but to be a “breaker” you have to have a certain personality type.

What are your thoughts on this? Feel free to tweet me about the topic. @miscsecurity

Information Gathering: A Way to Identify Who Uses Social Sites

Photo: Pro-Zak

Information gathering on targets is key for attackers. They need to understand their targets to construct more successful attacks.

Recently, I came across http://namechk.com/ I was blown away with the amount of information this site reveals.

The site promotes itself as a way to “check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.”

From an attackers standpoint, lets say I want to identify all of the resources that Jeremiah Grossman, the CTO of WhiteHat Security uses. I simply type in his blogspot id, “jeremiahgrossman” and I identify that in addition to blogspot he also posts to delicious and youtube. This is great!

For an attacker, this resource provides a way to identify additional paths of research.

XSS – Understanding Cross Site Scripting

If it hasn’t already, Cross-Site Scripting (XSS) will soon be replacing SQL injection as the new buzzword in the security sector. XSS will continually be a topic on this blog as well as others [1],[2],[3],[4]. Due to this fact, I think a primer would be a good idea for those who don’t know or understand this problem.

Many articles have been written about Cross-Site Scripting and if you want to have a better understanding of the problem, I suggest you read those documents (Links at the bottom of the post).

Basically, There are 3 types of Cross-Site Scripting:

  1. Stored/Non-Reflective/Persistent Cross Site Scripting (User visits the XSS’ed page)
  2. Non-Stored/Reflective/Reflected Cross Sited Scripting (User clicks a link that embeds the script into the loaded page)
  3. DOM Based Cross Site Scripting (please read this article)

All of these names make it confusing for a first timer to understand XSS. There really should be a better web application security standards organization. Here is a breakdown of Persistent XSS and Reflective XSS. These are the big two that most people talk about when they are referring to Cross Site Scripting. If you understand these well, you will be able to participate in 90% of XSS conversations.

Persistent Cross-Site Scripting
Persistent XSS is arguably more dangerous than reflective XSS. This attack embeds the malicious script permanently into the web application. The script will then wait until people access the page it is located on.

Here is an attack using Persistent Cross-Site Scripting:

  1. The victim visits a website they trust, amazon.com.
  2. A script has been inserted by an attacker on a page they happen to visit while on amazon.com.
  3. The script executes in the context of amazon.com.
  4. The victim is then compromised.

Note: Obviously, someone can increase the chances of the victim visiting this page (step 2) through social engineering, phishing, etc.

Reflective Cross-Site Scripting
These are the ones the media usually reports on. [1],[2],[3]. In this attack, some type of social engineering is involved for the attack to be successful.

Here is an attack, using Reflective Cross-Site Scripting:

  1. The victim gets an email/Instant Message that contains a link.
  2. The victim clicks the link. (Requires User Intervention)
  3. A script has been inserted by an attacker on the page they then visit.
  4. The script executes in the context of that site.
  5. The victim is then compromised.

Note: I want to reiterate that this attack requires some type of user intervention (step 2).

Why is Cross-Site Scripting Bad?
Cross-Site Scripting can lead to all sorts of different exploits, including system compromise. For an attacker to do this, they need to break out of the browser’s context. We have seen examples that breaking out of the browser is not that hard to do.

In addition, an attacker can also establish a bi-directional channel using iframes. This creates a man-in-the-middle attack. The attacker can then intercept key strokes, use the victim as an intranet portscanner, and even stealing creditials. The attacker is only limited by their knowledge of scripting.


Example of a bi-directional channel

Hopefully, this gives you a better understanding of Cross-Site Scripting. Feel free to leave comments if you don’t understand something and I will address it in the article.

Additional Resources:
Cross-Site Scripting (XSS) FAQ
OWASP Guide to XSS
XSS tutorial
XSS Video Tutorial (via youtube)
XSS Attack API

5 Key Factors of Complexity

Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the “5 Key Factors of Complexity.”

He identifies that the key cause of compromise is human nature; the ability that humans are susceptible to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are “resistant to human frailty.” He goes on to state, that designing these systems (by reducing complexity) is difficult.

According to Mr. Truskowski, the 5 key factors of complexity and the key to designing these systems are:

  1. Threats
  2. Compliance
  3. Technology
  4. Economics
  5. Business Needs

Contrary to security, Businesses have to keep focused on all of these factors or they will be unsuccessful. Vendors however, are according to Mr. Truskowski, only focused on one of these factors… Threats. He argues, If an enterprise doesn’t focus on compliance, they are fined. If a business doesn’t focus on business needs, the business can’t change.

“It’s like building the titanic. The ship’s designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years over why the Titanic sank, from Brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn’t get out of the way of the iceberg. The Titanic’s designers focused on size, strength, resilience, and luxury but not on maneuverability.”

I think Mr. Truskowski’s talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.

The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)

Information Gathering At Its Best: Using Google Alerts for Fun and Profit


Knowledge is Power.

Sun Tzu stated in the Art of War,So it is said that if you know your enemies and know yourself, you will fight without danger in battles.” Having intelligence on your enemy is a key to winning military battles. In business having any competitive edge, including intelligence, can be the difference between winning and losing a key-project, beating an advisory colleague, and getting a raise or promotion.

Google, a small start-up out of Mountain View, has a feature called Google Alerts that will help keep your enemies informed. Google Alerts is a way for people (or attackers) to stay informed of new pages that have been indexed by Google. When Google’s bots are scanning/indexing the Internet, they will look for specific keywords that the user sets up before hand, just like issuing a Google query. When Google’s bots identify these keywords they will email you a link to the page the keywords were found on.

This is a great feature that can be used to stay informed on all sorts of things. Say, you would like to stay informed of Gavin Newsom, the mayor of San Francisco, running for Governor of California. You could set up a Google Alert with “Gavin newsom” and “governor” as the keywords and be emailed any new pages that Google identifies.

It seems that Sun Tzu was correct. Knowing your enemy, and knowing what he knows, is the key to winning battles.