Wednesday, March 13, 2013

A Light Look at Cyberwar Capabilities

There has been lots of news for several months about military-grade offensive security capabilities. Within the past couple of weeks this focus has ratcheted up. The tipping point, in my mind, was when Mandiant[1] released a report on Chinese hackers they had been tracking. The report claimed a lot of things, among them that the individuals mentioned in the report were carrying out offensive attacks for the Chinese military against the US military, military contractors and other companies. That's pretty scary stuff! But keep in mind that this report was heavily hyped and coincided with one of the biggest security conferences, so maybe pure altruism wasn't at the heart of the report; maybe it was also in large part driven by PR value.

So now there are lots of people at high levels in the government talking more openly about cybersecurity threats. Generals are testifying in front of congress, the president is meeting with CEOs (I guess they're security experts?), everybody in the government seems to be saying the US is under attack and needs to defend itself. The rhetoric is building to a fever pitch and I'm a bit concerned about what this means for the future. But for now let's look at what the current situation is like.

What a lot of the talk comes down to is one thing: we're being spied on. Well hey that's no surprise is it? Isn't that what the whole Cold War was about? "But" we hear "spying is a lot easier with computers because..." and then they go off and spout a lot of nonsense that comes down to "...we got caught off guard and didn't protect ourselves early enough." OK well that's too bad and we need to fix that problem so let's go do that.

But then if it's so easy for other people to spy on us, isn't it easy for us to spy on them too? Aren't we already doing that? That's a side of the conversation that not a lot of mainstream media talks about, but that a lot of people in the security industry are laughing about. Just within the last couple of years there have been reports of Iranian nuclear facilities being targeted by sophisticated malicious software, and most of the evidence points to the US or US contractors as having created it. Ironically, about a year before it was officially-unofficially reported that the Iranian cyberattacks were authorized by the President, he declared that cyberattacks against the US would be considered acts of war. Whoops.

So let's look at what we know about the US cyberwar capabilities. The first thing I'll do is look at where these US capabilities come from. There are several different angles, so I'll take a shot at enumerating them for discussion, but I'm sure I haven't gotten them all called out, so leave comments if you know of others.
  • US Civilian Government Cybersecurity groups like those run in the NSA.
  • US Military Cyberwarriors.
  • US Government contractors.
  • US allies like Israel, which supposedly has a pretty potent force.
Alright, so let's see if we can take a guess about what resources we have to bring to bear.

  • US Civilian Government Cybersecurity - I mentioned the NSA. The CIA probably also has some people. Maybe FBI. Maybe some others. I haven't run across much information here, but if you know of where some of that could come from I'd love to look at it. The White House wants a lot more of these people and I'm sure Congress is going to fund that. Now it's an interesting thought experiment to ask whether CIA analysts and traditional spies are actually cyberspies. They probably use computers as well as other techniques to carry out their jobs, but does that put them in the cyber arena? 
  • US Military Cyberwarriors - There's a great article over at Foreign Policy magazine that came up with 53,000-58,000 cyber troops. Those are the ones that you can count, and I've got to suspect that there are more. It's also important to note that these are just troops with an offensive mission, not a defensive one. Now to put that into perspective, this is about 4% of the 1.5M active duty troops and is more than all of the CIA (20K according to Wikipedia) and FBI (36K according to their site) agents combined! Hardly a small number. And that's just the obvious ones. No word on what they're spending, but probably a good deal of money here.
  • US Government Cyber security contractors - This is probably one of the largest parts of the cyberwarrior force. There are a lot of reasons that the government would use private companies for this, including the fact that these companies can do things that are illegal if done by the government. Also there's a lot less red tape and oversight, so you can hide a lot of money and effort this way and get it out fast. Most people suspect this is who largely developed the malicious software that targeted Iran over the better part of the last decade. We also know that companies like HB Gary have been supplying cyberweapons to the government for a while, and companies like VUPEN sell attacks as well. I think it's safe to assume that, if this is true, it's a pretty mature part of the capability.
  • US allies - The US allies can provide a lot of things to the US, probably mostly access and information.  I don't have a lot of knowledge about this so I won't go into it too much but if you know something, share.
That's a lot of force that the US has to bring to the cyber fight without spinning up a bunch of hype and rhetoric. So why are politicians and others talking so much about this stuff? Why not just go out and do what you want? I can't really say. I think it either comes down to distraction from other problems they would rather not address (healthcare, finances, economy, drones) or they need popular support for some new thing that they want to do and they know you wouldn't support it unless you were scared of hackers.

"What does this mean for your weekend?" or "So what?" Well for starters I think it's important to understand that there's more than one side to every story. The reality is that the US has been engaging in cyberwarfare already. Definitely against Iran and most likely against

A lot more people, a lot smarter than me, have written good stuff about this too; here are some:
Cyberwar: You Lack Imagination by Erratasec
APT1: The Good, The Bad and The Ugly by Krypt3ia
Comments on Comment Crew by Kyle Maxwell
Mandiant APT1 Report has Critical Flaws by Jeffrey Carr
Chinese Hackers and Security Theater - a three-part series by Cyber Nonsense
Cyberwar: The Pentagon Cyberstrategy - a multi-part series by the excellent Marcus Ranum from a few years ago

[1] Mandiant seems to have gotten the lion's share of the attention (and rightly so, the report and the video they released are compelling to look at) but they're far from the only ones selling Fear, Uncertainty and Doubt (FUD). I'm not singling them out for that, just for the fact that their report and all the hype that followed in its wake seemed to make for a tipping point.

Tuesday, February 26, 2013

Lessons from Journalism in Threat Intelligence

Seth Godin has a great blog post that is relevant to information security professionals. He discusses the problem that the closer to the event, the more expensive and less reliable the information is. This problem directly correlates to issues we face in trying to get reliable information about threats, vulnerabilities or other news. That's because as time goes on the story gets shaped and influenced by multiple accounts, investigations and analysis.

Try this experiment. Find all of the Twitter messages about China and Hacking from the last 6 months and read them, as well as the linked articles. I'll wait. Ha - just kidding that'd take you years to take in (if you did exactly what I said I apologize - don't follow every instruction you read on the internet)! Now go take a look at a few articles on China and Hacking in a reputable business periodical like The Economist, Time, etc. In 45 minutes you're up to date on everything from 6 months of twitter feeds. 45 minutes versus 1+ years. That's a huge difference in terms of cost.

And reliability also suffers. In going through the Twitter exercise (again, really sorry about that lost year) you probably found that lots of the info was bogus, misleading, bad conclusions, duplicated, etc. Acting on that bad information costs money too (unless you spend lots of money to try and eliminate the bad information, but that again costs money).

Most companies have figured out that it's expensive to stay up to date on information. That's why there's a big business in Threat Intelligence services. Companies outsource that function. But it's still important to keep in mind that you'll never have a perfect picture of the news just after it's happened. Think of it like a Polaroid picture. No matter how much you blow on it or shake it, it still develops at the same speed.

Thursday, August 16, 2012

Simple Way to Increase Security and Privacy and Reduce Spam

A few years ago I came up with a technique to reduce my spam messages. I'm sure I wasn't the first to think it up, but it's worked very well for years and I've never missed a real message or wasted too much time on spam. After IOActive released some privacy research this week, I realized this can help with that too.

If you haven't followed the story, IOActive did some automated scanning of popular web services for high-profile executives. They were looking to find out whether people like Steve Ballmer use Dropbox, or if the CEO of Zappos uses Nikeplus.com (yes in both cases). This was accomplished by attempting to register for these sites using the executives' official corporate email address. 

Their approach was a pretty clever way to get the information. There may be a perfectly valid reason for some of the findings; for example, an executive might publicly announce his and his company's support for another service. But the number of results - 930 accounts across 840 executives - suggests that at least some of these are for personal use.

My Technique

I use a different email address for each new account I set up. But I don't have to create tons of new free accounts at Gmail or Hotmail. I own several domain names, one of which is just for creating throw-away email addresses. Any email to that domain gets redirected to my primary email account. Once it's there, it is put into a folder without ever hitting my inbox. 

Sounds like it might be tricky to remember all these addresses, but it's not really. I just use a consistent formula for coming up with the address. For example, "site.com@domain.com". To remember your account name just look in the browser bar. 

And ever since I started using a password manager it's gotten even easier and more secure. I just create a random name and password and store it all away. The software figures out my username and password; I just have to click a couple of buttons.

Fighting Grey-Mail

If you're not familiar with grey-mail, it's the emails you get that come from accounts you've signed up for on the Internet. Now these aren't quite spam, because they come from known senders to accounts you provided, but then they're also not something you want to wade through constantly. 

I woke up this morning to about a half-dozen new pieces of grey-mail in my email. But I didn't have to look at any of it, I only know the number because I clicked on the folder I have that collects it automatically. The system I use works perfectly because it's automated, I have total control and it never misjudges an email. 

I simply dump all the messages that come in but aren't addressed to me directly over to a folder. I check that every once in a while and try unsubscribing from the biggest offenders. It usually works, but sometimes it doesn't. And of course if I'm expecting anything then I go check that folder.
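The address formula in "My Technique" and the folder rule in "Fighting Grey-Mail" are both small enough to write down. The following is an added example, not code from the original post: it derives the per-site alias from whatever is in the browser address bar and sorts incoming messages by whether they were addressed to the primary mailbox or to an alias. It goes one step beyond the post by filing grey-mail into a subfolder named after the alias, which also tells you which site handed your address out. The domain `aliases.example`, the mailbox `me@example.com` and every message below are constructed for the example.

```python
"""Per-site e-mail aliases and grey-mail routing (added example, not the post's code)."""
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import urlparse

ALIAS_DOMAIN = "aliases.example"  # assumption: catch-all domain the user owns
PRIMARY = "me@example.com"        # assumption: the real mailbox everything forwards to


def alias_for(site_url: str) -> str:
    """Derive the throw-away address for a site using the post's "site.com@domain.com" formula.

    Scheme, port, path and a leading "www." are dropped and the host is lowercased,
    so the alias can be recomputed later from the address bar alone.
    """
    url = site_url if "://" in site_url else "https://" + site_url
    host = urlparse(url).hostname  # .hostname is already lowercased
    if not host:
        raise ValueError(f"no host found in {site_url!r}")
    if host.startswith("www."):
        host = host[len("www."):]
    return f"{host}@{ALIAS_DOMAIN}"


def site_from_alias(address: str) -> str:
    """Inverse of alias_for: recover the site name that an alias was created for."""
    local, _, domain = address.lower().partition("@")
    if domain != ALIAS_DOMAIN:
        raise ValueError(f"{address!r} is not one of our aliases")
    return local


def route(msg: EmailMessage) -> str:
    """Return the folder a message belongs in.

    Mail addressed directly to PRIMARY stays in the inbox. Anything that arrived
    through an alias is grey-mail and is filed under the site the alias names.
    """
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if PRIMARY in recipients:
        return "inbox"
    aliases = sorted(a for a in recipients if a.endswith("@" + ALIAS_DOMAIN))
    if aliases:
        return "greymail/" + site_from_alias(aliases[0])
    return "greymail/unknown"  # forwarded through the catch-all, but no alias we recognise


def make_message(to: str, subject: str) -> EmailMessage:
    """Build a constructed sample message for demonstration and tests."""
    msg = EmailMessage()
    msg["From"] = "noreply@shop.example"  # constructed sender
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    return msg


if __name__ == "__main__":
    shop_alias = alias_for("https://www.Example-Shop.com/login?next=/account")
    print(shop_alias)                                   # example-shop.com@aliases.example
    print(route(make_message(shop_alias, "Weekly deals")))   # greymail/example-shop.com
    print(route(make_message(PRIMARY, "Lunch?")))            # inbox
```

Running the script prints the alias for the constructed shop URL and the folders the two sample messages land in. The subfolder name is the useful part: when spam starts arriving at `example-shop.com@aliases.example`, you know which account to unsubscribe from or retire.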

Increasing Security and Privacy

And this also adds a little more security to your accounts. But it's the security-through-obscurity kind of system, so don't rely on it solely. If you're the kind of person who reuses passwords - and just about everybody does this to some extent - then you have some additional protection against password reuse attacks. If a hacker has the account emails and passwords for one of your accounts, they can't then get into other accounts without a little extra work. That won't stop a determined attacker, but it will protect you against somebody just running a list.

The Result

I still get spam emails. Even with this system every day I get a handful of messages that show up in my spam folder. But it's not many - in fact, far less than the grey-mail number. In the last month I have gotten 9 spam messages, but over 150 grey-mail. 

The only people who have the email address I use are my friends. So either my friends' accounts have been compromised or somebody guessed my email address. But still, only 9 spam messages per month and no time wading through grey-mail is pretty spectacular! And as a side benefit I'm protecting my privacy and security a little bit more. 

Monday, July 16, 2012

Wall of Creeps

Lately there's been a lot of conversation about how to curb creepy behavior at Defcon. Last year women and goons had "red" and "yellow" cards that they gave to guys who were acting like asses. This plan backfired, as the cards became sought-after swag leading to high demand. The idea was floated this year and has been nearly universally shot down as ineffective, counter-productive and immature.

I propose a different tack - a Wall of Creeps. Creeps - men, women or otherwise - would have their photo on a physical or virtual wall, outing them. The idea is that public shame would act as a deterrent to keep people who are clearly over the line more under control without forcing conformity. This tactic removes the incentive (scarcity and perceived exclusivity of the cards) and mixes in a strong social disincentive. It won't stop all acts of creephood, but should help cut down on the truly aberrant behavior.

The photo would be a mug shot taken by a goon, which means somebody has to be creepy enough to get dragged to a goon and have the goon stop what they're doing long enough to take the photo. That reduces false positives. Also there should be some criterion for redemption, such as a donation to a cause or a handwritten note or whatever else would make the offendee forgive. Maybe a TTL or a minimum sentence too. After 3 infractions though the creep's photo would be posted for the rest of the con.

Con-goers would be invited to heckle and deride offenders for as long as their face is up there, but not physical violence, doxing, harassment, or generally being a creep/ass, etc. The board could also be used for party organizers to blacklist certain people, etc. I'd love to hear feedback - what do you think?

Friday, June 08, 2012

Interesting Conversation from Gold Farmer

I saw this interesting conversation posted on a Diablo III fansite today and it has a lot of relevance to Information Security. The interview is around the act of gold farming, or using automated bots to find massive amounts of in-game gold and items that can then be sold for cash. But at one point the conversation goes into how online game accounts are compromised.

The gold farmer claims that most game account compromises come from one source - forums. Attackers compromise a fan forum site and get the username, email and passwords (or hashes). These credentials are then used to attempt to log into the game, as well as email accounts, PayPal, banks, credit cards and other online services. The entire process of checking accounts is automated through tools. These accounts can then be either used by the original criminals or sold to other criminals.

See below for the relevant text or see the entire interview with a Diablo III gold farmer.

MeD: Do you have any information on the account hacking that people are reporting even with having the authenticator?
Farmer: Yeah, I know everything about that.
MeD: Would you be willing to share that information with us?
Farmer: They don’t hack the computers, the passwords.
MeD: When you say they don’t hack the computers, they don’t have the player’s computers or they don’t hack Blizzard’s computers?
Farmer: They hack forums and such and take the same email and password and test it on Blizzard.
MeD: That’s what I thought. And that is testament to all of you guys out there who are using the same email and password for forums and such for your game.
Farmer: If they have 1 million stolen emails and passwords they might get 1% to 10%
MeD: What type of websites are targets for this?
Farmer: Diablo websites or Blizzard in general.
MeD: So you are talking about Diablo fansites that have forums that you know have been successfully hacked these and get the log ins and passwords.
Farmer: Yeah, correct, it’s easy.
MeD: And in the forums of Blizzard are you able to get anything out of there?
Farmer: No. Blizzard is bullet proof, logically.
MeD: I ran forums quite a while ago and we had 130k+ members and we had issues with hack attempts at our forum accounts quite often. We were very puzzled about it. There was one time when they got everyone’s log in and password but they didn’t log into anyone’s forum account. Do you suppose that when they got into our forums do you think they were just looking to match up
Farmer: Yeah. They used it to try on people, mail and Blizzard and such. It’s called combo.
MeD: Is that a mispronunciation of your program or is that what it’s actually called?
Farmer: Nah. It’s made to make combo lists.
MeD: We reset everyone's password, we did that for them. We were worried they were trying to hack into the forum accounts. This was many years ago by the way. What I didn't realise then but I'm realising now is that this was all about accessing the game accounts and it had nothing to do with our forums. I bet that a lot of these forums that are getting compromised are getting compromised over and over again. Would you say that is correct?
Farmer: Yeah and Paypal and banks, Facebook and so forth and small percent Russian spammers.
MeD: They are testing this against multiple things, they are not just testing this against Diablo account they also test against Paypal and their bank log ins.
Farmer: They test it against everything and sell it.
MeD: How much do they sell these for?
Farmer: It depends on what’s on them.
MeD: 10c an account, $10 an account? Do you know the range there?
Farmer: ??? Doesn’t sell.
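The summary paragraph before the interview describes the defender-side signature of a "combo list" replay: leaked forum credentials are tried, by tooling, against a game login (or PayPal, mail, banks), and only a small share succeed. That pattern is visible in authentication logs, and the following is an added example, not part of the original post or the quoted interview, of how a site operator could detect it. A user who has forgotten a password produces one username with many failures; a combo list produces many distinct usernames from one source, roughly one attempt each, with a low success rate. The detector keys on distinct-username breadth per source address inside a sliding window. The log format, IP addresses and usernames are all constructed for this example; a real deployment would parse its own login or IdP logs.

```python
"""Detecting combo-list credential replay in login logs (added example, not the post's code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> auth <ok|fail> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$")

# Constructed sample: 198.51.100.7 walks a list of eight different accounts in
# eight seconds and gets one hit; 203.0.113.5 is one person fumbling a password;
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2012-06-08T10:00:01 auth fail user=alice src=198.51.100.7
2012-06-08T10:00:02 auth fail user=bob src=198.51.100.7
2012-06-08T10:00:03 auth ok user=carol src=198.51.100.7
2012-06-08T10:00:04 auth fail user=dave src=198.51.100.7
2012-06-08T10:00:05 auth fail user=erin src=198.51.100.7
2012-06-08T10:00:06 auth fail user=frank src=198.51.100.7
2012-06-08T10:00:07 auth fail user=grace src=198.51.100.7
2012-06-08T10:00:08 auth fail user=heidi src=198.51.100.7
2012-06-08T10:01:00 auth fail user=alice src=203.0.113.5
2012-06-08T10:01:10 auth fail user=alice src=203.0.113.5
2012-06-08T10:01:20 auth fail user=alice src=203.0.113.5
2012-06-08T10:01:30 auth fail user=alice src=203.0.113.5
2012-06-08T10:01:40 auth fail user=alice src=203.0.113.5
2012-06-08T10:01:50 auth ok user=alice src=203.0.113.5
2012-06-08T10:02:00 auth ok user=bob src=192.0.2.9
"""


def parse_log(text: str) -> list[dict]:
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"]})
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames in `window` with few successes.

    Per IP, a sliding window is moved over the time-sorted events. A window is
    suspicious when it contains at least `min_users` different usernames and
    the share of successful logins is at most `max_success_ratio` (the interview
    quotes a 1% to 10% hit rate for a combo list). For each flagged IP the window
    with the most distinct usernames is reported, including which accounts
    actually succeeded, since those are the ones to force a password reset on.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:   # drop events older than the window
                start += 1
            span = evs[start:end + 1]
            users = {x["user"] for x in span}
            successes = [x["user"] for x in span if x["result"] == "ok"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_ratio:
                info = {"distinct_users": len(users), "attempts": len(span),
                        "successes": len(successes), "compromised": sorted(set(successes))}
                if ip not in flagged or info["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = info
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed sample only `198.51.100.7` is reported: eight distinct usernames, one success, and `carol` listed as the account whose reused forum password worked. The single-user burst from `203.0.113.5` is not flagged, which is the point of keying on username breadth rather than raw failure counts. In practice the response is to reset the listed accounts and, as the post says, to stop reusing the forum password in the first place.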