Thursday, December 17, 2015

Anti-Forensics

The recent terrorist attacks in Paris and California have brought to light an interesting (albeit frightening) cybersecurity phenomenon: the use of commercially available encryption by ISIS.  For security professionals, the reason why these two incidents have become even more newsworthy is that the western world’s intelligence apparatuses appear incapable of breaking their encryption.  Although some in the intelligence and law enforcement communities blame Edward Snowden for tipping off terrorists to America’s surveillance capabilities, the reality of the situation is even more ominous (Gallagher, 2015).  The fact is that terrorist and criminal organizations have been using encryption and other anti-forensic techniques for decades.  Since the late 1990s we’ve known that Al Qaeda used steganography and other obfuscation techniques to conceal electronic documents on CDs and USB drives.  The latest evolution of this trend has been ISIS’ use of end-to-end encrypted communications applications such as WhatsApp, Signal, and Telegram to encrypt communications and anonymize the recipient of the messages.

In the spirit of depressing hopeful forensic analysts, let’s take a look at what the good guys are up against.  Anti-forensics is a broad category of tools and techniques that attempt to make investigations of digital media more difficult and therefore more expensive. Some of the more common approaches include (De Lucia, 2013):

Data Hiding, Obfuscation and Encryption
Obviously, the great advantage of hiding data is to keep the data available when it is needed. Regardless of the operating system, using the physical disk for data hiding is a widely used technique, but techniques tied to the OS or the file system in use are quite common as well. Hiding data on the physical disk is made feasible by some options implemented during manufacturing that are intended to facilitate compatibility and adoption, while other concealment methods take advantage of the data management properties of the operating system and/or file system. At this stage, we are going to attack, as we can imagine, the first phase of an investigation: “Identification.”  If evidence cannot be found, in fact, it will be neither analyzed nor reported.

– Unused Space in MBR
Most hard drives have, at the beginning, some space reserved for the MBR (Master Boot Record). This contains the code necessary to begin loading an OS and also contains the partition table. The MBR also defines the location and size of each partition, up to a maximum of four. The MBR only requires a single sector. Between it and the first partition, we can find 62 unused sectors (sector no. 63 is considered the start of cylinder 1). For a classic DOS-style partition table, the first partition needs to start there. This results in 62 unused sectors where we can hide data. Although the size of data that we can “hide” in this area is limited, an expert investigator will definitely look at its contents to search for compromising material.

1.4 – Use of Slack Space
The “Slack Space,” in a nutshell, is the unused space between the end of a stored file and the end of a given data unit, also known as a cluster or block. When a file is written to the disk and it doesn’t occupy the entire cluster, the remaining space is called slack space. It’s very simple to imagine that this space can be used to store secret information.  The use of this technique is quite widespread, and is more commonly known as “file slack.” However, there are many other places to hide data through the “slack space” technique, such as the so-called “Partition Slack.” A file system usually allocates data in clusters or blocks as already mentioned, where a cluster represents several consecutive sectors. If the total number of sectors in a partition is not a multiple of the cluster size, there will be some sectors at the end of the partition that cannot be accessed by the OS, and that could be used to hide data.  Another common technique is to mark some fully usable sectors as “bad” in such a way that these will no longer be accessible by the OS. By manipulating file system metadata that identifies “bad blocks,” like $BadClus in NTFS, it’s possible to obtain blocks that will contain hidden data.
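The two hiding places described so far (the sector gap between the MBR and the first partition, and file/partition slack) are also the places an examiner checks first. The following is an added example, not code from the original post or from De Lucia’s article: a small scanner that reads a constructed disk image (a bytearray, not a real device), lists gap sectors that are not zero-filled, extracts the slack of a file whose size and cluster are assumed known, and computes how many trailing sectors of a partition no cluster can address.

```python
"""Scanner for the hiding places just described: the sector gap between the
MBR and the first partition, file slack, and partition slack.
Added example, not code from the original post or De Lucia's article.
The disk image is a small constructed bytearray, not a real device."""

SECTOR = 512

def build_demo_image(total_sectors=128):
    """Constructed image: MBR in sector 0, first partition at LBA 63,
    a 1000-byte file in the partition's first cluster, plus two planted
    artefacts the scanner should find."""
    image = bytearray(total_sectors * SECTOR)
    image[510:512] = b"\x55\xAA"                      # MBR boot signature
    # artefact 1: data parked in the normally unused gap (sector 5)
    image[5 * SECTOR:5 * SECTOR + 16] = b"HIDDEN-IN-GAP!!!"
    # a 1000-byte file stored at the start of the partition's first cluster
    part_start = 63 * SECTOR
    image[part_start:part_start + 1000] = b"A" * 1000
    # artefact 2: leftover bytes in that file's slack (after byte 1000)
    image[part_start + 1000:part_start + 1012] = b"SLACK-SECRET"
    return image

def gap_sectors_with_data(image, first_partition_lba=63):
    """LBAs of sectors between the MBR and the first partition that are not
    all zero. A clean disk should give an empty list."""
    found = []
    for lba in range(1, first_partition_lba):
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            found.append(lba)
    return found

def file_slack(image, cluster_offset, cluster_size, file_size):
    """Bytes between the logical end of a file and the end of its last cluster."""
    clusters_used = -(-file_size // cluster_size)        # ceiling division
    alloc_end = cluster_offset + clusters_used * cluster_size
    return bytes(image[cluster_offset + file_size:alloc_end])

def nonzero_slack(slack):
    """Strip trailing zero fill; whatever remains is residual or hidden data."""
    return slack.rstrip(b"\x00")

def partition_slack_sectors(partition_sectors, sectors_per_cluster):
    """Sectors at the end of a partition that no cluster can address."""
    return partition_sectors % sectors_per_cluster

def scan(image):
    """Run all three checks over the constructed image (assumed layout:
    4096-byte clusters, first partition of 65 sectors starting at LBA 63)."""
    slack = file_slack(image, 63 * SECTOR, 4096, 1000)
    return {
        "gap_sectors": gap_sectors_with_data(image),
        "slack_bytes": len(slack),
        "slack_content": nonzero_slack(slack),
        "partition_slack_sectors": partition_slack_sectors(128 - 63, 8),
    }

if __name__ == "__main__":
    for key, value in scan(build_demo_image()).items():
        print(f"{key}: {value!r}")
```

On a real image the cluster size, file sizes and cluster runs come from the file system metadata (the MFT on NTFS), and a non-empty slack does not by itself prove deliberate hiding, since slack normally holds remnants of whatever previously occupied the cluster; it is the place to look, not the verdict.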

1.6 – Steganography / Background Noise
In information security, steganography is a form of security through obscurity. Steganographic algorithms, unlike cryptographic ones, aim to keep the “plausible” form of the data they are intended to protect, so that no suspicion will be raised regarding the actual secret content. The steganographic technique currently most widespread is the Least Significant Bit, or LSB. It is based on the fact that a high-resolution image is not going to change its overall appearance if we change some minor bits inside it.  For example, consider the 8-bit binary number 11111111 (1 byte): the right-most bit is considered the least significant because it’s the one that, if changed, has the least effect on the value of this number.  Taking a carrier image, therefore, the idea is to break down the binary form of the message and put it in the LSBs of each pixel of the image. Steganography, obviously, may be used with many types of file formats, such as audio, video, binary and text. Other steganographic techniques that should surely be mentioned are Bit-Plane Complexity Segmentation (BPCS), Chaos Based Spread Spectrum Image Steganography (CSSIS) and Permutation Steganography (PS).
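The following is an added example, not code from the original post or from De Lucia’s article, showing the LSB embedding just described together with the statistic an examiner uses against it: the chi-square “pairs of values” test of Westfeld and Pfitzmann. Sequential LSB replacement only ever moves a pixel between the values 2k and 2k+1, so after embedding the two counts in each such pair converge and the statistic collapses. The cover is a constructed 64x64 grayscale byte string (a smooth ramp quantised to even values), so the code runs without an image library; the message is constructed as well.

```python
"""LSB embedding as the passage describes it, and the chi-square
'pairs of values' (PoV) test (Westfeld and Pfitzmann) that detects sequential
LSB replacement. Added example, not code from the original post or De Lucia's
article. The cover is a constructed 64x64 grayscale byte string rather than a
real image file."""

WIDTH, HEIGHT = 64, 64

# Constructed message, sized to fill the cover's LSB capacity exactly
# (4 bytes of length prefix + 508 bytes of text = 4096 bits = one per pixel).
SAMPLE_MESSAGE = (b"status report: nothing to see here. " * 15)[:508]

def make_cover():
    """Constructed smooth cover: a diagonal ramp quantised to even values,
    so every (2k, 2k+1) histogram pair is maximally imbalanced."""
    return bytes(((x + y) * 2) % 256 for y in range(HEIGHT) for x in range(WIDTH))

def embed_lsb(cover, message):
    """Replace the least significant bit of each pixel, in order, with the
    bits of a 4-byte length prefix followed by the message."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = bytearray(cover)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego):
    """Read the length prefix from the first 32 LSBs, then that many bytes."""
    def read_bytes(start_bit, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def pov_chi_square(pixels):
    """Chi-square statistic over the 128 value pairs (2k, 2k+1).
    Embedding roughly balanced bits drives each pair toward equal counts,
    so a large drop relative to the untouched cover is the tell."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            chi2 += (even - expected) ** 2 / expected + (odd - expected) ** 2 / expected
    return chi2

def demo():
    """Embed, extract, and measure the statistic before and after."""
    cover = make_cover()
    stego = embed_lsb(cover, SAMPLE_MESSAGE)
    return {"roundtrip_ok": extract_lsb(stego) == SAMPLE_MESSAGE,
            "chi2_cover": pov_chi_square(cover),
            "chi2_stego": pov_chi_square(stego)}

if __name__ == "__main__":
    print(demo())
```

In practice the examiner does not have the untouched cover to compare against; the statistic is converted to a p-value with 127 degrees of freedom, and a p-value near 1 over the first portion of the pixels indicates sequential embedding. Embedding that scatters bits pseudo-randomly across the image, or that changes only a small fraction of pixels, weakens this particular test, which is why it is one of several an analyst runs rather than the only one.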

1.7 – Encryption
Encryption is one of the most effective techniques for mitigating forensic analysis. We refer to it as the nightmare of every analyst. As just mentioned, using strong cryptographic algorithms, for example AES-256, together with the techniques described above, adds a further fundamental level of anti-forensic security for the data that we want to hide. In addition, the type and content of the information that we want to protect or hide can never be compared to anything already known, because the resulting ciphertext of a good cryptographic algorithm is computationally indistinguishable from a random data stream, adding so-called “plausible deniability” on top of all our encrypted documents.  The most widely used tool for anti-forensic encryption is certainly TrueCrypt, an open source tool that is able to create and mount virtual encrypted disks for Windows, Linux and OS X systems.

2.3 – Timestamp Alterations / MACB Scrambling
In a few words that summarize this sub-chapter, the purpose of these activities is to prevent a reliable reconstruction of the operations performed by a user or during the breach of a system.  Usually, these events are reconstructed in a “timeline” primarily through the use of the MACB timestamp parameters of the file system, where MACB stands for “Modified, Accessed, Changed, Birth.”  It’s important to note that not all file systems record the same information about these parameters and not all operating systems take advantage of the opportunity given by the file system to record this information.  When we are going to change these attributes to confuse a forensic analyst, the tool that certainly comes first to mind is “Timestomp.” The software’s goal is to allow for the deletion or modification of timestamp-related information on files. The practice of completely deleting these attributes, however, is not advisable as it is already evidence of changes occurring in the system.  It’s important to note that “Timestomp” can modify only the SI ($STANDARD_INFO) MACE values and, after modification, a forensic analyst could still compare these values with those in FN ($FILE_NAME) MACE to check the accuracy of the information found. The comparison with the FN MACE is the only point where it is useful to look for changes that occurred in the timestamp parameters (excluding other data from external systems). This means that if we can modify FN MACE attributes, we can also profoundly confuse even an expert analyst.
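The $STANDARD_INFORMATION versus $FILE_NAME comparison described above is easy to automate once the MFT has been parsed. The following is an added example, not code from the original post or from De Lucia’s article: it runs that comparison over constructed MFT records (plain dictionaries standing in for parsed $SI and $FN attributes) and adds a second, well-known indicator, $SI timestamps whose sub-second part is zero, which is what tools that accept times at one-second granularity leave behind. Field names and the microsecond stand-in for NTFS’s 100 ns ticks are assumptions of the example.

```python
"""Check for $STANDARD_INFORMATION ($SI) timestamps that disagree with the
$FILE_NAME ($FN) timestamps of the same MFT record, the comparison the passage
describes, plus the zero-sub-second heuristic (tools that take timestamps at
one-second granularity leave the sub-second fields at zero).
Added example, not code from the original post or De Lucia's article; the
records are constructed dictionaries, not parsed from a real $MFT."""
from datetime import datetime, timezone

def _utc(*parts):
    """Build a UTC timestamp; the last argument is the sub-second part in
    microseconds (standing in for NTFS's 100 ns ticks)."""
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed records. A real parser would fill these from $SI and $FN.
MFT_RECORDS = [
    # Normal file: $SI created equals $FN created; later edits only move
    # $SI modified, because $FN is not updated on content changes.
    {"name": "report.docx",
     "si_created":  _utc(2015, 11, 2, 9, 15, 3, 421337),
     "si_modified": _utc(2015, 11, 3, 14, 2, 51, 908114),
     "fn_created":  _utc(2015, 11, 2, 9, 15, 3, 421337)},
    # Backdated file: $SI pushed years before $FN, with zero sub-seconds.
    {"name": "driver.sys",
     "si_created":  _utc(2009, 7, 14, 1, 0, 0, 0),
     "si_modified": _utc(2009, 7, 14, 1, 0, 0, 0),
     "fn_created":  _utc(2015, 12, 1, 22, 41, 17, 338005)},
    # Copied file: $SI modified is older than $FN created because Windows
    # preserves the source's modification time on copy. Not suspicious.
    {"name": "notes.txt",
     "si_created":  _utc(2015, 12, 2, 10, 5, 44, 120900),
     "si_modified": _utc(2014, 3, 9, 16, 20, 7, 553210),
     "fn_created":  _utc(2015, 12, 2, 10, 5, 44, 120900)},
]

def timestomp_indicators(rec):
    """Return the reasons a record looks manipulated (empty list if none)."""
    reasons = []
    # $FN is written when the file is created on this volume, so $SI claiming
    # an earlier creation than $FN cannot come from normal file activity.
    if rec["si_created"] < rec["fn_created"]:
        reasons.append("$SI created precedes $FN created")
    # Zero sub-second part in both $SI times. Weak on its own (files copied
    # from FAT media carry 2-second granularity), strong together with the first.
    if all(rec[k].microsecond == 0 for k in ("si_created", "si_modified")):
        reasons.append("$SI timestamps have zero sub-second component")
    return reasons

def find_timestomp_candidates(records):
    """(name, reasons) for every record with at least one indicator."""
    hits = []
    for rec in records:
        reasons = timestomp_indicators(rec)
        if reasons:
            hits.append((rec["name"], reasons))
    return hits

if __name__ == "__main__":
    for name, reasons in find_timestomp_candidates(MFT_RECORDS):
        print(name, "->", "; ".join(reasons))
```

The copied-file record is there on purpose: $SI modified being older than $SI created or $FN created is normal for copied files, so a check that flagged it would bury the analyst in false positives. As the passage notes, a record whose $FN attributes were rewritten as well will pass this comparison; at that point the only remaining cross-check is external, such as the $LogFile/$UsnJrnl records or timestamps recorded by other systems.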

2.4 – Log Files
There’s not much to say about log files. Every computer professional knows of their existence and the ease with which they can be altered. Specifically, in contrast to a forensic analysis, the log files can be altered in order to insert dummy, misleading or malformed data. They can also simply be destroyed. However, the latter case is not recommended, because a forensic analyst expects to find some data if he goes to look for them in a specific place, and, if he doesn’t find them, will immediately think that some manipulation is in place, which of course could also be demonstrated. The best way to deal with log files is to allow the analyst to find what he is looking for, but of course making sure that he will see what we want him to see.  It’s good to know that the first thing a forensic analyst will do if he suspects a log alteration will be to try to find as many alternative sources as possible, both inside and outside of the analyzed system. So it is good to pay attention to any replicated or redundant log files (backups?!).
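The analyst’s response described above, looking for alternative sources, can be expressed as two mechanical checks: timestamps within one file should never run backwards (a daemon only ever appends), and the set of events in the local file should match an independent copy. The following is an added example, not code from the original post or from De Lucia’s article. Both logs are constructed, and the line format (ISO timestamp, host, message) is an assumption of the example; the local file has had one root login removed and a decoy line inserted out of order.

```python
"""Two corroboration checks an analyst runs on a log suspected of editing:
timestamps inside one file must not run backwards, and the file's events are
compared against an independent copy (here a remote syslog mirror). Added
example, not code from the original post or De Lucia's article; both logs are
constructed and the line format ("ISO-timestamp host message") is assumed."""
from datetime import datetime

# Constructed remote copy, treated as the trustworthy reference.
REMOTE_SYSLOG_COPY = """\
2015-12-10T08:00:01 web01 sshd: Accepted publickey for deploy from 10.0.0.5
2015-12-10T08:03:17 web01 sudo: deploy : COMMAND=/bin/systemctl restart nginx
2015-12-10T08:13:01 web01 sshd: Accepted password for root from 198.51.100.7
2015-12-10T09:30:02 web01 sshd: Accepted publickey for deploy from 10.0.0.5
"""

# Constructed local file: the root login line is gone and a benign-looking
# decoy line was inserted out of chronological order.
LOCAL_AUTH_LOG = """\
2015-12-10T08:00:01 web01 sshd: Accepted publickey for deploy from 10.0.0.5
2015-12-10T08:20:00 web01 sshd: Accepted publickey for deploy from 10.0.0.5
2015-12-10T08:03:17 web01 sudo: deploy : COMMAND=/bin/systemctl restart nginx
2015-12-10T09:30:02 web01 sshd: Accepted publickey for deploy from 10.0.0.5
"""

def parse(text):
    """Split each non-empty line into (timestamp, host, message)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, message = line.split(" ", 2)
        entries.append((datetime.fromisoformat(stamp), host, message))
    return entries

def backwards_timestamps(entries):
    """Indices of entries whose timestamp is earlier than the one before.
    A logging daemon only appends, so any such step means the file was
    rewritten (or the clock was changed, which is worth knowing too)."""
    return [i for i in range(1, len(entries)) if entries[i][0] < entries[i - 1][0]]

def compare_sources(local_text, remote_text):
    """Events present in only one of the two sources."""
    local = set(local_text.splitlines()) - {""}
    remote = set(remote_text.splitlines()) - {""}
    return {"missing_locally": sorted(remote - local),
            "only_locally": sorted(local - remote)}

def audit(local_text, remote_text):
    """Combine both checks into one report."""
    return {"backwards_at": backwards_timestamps(parse(local_text)),
            **compare_sources(local_text, remote_text)}

if __name__ == "__main__":
    for key, value in audit(LOCAL_AUTH_LOG, REMOTE_SYSLOG_COPY).items():
        print(f"{key}: {value}")
```

The set comparison collapses identical lines, so a real implementation keys on (timestamp, host, message) with a count, and tolerates the small ordering differences that batching in the transport introduces. The point survives either way: a log that is only ever written to a remote collector the host cannot modify is the alternative source the passage warns about, and it is cheap to set up.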

– Data Deletion
The first mission of a forensic examiner is to find as much information as possible (files) relating to a current investigation. For this purpose, he will do anything to try to recover as many files as possible from among those deleted or fragmented. However, there are some practices to prevent or hinder this process in a very efficient way.

– Wiping
If you want to irreversibly delete your data, you should consider the adoption of this technique. When we delete a file in our system, the space it formerly occupied is in fact only marked as free. The content of this space, however, remains available, and a forensic analyst could still recover it. The technique known as “disk wiping” overwrites this “space” with random data or with the same data for each sector of the disk, in such a way that the original data is no longer recoverable. Generally, in order to counter the use of advanced techniques for file recovery, multiple “passes” over each sector and specific overwriting patterns are adopted.  “Data wiping” can be performed at the software level, with dedicated programs that are able to overwrite entire disks or specific areas belonging to individual files.

– Physical Destruction
The technique of physical destruction of media is certainly self-explanatory. However, we should focus on the most effective and clean of these: disk degaussing.  “Degaussing” refers to the process of reducing or eliminating a magnetic field. When referring to hard drives, floppy disks or magnetic tape, this means a total cancellation of the data contained within them.  Although it’s very effective, degaussing is a technique rarely used because of the high cost of the equipment needed to put it into practice. With modern magnetic media, using this technique means making the media totally unusable for future writes. (De Lucia, 2013)

I’d like to report that there’s some good news for those agencies hoping to thwart evildoers, but it only gets worse.  Agencies like the NSA no longer receive backdoors into these tools from the developers.  Moreover, “even if the US government were to press forward a demand for companies such as Apple, Facebook, and Google to provide a way to tap into message traffic, that would do little to prevent the use of existing peer-to-peer encryption and other encrypted social media tools by terror organizations” (Gallagher, 2015).  Long story short, cybersecurity professionals need to stay vigilant.  The best tool we have moving forward is staying current on trends and techniques.  See you at the next DEF CON/DerbyCon.

References
De Lucia, E. (2013). Anti-forensics: Part 0x01. Forensics. Retrieved from http://resources.infosecinstitute.com/anti-forensics-part-1/

Gallagher, S. (2015). ISIS using encrypted apps for communications; former intel officials blame Snowden. Ars Technica. Retrieved from http://arstechnica.com/information-technology/2015/11/isis-encrypted-communications-with-paris-attackers-french-officials-say/

Thursday, November 5, 2015

Cybersecurity in the 2016 Presidential Election

Colossal data breaches, persistent cyberattacks, and contentious legislation all dominate the headlines, except when an executive branch hopeful is involved.  To date, presidential debate topics have included the economy, gun control, overzealous policing, and even the regulation of fantasy sports, but not cybersecurity.  This is ironic considering that last week the Senate passed the Cybersecurity Information Sharing Act (CISA), a carbon copy of the same privacy-destroying bill first defeated in 2012.

A little background on CISA: “supporters say that it could prevent security breaches in the future by encouraging private companies to voluntarily share information on cyberattacks with the government. Opponents don't like the potential for abuse, especially after the details of the National Security Agency's surveillance program were made public” (Wagstaff, 2015).  To date, the only major candidate with a stance on CISA or national cybersecurity legislation has been Bernie Sanders.  Although Sanders supported the Cybersecurity Act of 2012, like Paul Ryan he opposed CISA on privacy grounds.  Hillary Clinton, on the other hand, hasn’t taken a public stance on the legislation at all.  Although the former Secretary of State has campaigned on the importance of enhancing America’s cyberdefenses, her stance on this subject is somewhat muddled by her use of an insecure personal email server.

On the Republican side of this equation, none of the major candidates have issued any definitive opinion on cybersecurity.  Jeb Bush comes the closest with his criticism of President Obama’s handling of the OPM breach.  The former Florida governor has written at length on the issue of cybersecurity on his website, outlining his position on the topic.  And unlike Carson or Paul, Bush supports CISA, writing that the United States should “reduce legal and technical barriers to cybersecurity information sharing between the federal government and private sector” (Wagstaff, 2015).

Unlike many of the other topics dominating the headlines, few experts see cybersecurity as a partisan issue.  There shouldn’t be a Democrat or Republican position on this matter.  Although the president holds little budgetary power, the executive office does nominate the heads of the Departments of Justice, Defense, and Homeland Security, all influential positions when it comes to cyber.  Given the lack of appeal this topic holds for most Americans, it isn’t unusual how little cyber is talked about in the presidential cycle; it is, however, still somewhat unsettling.

References
Wagstaff, K. (2015). Why aren’t presidential candidates talking about cybersecurity? NBC News. Retrieved from http://www.nbcnews.com/tech/tech-news/why-arent-presidential-candidates-talking-about-cybersecurity-n451826

Friday, October 23, 2015

Enhancing Cybersecurity

One of the most discussed cybersecurity topics in recent years has been the concept of regulatory compliance.  Many agencies and industries within the United States are covered by some form of legislation or at least a set of best practices, and yet most of this guidance fails when it comes to “advising organizations on the ins and outs of information security” (Sharkasi, 2015).  This is where organizations like ISACA and NIST play an important role in covering the gaps in IT education.  In a recently published ISACA Journal article entitled “Addressing Cybersecurity Vulnerabilities,” Sharkasi covers a lengthy framework of improvements organizations should address to improve their overall security posture.  The following are some of the more salient points.

Emerging Technology Risk
“Assessing and minimizing the risk of emerging technology security are the first things enterprises do before using Internet of Things (IoT) technologies to manage IT systems, building equipment, smart phones and other web-enabled intelligent systems. To reduce risk, enterprises should pay more attention to newly proposed technology initiatives, ensure involvement of IT auditors in the early stages of any IT project, and extend the audit scope to include new technologies and management systems. Additionally, the performance of post-implementation review should be considered or viewed as a value-added audit project by the audit team. The audit team needs to have the right level of support and sponsorship to engage in the early stage of any IT projects. Auditors should play a significant role in IT projects and be part of the monitoring processes to ensure quality inputs and the merits of the project, rather than simply being involved with the outcome.”

Mind the Internal Threat
“While the majority of enterprises use networks as the backbone for secure data exchange transactions, standard encryption and firewall technologies can provide some measure of protection from outside attacks and theft by competitors, hackers or mercenaries. But what about the internal threat committed by the enterprise’s employees armed with computer access and passwords? The employee element is commonly overlooked. In fact, one of the most common bugs exploited by hackers to gain access to the inner workings of equipment is using default passwords. Default passwords are, from a manufacturing point of view, a convenient way of ensuring that its engineers can get into the company’s own computers when carrying out maintenance. Too often, security administration is overwhelmed with the task of trying to do it all (e.g., managing operating systems, applications, network, mobile devices, physical security). Security administration must segregate duties and define and deploy a security policy for one area before moving on to another hot spot. In conjunction with preventing internal irregularities, segregation of duties (SoD) should be applied so that the person responsible for assessing users’ level of access authorization is not the same person who implements the access controls.”

Struggling to Deal With Legacy Systems
“Now that Microsoft has pulled the support plug for Windows XP, financial institutions (FIs) and companies that have not switched to Windows 7 need to explore their options. For FIs, this means upgrades to Windows 7 and Agilis 3 are required to keep up with the latest patches and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. Most FIs began a legacy system replacement early in 2014. But some FIs failed to truly understand the complexity of management reporting they had developed internally over the years, not to mention integrating multiple systems from different vendors. Specifically, neglecting the reliance on numerous system features or databases that tied to the old system required processing and culture changes to switch software and get off of those old functions. For these reasons, FIs felt that they needed a more comprehensive compliance plan before jumping in with upgrades. As a best practice, many FIs found it possible to get by with a special contract with Microsoft in which they could keep Windows XP and get the necessary security patches to remain compliant until they are ready to upgrade in conjunction with other planned changes. Now that the Windows XP transition deadline has passed, continuing to ignore the upgrade puts FIs at risk. And because other requirements are coming, it makes sense to create a plan that addresses not only a Windows 7 upgrade, but future needs as well.”

Cybersecurity Test Tools
“Cyberattacks on enterprises and banks worldwide reflect a frightening new era in cyberwarfare. As many security experts say, ‘You cannot hack or protect what you cannot see.’ Traditional network security strategies have become increasingly complex and costly, yet they do not deliver the level of reliability that modern mission-critical computing environments require. The solution is moving to a deeper, inside-out software-based approach that greatly reduces the number of vulnerabilities that hackers and cybercriminals can exploit. Cybersecurity stealth tools do exactly this and are an innovative, software-based approach to security that saves money, increases security, and is an agile component that adapts to changes in critical business networks and rapidly evolving regulatory requirements. To that end, it is good to see developers starting to introduce security tools that bring together maintenance and help-desk products with the security system. Security professionals should become familiar with the tools, techniques and weapons used in attacking their security infrastructure. Then they will be prepared to make a number of wise acquisitions, bringing in the best-of-breed products.”

The report goes on to detail a host of additional topics, all of which represent critical points of entry into a facility’s IT infrastructure.  The point Sharkasi and ISACA are making is that “attackers need to find only one weakness to get into an enterprise system and spread their reach.”  While one weakness is all an attacker may require, as defenders we are responsible for securing the whole system.  This involves a holistic approach that encompasses hardware, software and wetware (people), and it must be a concerted effort embraced by both the public and private sectors to be effective.

References
Sharkasi, O. Y. (2015). Addressing cybersecurity vulnerabilities. ISACA Journal. Retrieved from http://www.isaca.org/Journal/archives/2015/Volume-5/Pages/addressing-cybersecurity-vulnerabilities.aspx

Thursday, September 17, 2015

FTC's Ruling on Cybersecurity

A recent decision by the Third U.S. Circuit Court of Appeals has ruled that the U.S. Federal Trade Commission now has the authority to investigate and charge individual companies with “unfair trade practices” for failure to “protect customers from the theft of on-line data” (Raysman & Morris, 2015).  The judgment originally stemmed from a lawsuit filed by the FTC against the Wyndham hotel chain.  The Commission sued the hotel chain based on a set of data breaches that resulted in $10.6 million in fraudulent charges to customers’ credit cards (D’Annunzio, 2015).

Until now the FTC has routinely been filing and settling similar claims against corporations based on faulty security controls such as antiquated software, insufficient firewalls or routine security practices not being followed.  Given the federal government’s lack of a clear cybersecurity regulation for companies, legal observers view this latest ruling as just the first of many more lawsuits to come.  According to Scott Vernick, a Philadelphia-based Fox Rothschild attorney who represents Fortune 500 companies in data breach matters, the FTC’s newfound authority could affect data breaches similar to those of Sony, Ashley Madison, Target and Home Depot (D’Annunzio, 2015).

As a result of this newest exposure to claims by government regulators, Raysman & Morris (2015) advise CIOs to act defensively to mitigate the potential damage from data breaches and resulting lawsuits.  Some defensive steps to be considered include:

Compliance with the NIST Cyber Security Framework.  The National Institute of Standards and Technology has issued a “Framework for Improving Critical Infrastructure Cybersecurity,” which is becoming a de facto standard of cybersecurity for U.S. regulators. The Framework is the equivalent of a gap analysis, with a company setting up its own profile.  If a company can demonstrate to the FTC that it has implemented the Framework, it may help to persuade the FTC that there are no grounds to file a complaint.

Updating of data and privacy policies. Every company has a data privacy and security policy. However, many of those policies may have been written several years ago and may not reflect recent standards and practices. A company should regularly update those policies to comply with the most recent cybersecurity requirements.

Report by respected third-party consultant. Virtually every major information technology consultant now has a cybersecurity practice.  Although it is an added expense, and its worth may only be demonstrated if a hack is uncovered, a CIO should retain a respected consultant to perform an annual data security review, should update the company’s security to comply with the report’s recommendations and obtain from the consultant a report confirming that the company has implemented the most current anti-hacking processes and protections.

Risk manager involvement. The CIO should actively coordinate with the company’s risk managers, so that they too document the company’s compliance with the most recent protective steps for cyber security.

Cybersecurity insurance.  Cybersecurity risks are often not included in a commercial general liability insurance policy.  The CIO should review the company’s cybersecurity policy to ensure that it provides the necessary coverage in the event of a hack and subsequent regulatory and legal action by the FTC and others. (Raysman & Morris, 2015).

References
D’Annunzio, P. J. (2015). FTC ruling will lead to more cybersecurity suits, lawyers say. Pittsburgh Post-Gazette. Retrieved from http://www.post-gazette.com/business/legal/2015/09/15/FTC-ruling-will-lead-to-more-cybersecurity-suits-lawyers-say/stories/201509150004

Raysman, R. & Morris, F. (2015). What CIOs need to know about the FTC cybersecurity ruling. The Wall Street Journal. Retrieved from http://blogs.wsj.com/cio/2015/08/31/what-cios-need-to-know-about-the-ftc-cybersecurity-ruling/

Thursday, August 13, 2015

Cisco 2015 Midyear Security Report

Cisco published their midyear report last week.  The information detailed within paints an interesting picture of the changing landscape of digital attacks. Some of the more salient points indicate that adversaries continue to deploy rapidly evolving exploits. This in turn creates a dilemma for organizations attempting to counter them. Oftentimes, security gaps are filled based on present intelligence only to become ineffective in a relatively short amount of time. The Cisco 2015 Midyear Security Report does an excellent job of identifying trends in threats, targets, and attackers. The following are excerpts pulled from the report.

Major Discoveries
– Exploits of Adobe Flash vulnerabilities are increasing. They are regularly integrated into widely used exploit kits such as Angler and Nuclear.
– Angler continues to lead the exploit kit market in terms of overall sophistication and effectiveness.
– Operators of crimeware, like ransomware, are hiring and funding professional development teams to help them make sure their tactics remain profitable.
– Criminals are turning to the anonymous web network Tor and the Invisible Internet Project (I2P) to relay command-and-control communications while evading detection.
– Adversaries are once again using Microsoft Office macros to deliver malware. It’s an old tactic that fell out of favor, but it’s being taken up again as malicious actors seek new ways to thwart security protections.
– Some exploit kit authors are incorporating text from Jane Austen’s classic novel Sense and Sensibility into web landing pages that host their exploit kits. Antivirus and other security solutions are more likely to categorize these pages as legitimate after “reading” such text.
– Malware authors are increasing their use of techniques such as sandbox detection to conceal their presence on networks.
– Spam volume is increasing in the United States, China, and the Russian Federation, but remained relatively stable in other regions in the first five months of 2015.
– The security industry is paying more attention to mitigating vulnerabilities in open-source solutions.
– Continuing a trend covered in the Cisco 2015 Annual Security Report, exploits involving Java have been on the decline in the first half of 2015.

No Industry Is Immune to Attack
Cisco has refined and simplified its methodology for tracking high-risk verticals for web malware encounters in order to deliver more precise results. We no longer compare the median encounter rate for all organizations that use Cisco® Cloud Web Security with the median encounter rate for all companies in a specific sector that are using the service. We now compare the relative volumes of attack traffic (“block rates”) with those of “normal” or expected traffic.  Figure 19 shows 25 major industries and their relevant block activity as a proportion of normal network traffic. A ratio of 1.0 means the number of blocks is proportional to the volume of observed traffic. Anything above 1.0 represents higher-than-expected block rates, and anything below 1.0 represents lower-than-expected block rates. For example, block rates for the retail and wholesale industry are in proportion to the volume of traffic that was observed for that industry. In examining the block rates of Cisco customers, we determined that the electronics industry has the most blocked attacks among the 25 industries tracked. Cisco attributes the electronic industry’s high proportion of block rates to an outbreak of Android spyware. As seen in Figure 19, most industries hover at the “normal” level (the 1.0 line) for the ratio of attacks to normal network traffic. However, singling out industries currently above the 1.0 line as being significantly more vulnerable to attacks may be misleading, especially as this analysis only covers the first half of 2015. In addition, no industry should consider itself “safer” than other industries in terms of being a target. Every organization in every industry should assume that it is vulnerable, that attacks will happen, and that it should implement defense-in-depth strategies accordingly.

Geographic Overview
Cisco researchers also examined the countries and regions where malware-based block activity originates, as seen in Figure 20. The countries were selected for study based on their volume of Internet traffic. A block ratio of 1.0 indicates that the number of blocks observed is proportional to network size. Malware acquires a foothold on vulnerable devices. Countries and regions with block activity that we consider higher than normal likely have many web servers and hosts with unpatched vulnerabilities on their networks. A presence in large, commercially viable networks that handle high Internet volume is another factor for high block activity. Figure 20 relates to where servers are hosted. This graphic does not attribute patterns of malicious web activity to the depicted countries or regions. Hong Kong, which ranks number one on the list, is an example of a region where a high percentage of vulnerable web servers are observed. A small number of networks hosted in France participated in an outbreak midway through the reporting time period, which raised its profile more than expected.

Types of Web Based Attacks
Figures 21 and 22 show the various types of techniques that adversaries are using to gain access to organizational networks. Figure 21 illustrates the most commonly seen methods, including Facebook scams and malicious redirects. Figure 22 shows lower-volume attack methods observed in the blind sample we examined. Note that “lower volume” does not mean “less effective.” Lower-volume attack methods, and the malware associated with them, can represent emerging threats or highly targeted campaigns. Therefore, when monitoring web malware, it is not enough to simply focus on the types of threats most commonly seen. The full spectrum of attacks must be considered.

Cybersecurity Call to Action
Cisco security experts suggest that change is imminent for the security industry. A wave of consolidation and integration is needed to develop innovative, adaptive, and trustworthy security solutions that can reduce time to detection and prevent attacks. In addition, our geopolitical experts provide insight into the importance of cybergovernance for supporting innovation and economic growth in business on the global stage.


References
Cisco. (2015). Cisco 2015 Midyear Security Report. Retrieved from http://www.cisco.com/web/offers/lp/2015-midyear-security-report/index.html


Wednesday, July 8, 2015

The OPM Mega-Hack

In perhaps one of the most significant hacks in American history, anywhere from 4 to 18 million current and former federal employees had their personal information stolen a few weeks ago.  The data was being stored in a vast database run by the Office of Personnel Management (OPM).  Based on early identification of the methodology used to obtain the data, law enforcement officials attribute the intrusion to the same Chinese hackers that attacked Anthem Insurance earlier this year.  According to U.S. officials, “the breach, which was revealed Thursday and affected current and former federal workers from nearly every government agency, could be the biggest ever of the government's computer networks” (Liptak, Schleifer, & Sciutto, 2015).  Cybersecurity professionals believe the goal behind the attack was to build a database of federal employees with the intent of fostering future “insider” attacks.  Within the OPM database was security clearance information, including which federal employees reported family and friends living in China.  Experts theorize that this information could eventually be used to blackmail U.S. citizens holding high-level security clearances into giving up classified information.  Weeks later, it appears the federal government is no closer to discovering how the massive breach occurred, or at least has not been entirely forthcoming about the details.  “The cybersecurity experts added that some government agencies have not been following the government's own best practices for cybersecurity, such as updating operating systems with latest protections” (Liptak, Schleifer, & Sciutto, 2015).

And while the Chinese government neither confirms nor denies its involvement in the breach (surprise), this incident falls squarely into everything the cyber community knows about China’s modus operandi.  In 2014 the computer security firm Mandiant released a groundbreaking report detailing a lengthy and sophisticated hacking campaign by a unit within China’s People’s Liberation Army.  The report, entitled APT1 (Advanced Persistent Threat 1), detailed three years of observation of a Chinese military unit’s cyber activities based in mainland China.  Mandiant’s findings were alarming in the complexity and persistence of the Chinese government’s development of its offensive cyber capabilities.

In the end, the OPM hack, although extraordinarily massive in its scope, is just another example of China’s pattern of using offensive hacking to further its long-term geopolitical agenda.

References
Liptak, K., Schleifer, T., & Sciutto, J. (2015). China might be building vast database of federal worker info, expert says. CNN. Retrieved from http://www.cnn.com/2015/06/04/politics/federal-agency-hacked-personnel-management/
Mandiant. (2014). 2014 Threat Report. Retrieved from https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf

Wednesday, June 3, 2015

2015 IRS Hack

It appears the Russians hacked us…again.  In true Soviet fashion, their government of course denies any official involvement.  The report from Congress last week is that cyberattackers acquired taxpayer information from approximately 100,000 Americans.  This time it was courtesy of the IRS’ “Get Transcript” tool (Reisinger, 2015).  Ignoring the fact that this revelation comes on the heels of other recent Russian intrusions against the White House and State Department, the most interesting part of this story isn’t the “who” but the “how.”  Employing previously acquired PII such as names, addresses, and Social Security numbers, hackers used a weakly defended internet-based tool to make off with an estimated $50 million in tax refunds.  That’s right; we did this to ourselves…again.

The IRS has an online database of American taxpayer information called “Get Transcript.”  Hackers conducted targeted attacks against this system to the tune of 200,000 attempts in order to successfully acquire 100,000 fraudulent tax refunds.  Although the IRS claims this was a sophisticated attack against its systems, there appear to be a number of amateurish missteps that cyber professionals should have picked up on.  According to Reisinger (2015), the 200,000 attempts were made from “questionable email domains with more than 100,000 of those attempts successfully clearing authentication hurdles.”  This raises the question of how the attack succeeded.  Apparently every year the Treasury Inspector General for Tax Administration audits the IRS to assess its security systems.  “As of March this year, a list of 44 upgrades suggested to the organization remained uncompleted—ten of which are now three years old. They included security patches to close loopholes that could be exploited” (Condliffe, 2015).  Shortly after the disclosure, the current Treasury Inspector General, J. Russell George, told Congress that “it would have been much more difficult if they had implemented all of the recommendations we made.”  Although insiders claim a lack of funds is at fault for the security lapses, testimony given before Congress seems to contradict this assertion.

Whatever the reason for the lapse, the ultimate moral of the story is that we are our own worst enemy when it comes to cybersecurity.  FISMA has been a congressional requirement since 2002, and yet it is still not being implemented correctly across the federal government.  It would seem that IT auditing and compliance related careers should and will be the first line of defense against ourselves…and the Russians, of course.

References
Condliffe, J. (2015). IRS failed to update security systems making recent hack more likely. Gizmodo. Retrieved from http://gizmodo.com/irs-failed-to-update-security-systems-making-recent-hac-1708659493
Reisinger, D. (2015). Russian hackers behind $50 million IRS scheme, report says. CNET. Retrieved from http://www.cnet.com/news/russian-hackers-behind-50-million-irs-hack-report-says/

Friday, May 22, 2015

Public and Private Cyber Collaboration

With an increasing number of cyberattacks directed against the United States, the need for a comprehensive national cybersecurity policy is critical.  To date, this effort has amounted to the creation of guidance by the federal government, often without Congressional approval or private sector mandates.  Given that most of America’s critical infrastructure is in the hands of private entities, this must change.  Corporations have largely pushed back against any cybersecurity mandates, and without official legislation, the “relationship between businesses and the government has been mostly all carrot and no stick” (Ravindranath, 2015).

As a result, the federal government has become increasingly proficient at utilizing the carrot.  This comes in the form of government entities such as the National Cybersecurity Center of Excellence, an organization with the lofty goal of working with businesses to improve their cybersecurity posture, often by helping them find commercially available technology.  Similarly, the Commerce Department’s National Institute of Standards and Technology (NIST) has spent the last few years churning out reams of policy papers advising best practices for virtually every area of information technology.  These policies are increasingly seen as seminal works in the field of computer security, with their guidance being implemented by a growing number of private organizations alongside their public counterparts.

One of NIST’s most comprehensive and widely utilized guides is 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).  In this 500-page publication, the Commerce Department’s regulatory agency details a framework for designing an organizational cyber policy.

The publication goes further by discussing 17 security control categories and then detailing over 250 individual security controls that organizations should objectively consider implementing.

All of this adds up to an impressive body of work that no one outside the federal government is required to abide by.  It would appear, however, that some private entities see the benefit in adopting a standard set of cybersecurity principles.

“Last week, Department of Homeland Security’s cybersecurity and communications office’s chief technology officer, Peter Fonash, said businesses need to be able to exchange up-to-the-minute threat information with the government for instance.  Dodson said her team is working to hand over some projects to the private sector.  For instance, NIST’s Center for Excellence jump-started the Identity Management Ecosystem Steering Group, which aims to combat fraudulent online identities, beginning in 2012.  Today, the group is made up of commercial companies, including Microsoft and IBM.  That group is meant to serve as a forum in which members can discuss and implement better ways to conduct and verify online credentials and transactions” (Ravindranath, 2015).

References
NIST. (2013). Security and Privacy Controls for Federal Information Systems and Organizations. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Ravindranath, M. (2015). NIST official: Businesses need to take more responsibility for cybersecurity. Nextgov. Retrieved from http://www.nextgov.com/cybersecurity/2015/05/nist-official-businesses-need-take-responsibility-their-own-cybersecurity/113332/

Tuesday, April 28, 2015

Putin Hacks America...again

In early April, the White House announced that Russian hackers had penetrated the White House through a seemingly innocuous email account.  Their target was the “Executive Office of the President” network, an unclassified yet highly sensitive system that processes, among other things, President Obama’s emails, schedule and policy notes.  The attack bears the same hallmarks as a similar intrusion last year at the State Department.  Based on the level of sophistication, U.S. officials believe the Russian government is the culprit (Sales, 2015).  If this incident wasn’t serious enough, a couple of weeks after the White House disclosure, officials were forced to admit that Russian hackers had also accessed an unclassified Pentagon network in early 2015.  The breach, which was only recently declassified, illustrated another sophisticated cyberattack against the U.S. government, most likely perpetrated by Moscow (Crawford, 2015).  These attacks targeted the same weak link in the cybersecurity chain: us.

Much like the Sony Pictures attack, officials believe the White House incident was perpetrated through a successful spear-phishing campaign.  For the uninitiated, this type of attack entails the detailed targeting of a high-level official with a malware-laden email.  Oftentimes, the official mistakenly opens an infected attachment, and the rest is history.  This type of attack is so successfully employed that Wired believes 91% of hacking attacks begin with a phishing email (Sales, 2015).  The Pentagon attack, on the other hand, appears to be a little less straightforward.  Given that the Department of Defense has only recently declassified portions of the incident, it is unclear exactly how hackers gained access to a highly guarded yet unclassified Pentagon network.  Initial reports point to an unpatched vulnerability, which indirectly leads us back to inadequate human involvement in the security chain.  Given that the Office of the National Counterintelligence Executive has labeled Russia “a national long-term strategic threat to the United States,” it would seem to be a foregone conclusion that we as security professionals need to increase our training and awareness (Cilluffo & Cardash, 2015).

References
Cilluffo, F. J. & Cardash, S. L. (2015). How to stop Putin hacking the White House. Newsweek. Retrieved from http://www.newsweek.com/how-stop-putin-hacking-white-house-321857

Crawford, J. (2015). Russians hacked Pentagon network, Carter says. CNN. Retrieved from http://www.cnn.com/2015/04/23/politics/russian-hackers-pentagon-network/

Sales, F. (2015). White House hack: By way of Russia with help from spear phishing. TechTarget. Retrieved from http://searchcio.techtarget.com/news/4500244197/White-House-hack-By-way-of-Russia-with-help-from-spear-phishing

Wednesday, March 25, 2015

Canada's Cyber Offensive

In yet another bombshell released from Edward Snowden’s cache of top secret documents, it turns out Canada has an ambitious and surprisingly advanced offensive cyber capability.  This revelation comes on the heels of an upcoming vote to authorize new powers for the nation’s cyber agencies.  Among the documents published was a confidential 2011 presentation by Canada’s intelligence agency, the Communications Security Establishment (CSE).  The CSE, which is Canada’s version of the NSA, outlines how by 2015 it “will seek the authority to conduct a wide spectrum of effects operations in support of our mandates” (False flags & cyber wars, 2015).  This authority comes in the form of bill C-51, which is currently being pushed through the Canadian parliament by the nation’s conservative party.  The legislation has been proposed as a way to combat terrorism, but skeptics view it as another attack on personal privacy.  As a result, filibusters by opposition leaders and public demonstrations have been staged to oppose the bill.  Snowden’s leaked presentation details 32 techniques that the CSE can employ in both the defensive and offensive arenas.  Some of the more notable weapons in the Canadian cyber-arsenal include:

Malware. The CSE has reportedly been building malware to bring down the networks of rival organizations. The malware was developed by the NSA as part of its QUANTUM hacking project. In fact, the NSA and the CSE have been collaborating for quite a while, gaining access and exploiting computer network targets in the Middle East, North Africa, Europe, and Mexico, say the documents. 

Deception attacks. The CSE used what are called “deception techniques” to attack networks while making it seem like the attacks came from other organizations.  For instance, it directed victims to a fake site, then potentially used that site to “siphon classified information about computer networks.”  Additionally, the report says Canada launched attacks to block website traffic, redirect money transfers, and even delete emails.

Social engineering. The country also used a variety of social engineering methods to destroy other organizations' reputations.  Tactics included faking online poll results, posting fake Facebook messages, and even diffusing “negative information about targets online to damage their reputation.”

Network targeting. Lastly, the report indicates Canada's cyber-toolkit targeted specific networks to either garner foreign intelligence or inflict network damage.  Targets may have included “electricity, transportation or banking systems” (Weissman, 2015).

According to the leaked files, these capabilities have potentially already been employed against the Brazilian mining and energy ministry.  Leaked NSA documents from 2013 detail alleged CSE attacks against cellphones using specially crafted malware named WARRIORPRIDE.  Similarly, Canada is known to employ a government-sponsored botnet to anonymously attack international targets.  These facts have prompted accusations of industrial espionage by at least one foreign nation against Canada and the United States (False flags & cyber wars, 2015).  As a security professional, I find this level of public outrage understandable but not new.  What I find more interesting about Snowden’s revelation is the level to which the Canadian government has risen in the field of attacks and espionage in the cyber realm.  I guess it shouldn’t come as a surprise that an advanced nation in the 21st century employs these tactics.  For whatever reason though, seeing overly polite Canada do it has been a real eye-opener.

References
False flags & cyber wars: New Snowden leaks reveal Canada spy agency’s deception toolbox. (2015). RT.com. Retrieved from http://rt.com/news/243397-canada-cyber-spying-snowden/

Weissman, C. G. (2015). Here’s how Canada tapped into computers and phones around the world. Business Insider. Retrieved from http://www.businessinsider.com/canada-tapped-into-computers-and-phones-around-the-world-2015-3