Category Archives: Commentary

These posts are commentary and thoughts on world events, mostly on technology and event interactions.

The Value in Releasing Information

Then we assumed that the attack against the centrifuge drive system was the simple and basic predecessor after which the big one was launched, the attack against the cascade protection system. The cascade protection system attack is a display of absolute cyberpower. It appeared logical to assume a development from simple to complex. Several years later, it turned out that the opposite was the case. Why would the attackers go back to basics? […]

In other words, blowing the cover of this online sabotage campaign came with benefits. Uncovering Stuxnet was the end of the operation, but not necessarily the end of its utility. Unlike traditional Pentagon hardware, one cannot display USB drives at a military parade. The Stuxnet revelation showed the world what cyberweapons could do in the hands of a superpower. It also saved America from embarrassment. If another country — maybe even an adversary — had been first in demonstrating proficiency in the digital domain, it would have been nothing short of another Sputnik moment in U.S. history. So there were plenty of good reasons not to sacrifice mission success for fear of detection.

via Stuxnet’s Secret Twin – By Ralph Langner | Foreign Policy.

In previous posts, I have discussed how information has value. This is both in the eyes of attackers as well as the information’s original controllers. I have also written several tutorials, such as those on GPG or OPSEC, that by implication state that anonymity has worth. After all, what is the point of privacy if it has no value? What the article above demonstrates is a corollary to that theme. Specifically, when you utilize stealth, one of its powers is found in giving it up.

The mathematics that investigates competitive self-interest is known as game theory. Simplified, it states that rational actors will behave in a logical manner. Specifically, rational actors will attempt to maximize success, however that is quantified in the models involved. It is utilized in everything from economic modeling to poker. In this case, we will see how utilizing a more obvious weapon than its predecessor is rational.

It was no secret that the United States was working against Iran’s nuclear research programs. What was not clear was what efforts, if any, were being made outside of economic sanctions or other “non-violent” means (the applicability of the adjective “non-violent” of sanctions are outside of this discussion).

What the article quoted above indicates is that the Iranian nuclear research facilities had been compromised for some time. While it did not bring the research to a stop, it would both delay it and raise doubts as to the capabilities of the technical staff involved. This would hopefully allow time for other avenues to bring the research to a complete halt. However, despite the value in this, the technique was modified to instead utilize the payload found in Stuxnet.

This would increase the visibility of the attack, but it is possible that at this point that was the desired goal. It would continue causing delays in the research program, and with a smaller risk of escalation than a military strike (warning: PDF). Additionally, even if discovered it would most likely not cause a war given the ongoing debate over the role of cyber attacks in warfare. What it would do, however, is expose that they had the capability of doing so.

The results of this were obvious. First, the U.S. and their allies faced retribution. While not desirable, such attacks were easier to absorb than the projected asymmetric physical responses, such as car bombings. The response was found in software-based asymmetric responses instead such as Saudi Aramco and various Western banks. The correlation between the methods used both in the initial attack on Natanz and the response indicates that this may have been the desired response.

Given that asymmetric response was going to happen, and that malware and other information-based attacks are already utilized and asymmetric (warning: PDF), perhaps it was desired due to its existing threat. Assuming that those making the decision were in fact rational actors, it means that they saw the many revelations that would come from Stuxnet would inform other actors of their capabilities. By doing so it showed that in the event of such an attack on its own infrastructure the U.S. could respond in-kind.

The Difficulty of Doing Network Security Correctly: The U.S. Defense Department as a Case Study

The U.S. military has over 1,000 military bases, distributed over 20 countries, containing at least 290,605 buildings (warning: PDF). Each of those hook into the military networks that remain targets, and prominent ones at that. There are countless stories about successful breaches of military infrastructure to gain information, at least according to what is publicly available. There are also those who target them as part of political activism. Overall, their role as one of the largest targets in the world is a known problem.

The U.S. Department of Defense announced in September that they intended to create a Joint Information Environment. This would involve integrating the various networks that they control into a single controlled design. In doing so, it would dramatically reduce the threat surface that the largest network in the world faces.

Currently, the Department of Defense has broad guidelines (warning: PDF) to allow for communication between branches. This has led to the development of improved systems that are foundational to the next stage of integration. For instance, C2 Central allows the sharing of information between the hundreds of networks across the branches. It also demonstrates the scale of the problem. The difficulties faced with the BACN project have also shown the layers of sensors, networks, and even basic lack of networking that the pieces of the military infrastructure contain.

The larger the environment, the harder it is to create universal policy. Powerful interests come into play at every juncture. Some of it is the desire to keep fiefdoms functioning. Some of it is disagreement over the choices made to remove the systems used in certain circumstances. There are as many reasons why not to integrate as there are players involved.

Regardless, reducing technologies and networks in play reduces the attack surface. It also increases the need for confidence in those technologies that are chosen in this reduced environment. The military has faced problems before in making poor choices on this matter. The project also faces potential conflicts with its BYOD strategy. The process involved would most likely take years, most likely at least a decade. It will involve process design, technology replacement, and retraining of every single person who interacts with the redesign. Even with the best of intentions, this will not be an easy task.


Value is in the Eye of the Beholder

When I am working with clients, sometimes the hardest lesson is in calculating the value of information. Part of this is the difficulty in figuring out the risk calculations that determine appropriate care. The secondary part is figuring out what others think that information is worth, to determine the chance of being targeted in an attack.

Sometimes you get to know how valuable the information you control is. The Federal Reserve, for instance, knows that the data they release is worth for a fortune. As a result, they set up elaborate security for each report release. Despite this, timings from trades related to the “no taper” decision announced in September 2013 indicated that it still managed to leak early.

When you know that value, you still want to know how people would acquire it. The technical term for this is penetration testing. This is when an outsiders are paid to pose as attackers, and gain all the access they can in order to illustrate the methods that the client is vulnerable for. A good example of this can be found in the description from Adam Penenberg. The technical explanation from that same story can be found in a writeup from his attackers.

What makes this much harder is when you don’t even know what is valuable under your control. These are circumstances where the information you control becomes much more valuable to a given attacker. Examples of this can be pulled from the the attack on Mat Honan. There, the value was found in the mere knowledge of his email address, and then the last four digits of his credit card address, which Amazon displays once the account is compromised.

This illustrates how “trivial” information can have great value to the right audience, and why data security needs to be confirmed for all information under control and not just that which the controller believes to have worth. You will be compromised not for what you think is important, but for what your attackers decide they want. When you plan around everything having value, you can plan better how to protect yourself and those who depend on your business.


Economics of Malware: Presentation

Thanks for those of you who have been following my series on the economics of malware (part 1, part 2, part 3). I presented about that topic at Madison’s Nerd Nite today (October 30, 2013). This is the presentation, along with notes necessary to give it. It is available under a Creative Commons – Attribution/Non-Commercial/Share-Alike license.



For over a decade now I’ve been responsible for maintaining security resources and advising Sophos customers and partners about security best practices.
I also do a fair bit of public speaking for Sophos on emerging threats and protection strategies and am always in contact with IT professionals and end users.
What I haven’t done so well is make sure that those closest to me get the same benefit from my experience.

So here’s a checklist of what I did.

via Security begins at home – how to do a “back to basics” security overhaul on your family network | Naked Security.

This is a good addition to my previous articles on personal and wireless security. It offers a few other backup options to consider. My only major issue with the article is how it only suggests encrypting backups in the cloud. Data should be encrypted in all locations, especially those outside your total control. Despite that, it is overall a short, useful checklist.



Now that we have enough details about how the >NSA eavesdrops on the Internet, including today\’s disclosures of the NSA\’s deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves.
For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided by whistleblower Edward Snowden. I wasn\’t part of today\’s story — it was in process well before I showed up — but everything I read confirms what the Guardian is reporting.
At this point, I feel I can provide some advice for keeping secure against such an adversary.

via Schneier on Security: How to Remain Secure Against the NSA.

I’m split preparing for presenting at Madison, Wisconsin’s Nerd Nite on October 30, 2013. Schneier covers several important notes as to how to handle security in general against a state-level actor, but the lessons are useful to implement in general.

Lesson three in particular is valuable. If you assume someone CAN be listening to your activity, it is easier to avoid doing something stupid. Where you should be worried about being discovered, act on those fears. Air gaps or one-way network connections can protect confidential information better than any firewall.


Obscurity itself, however, when added to a system that already has decent controls in place, is not necessarily a bad thing. In fact, when done right, obscurity can be a strong addition to an overall approach.

via Security and Obscurity Revisited | Daniel Miessler.

This is a good exploration of why “bad” defenses can still help, if used in addition to “good” defenses. As long as the additional layers do not undermine known-good policy or procedure, add them.

The Economics of Malware: Governments

Note: This is the third of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Part two involved the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Today’s subjects are those who operate with a level of sanction. These are government agencies and contractors, all of which operate with different goals than the criminal elements discussed in part two. Broadly, those goals fall under three categories.

  1. Monitoring their own Citizens – This goal applies to any instance where the government or its agents (public or private) act in order to observe people under their banner. This can fall under censorship desires, such as the Chinese Great Firewall of China being used to control what is discussed. Alternately, they can be under the guise of law enforcement Saudi Government looking for technologies to “monitor terrorists“.
  2. Gathering Information from outside their Borders – External espionage is perhaps the most common governmental use of malware. In this case one of the best know examples is Flame. The control servers used in Flame(r) left lots of evidence about its longevity (perhaps five years) and extensive data collection (upwards of 8gb of encrypted data in a mere 10 days). This is far from the only example, however. as the Chinese government has used similar tactics in order to gain data on weapons programs.
  3. Disrupting Targets – For instances like this, the attacks can be more direct. The quintessential modern example is Stuxnet. With these, governments (assumed to be the United States or Israel, or both), created some of the most successful malware packages. Stuxnet was used to (supposedly) slow the Iranian nuclear weapon program by disabling centrifuges used to enrich uranium. There also exist examples of North Korea launching overt attacks against South Korea, or rumors of Iranian involvement on attacks on financial institutions within the United States.

As with all things, these goals unify with the overall desire to increase the power and influence of their constituent nations. With that in mind, they work in different ways from the criminal element. Luckily, the multi-prong form used by the NSA can be used as a case study.

These are examples of how modern governments are major purchasers of exploits, just like the criminal elements of part two. Once purchased, they go to use. The NSA has used and is preparing for expanding malware use. One of the United State’s ongoing major programs is to develop better techniques and methods for handling large scale assaults.

The attacks begin at the network layer. Most people depend on the appearance of a lock in their address bar to know that they have SSL protection when they browse the Internet. At some point, the NSA compromised the value of SSL, TSL, and VPN, at least on some level. Attacks on alternate anonymization technologies assist them in ensuring they can collect data especially those who want to hide themselves.

In order to do so, they used multiple methods. First, they used the extensive collection of zero-day vulnerabilities they acquire either through their own research or the gray market that exists today. Additional work is farmed out to contractors, expanding what is perhaps the greatest growth industry in defense. They also pay employees of major tech companies to insert backdoors that allow them access.

Works spill over into other arenas. Importantly, the NSA use of malware and exploits has led to fear of legitimizing their utilization, although that appears to be a moot point. While governments such as Germany show anger at the revelations of the last year, they are also not innocent of using their own similar tools.

The biggest issue here is that as more specific details come out about nation state programs using malware, there has been more anger from the targets. While this anger would be valuable if it was directed towards auditing algorithms and software to look for manipulation, it is instead appearing to fracture the universality of the Internet instead.

While new systems may be good, working to improve universal standards may be better. For several years there has been questions about National Institute of Standards and Technology’s (NIST) SP 800-90 for elliptical curve cryptography. The fundamentals of the math are not in question, only the implementation details. Unfortunately, governments will attempt to continue to influence these implementations, as anyone with their power would do as rational actors attempting to increase their own power.

And that is the main lesson of government use of malware. It is functionally not very different from anything from the last few decades. Phone companies have been required to allow interception by legitimate requests for over a century, and espionage has a history dating back millennia. Perhaps the scale is different, but policy solutions have been shown to inevitably fail. Technical solutions are possible, but require a great deal of work and are far from certain to work.

The Economics of Malware: Criminals

Note: This is the second of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Today we will look at the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Malware is created using vulnerabilities, either purchased through the markets described previously or self-researched. There are broad categories of malware, each of which has a different profit mechanism.

Account Credential Theft

Attacks in this category include any mechanism by which a user’s form of authentication is taken for uses outside of their control. This can include user and password combinations for financial institutions, games, websites, or IM/VoIP clients, or password and certificate combinations used for encryption (such as a GPG pair). These can be either be sold in black markets, or used in attacks described later in this article. Typically, it is done either by phishing (directing users to fake login pages and having them enter their credentials), or through keyloggers.

Bot Activity

While the previous attacks were somewhat passive, listening in or gathering information, those that cause bot activity take control over the compromised machine. Machines can be used in this way to send spam to continue to grow the botnet, or solve captchas, or launch DDOS attacks either to attack an enemy or as part of a ransom attack (see below). They can also be used for click fraud, either to drain the funds of a target or if they control the ad network in question to raise revenue. Finally, it can be used to anonymize any other attack described here, so that they look like they are only coming from another victim (this is a common objection to offensive security since you will not be responding to the initiator of the attack, just the attack itself).

E-Mail Attacks

Email attacks are those used once you have the credentials necessary to access them. Once accessed, a multitude of attacks are available, although the automation of these attacks varies widely. For instance, Stranded Abroad attacks (also used in social media reputation attacks) use the email account to contact associates with a call for monetary assistance due to some need overseas, and ask for money to be wired overseas to accounts under the attackers control. Emails can be sent containing malware to other people to gain other access. The accounts can also be mined to look for registration emails from websites, and used to reset the passwords on all of those sites and gain access to those to perform other attacks. Finally, the information in the emails itself can be of great value, if mined correctly or a precision attack is made.

Financial Credentials

The most obvious of value from malware is in financial institutions. Being able to log into an individuals bank, stock, 401k, or other similar account can immediately result in a windfall, depending on the security of the institution in question. In these cases, often smaller withdrawals are made to look for triggers that would cause questions to be raised. There are also attacks made on the financial institutions themselves, where money is either shifted into other accounts or simply created out of thin air.


Machines can be totally removed from the control of their owners. In those cases, the malware will either encrypt data on the machine, requiring that they pay the attacker in order to have it unlocked, or make it appear that such action is required. Sometimes this will be cloaked in the façade of the user having done something illegal and it being a fine (sometimes with hilarious results), other times it is just an open ransom request. With the system controlled, it will sometimes take advantage of an embedded webcam and take compromising pictures, and demand ransom for that.

Reputation Hijacking

That last example can also fall under the category of reputation hijacking. With reputation hijacking, typically social network accounts are used to post information that compromises the value of the target’s identity. Individuals may find their Facebook account posting incriminating photos or statements, Businesses may find their Yelp profiles dragged through the mud by competitors. In these cases, they are usually paid character assassinations.

Server Compromise

If a compromised machine has useful characteristics, it will be used for them. This is different from the normal bot behavior described above, in that they will often be used to host services for users other than the attackers. This includes sites that serve warez or child pornography, and do not want to use machines that can be traced back to an individual. They often can be used for phishing or other malware-related sites.

Virtual Good Theft

Finally, the machines compromised can include various information of worth. If license keys can be found in recoverable form they are easily resellable. Also with high value are gaming accounts and goods from those accounts. Gaining access to either Amazon or iTunes accounts can also grant value for the compromiser.

These methods are often used in tandem via malware packages. As of March 2013, thirty-eight percent of all malware was distributed by the Blacole or Cool kits, both created by the same person team, led by a user known as Paunch. Almost all of malware traffic comes from packages now. Interestingly, these packages are sold similar to other software-as-a-service. This includes data analytics, user targeting, upgrades, and more. The Blacole kit could be rented for approximately $700 a month, while Cool retailed for $10,000.

With all of these avenues for making money, perhaps the hardest part is actually gaining access to it. Organized crime who are the largest users of malware packages will retain money mules to gather the money. At times, this money never reaches its destination, either due to the mules being interceded by authorities or the attackers concerned about their ability to recover it.

The reason why that concern is justified is that these criminals are high value targets. You may notice that many of the articles I have linked to involve arrests. This is because every point on the chain of making and expatriating the money involved is a target. For instance Paunch and his team, mentioned above, were arrested earlier last week in Russia. Despite this, it is extremely lucrative for the time they operate.

Part three of this three part series will cover the last of the major users of retail vulnerabilities, governments and their agents.

The Economics of Malware: Vulnerabilities

Note: This is the first of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

The quintessential problem of information security is how to address the technology involved. The architectures in question each have their own potential and known vulnerabilities. These can be discovered by multiple different players, and today’s article will be about why they each look for these vulnerabilities.

Over the years, an entire market has developed around the sale of vulnerabilities. This article will talk about the players involved in discovering and selling vulnerabilities. The market feeds the entire use environment, from criminals and their support organizations (which will be part 2 of this series) to governmental actors who use it for intelligence gathering (which will be part 3 of this series).

First, lets define what a vulnerability is. A vulnerability in this case is a method by which unplanned or unauthorized behavior is induced. This can include both within the target of the vulnerability itself or in the broader system it runs within. For instance, a vulnerability in a database software may give the attacker unauthorized access to data within it, or it may be used to gain access to system resources outside of the database.

Multiple players research vulnerabilities. Until recently, academics (warning: PDF) were the most common discoverer of vulnerabilities. One of the great historical battles over vulnerabilities was over the concept of “full disclosure“. Researchers would reveal discoveries to developers, and be promptly face legal threats. They then stopped revealing them to the developers, and just announcing all the details. This pushed developers into releasing patches finally, but was ugly. The middle ground that exists now over “responsible disclosure” involves telling the developer that the details will be revealed after a certain amount of time.

When malware was first identified in 1982, initial malware was designed by those who discovered the vulnerabilities exploited. People began trading information on vulnerabilities for prestige (warning: PDF) and knowledge they desired. A divergence began, however, when the search for vulnerabilities was not longer just academic.

It was bug bounty programs that offered rewards for those who disclosed vulnerabilities. The first was in 2004 and offered by Mozilla for discovered flaws in the Firefox web browser. Vulnerability research began to be big business around 2007. One of the major drivers in bounties from companies was that they were now competing against black market trading.

This influx of cash has driven many more people into the research arena, and feeds those looking for new tools to exploit. Both organized crime and governmental agents had deep pockets, and were willing to spend hundreds of thousands of dollars for zero-day vulnerabilities. Zero-days are vulnerabilities not known to either the developer of the vulnerable software in question nor anti-malware actors.

Part two of this three part series will cover how the organized crime drivers of the vulnerability marketplace use them.