Category Archives: Commentary

These posts are commentary and thoughts on world events, mostly on technology and event interactions.

The Economics of Malware: Governments

Note: This is the third of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Part two involved the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Today’s subjects are those who operate with a level of sanction. These are government agencies and contractors, all of which operate with different goals than the criminal elements discussed in part two. Broadly, those goals fall under three categories.

  1. Monitoring their own Citizens – This goal applies to any instance where the government or its agents (public or private) act in order to observe people under their banner. This can fall under censorship desires, such as the Chinese Great Firewall of China being used to control what is discussed. Alternately, they can be under the guise of law enforcement Saudi Government looking for technologies to “monitor terrorists“.
  2. Gathering Information from outside their Borders – External espionage is perhaps the most common governmental use of malware. In this case one of the best know examples is Flame. The control servers used in Flame(r) left lots of evidence about its longevity (perhaps five years) and extensive data collection (upwards of 8gb of encrypted data in a mere 10 days). This is far from the only example, however. as the Chinese government has used similar tactics in order to gain data on weapons programs.
  3. Disrupting Targets – For instances like this, the attacks can be more direct. The quintessential modern example is Stuxnet. With these, governments (assumed to be the United States or Israel, or both), created some of the most successful malware packages. Stuxnet was used to (supposedly) slow the Iranian nuclear weapon program by disabling centrifuges used to enrich uranium. There also exist examples of North Korea launching overt attacks against South Korea, or rumors of Iranian involvement on attacks on financial institutions within the United States.

As with all things, these goals unify with the overall desire to increase the power and influence of their constituent nations. With that in mind, they work in different ways from the criminal element. Luckily, the multi-prong form used by the NSA can be used as a case study.

These are examples of how modern governments are major purchasers of exploits, just like the criminal elements of part two. Once purchased, they go to use. The NSA has used and is preparing for expanding malware use. One of the United State’s ongoing major programs is to develop better techniques and methods for handling large scale assaults.

The attacks begin at the network layer. Most people depend on the appearance of a lock in their address bar to know that they have SSL protection when they browse the Internet. At some point, the NSA compromised the value of SSL, TSL, and VPN, at least on some level. Attacks on alternate anonymization technologies assist them in ensuring they can collect data especially those who want to hide themselves.

In order to do so, they used multiple methods. First, they used the extensive collection of zero-day vulnerabilities they acquire either through their own research or the gray market that exists today. Additional work is farmed out to contractors, expanding what is perhaps the greatest growth industry in defense. They also pay employees of major tech companies to insert backdoors that allow them access.

Works spill over into other arenas. Importantly, the NSA use of malware and exploits has led to fear of legitimizing their utilization, although that appears to be a moot point. While governments such as Germany show anger at the revelations of the last year, they are also not innocent of using their own similar tools.

The biggest issue here is that as more specific details come out about nation state programs using malware, there has been more anger from the targets. While this anger would be valuable if it was directed towards auditing algorithms and software to look for manipulation, it is instead appearing to fracture the universality of the Internet instead.

While new systems may be good, working to improve universal standards may be better. For several years there has been questions about National Institute of Standards and Technology’s (NIST) SP 800-90 for elliptical curve cryptography. The fundamentals of the math are not in question, only the implementation details. Unfortunately, governments will attempt to continue to influence these implementations, as anyone with their power would do as rational actors attempting to increase their own power.

And that is the main lesson of government use of malware. It is functionally not very different from anything from the last few decades. Phone companies have been required to allow interception by legitimate requests for over a century, and espionage has a history dating back millennia. Perhaps the scale is different, but policy solutions have been shown to inevitably fail. Technical solutions are possible, but require a great deal of work and are far from certain to work.

The Economics of Malware: Criminals

Note: This is the second of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Today we will look at the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Malware is created using vulnerabilities, either purchased through the markets described previously or self-researched. There are broad categories of malware, each of which has a different profit mechanism.

Account Credential Theft

Attacks in this category include any mechanism by which a user’s form of authentication is taken for uses outside of their control. This can include user and password combinations for financial institutions, games, websites, or IM/VoIP clients, or password and certificate combinations used for encryption (such as a GPG pair). These can be either be sold in black markets, or used in attacks described later in this article. Typically, it is done either by phishing (directing users to fake login pages and having them enter their credentials), or through keyloggers.

Bot Activity

While the previous attacks were somewhat passive, listening in or gathering information, those that cause bot activity take control over the compromised machine. Machines can be used in this way to send spam to continue to grow the botnet, or solve captchas, or launch DDOS attacks either to attack an enemy or as part of a ransom attack (see below). They can also be used for click fraud, either to drain the funds of a target or if they control the ad network in question to raise revenue. Finally, it can be used to anonymize any other attack described here, so that they look like they are only coming from another victim (this is a common objection to offensive security since you will not be responding to the initiator of the attack, just the attack itself).

E-Mail Attacks

Email attacks are those used once you have the credentials necessary to access them. Once accessed, a multitude of attacks are available, although the automation of these attacks varies widely. For instance, Stranded Abroad attacks (also used in social media reputation attacks) use the email account to contact associates with a call for monetary assistance due to some need overseas, and ask for money to be wired overseas to accounts under the attackers control. Emails can be sent containing malware to other people to gain other access. The accounts can also be mined to look for registration emails from websites, and used to reset the passwords on all of those sites and gain access to those to perform other attacks. Finally, the information in the emails itself can be of great value, if mined correctly or a precision attack is made.

Financial Credentials

The most obvious of value from malware is in financial institutions. Being able to log into an individuals bank, stock, 401k, or other similar account can immediately result in a windfall, depending on the security of the institution in question. In these cases, often smaller withdrawals are made to look for triggers that would cause questions to be raised. There are also attacks made on the financial institutions themselves, where money is either shifted into other accounts or simply created out of thin air.

Ransomware

Machines can be totally removed from the control of their owners. In those cases, the malware will either encrypt data on the machine, requiring that they pay the attacker in order to have it unlocked, or make it appear that such action is required. Sometimes this will be cloaked in the façade of the user having done something illegal and it being a fine (sometimes with hilarious results), other times it is just an open ransom request. With the system controlled, it will sometimes take advantage of an embedded webcam and take compromising pictures, and demand ransom for that.

Reputation Hijacking

That last example can also fall under the category of reputation hijacking. With reputation hijacking, typically social network accounts are used to post information that compromises the value of the target’s identity. Individuals may find their Facebook account posting incriminating photos or statements, Businesses may find their Yelp profiles dragged through the mud by competitors. In these cases, they are usually paid character assassinations.

Server Compromise

If a compromised machine has useful characteristics, it will be used for them. This is different from the normal bot behavior described above, in that they will often be used to host services for users other than the attackers. This includes sites that serve warez or child pornography, and do not want to use machines that can be traced back to an individual. They often can be used for phishing or other malware-related sites.

Virtual Good Theft

Finally, the machines compromised can include various information of worth. If license keys can be found in recoverable form they are easily resellable. Also with high value are gaming accounts and goods from those accounts. Gaining access to either Amazon or iTunes accounts can also grant value for the compromiser.

These methods are often used in tandem via malware packages. As of March 2013, thirty-eight percent of all malware was distributed by the Blacole or Cool kits, both created by the same person team, led by a user known as Paunch. Almost all of malware traffic comes from packages now. Interestingly, these packages are sold similar to other software-as-a-service. This includes data analytics, user targeting, upgrades, and more. The Blacole kit could be rented for approximately $700 a month, while Cool retailed for $10,000.

With all of these avenues for making money, perhaps the hardest part is actually gaining access to it. Organized crime who are the largest users of malware packages will retain money mules to gather the money. At times, this money never reaches its destination, either due to the mules being interceded by authorities or the attackers concerned about their ability to recover it.

The reason why that concern is justified is that these criminals are high value targets. You may notice that many of the articles I have linked to involve arrests. This is because every point on the chain of making and expatriating the money involved is a target. For instance Paunch and his team, mentioned above, were arrested earlier last week in Russia. Despite this, it is extremely lucrative for the time they operate.

Part three of this three part series will cover the last of the major users of retail vulnerabilities, governments and their agents.

The Economics of Malware: Vulnerabilities

Note: This is the first of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

The quintessential problem of information security is how to address the technology involved. The architectures in question each have their own potential and known vulnerabilities. These can be discovered by multiple different players, and today’s article will be about why they each look for these vulnerabilities.

Over the years, an entire market has developed around the sale of vulnerabilities. This article will talk about the players involved in discovering and selling vulnerabilities. The market feeds the entire use environment, from criminals and their support organizations (which will be part 2 of this series) to governmental actors who use it for intelligence gathering (which will be part 3 of this series).

First, lets define what a vulnerability is. A vulnerability in this case is a method by which unplanned or unauthorized behavior is induced. This can include both within the target of the vulnerability itself or in the broader system it runs within. For instance, a vulnerability in a database software may give the attacker unauthorized access to data within it, or it may be used to gain access to system resources outside of the database.

Multiple players research vulnerabilities. Until recently, academics (warning: PDF) were the most common discoverer of vulnerabilities. One of the great historical battles over vulnerabilities was over the concept of “full disclosure“. Researchers would reveal discoveries to developers, and be promptly face legal threats. They then stopped revealing them to the developers, and just announcing all the details. This pushed developers into releasing patches finally, but was ugly. The middle ground that exists now over “responsible disclosure” involves telling the developer that the details will be revealed after a certain amount of time.

When malware was first identified in 1982, initial malware was designed by those who discovered the vulnerabilities exploited. People began trading information on vulnerabilities for prestige (warning: PDF) and knowledge they desired. A divergence began, however, when the search for vulnerabilities was not longer just academic.

It was bug bounty programs that offered rewards for those who disclosed vulnerabilities. The first was in 2004 and offered by Mozilla for discovered flaws in the Firefox web browser. Vulnerability research began to be big business around 2007. One of the major drivers in bounties from companies was that they were now competing against black market trading.

This influx of cash has driven many more people into the research arena, and feeds those looking for new tools to exploit. Both organized crime and governmental agents had deep pockets, and were willing to spend hundreds of thousands of dollars for zero-day vulnerabilities. Zero-days are vulnerabilities not known to either the developer of the vulnerable software in question nor anti-malware actors.

Part two of this three part series will cover how the organized crime drivers of the vulnerability marketplace use them.

Silk Road Shutdown and OPSEC

The infosec, legal, and drug worlds were shocked today with the Department of Justice’s indictment of Ross William Ulbricht as the accused Dread Pirate Roberts, the administrator of the Silk Road. The Silk Road was a tor-based black market making available drugs, forgeries, hacking tools, and more its clients worldwide. Since its opening, it has been the site for approximately a billion dollars in sales via bitcoin.

Given its importance, and the money involved, one would think that Ulbricht would have a strong set of OPSEC. Reading the indictment itself, however, indicates how wrong this assumption is, especially at the beginning of the Silk Road. It reads like a how-not-to, including crossing identities, having incriminating evidence sent to an address under his name, and more.

At this point, it is worth a digression to talk about Operational Security, or OPSEC. OPSEC is the process by which one determines how information can be assembled to be used against them. In the case of someone running a site such as the Silk Road, the threats the face are monumental. This includes nation-states, with extensive surveillance capability as well as pressure to use such tools in targeting such a black-market administrator. Given this, extensive preparation and discipline is necessary to avoid exposing any information about false identities created for protection (for more in-depth information on hacker OPSEC, see the grugq’s presentation).

During the first days of the Silk Road, someone under the username “altoid” began spreading information about it. The same apparent user, with the same username, appears on bitcointalk a few days later and later looks for development help, posting his email address. This email address is used by Ulbricht for his LinkedIn profile contact. His full name is used in March 2012 asking for assistance with implementing certain php code over tor. This username and gmail connection is changed later, but the original tie-ins had been recorded. Even worse, the replacement email he used (frosty@frosty.com) is later seen in the ssh key needed to log in as the Silk Road administrator.

You can also see some spillover on his YouTube profile, where he links to videos about “How to Get Away with Stealing” and “The Market for Security”. It also contains videos from the Mises Institute, which is also cited in the Dread Pirate Robert’s Silk Road signature. While not directly incriminating, these add philosophical correlation with an interview that the Dread Pirate Roberts gave to Forbes. This interview adds an additional wrinkle to the story, where he claims that he was not the first to use the name Dread Pirate Roberts, just as the character did in the Princess Bride. No other evidence supports this claim, however, and it appears to be misdirection.

Canadian mail has broad authority (warning: PDF) to search packages crossing their border. This information was most likely enough to ask Canadian law enforcement to search for packages being sent to Ulbricht, or alternately he was just very unlucky. Regardless, a search of a package being sent to Ulbricht’s residence in San Francisco from Canada revealed several fake documents, apparently intended to purchase additional server access for the Silk Road’s growing resource needs.

Combined, this information gave investigators enough information to locate the physical address of the Silk Road server. They made a forensic copy of it on July 23 2013, and were then able to access its code base. Within it they found evidence of the only IP address by which administrative access was available, and showed access from the VPN located there granted to an internet cafe approximately 500ft from where Ulbricht lived. This address was also recorded in Google logs to be where Ulbricht had logged into his gmail from.

On July 26 2013, agents from Homeland Security Investigations confronted Ulbricht at the mailing address for the false identification. He not only admitted they were his, but that such documentation could be purchased from the Silk Road. This further implicated him and showed direct knowledge of the site.

By that point his trail is so well known by the investigators that I’m not sure how much it hurt. Regardless, he should have known to not say anything and demand a lawyer. Without the foundational work setting up and perfecting a process to protect himself, however, this appears to have been the likely outcome. This became more true with the growth of his success.

The iPhone 5s Biometric Unlock

The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates – again – that fingerprint biometrics is unsuitable as access control method and should be avoided.

Apple had released the new iPhone with a fingerprint sensor that was supposedly much more secure than previous fingerprint technology. A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

"In reality, Apple's sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake", said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking. "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."[1]

[1] via CCC | Chaos Computer Club breaks Apple TouchID.

The new iPhone has a biometric unlock option. It took all of three days for a break to show up for it, as was generally expected as well. While this is obviously an indictment of its security, I do somewhat agree with Apple and several other commentators regarding it retaining value.

Apple technology security is strictly weaker in many ways than similar Android options. Apple, for instance, can decrypt iPhones, whereas Google appears to have no such capability. They have also historically shown how their infrastructure allows for attackers to destroy data, although Google is not impervious to this either. I personally use Android (cyanogenmod on a Galaxy S3), with full device encryption and a screen password far longer than is healthy. Unlocking my phone can take up to ten seconds, which most people simply will not put up with.

That is the value in the biometric unlock for the iPhone. A dedicated opponent will be able to get you to unlock it, easier with physical intimidation than an information-based key perhaps. Screen pins should be seen as opposition from casual data theft. Someone who steals your phone, or takes it from a table to try to get some information quickly, often faces absolutely no barrier. Apple’s talking points point out a majority of users have no security pin utilized currently (although I have not found the specific number, if it is available). Tools exist to remotely wipe a phone if custody is lost, and a small barrier may be enough to give time to use that capability.

The one potentially huge concern to this method of unlock however is in allowing Apple aggregation of biometric information. As of now, Apple stores the information locally on the iPhone in question. Any government would love that information and, as demonstrated above, they have those ties with Apple. There is also the question as to if that information can be transferred off the phone if someone has physical access to the device. These are issues that should be addressed, and until they are my support is tentative. Regardless, something that encourages adaptation of a security mindset is helpful.

A First Look at International Anger at the Snowden Revelations.

Internet security and policy experts say the Brazilian government’s reaction to information leaked by former NSA contractor Edward Snowden is understandable, but warn it could set the Internet on a course of Balkanization.

“The global backlash is only beginning and will get far more severe in coming months,” said Sascha Meinrath, director of the Open Technology Institute at the Washington-based New America Foundation think tank. “This notion of national privacy sovereignty is going to be an increasingly salient issue around the globe.”

While Brazil isn’t proposing to bar its citizens from U.S.-based Web services, it wants their data to be stored locally as the nation assumes greater control over Brazilians’ Internet use to protect them from NSA snooping.

The danger of mandating that kind of geographic isolation, Meinrath said, is that it could render inoperable popular software applications and services and endanger the Internet’s open, interconnected structure.

via Brazil Looks to Break from U.S.-Centric Internet | TIME.com.

This article in Time this week shows one of the most likely impacts from the Snowden leaks on U.S. spying. Justifiably, other countries are upset. Some will use this anger to do what they wanted to already, which is to bring some of their national data in-house. This will allow them to put an additional roadblock against the NSA (far from insurmountable) while allowing their own intelligence agencies to potentially mine that data.

While Time talks in fear of the Balkanization of the Internet, they ignore that this has already widely happened in the entertainment industry. The industry itself put up countless barriers from enjoying their goods in certain regions, and despite that people go around them. VPNs, proxies, and pirating allows people to access music and videos not “sold” in their country. Nothing indicates that this would change if new services went up elsewhere in the world to challenge titans from the USA.

The biggest threat, or opportunity, arising from this anger is true competition over security. Tools like email cannot be done securely, simply because of the information they leak in headers. You can encrypt the data within the email, but a dedicated adversary will still get what they want from it. If some usable replacements for this, that included whole-chain encryption, there could be a sizable uptick in usage from this. The same goes for basic network traffic, while options like Tor exist they can’t be trusted due to the limited number of exit nodes an adversary has to control in order to monitor the network. Unless vast numbers of users move to Tor, and move a lot of applications to hidden services, this option doesn’t seem to have a lot of future to it either. It does offer a framework for future technologies to be developed.

Realistically, the only way any of these turn detrimental to the future of the Internet is if new protocols or software are developed that intentionally block other regions. Even in that circumstance, however, as I said before there should be ways around those barriers. Even better, if those protocols are built with privacy and security as core philosophies, they could help provide something to replace those that are used now.