Dave Naffziger's Blog

From this fascinating CNET article on a few of the techniques that the Russian spies used to exchange data:

…the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.

While online passwords never need to be this complex - centralized management can prevent brute-force attack. Arguably, longer passwords are more important for local software (that can be stolen, then brute-forced). In fact, the leading theories on the ‘cracking’ of the wikileaks video suggest that they brute-forced the password that unlocked the encrypted contents.

A 27 character password certainly makes brute-forcing the password impossible. But human nature, even to extremely well-trained spies is to write things like this down.

I’m both stunned and impressed by Google’s announcement that it will either end censorship in China or close google.cn following a “highly sophisticated and targeted attack on [Google’s] corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”

Wow.

If Google follows through with its intentions, it will be one of the most public actions taken by any organization (corporate or government) in protest of China’s restrictions on free speech in the last few years. Even a Google-cynic such as myself can’t help but cheer their actions. The other search engines should follow Google’s lead.

Almost incredibly, Google is may actually be able to impact Chinese policy. We will see how the next few weeks unfold, but Google may well do more for free speech in China at this moment than any international organization has been able to do in the last decade. The constructivist view of international relations is becoming an increasingly stronger model.

Google was hacked!?

And possibly equally significantly, Google has had its intellectual property stolen by hackers. And we’re left to presume they were state-sponsored hackers. Sure, most organizations are a nudie video away from getting pwned, but if Google can be targeted successfully, what does that say about the rest of corporate America?

Some of the details surrounding the rescue of the FARC Hostages are beginning to come out. News outlets convey slightly different stories, but the general theme is consistent: Colombian intelligence agents tricked the FARC into giving them the hostages (and two leadership personnel).

These two articles are great reads: How the Colombian military tricked Farc and rescued Ingrid Betancourt without a shot(TimesOnline) How Operation Check Mate Worked (WSJ).

A snippet from the Journal article:

Colombia’s army, having infiltrated the FARC’s highest ranks over the past few years, sent coded messages to various guerrilla commanders in recent months that the commanders believed were from the FARC’s highest ruling body, the secretariat.

The messages told them that the hostages were to be transferred to an area where Alfonso Cano, the new FARC leader after the death in March of the FARC’s founder Manuel Marulanda, would be in charge of them. The commanders were told the hostages would be used by Mr. Cano in on-again, off-again negotiations with the government.

Since the guerrilla group doesn’t have helicopters of their own, the hostages were to be transferred to Mr. Cano on helicopters used by a sympathetic non-governmental organization. The organization, in fact, didn’t exist and was really the Colombian military. To avoid arousing suspicion of the local FARC commanders that held the hostages, the military told them that two FARC commanders would accompany the hostages during the transfer.

I continue to be amused by the misplaced notion that users can somehow be trained to avoid phishing scams. Over the last few months I’ve come across several studies that continue to reinforce this belief:

Users click on an ad Promising a Virus

I’m not sure if I could write a spammier ad. Didier Stevens ran this ad on Google. 409 people at a CTR of 0.16% clicked on the ad. I shudder to think what would have happened if he ad sent an email or spent time optimizing his ad text.

I wonder if Google considers these clicks click fraud?

SiteKey Useless Against Phishing - Users give up Password without Image
I have always been a vocal critic of the image-based authentication systems. The idea is that every user sees a custom image once they enter their username. If they don’t see the image, they are not supposed to enter their password.

Well, a recent MIT/Harvard study showed that 97% of users gave up their password if the image was missing. Read the full article at the NYTimes (reg required). Great, nothing like false security.

See ING Direct’s login screen below for an example of the SiteKey system in action.

Man in the Middle attack against SiteKey
OK, so we’ve already seen the RSA’s SiteKey is mostly useless if an image is missing. However, researchers have also demonstrated that it is possible for a phishing attack to show you the image, therefore completely mimicking the website.

It is kind of brain-dead obvious, but the basic principle is that all logins require a user to enter information. So, a phisher is able to replicate the entire experience:

1. User enters username on phishing site
2. Phisher enters username on banking site
3. Phisher sees image/phrase/whatever
4. Phisher presents image to user on phishing site
5. User enters password on phishing site
6. Phisher logs in to banking site
7. Phase 3: Profit

The geeks of the world often associate The Onion Router (Tor) with dissidents in oppressive regimes (read this slashdot thread for a few choice examples). Tor provides plenty of anonymity benefits, however hiding from Internet monitors in an oppressive regime is not one of them.

The Tor network consists of a network of anonymizing servers. A user install some software on their machine that establishes an encrypted connection with one of these servers (the entry server). The entry server then connects with a second server, which then connects with a third server. This third server (exit server), then makes an unencrypted connection with the target website. This path changes every 10 minutes or so, making it difficult for someone to figure out which websites you were looking at. A diagram from EFF’s website is below.

A Chinese dissident might use Tor to:

• Host a website (saying all sorts of bad things about the government)
• Visit a Chinese website (probably of another dissident)
• Visit a foreign website (like a search engine that doesn’t filter)

To understand why a dissident would be vulnerable let’s add Chinese monitors to our diagram:

Tor is exploitable because needs to publish the Tor nodes users can contact Tor. That means every Tor server is public, and therefore a monitor can determine if a user is connected to Tor. Let’s reexamine the three use cases again and describe how they can be exploited.

• Host a website. A monitor can see the traffic going back and forth between a user and Tor. If the user is hosting a website, the majority of the traffic would come out from the user into Tor. The monitor can measure this and determine that a website is being hosted (or other content is being distributed). The IP address is visible and before long, the Chinese authorities are knocking on your door.
• Visit a Chinese website. This time, monitors can see traffic coming from the user to Tor AND traffic coming from Tor to the website. Various attacks based on the timing of packets have been proven to allow association of the user with the website he’s watching - essentially the anonymity of Tor has been completely removed.
• Visit a foreign website. This is the ‘safest’ of the three activities. The Chinese authorities only know that you’re using Tor to browse the web - they can’t figure out what you’re looking at. However, the number of people using Tor is quite small (I’ve seen estimates around 10,000). In a country of 100 million Internet users and where surveillance dragnetting isn’t illegal, you’ve just made the shortlist to be studied further.

The only thing worse than “no security” is “perceived but flawed security”. If you believe someone is watching you, you’ll dress nicely. If you think you’re invisible, well, why bother with clothes?

To their credit, the EFF does not claim that Tor would help dissidents and has a great discussion on changes that it might make to support them. Even the wikipedia article (moderated by EFF contributors) is careful to draw the line short of helping dissidents. I just hope the dissidents reading slashdot are able to draw the same distinctions.

A summary is at Security Pro News and the source paper can be found here(pdf), but the exploit is a simple one:

• User visits website with malicious javascript
• Javascript changes DNS settings on routers with default passwords
• Hacker now owns the user’s Internet experience

Obviously, this is an easy hack to prevent, but how many users change their default password on their router? I occasionally check this when I see a ‘linksys’ or ‘netgear’ network. Unfortunately, if the network name is still the same so is the password 90% of the time.

The fascinating thing is that this change could be undetectable to the user. They could see a normal browsing experience, all while the hacker is attaching affiliate codes to links, or sending the user to the occasional spoofed phishing site.

Slashdot picked up an FCW article on coordinated Chinese hacking.

The full article is worth a read, but here are a few standout quotes:

Attacks coming from China, probably with government support, far outstrip other attackers in terms of volume, proficiency and sophistication, said a senior Netwarcom official, who spoke to reporters on background Feb 12. The conflict has reached the level of a campaign-style, force-on-force engagement, he said.

and

Current U.S. cyber warfare strategy is dysfunctional, said Gen. James Cartwright, commander of the Strategic Command (Stratcom), in a speech at the Air Warfare Symposium in Orlando, Fla., last week.

Although the level of discourse at Slashdot is not always the highest, I was disappointed that this audience did not appreciate fully appreciate the problem. Many indicated that they didn’t believe there was a problem.

So, if Slashdot readers can’t grasp the threat how can we expect politicians to get it?

The weaknesses of our cybersecurity systems are well established - just about every red vs blue penetration test the US runs finds countless flaws. Military leaders are beginning to understand the risks (as evidenced in the article above). However, law, policy and systems continue to lag well behind the capabilities and risks of technology.

Sumit and I contributed to a ‘National Cybersecurity Strategy’ Paper about a year ago that was meant for the White House. We worked on developing the business case for why cybersecurity matters and what the risks look like. The reality is that we haven’t seen a large-scale coordinated attack intended to cripple. The types of threats we’ve seen to date have been much more akin to ‘tests’, ‘training activities’ and intelligence gathering (and all very successful).

There are several problems that the cybersecurity practioners suffer from:

• All of the practioners hide behind email addresses only accessbile on secure netorks and phones with no answering machines. They also aren’t known for being the most social people.
• All “events” are classified and even those leaked to the public end up are said to be bastardized versions of real events: The Invasion of the Chinese Cyberspies (time.com). You can’t convince someone of a problem if you can’t tell them about it.
• We’ve never had a truly crippling attack. The capabilities exist and the vulnerabilities are there. Government policies are notoriously reactive…
• Bastardized priorities. Deep down the chain of command, DOD system admins came to believe it was their mission to filter websites and otherwise hinder the use of the ‘Internets’. This deeply misguided prioritization has alienated most of the rest of the government (who aren’t able to get to their yahoo mail accounts or check their sports scores).

I don’t know what it will take to bring about serious change. It will have to happen at some point - I just hope it is proactive change.

The Air Force runs a portal that all its members can access. It actually aggregates a bunch of really useful information such as pay history (limited to 2-3 months), white pages of personnel, and various personal personnel data and functions. I access it once every 2 months or so.

They make you change your password once every 90 days. Here is their current password policy:

Passwords Must:

• Be a minimum of nine characters in length
• Contain each of the following in the first nine characters:
  • Two Uppercase Letters
  • Two Lowercase Letters
  • Two Special Characters (except ? which is reserved)
  • Two Numeric Characters

Seriously. I’m all in favor of strong passwords, but this is absurd. It would seem like passwords like this are more secure. There are two flaws to this logic:

• Users write them down. No one is going to commit this obscene password combination to memory. They’ll write it down, email to themselves or save it on a file. I’d be willing to bet that you can find stickies with this password on the monitor of a substantial number of personnel. My login procedure now includes all of the reset password steps because I can’t ever remember my password.
• Users will use patterns to remember the password. Once a password gets this complex, users resort to finding patterns on their keyboard. I’m sure 12#$QWert is commonly used. The password just became incredibly easier to solve via brute force.

If your security needs demand this complex of a password, don’t let users choose them. Assign them a password that is randomly generated. You’ll at least reduce the second vulnerability (the more dangerous one).