Cyber War

As I write this we are seeing daily reports of hacking and break-ins to commercial and defense enterprises world wide:

• Sony network down for over three weeks with customer passwords, emails and credit card information information stolen.
• Anti-bank Trojans stealing millions of dollars from customers’ bank accounts in Brazil.
• Oakridge National Laboratory was the target of a spear-phishing attack that only compromised a few megabytes of data before it was stopped.
• Millions of dollars being stolen from cell phone users in China by viruses infecting smart cell phones.
• The Stuxnet worm infects Iran’s nuclear program.

But it seems we are not doing a set of straight forward things that we can do to prepare for and mitigate the impact that cyber war is having on this country. We can start with some simple and comparatively inexpensive steps.

A Process

First of all, what is the process that we should follow?

1. Identify the threats.
2. Settle on a policy and do “minimal” legislation to allow us to act.
3. Identify funding sources.
4. Build a small team to act on the policy.
5. Use benign attacks to test without warning.
6. Harden US defense and commercial targets against attack.
7. Share the policy with our allies.

Here are each of these steps in more detail.

Identify the Threats

This will be a short process. There is no problem coming up with a large pile of documentation about the threats to National Security and Commercial interests in this country. This should take the White House Cyber Czar about 10 minutes because there is no doubt that he already has this document prepared.

Settle on a policy and do “minimal” legislation to allow us to act.

I suggest that the policy should be that:

The a new team for Cyber War Defense is given new powers to attack – in a non-destructive way – the commercial and defense interests of the US to assess the threats and to cause the parties to close the holes that are found.

Legislation Required

This process probably requires legislation so that the process is not illegal.

They are not authorized to steal anything to destroy data, only to demonstrate that this could have happened by actually doing a break-in.

The legislation should not and need not give law enforcement any broad powers of search, seizure or traffic sniffing beyond what they already have.

The legislation should require that companies promptly fix problems found in key software. Currently some bugs remain in the wild for many weeks or months before they are fixed.

Legislation should also require that best practices be followed by all commercial and national defense agencies. The best practices themselves are not in the legislation but are developed by a small non-political and fast moving panel of experts.

Best Practices

The legislation identifies a small panel of technical experts that built a standard of best practices. This is not a political document, but a technical standards document. It is free to reference other works rather than incorporate them since there are many sources of best practices available.

These practices need to include standards for the modernization of computer hardware and software as well as the operating procedures of employees and IT departments. It is unreasonable for many large companies to still be using Windows XP and Microsoft Internet Explorer 6 in this day of high threat attacks.

I have recently heard pundits expounding on the spear-phishing attack at Oakridge with the suggestion that training should be employed, with drills, to train people to avoid clicking on emails. Apparently the attack at Oakridge was mounted by sending emails to employees that appeared to have come from Human Resources and that stated that all employees must update their health insurance information. It seems clear that a national laboratory should have a firewall that prevents outgoing links from bringing back any software that will be installed on computers. Training might be well and good, but something more robust is possible and called for in this case, and maybe for all organizations that have anything to lose from a cyber attack. Don’t depend on people when a machine can perform the function. More later about best practices.

Identify funding sources.

Just as the FDA certain powers over commercial interests that sell contaminated food, or drugs, this legislation should give the Cyber War Defense team the power to access consulting fees that will fund this organization. The fees are set based the commercial rate for such consulting, and on the hours to mount the attack plus the hours for the Outreach Team to work with the company to close the breach found and bring the company up to the best practices standard. Only companies where the attack succeeds are charged.

Government organizations pay the going rate for inta-government consulting.

Build a small team to act on the policy.

A small team of 20-50 people is enough to built attacking tools and test the commercial and defense organizations in the country.

The team is organized as follows:

1. A subgroup to identify existing tools and build new tools to aid in mounting attacks.Tools like Metaspoit and other hacking tools form a basis of attacking and threat management tools.
2. Exploit identification team uses state of the art techniques to identify exploits to be incorporated into the tools and used by the other groups. This process includes active testing of popular browsers, flash, pdf and web server software on all platforms to identify bad file formats and other attacks that cause crashes or other behavior that can be exploited for attacks. This is what the cyber attackers do constantly, we need to be better than they are, at what they are doing.
3. Commercial sub-team with expertise in attacking banks, game companies and other commercial interests.
4. Defense sub-team with expertise in attacking defense installations and national laboratories.
5. Utilities sub-team with expertise in attacking water, power, nuclear installations and other infra-structure targets.
6. Outreach team whose job it is to liaison with the exploited enterprise to harden their installation based on the threats exposed, and the best practices identified.

Use benign attacks to test without warning.

The teams above attack the high value targets without warning and when they succeed, the Outreach team notifies the enterprise to quickly fix the problem. No prior notification is required for a company to be tested. DDoS [Distributed Denial of Service] attacks are not typically used for these attacks unless it is shown that a brief DDoS attack will open another vulnerability that cannot be opened in other ways.

The attacks and their results are held in confidence by the Cyber War team. No mention is made of success or failure of any tested organization.

Best practices are used in notifying companies of problems in commercial or open source software. Typically this means that the authors / sellers of the software are notified in private and given ample time to provide a patch before any public mention is made of the vulnerability.

Harden US defense and commercial targets against attack.

Wash, Rinse, Repeat.

By executing the above process continually, and prioritizing the organizations targeted with the benign attacks, the entire country can be quickly brought up to a state of Cyber-War-Readiness.

Share the policy with our allies.

It seems clear that we should share our policy, our tools and our best practices with our allies.

Except for exploits found that others do not yet know about, and the results of attack testing on US targets, it is not clear that any of the tools or methods or information need be secret.

Some Best Practices

Attack surfaces are the places where attacks can occur. The number of instances in an organization, the rate of usage and complexity of a surface, such as Flash, or Windows XP gives a measure of the Area of the surface. The number of exploits reported / fixed per month or per year gives also gives a measure of the Area of the surface.

• Unified Threat Management Software [UTM] at the perimeter of an organization should be employed to filter the outside world from attacking an organization. The UTM should be running on an embedded or Linux OS rather than Windows to eliminate a Windows attack surface from the UTM.
• Eliminate Flash / PDF – Flash and PDF form a large and frequent attack surface. While the browser and email programs used to be the preferred attack point, it is now Flash and PDF files. Every week or month more bugs are found and updates are required. While updating is advised, a “hardened” organization should simply eliminate Flash and PDF files from unknown sources. The UTM can filter out all Flash/UTM from the outside world and replace it with blank images of the appropriate size, or a PDF file that states the policy.
• No downloading via links. With centrally managed IT resources, no company should allow users to install anything themselves on their computers. Again UTM can assure that no programs from outside can be installed, and this includes Browser plugins.
• Eliminate use of Java. Java via the browser can form an attack surface. This surface is probably not far behind Flash and PDF in frequency of use.
• Reduce the number of file formats. Willingness to receive various levels of DOC, Power Point, and other file formats from others is an invitation to break-in. Reduce the number of formats and secure their transmission. Eliminate email as a transmission method wherever possible.
• Smarter Image Scanning can eliminate JPG/ PNG / GIF etc as an attack surface. Modern browsers can process a large number of image types, and the more types, the more vulnerable the browser is to attack. A smart proxy server in the UTM can eliminate many of those types by translating the images and in doing so can process the image so that it is assured there is no hidden payload. If an image is converted from GIF > PNG, then it is clear that no payload will survive. Only JPG / PNG should be supported and UTM should translate everything else and fix up the web page references to reference the correct translated image. This will eliminate images as an attack surface.
• Cross Site Scripting and other Cross Site attacks can be eliminated by the UTM proxy disallowing certain references that might compromise the site or the browser.

Longer Term

Currently, virus detection is performed by looking for signatures of known virus variant. Some viruses can modify themselves, much as HIV-AIDS virus does, to avoid detection. It seems clear that a new non-signature method of detection is required.

As mentioned in the above point on image scanning, it is possible to detect virus payloads in images by processing the image in some way that only a valid image would survive. This type of processing is also possible for PDF files, where a file could be scanned looking for embedded features such as form-scripts and embedded media – images or flash- that form the attack.

By using the UTM to remove advanced features from some files – Flash, PDF and others – the organization is protected from attacks on the surfaces provided by those advanced features.

What’s Happening?

Maybe these things are quietly happening behind the scenes while we are annoyed by noise from the likes of the “Protect IP” legislation which is an effort of big companies like Sony to protect a questionable amount of revenue from lost sales. It seems they have lost more money recently due to to their own cost cutting in their IT departments by not having appropriate security measures than they can hope to gain by any “Protect IP”, and meanwhile we are all less Cyber-Secure.

-ww

1. Vista is the currently shipping OS and x64 is the “Ultimate” expression of that OS.
2. Vista x64 is the second generation of x64 OSs, so it is hardly brand-new and the requirements for supporting the system are well known
3. Most medium to high end systems are x64 capable.
4. Most high end system support as much as 4GB of memory.
5. One can only make use of 4GB of memory with an x64 edition OS. With an x86 edition one only can address 2.7 or 3.5GB of memory depending on the hardware available. See this Alienware Support post.

Disclaimer: I do not have any financial interest in any of these products or Microsoft. I have an Vista x64 system, so I do have an interest in products supporting that platform. All trademarks are the property of their respective owners.

Note: I find the Vista x64 system to be very reliable and usable. While I agree that it is not a large upgrade from Win-XP, I have no interest in going back, and I’m not annoyed by “Account Control” popups, but prefer running with Account Control Enabled.

No support for the Fingerprint Reader on Vista x64

How hard could this be? Recompile the code. Vista is touted as the end all and be all for modern security in operating systems but they don’t support their own biometric security device on Vista x64? How lame is that??

OEM Licenses Don’t Include Media or X64 Editions.
When you purchase Windows Vista Ultimate with a system:

1. You don’t get certified media from Microsoft. But instead you get a lame backup disk, or the ability to backup your own system disk to your own media. How lame is that?
2. You don’t get the x64 edition. If you want x64 you have to pay an additional $300 for a brand new license. Are they really trying to make more money with x64 for bleeding edge desktops?

Why isn’t Microsoft trying to encourage adoption of x64 edition for high end systems?. After all, isn’t Max OSX running in x64 on every system that supports it? Linux does automatically doesn’t it? Hey, I’d run Linux if most of the dozens of applications that I use would run on it. Why is Microsoft holding back with x64? Don’t they have it working yet? Seems perfectly stable to me… Time to pony up and support it, Microsoft.

Alienware appears because they are suppliers of the bleeding edge of computing. Where do they get off not supporting the bleeding edge of Windows OSs. There are several problems with their attitude:

1. They silently let you buy a 4GB system with no warning that not all the memory will be supported by the OS they ship. You order 4GB and you get to use 2.7GB because they only support Vista x86 edition.
2. They refuse to support the x64 edition on their systems even though the vast majority of the systems are x64 capable. And by the way they act in all other ways like a bleeding edge system provider.
3. They provide the lame OEM licensed version of the software so you don’t get x64 media or indeed any media for the OS from Microsoft.
4. Their hardware editions, like AlienFX lighting, does not have Vista x64 drivers. Glad I set up my lighting before I installed x64…

The trial for Corel Photo Album 6 installs a driver which is not signed. It’s a codec from Sonic I think. So there is a warning about the driver not being signed. But the install continues anyway and you are lead to believe that the system has taken care of the problem. Only the driver is in fact installed anyway.
Now you are hosed…. The system refused to boot because Vista refuses to boot with any unsigned drivers.

How lame is that?? What I mean is that both Vista was willing to install an unsigned driver, causing a boot failure, and that Corel didn’t test on x64 and so didn’t find the problem.

BTW, to recover, you have to boot your original CD media and then “Recover the system”. At least when you have done that, you don’t lose anything.

Adobe Reader 8.1 Breaks

Adobe reader 8.1.x cannot resize the window. Actually the window resizes, but the window content does not resize either. Not sure whether this is Vista – how could it be?? – or Vista x64? Releases since I first ran this on x64 back in May 2007 have had this problem.

Several Adobe products that I wanted to upgrade, like Adobe Premier, do not run on x64.

These are the notable products that do not run on Vista x64. I will do another post with a compact list of all the products that I’m using on Vista x64.

- windy

To security their specifications, Widgets Inc needs to create a private key, a self signed certificate, and then sign their WidgetsSpecs.xml files with the private key. Only the self signed certificate is passed to the application in the field and it is provided in a secure way so that it cannot be compromised. Once this is done then the software application can verify that the WidgetsSpecs.xml files are authentic.

1. Widgets Inc creates a Certificate Authority, using OpenSSL, and a private key of say, 2048 bits so that it is highly secure. 2048 bits of RSA key are the normal suggested strength for computing today. This process of creating a Private Key and Self Signed Certificate is outlined here and will not be covered in detail in this tutorial. The result is this is a private file called WidgetsInc.key which is the private key and will be protected in a very secure manner by Widgets Inc. and the WidgetsCert.crt which is the self-signed certificate which is public and need not be secured.
2. Once these are created, then the WIdgetsSpecs.xml file is created with some extra wrappers to contain the signature. There is an example below.
3. At the Widgets Inc company, in a secure place, the WidgetsSpecs.xml file is signed using the WidgetsInc.key file. This adds a digest or hash value to the xml file which can only be verified with the correct public key from the certificate.
4. When the WidgetsFactory application was built, the WidgetsCert.crt certificate was included with the application in a way so that it could not be compromised. If this crt file can be replaced by a hacker, then any signed XML file can be substituted. There are several ways to secure the crt file: (1) embed the file in the program itself rather than just placing the file on the disk where it can be changed. (2) In addition, embed a hash function of the crt file in the program so that the program can find out if the file has been tampered with.
5. Each time the WidgetsFactory application starts up, it reads the WidgetsSpec.xml file and verifies the signature using the valid crt file. If the CRT file does not pass the hash checks, or the signature does not pass, the WidgetFactory application refuses to make widgets.

Cautions and Caveats
Widgets Inc could decide to spend the money on a trusted certificate from a company like Verisign for this purpose. But these certificates cost money and they expire. When creating a Self-Signed certificate there are no costs and the expiration date can be set to 5 years, if desired.

The private key is protected at Widgets Inc and is not embedded or distributed with the Widget Factory application.

Example Files

These examples were taken in part from the XML Security Library site.

Template File including the Settings to be signed.

Signed XML File

Using xmlsec1 to Sign and Verify the XML files.

darrell@squall-ubuntu:~/code/xmlsigntest$ xmlsec1 --sign --privkey-pem ca.key --output WidgetsSpecs-signed.xml WidgetsSpecs-Template.xml
darrell@squall-ubuntu:~/code/xmlsigntest$ xmlsec1 --verify --pubkey-cert-pem wwcdd.crt WidgetsSpecs-signed.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
darrell@squall-ubuntu:~/code/xmlsigntest$


To examine all the files in the example, download widgetsexample.zip.

Some observations:

• This example was performed using Ubuntu 7.10, where xmlsec1 and the other software required is easily installed.
• The software is easily ported to Windows and the libraries have been ported to Windows by Zlatkovic.

  Enjoy,
  ww

  ]]> http://www.windyweather.net/wp/2008/02/06/xml-signatures-to-protect-settings-files/feed/ 0 http://www.windyweather.net/wp/2008/02/04/xmlsec-libs-with-vs-2005/ http://www.windyweather.net/wp/2008/02/04/xmlsec-libs-with-vs-2005/#comments Mon, 04 Feb 2008 21:52:55 +0000 Darrell http://www.windyweather.net/wp/2008/02/04/xmlsec-libs-with-vs-2005/ Trying to build an XML Signing application using the XMLSecurity Library.
  Using Visual Studio 2005, and Windows Forms.
  And also eventually Ubuntu 7.10 with KDEV. [not started yet]
  
  Got the libraries for Windows from Zlatkovic who has done an excellent job assembling all the libraries for Windows using VS 2003.

  I have laid out the folders like this:
  

  As a test, I started with a CLR [.Net] based console application and included all the libraries as statically linked. Then I tried to run the sample code and got the following error. Since Zlatkovic did not provide the sources, I cannot debug this directly.

  C:\Code\XML_SignTest\release>XML_Signtest sign1-tmpl.xml ca.key > sign1-res.xml
Arguments Dummyargument
Arguments sign1-tmpl.xml
Arguments ca.key
XML_Sign - found start node
XML_Sign - Created Signature Context
XML_Sign - Loaded Key
XML_Sign - key name is set
func=xmlSecDSigCtxProcessSignatureNode:file=..\src\xmldsig.c:line=465:obj=unknow
n:subj=dsigCtx->c14nMethod == NULL:error=100:assertion:
func=xmlSecDSigCtxSign:file=..\src\xmldsig.c:line=303:obj=unknown:subj=xmlSecDSi
gCtxSigantureProcessNode:error=1:xmlsec library function failed:
Error: signature failed


  1. Perhaps this is a problem with incompatibilities with VS 2005, VS 2003, or
  2. Perhaps this is another problem with how I have included the libraries.

  I see a couple of ways that I can proceed:

  1. Get the sources from Zlatkovic and build them again debug after converting the projects to VS2005. Also provide him with the VS2005 projects after I have them working.
  2. Start again with the sources of the projects, and build the VS2005 projects for them.

  Here you can find a ZIP of the complete VS2005 test project including the key, certificate and test samples I used. This is a 3.5MB download and some large files have been removed [ncb, pch], but these can be recreated with a rebuild.

  Please contact me by email if you have any thoughts.

  Thanks very much,
  Windy

  ]]> http://www.windyweather.net/wp/2008/02/04/xmlsec-libs-with-vs-2005/feed/ 0 http://www.windyweather.net/wp/2006/12/25/secure-email-setup/ http://www.windyweather.net/wp/2006/12/25/secure-email-setup/#comments Tue, 26 Dec 2006 02:11:06 +0000 Darrell http://www.windyweather.net/wp/2006/12/25/secure-email-setup/ This tutorial shows you how to set up Secure Email using Outlook Express and a free Digital ID or certificate.
  

  I’m going to assume you are using Outlook Express but other programs probably have similar steps.

  I have not investigated using web email clients [web pages directly on Yahoo or Gmail] to accomplish this. I am not aware that they support secure email.

  Setup Your Email Accounts
  First of all, make sure that you have outlook express set up for your one or more email addresses that you want to use and that you have tested them. You can send email from one account to another to test them. During this process you will need to receive multiple email messages from the certificate authority, so your email will need to be working.

  Also you will need to be using MSIE, not Firefox or another browser for this process. This is because Outlook Express and MSIE are in cahoots and share knowledge about how to manage certificates. Those built for Firefox will work only for the Netscape or Mozilla Email program. So run MSIE and go to the following Thawte link.

  Sign up at Thawte
  You can get Free Email Certificates for personal use from Thawte.com. There are other authorities, but I’m using Thawte as an example. No endorsement is intended.

  Click JOIN and then fill out the form, select a password and enter your personal information for the certificates. You will need to receive an email for the email address you entered and transfer some data from that email to a web page to authenticate yourself. Once that is done you are “official” joined up at Thawte. Now you can go to the account page and add more email addresses if you want to. You can also do this at any time in the future.

  Request a Certificate
  After you sign up, choose the certificates page, and then click on Request Certificate.
  

  This will take you to a small window where you will go through the process. If you set up more than one Email address in your account, you will get to choose which email address the certificate applies to. You will need a separate certificate for each email address you have or want to use securely.

  The process is straight forward until you get to the following page. Do not click on the Configure Button unless you know what you are doing. ACCEPT is the right choice here. The certificate will work for all email activities.

  

  After a few more pages you will come to this screen. This is the actual step where a certificate is created.
  

  When you click here you will then go through a screen and a dialog box will popup asking if you want to install the certificate. Click OK. But this is not the end of the process. The certificate has been handed to MSIE / Outlook Express, but it cannot yet be used.

  Check Your Email
  You should have received an email message talking about the certificate. You will need to read that email and this will automatically enable the certificate for you at Thawte. If a box pops up talking about a read request then click OK.

  Install your Certificate
  The certificate is created, but not yet actually installed in MSIE, in spite of what MSIE has said. Go to the certificate status page that looks like this:

  

  Now you need to click on the MSIE link to go to the page to fetch the certificate:
  
  The fetch button is the red button at the bottom of the page. Click on the fetch button and click ok on any dialog that appears and your certificate is installed in MSIE.

  Now Set up your Digital ID in Outlook Express
  In Outlook Express, choose Tools >> Accounts… then Properties… for the account that you have a certificate for. Now choose the Security Tab and you will see something like this:
  

  Choose the same certificate you just created by choosing Select… for both the signing and encryption certificate. 3DES is the correct default to use for the encryption.

  Sending Encrypted Email
  To send encrypted email, first you need to send a Signed Message.

  

  The Sign and Encrypt email buttons are under the cursor arrow on the image above. To begin sending encrypted email, you should each exchange digitally signed messages. Once you have received these digitally signed messages you can each send encrypted email.

  Things should work now to send encrypted email.

  ]]> http://www.windyweather.net/wp/2006/12/25/secure-email-setup/feed/ 0