Is it time for an industry wide MAPP program?

As you might suspect, the bad guys have much better exploit notification than the good guys. While there is no central repository of vulnerability information that is only released to the good guys, Microsoft does an excellent job with early notification of its vulnerability information via its MAPP (Microsoft Active Protections Program). Should there be something similar setup for all security bugs on an industry wide basis?

On the surface it sounds like a great idea. Information about critical bugs like HeartBleed could be shared with trusted and vetted members early before the information was made publicly available and the bad guys could take advantage of it. This gives those trusted members time to fix the problem before the bad guys could develop new attacks and take advantage of the flaws.

This is how MAPP works. Microsoft has very strict guidelines on who can and cannot be included in the program and if you are found to be leaking information before the specified release date you are ejected from the program. Microsoft historically only granted a few days notice to its trusted MAPP partners of the upcoming Patch Tuesday bugs but have recently expanded this length of time to give vendors more time to develop protections for their products before the bad guys can reverse engineer the patches and develop exploits for those bugs.

This all works for Microsoft because they are in control of their information, the number of members in MAPP is kept small and each much conform to strict guidelines to protect the information Microsoft provides. But on an industry-wide scale this model falls apart. A prime example of the chaos that can surround a critical bug disclosure is the mess surrounding the disclosure of the HeartBleed bug. If you look at the timeline composed by the Sidney Morning Herald it is evident that attempting to keep the disclosure process simple and organized on an industry wide level is anything but simple. The process is fraught with non-disclosure agreements, employee leaks and covert secrecy, definitely not a process that should be trusted with critical software vulnerabilities.

The first issue of an industry wide MAPP style program would be who would run it? Is this a task for the US government? What about bugs found outside the United States? How would you keep the NSA or other agencies from attempting to horde a critical flaw and add it to their weapons stockpile? While an independent international third party could run such a program how would it be funded? You could charge a fee to trusted members but then you introduce the possibility of someone buying their way in even though they shouldn’t be trusted. Not to mention the ethical debate that would arise from ‘selling’ vulnerability information.

Then there is the matter of deciding who can be trusted with handling such information early. As with any secret the more people you tell the harder it is to keep secret and as a the heartbleed timeline shows some people may leak information to their friends and employers or bad guys before a public announcement. Membership should be limited to prevent the circle from getting to large but who decides who is in and who isn’t?

Of course all this completely ignores the actions of the rogue researcher who is free to do whatever they want with their research. There is nothing stopping them from publishing such information publicly, telling a small group of people, selling it to the highest bidder or hording it for their own uses and telling no one.

An industry wide MAPP program sounds good at first but due to governance issues, international politics, and of course money, it would be difficult to keep together, keep the information out of the hands of the bad guys, and probably just create way to much drama and infighting inside the industry. Even if you were able to solve all those problems there will still be the one person who decides they don’t want to play by the rules and will do what they want.

Another BIG hack that wasn’t

No time to do a full analysis but the basics are a story out of Israel of a tunnel that was hit by a sophisticated cyber attack that caused a… traffic jam. The story went out on the Associated Press newswire on a Sunday afternoon so by Monday morning it was pretty much everywhere you looked.

The “attack” was supposedly a “classified matter” involving “a Trojan horse attack” that targeted the security camera system in the Carmel Tunnels toll road on Sept. 8. The attack caused an immediate 20-minute lockdown of the roadway and then an eight hour shutdown the next day causing a pretty big traffic jam. Supposedly the attack was the work of “unknown, sophisticated hackers” which were then compared to Anonymous but not sophisticated enough to be nation state funded attackers from Iran.

Even just by reading this it sounds like a run of the mill malware infestation and not some targeted sophisticated state sponsored cyber attack. I mean why would anyone specifically target a tunnel? There is no money there, no intellectual property to be stolen, so unless your goal is to create an isolated traffic jam, whats the point? But there is more. The tunnel operators, CarmelTun, issued a statement saying Nope, no cyber attack here. And blamed the traffic jam on a “an internal component malfunction” and went on to say “this was not a hacker attack.”

@snd_wagenseil @4Dgifts @WeldPond more than one source confirmed.

— Daniel Estrin (@DanielEstrin) October 28, 2013

According to @DanielEstrin whose name is on the byline of the story, more than one source confirmed this Trojan Horse attack story and yet he did not bother to confirm with the people most likely to know, the actual operators of the tunnel.

So we can either believe the unnamed “cybersecurity experts” who warned of a sophisticated “Trojan horse attack” that was compared to Anonymous and was conducted for no monetary gain or intelectual property theft or we can believe the operators of the actual tunnel system itself. Who has more to gain here?

Late Update:
Looks like I am not the only one to think this might not have been a cyber attack.
“Cyberattack Against Israeli Highway System? Maybe Not”

A Psycho Analysis of Jericho

The epic box-o-shit. I don’t know where the tradition started but it has been perfected by Jericho of Attrition.org. Beginning at least five years ago Jericho has boxed up the chotskies, leftover guinea pig fur, random bits of useless tech and whatever else he happened to have laying around and shipped them off to whoever he felt was most deserving, or whoever he felt would make the best victim. I had been waiting in anticipation (actually it was down right fear) until I received what I almost knew was coming, but it never did.

About a year ago I was at a local flea market when I spied at the bottom of a box of random crap a glass squirrel approximately eight inches high. It was depression era pressed glass, speckled with random paint drops, a few chips in the glass and a rather nasty piece of sticky green felt glued to the bottom. Somehow this disgusting piece of glass made me think of Jericho. I figured the squirrel needed a better home than the bottom of some random box full of shit. It needed to become the centerpiece of highly selected box-o-shit. I figured it was time to put my box-o-shit destiny into my own hands, time to tempt fate, time to poke the angry guinea pig with a carrot.

Glass Squirrel

The guy at the flea market wanted $20 for the squirrel with the paint spots, chipped glass and nasty sticky felt on the bottom. Not really sure what he was thinking but I managed to talk him down to $8. I took the squirrel home, scrubbed off the paint drops and the nasty felt. There wasn’t much I could do for the chips in the tail though. By now it didn’t look to bad and I was wondering if maybe I should keep it for myself, that jerk Jericho definitely did not deserve anything half as nice as this.

Instead of using shipping peanuts or those bags of air or even crushed newspapers, I instead grabbed every chotsky, random bits of useless tech and whatever else I happened to have laying around and used that for packing material. Unfortunately I was fresh out of leftover guinea pig fur.

It took Jericho three months before he even acknowledged receiving the box but he eventually wrote it up. And then I waited. I waited for the inevitable retaliation that was sure to come my way. I knew Jericho wouldn’t just let an eight-inch tall glass squirrel arrive unsolicited in the mail and do nothing about it. But I waited, Spring turned to Summer and every trip to the mailbox filled me with more and more dread, when would he strike? When would he put and end to this torture? Why oh why did I ever decide to send that jerk anything at all? I should have kept that squirrel for myself or better yet let it sit and rot in the bottom of that box of random shit at the flea market.

Finally after nearly a year of self imposed torture, of opening the mailbox each day in anticipatory fear, it arrived, a small unassuming brown box. I immediately knew right away what it was and where it was from. On the one hand I was relieved that my torment was over, but I knew I still had to open the box, I still had to pour through the contents of whatever wretched debauchery Jericho’s twisted mind decided to send me. It has taken me a while; months actually, to get up the courage to finally pull back the packing tape to reveal the contents of Jericho’s box-o-shit.

box

What I realized as I went through the contents of the box was that it wasn’t about me, it wasn’t about revenge for a glass squirrel. This box-o-shit and maybe all boxes-o-shit are glimpses into the deranged mind that is Jericho. Perhaps even a desperate cry for help that echoes from the basement he must live in deep inside the Rocky Mountains.

As you can see on the top of the box was a plastic baggy full of multi colored paper with two stick-on eye balls and labeled with the word ‘puzzle’. Obviously this is a symbol of a cracked and fractured psyche symbolized by the many pieces of different color paper cut up into small sizes. Obviously Jericho is crying out for someone to put his poor soul back together again.

open box

Beneath the puzzle was a collection of magazine subscription cards, which at first glance might seem like nothing more than filler for the box. However, after sorting the cards and conducting a frequency analysis on the represented publications it is clear that these cards are yet another look into at the enigma that is Jericho. While it is well known that Jericho is at or below average intelligence he considers himself to be of above average intelligence. This is indicated by the large number of subscription cards to Discover and Science Today magazine. The subscription cards to Men’s Health and Psychology Today indicate that he knows that he has a problem and is looking for some sort of solution, which he hopes to find by reading these magazines. While he considers himself to technologically knowledgeable and therefore reads Wired magazine the fact that he is still subscribing to dead tree publications shows that he is in fact a Luddite. Of course anyone as mentally instable as Jericho will have deep-seated sexual frustrations as indicated by the subscriptions to Penthouse and Maxim, as well as the included Durex condom found elsewhere in the box.

cards

And while we already have enough information to determine that Jericho needs major professional help there is yet more supporting evidence within the box. A collection of Pimm’s Cup and several tequila bottle caps shows his attempts at self-medication through alcohol. The collection of self-promoting stickers shows a predilection to narcissism and the random keys, rocks, candy and fur balls shows just how schizophrenic he actually is. The collection of dinosaurs is obviously a link to his still present infantilism.

tequila

stickers

dino

Unfortunately I only do psycho analysis and perpetrator profiling as a hobby, as such there are still a few items in this box-o-shit that I have been unable to apply towards the subject Jericho. A Honda emblem? A Slinky Jr? An Elevation of privilege card game? And who inside the United States under the age of sixty has a copy of a Susan Boyle CD? (I guess I do now.) I am sure with proper analysis these items will also provide valuable insight into the deranged and demented mind of Jericho.

Susan Boyle

demented yellow squirrel

Beyond Hype

Sometime an article comes along that is just beyond the traditional sort of hype I usually rant about. In other words its just plain wrong. “How They Popped The Penguin: The Bash Attack And What It Means For Linux Data Security” by Michael Venables, which somehow got posted to Forbes, of all places, is one of those rare pieces of…well, I’m even going to call it journalism. There is absolutely no fact checking whatsoever and according to the person interviewed for the article some of the facts are just entirely made up. Instead of me ripping this article apart line by line like I usually do I will instead share with you a list of a few of many many tweets that were posted in response.

“this is the most ridiculous, breathtakingly stupid article I read this year.”

“not even trying to do basic research or reach out to verify facts is failing at doing your one job.”

“I’m afraid I am putting @mpvenables on my bad list of journalists to never talk to. This also affects Forbes rank.”

“how did you guys read that? I got bored around paragraph 2”

“the new journalism: get the twitterverse to fact check, issue a correction later. #clownshoes”

“holy shit, I think I know what we’re submitting to hackin9 next time!”

“L M F A O”

“I’ve not seen a more clueless piece of journalism ever. Pwnie nomination”

“You are kidding right? This is not news.”

“Most retarded security article ever. When you don’t know, stfu ! WTF Forbes ??”

“that article made me want to open a vein. Thanks, @mpvenables.”

“PR person sends me a Bash Attack story on Forbes. I read it. I’m sorry I did. The hacker in me will sit and rage in silence.”

“I feel dumber for having read (half of) that”

“This is a great example of really really bad security journalism. Look upon it and weep.”

“”Dot so Good Anymore: The ‘ls -a’ Tactic and What It Means For Linux Hidden Files” #UpcomingForbesArticles”

“OMG that Forbes article. Facepalm city.”

“BRB OWNING SOME LINUX BOXES WITH A SOPHISTICATED BASH ATTACK”

“Good that Plaestinian hackers did not use the bash attack!”

 

 

UPDATE:
Perhaps a little late but the glorious Tumblr blog @sec_reactions has several posts on this article here, here, here, and here.

Some twitter quotes collected by @quine.

Anatomy of Hype, Take 2

I almost wasn’t going to write about the supposed cyber attack at the New York Times last week as reported by Fox Business because I just haven’t had the time but after the NASDAQ went down today and everyone and their brother started to speculate as to the nature of the ‘technical glitch’ I figured I should throw something together.

In my talk ‘Hackers and Media Hype or Big Hacks That Never Really Happened’ I mention that I see this sort of thing every day. That it is rampant throughout the tech press and often leaches over into traditional media outlets as well. I’ve detailed this sort of thing before as in this blog post ‘Anatomy of Hype’ however this time reporters Matt Egan and Jennifer Booton published their unconfirmed ‘cyber attack’ on the FOX Business website and while FOX takes a lot of shit for their style of nearly tabloid journalism they have a much greater reach than tech news outlets like ZDNet.

So lets see if we can piece together what happened here. At approximately 11:30 on August 14th 2013 the New York Times website went down. And by down I mean down hard, nytimes.com and nytco.com were both throwing up 503 site unavailable errors. Hey, shit happens, sites go down, they get fixed they come back up. As anyone who has ever worked on-call for an IT department will tell you despite backups, failovers and triple redundancies this happens ALL THE TIME.

tweet

By 11:53am, about half hour into the outage the official verified New York Times twitter account cited technical difficulties as the reason for the outage.

At 11:55am Matt Egan Matt Egan (@MattEgan5) and Jennifer Booton (@jbooton) pushed the first version (screenshot) of their story “Source: New York Times Website Hit by Cyber Attack”. Their entire basis for the story was ‘a source close to the matter’. A source they fail to identify. A source as it turns out wasn’t all that close to the matter after all.

By 12:31am, internal New York Times employees start referencing an internal email that cites a malfunctioning system patch as the cause for the outage. While Microsoft’s Patch Tuesday was the day before, which may or may not have been the cause of the outage, it made much more sense than a cyber attack.

At 12:47pm, a little over an hour into the outage the New York Times Official twitter account finally offers up an explanation citing a ‘server issue’.

In the face of all this new evidence did FOX Business pull the erroneous story about a cyber attack? Did Matt Egan and Jennifer Booton update their story to reflect the new information?

Well, they did update their story (screenshot), put they updated it with quotes that make it sound like there was still some sort of cyber attack, quotes that are obviously of a hypothetical nature. Quotes that appear to be taken completely out of context but which support the original erroneous hypothesis of a cyber attack.

One of the people who was quoted in the article said afterwards that the reporters came to him saying that they had already confirmed the cyber attack which was the only reason he agreed to speak with them. I have to ask, where was the confirmation? I have never been to journalism school but I suspect that Matt Egan and Jennifer Booton must have slept through the class on confirmation. I always thought you needed two independent sources to confirm a story. A lone ‘source close to the matter’ does not count as confirmation. Where were the FOX Business editors that reviewed this tripe before it was posted to the FOX Business website?

As I did with ZDNet I call on FOX Business to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether. Leaving a story such as this to fester on their website reflects poorly not just on FOX Business Matt Egan and Jennifer Booton but on the InfoSec industry as a whole, not to mention the damage that it is doing to the New York Times.

The excuse that it fast breaking new story does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. FOX Business has updated this story, several times, but the information is entirely skewed to support the original erroneous hypothesis.

So how about FOX, Matt, and Jennifer, can you take the high road and report the facts or do you prefer to wallow in the muck of fear, uncertainty, and doubt?

Update: Dave Lewis at CSO Magazine has also blogged about this story.

Fitness and Discipline for Cyber Warriors

“More PT Drill Sergeant, more PT! We like it, We love it, We want more of it!”

There is a basic tenant in most of the worlds military forces that regardless of what your actual job or rank is, whether you are a private or a General, whether you are a cook, clerk, or mechanic, below everything, at the very core of your existence you are nothing but a gravel crunching, ground pounding infantry soldier (11B). Or as an old Colonel once told me, the poor slob in the kill zone. (Thank you, Sir!)

As part of the basic core existence in your nations military all soldiers, airmen, and sailors are required to be able to perform a basic set of tasks. Things like knowledge of how to wear your countries uniform, the ability to maintain and operate a firearm, how to use protective equipment such as a gas mask, and above all the ability to give and follow orders. But these items are more than just basic knowledge and rout tasks, it comes down to discipline, self-discipline mostly, that quality of doing what needs to be done without needing to be told or even wanting to do it.

This is what basic training is for, an intense six or maybe ten week training regimen that not only teaches all soldiers basic tasks like how to operate their firearm or shine their boots but also self discipline, the ability to continue doing your job under stressful and adverse conditions. This being the military, lives literally depend on that basic skill. It is discipline alone that is more important than any other trait or skill taught during that introductory basic training course of the worlds militaries.

The only way to teach discipline is to place an individual under stress and at the same time ensure that they can complete required tasks. The easiest way to place an individual under stress without placing them in a potentially hazardous situation is through physical activity. This is one of the reasons why most of the world’s militaries have minimum requirements of physical fitness. Things like a set time and distance for running, a minimum number of pushups or sit-ups. This ensures a minimum level of fitness for all soldiers and helps to ensure basic levels of self-discipline. These basic requirements apply to all soldiers, private or General, cook or mechanic.

There are a few military job specialties that are harder to recruit for than others. Explosive Ordnance Disposal (89D) comes to mind, and there often incentives offered for new recruits to choose one job over another, often these incentives are monetary in the form of signing bonuses or hazardous duty pay. By and large however serving in the military is its own reward for most people for whatever personal reason they have, whether it is monetary compensation, future educational opportunities, patriotism, or in some cases they just like guns.

Recently a new military occupation has evidently become exceeding difficult to recruit for, that of the mythical ‘cyber warrior’ (25B, 35N, 35Q). Militaries around the world are complaining that they just can’t get enough people to fill the jobs they have available for any ‘cyber’ type position. As a way to incentivize new recruits there has been consistent talk that reoccurs every few months of dropping the physical fitness requirements for soldiers, airmen and sailors involved in ‘cyber’ activities. This is a colossally bad idea. Such an action would greatly impact morale of the entire military, will do nothing to increase recruitment numbers for these specialties and draws on an unfounded stereotype of those people who have traditionally been called ‘hackers’.

To create a special class of soldiers that are exempt from minimum fitness requirements will create resentment among other non-exempt units. It will also cause those who are exempt to suffer from issues of elitism and they will feel that they are no longer part of the basic military or required to abide by its rules. With the lack of discipline that will come with the removal of a physical fitness requirement this increase in elitism and individuality in a military setting could prove deadly.

The physical requirements and training aspects of military service are seldom a reason why someone who is interested in joining the military finally decides not to join. On the contrary, there are many examples of people who join the military specifically for the physical aspect that service requires. In fact in my own experience there were two people in my basic training unit who said the primary reason they joined the service was to lose weight, they said that nothing else worked for them and that they hoped the discipline they would learn and the physical exercise would finally accomplish what they could not do on their own.

Claiming that the only people who are qualified or want to do ‘cyber’ jobs in the military are only people who are not interested in physical activity plays on the age-old stereotype of ‘hackers’ who live in their parents basement eating nothing but pizza. Obviously the politicians and Generals who are advocating this no physical fitness requirement for ‘cyber’ operatives have no idea who it is they are trying to recruit anyway. Take a look around at any security industry or hacker conference, sure there are some obviously overweight and out of shape people in attendance but I would be willing to wager that the percentage of people who are somewhat physically fit would be far greater than the regular population.

If the militaries of the world are having problems in recruiting for ‘cyber’ specialties finding the proper incentives to increase recruitment in those areas is critical. As the world ramps up its electronic warfare capabilities being short handed at a precarious time would obviously be ill advised. However, dropping the physical fitness requirement for these soldiers, airmen and sailors is not going to increase their recruitment and retention levels and could potentially damage the effectiveness of the entire military through resentment and lowered morale. The politicians, military analysts and officers who advocate such a major change in military policies are obviously ignorant of not only who it is they are trying to recruit but the basic core of how todays modern military actually works.

MarineTimes_cover2013.03

Say Cyber Again.

I don’t think this will stay on YouTube very long I got an instant DMCA take down notice as soon as it was uploaded. I filed a dispute but we all know how those go so watch it now while you can.

Then They Came For Me…

First they came for Jackson,
and I didn’t speak out because I didn’t play D&D.

Then they came for Neidorf,
and I didn’t speak out because I trusted the phone company.

Then they came for Mitnick,
and I didn’t speak out because I thought the government was telling the truth.

Then they came for Watt,
and I didn’t speak up because I believed the prosecution.

Then they came for Swartz,
and I didn’t speak out because I never used JSTOR.

Then they came for me,
and there was no one left to speak for me.

Anatomy of Hype

Lets see if I can break this down chronologically.

On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.

This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data which contained much more than just names and addresses. 2. How exactly was the data copied and 3. If there was no breach why were the authorities involved?

On Friday December 21st a twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’ Exclusive: Hacker nabs 3m Verizon customer records (title has since been changed) covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.

With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay for download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.

I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.

After attempting to get a response from @TibitXimer via twitter to confirm this new information his twitter account, pastebin link and download link all quickly disappeared.

By Saturday December 22nd Forbes writes an article Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.

On Sunday December 23rd The Next Web seems to put all the pieces together After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm and examines the
Verizon statement, the now disappeared @TibitXimer twitter feed and the statements from security professionals on the veracity of the data.

It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breech.

I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this, if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.

I shouldn’t be surprised at this as ZDnet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story hasn’t responded to my tweets asking for an update. He to has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.

While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.

The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.

I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.

For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.

LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published Fool us once, shame on you. Fool us twice, we implement policies!