2021 To See More Successful Security Attacks

In 2021 more successful security attacks and compromises will be encountered, with many high-profile organisations in multiple sectors falling on their own sword of insecurity, and thus paying the price of a reactive style of supposed security posture. Sadly, 2021 will not be the year we see real steps taken toward Cyber Resilience – but it will be the year in which we finally see a more serious mindset toward addressing cyber insecurity with a proactive security posture.

Developed back in the 1830s and 1840s by Samuel Morse and other collaborating inventors, the telegraph revolutionised long-distance communication. It worked by transmitting electrical signals over a wire laid between stations, and changed the nature of communications forever – in fact it was commented by one authority:

“The new technologies will bring every individual into immediate and effortless communication with every other, and will practically obliterate political geography, and make free trade universal. Thanks to technological advance, there are no longer any foreigners, and we can look forward to the gradual adoption of a common language.”

Powerful words, linked to positive aspiration. However, stepping forward to the invention of the World Wide Web by Sir Timothy John Berners-Lee, not only may we track our all-encompassing technological progress, but equally may note that the outcomes have not always been so positive, with the advent of cyber insecurity.

From the Genesis period of the Internet Revolution there was always a very real concern that such a multi-faceted world of interconnectivity should dictate a very firm need for security in the uncontrolled space of the World Wide Web (WWW) – it did not. In fact such early concerns were around the area of the Internet naming and numbering authority – or, to put it bluntly, the root authority. In that era, Jon Postel was, like many are today, fighting to prove the dangers of lacklustre controls, and on 28 January 1998 decided to take action: he took control, sidestepped Network Solutions and demonstrated that he could transfer root authority whenever he chose to – this made those in control sit up and take note.

So just what has the history of the Internet got to do with the WWW today? The answer is that the simple concerns Jon Postel raised early on are now magnified to an unprecedented level by complex interwoven connectivity, with potentially millions of domains across the world being maintained in a vulnerable and exposed profile.

Along the path to exploiting what is referred to as the Super Highway, many global organisations and governments have embraced this easy-to-empower technology to their own singular advantage. However, as this eager embrace grew, it would seem that in the majority of cases those who were chasing the benefits of the Internet were unaware of the Genie of Insecurity which was gradually creeping from the lamp and entering their domains.

As of 2020 there are around 2 billion websites running on the net, so just imagine if 10% are insecure – that amounts to 200,000,000. However, based on what has been discovered from a number of sample surveys conducted with WHITETHORN SHIELD, that number would seem to be very much on the low side – with 25% being a more realistic percentage, the resulting number of insecure sites is far from insignificant.

What really changed the world of cyber was the appreciation and practice of OSINT (Open Source Intelligence), which goes well beyond the element of the IP address to discover titbits of unknown unknowns which can expose even the most secure of sites – titbits gathered from multiple sources may then be leveraged to paint an aggregated big picture, Cuckoo's Egg style off-line acquisition of dark intelligence metrics which may be used to further expose and exploit further insecurities.

In 2020, much work has been done by Cybersec Innovation Partner with their cutting-edge WHITETHORN SHIELD engine, and the findings gathered from both commercial and government sites prompt the question – how can this be? The findings not only suggest there is a potential for cyber insecurity to exist on multiple sites, but go well beyond that and prove that these discoveries are fact. The problem seems to be that nobody is willing to listen – that is, until such time as they are compromised!



Protect Your Business From State-Sponsored Attacks

It has taken some time but we finally have succumbed to the delights of a certain kitchen utensil. Years of resisting George, John, and the seductive talents of Penelope had left me more determined than ever to resist at all costs. The result: a plethora of appliances – eight at last count – to produce the perfect cup of coffee at the right moment, cluttering kitchen surfaces and cupboards, and never quite getting it right. After all, each appliance needs and produces its own unique type of coffee. And it’s difficult, when you’re the only serious coffee drinker, to convince ‘management’ at home that such a thing as a CCM (Centralized Coffee Management) system is essential.

And the story is similar with encryption keys and certificates. Look around any mid to large size organisation and you will find SSL, SSH and symmetric keys and digital certificates scattered around – and each type will also have several variants. Then there are all the different “utensils” which use the keys, from applications to a myriad of appliances, as well as a host of built-in ‘tools’ to manage each variety. The result is more management systems than the average household’s coffee machines.

Today SSL and SSH keys and certificates are found littered across virtually all systems, applications and end-user computing devices. In most cases no one knows who caused the ever-proliferating and expanding landscape of encryption “litter,” and since these keys and certificates are used to protect critical systems and sensitive data, ineffective and siloed management means that organisations are increasingly susceptible to failed audits, security risks, unexpected system outages, and compromises of systems, applications and, most importantly, critical data. Of course, each of these comes with its own costly financial and reputational consequences.

The Dark Side

And just as I’m told that there’s a dark side to my caffeine addiction, there is a definite dark side to the unmanaged and unquantified encryption keys and certificates that we’ve become so dependent on—which now act as the infrastructure backbone of all online trust and security. Today as never before, everyone from governments to private individuals is under attack. The use of malware for criminal, ideological and political aims is growing at an alarming rate. Stuxnet opened Pandora’s Box when the use of valid, stolen SSL certificates as a means to authenticate the malware and allow it to remain hidden and undetected became common knowledge. Since then there has been an explosion of malware using digitally signed certificates.

Can we defend ourselves against state-sponsored attacks?

Today we are faced with cyber-attacks on a scale never imagined, and the question that has to be asked is whether or not there is anything we can do to protect our infrastructure, enterprises and ourselves.

But I believe the reality is that we are responsible in large part for the ease with which cyber-terrorists, regardless of their ideology or motivation, are attacking us. In effect, we are supplying the weapons that are being used against us. The collective failure of enterprises to protect keys and certificates is resulting in these very keys and certificates being used against us.

The Flame attack, for example, which masqueraded as a Windows update, was successful because of Microsoft’s continued use of the MD5 algorithm, years after they themselves had identified that it was compromised. A surprisingly small amount of money needed to be spent to create a duplicate certificate. Shamoon, which attacked Aramco and RasGas, leveraged a certificate stolen from a company called EldoS and issued by GlobalSign. The fact that it was issued by GlobalSign is not the problem; the problem is that the key and certificate were reportedly stolen from EldoS. And it goes on and on. Cyber-terrorists are literally helping themselves to keys and certificates from global business because they know that no one manages them. When organisations don’t ensure proper controls over trust, business stops. End of story.

So the first step in defending ourselves is to protect our key and certificate arsenal. Having effective management so that access to any key or certificate is controlled is a first step in ensuring that you don’t become the next unsuspecting collaborator. And that management has to be unbiased, universal and independent if it’s going to work—not caring who issues the encryption or in what departmental silos it resides (one cannot be both the issuer and manager of encryption simultaneously—too many inherent conflicts of interest). No one wants to have their name associated with a cyber-attack that at the very least results in significant financial loss for the victim, but even more seriously results in the loss of life.

Secondly, enterprises are not responding to the attacks. There is massive investment in perimeter security but when we are told repeatedly that the threat is as much from within as outside, we need to act.

Can we still protect critical infrastructure from attack in the digital age?

If malware is the Cyber-terrorist weapon of the 21st century, then organisations need to reduce the risk as much as possible. At last count there are in excess of 1500 Trusted Third Parties who issue certificates globally. Many of these are in every system in the infrastructure, and the result is that if a system trusts the issuer, it will by default trust the “messenger”, in this case malware.

So like your firewall in the 20th century, which you used to reduce the access points through your perimeter, effective management of trusted issuers and instruments similarly reduces your risk of malware infection. If a system doesn’t know the issuer, it’s not going to trust the messenger. So although you can never completely remove the risk, because you have to trust some people, you will significantly reduce the number of possible attacks. But this requires the determination of an organisation to take steps to protect itself. The management of trust stores in every system becomes an absolute necessity in the fight against cyber-terrorism, regardless of what group, enterprise, or nation state is behind it.

According to US Defence Secretary Leon Panetta, the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could have devastating consequences if they aren’t stopped. “A cyber-attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyse the nation.”

The question is: when will we start to see individuals and organisations being held culpable for these attacks? In the cyber-terrorism war, selling valid SSL certificates, whether stolen, lost or sold, to “terrorists” is big business – it is likely to play a significant part in a major incident, and ignorance will not be a defence!

So my advice is, as George Orwell wrote in “1984” – “If you want to keep a secret, you must also hide it from yourself.”

Calum MacLeod has over 30 years of expertise in secure networking technologies, and is responsible for developing Venafi’s business across Europe as well as lecturing and writing on IT security.




IT Audit & Digital Forensics: How to use an IT audit to prepare for a computer forensics investigation.

Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.

The problem: your organization has been subject to intellectual property theft, or stolen data, or inappropriate web surfing and/or emails. These problems pose potential risks including economic espionage, unauthorized access, unauthorized use and possibly civil liabilities, among other risks. IT audit procedures can help facilitate an understanding of both the computing environment and corresponding controls, which can help with a forensics investigation. What follows are six IT audit areas of inquiry.

1. IT Standards, Policies and Procedures – In the event of inappropriate activity by employees, one area to audit is IT standards, policies and procedures, with a specific focus on the acceptable use or end user policy. Questions to address in the review include:

  • Is an acceptable use policy in place?
  • Is it formally documented?
  • Has the policy been formally communicated to all employees?
  • Are employees required to formally sign an acknowledgement of receipt and review of said policy?
  • Does the policy explicitly denote what behavior is acceptable and unacceptable?
  • Does the policy address the various methods of computing use (e.g. email, web surfing, social media use, etc.)?

2. User Access Monitoring – The IT auditor should also gain an understanding of user access monitoring. Consider the following:

  • Is both traditional user and privileged user access subject to monitoring?
  • At what layer is access monitored (e.g. database, application, network layers)?
  • What type of activity is monitored (e.g. direct data access, etc.)?
  • Does monitoring include a review of unsuccessful login attempts?
  • Does monitoring include a review of unusual access attempts (e.g. weekends, off-hours, etc.)?
  • Are inactive accounts disabled?

3. Web Access Monitoring

  • Is user activity on web surfing tracked by computer? By user?
  • Is web access filtered (blocked) by keyword and/or URL?

4. Password Controls

  • Are passwords required for system access?
  • Is a password policy in place and enforced?
  • Are passwords required to be complex?
  • Are passwords periodically changed?

5. Backup Procedures

  • Are backups being performed?
  • What is being backed up? Application? Database? Configuration settings?
  • Has a restore been performed to ensure backups operate as intended?

6. Audit Trails

  • Determine if automatic logging of activity takes place.
  • Gain an understanding of what activity is logged.
  • Determine if audit trails are in place at the OS, application or database layer.
  • Determine if audit trails are periodically reviewed.

These six areas of inquiry are meant to begin a conversation and provide a framework of understanding to a computer forensics team conducting an investigation.
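As an added illustration of the user access monitoring (section 2) and audit trail (section 6) questions, the following script is not part of the article; it reviews a constructed audit trail for repeated failed logins, weekend/off-hours access, privileged data access and which layers are logging at all. The user list, business hours and log format are assumptions.

```python
# Added example, not code from the article: a minimal audit-trail review
# answering the section 2 and section 6 questions over constructed log lines.
from collections import Counter
from datetime import datetime

# Constructed sample audit trail: timestamp, user, event, source, layer.
SAMPLE_LOG = """\
2020-11-02T09:14:03 alice LOGIN_OK 10.0.0.12 application
2020-11-02T09:15:10 alice DATA_READ customers application
2020-11-02T22:41:55 bob LOGIN_FAIL 10.0.0.40 application
2020-11-02T22:42:07 bob LOGIN_FAIL 10.0.0.40 application
2020-11-02T22:42:20 bob LOGIN_FAIL 10.0.0.40 application
2020-11-07T03:05:19 dba_root LOGIN_OK 10.0.0.5 database
2020-11-07T03:06:02 dba_root DATA_EXPORT customers database
2020-11-03T11:30:00 carol LOGIN_OK 10.0.0.21 network
"""

PRIVILEGED = {"dba_root"}       # assumed list of privileged accounts
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday to Friday
FAIL_THRESHOLD = 3              # assumed review threshold for failed logins


def parse(line):
    """Split one constructed log line into its fields."""
    ts, user, event, src, layer = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "event": event, "src": src, "layer": layer}


def is_off_hours(ts):
    """Weekend (Sat=5, Sun=6) or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def review(log_text):
    """Return the findings an auditor would raise from the audit trail."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    fails = Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")
    return {
        # repeated unsuccessful login attempts (section 2)
        "repeated_failures": sorted(u for u, n in fails.items()
                                    if n >= FAIL_THRESHOLD),
        # unusual access times: weekends and off-hours (section 2)
        "off_hours_access": sorted({e["user"] for e in events
                                    if is_off_hours(e["ts"])}),
        # privileged accounts touching data directly (section 2)
        "privileged_data_access": sorted({e["user"] for e in events
                                          if e["user"] in PRIVILEGED
                                          and e["event"].startswith("DATA_")}),
        # which layers actually produce an audit trail (section 6)
        "layers_logged": sorted({e["layer"] for e in events}),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```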




New Windows zero-day flaw bypasses UAC

A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.

The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.

Read on at Naked Security (01/12/10).



Scientists ‘hack’ quantum cryptography

Computer scientists from Norway have perfected a method of attacking quantum cryptography systems using lasers, allowing them to listen to communications while remaining completely undetected.

Quantum cryptography is most commonly used to securely transfer keys and was considered to be un-hackable, as any attempt to attack the system and measure quantum data will disturb it. The system then detects this, ensuring the communications remain secure.

The team of scientists from three academic institutions in Norway developed a technique that remotely controls the photon detector. In effect, the use of the laser blinds the photon detector. Using a stronger pulse of lasers, data can then be transmitted without detection as the pulse is not a quantum process.

A report, published by the scientists, explains how, theoretically, anyone could implement the attack by using ‘off-the-shelf’ components.

Various quantum cryptography developers have been made aware of the vulnerability, and ID Quantique have collaborated with the researchers to develop an undisclosed countermeasure.



Digital Watermarking—A Specialized Form of Digital Steganography

In classifying digital watermarking programs as digital steganography applications, it is important to distinguish between watermarking programs that embed a visible watermark and those that embed an invisible watermark. Because the objective of steganography is to conceal the existence of information, a watermarking program that embeds a visible watermark in the carrier file could hardly be considered a steganography application. However, a watermarking program that leaves an invisible watermark in the carrier file should be properly classified as an application of digital steganography because the embedded watermark is imperceptible to the human senses.

Another characteristic of digital watermarking programs is robustness.

A watermark is considered to be fragile if the mark is not detectable after even the slightest transformation of the carrier file. For example, resizing an image file could destroy a fragile watermark. On the other hand, a watermark is considered to be robust if the mark is detectable after certain transformations are performed on the carrier file. Thus, digital watermarking programs that embed robust imperceptible watermarks must be properly classified as digital steganography applications.

Another aspect of digital watermarking programs is the size of the payload that can be embedded in the carrier file. The payload size of a digital watermarking program will be much more restricted than the payload size of other digital steganography applications. Many steganography applications can accommodate multi-megabyte payloads. However, a digital watermarking program may only embed a few bytes or a few hundred bytes. The quantity of information that can be embedded in a carrier file is not a good criterion for determining whether or not an application should be considered a steganography application. It is not difficult to imagine scenarios where a single word or number could have a much larger meaning. Therefore, even though digital watermarking programs have restricted payload capability, the programs that employ techniques to embed robust and imperceptible watermarks must be classified as digital steganography applications.

It is important to note that some steganography investigation datasets do not include any digital watermarking programs because the dataset creators do not consider any digital watermarking programs to be steganography applications, even if the program embeds a robust imperceptible watermark. Therefore, digital forensics examiners must be careful when determining which steganography data set to use, because selecting the wrong one could result in failure to detect certain digital watermarking programs that may have been used to hide information of evidentiary value in a criminal investigation.
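To make the fragile-versus-robust distinction concrete, here is an added example (not Backbone Security's or SARC's code) that embeds a few-byte imperceptible watermark in the least significant bits of a constructed 8x8 greyscale image and then shows that a mild transformation of the carrier destroys it. The carrier, the mark and the brightness transform are all constructed for the example.

```python
# Added example, not the page's code: a fragile LSB watermark on a constructed
# 8x8 greyscale carrier. The mark changes each pixel by at most 1 (imperceptible),
# yet a brightness shift of +1 is enough to make it undetectable.
import random

WIDTH, HEIGHT = 8, 8
MARK = b"SARC"  # constructed 4-byte watermark: 32 bits fit in 64 pixels


def make_image(seed=1):
    """Constructed sample carrier: an 8x8 grid of 8-bit grey pixels."""
    rng = random.Random(seed)
    return [[rng.randrange(256) for _ in range(WIDTH)] for _ in range(HEIGHT)]


def to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits):
    whole = len(bits) - len(bits) % 8
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, whole, 8))


def embed_lsb(img, payload):
    """Hide payload bits in the least significant bit of each pixel, row-major."""
    bits = to_bits(payload)
    if len(bits) > WIDTH * HEIGHT:
        raise ValueError("payload too large for carrier")
    out = [row[:] for row in img]
    for k, bit in enumerate(bits):
        y, x = divmod(k, WIDTH)
        out[y][x] = (out[y][x] & ~1) | bit
    return out


def extract_lsb(img, nbytes):
    """Read nbytes back out of the pixel LSBs, row-major."""
    return from_bits([img[divmod(k, WIDTH)[0]][divmod(k, WIDTH)[1]] & 1
                      for k in range(nbytes * 8)])


def max_pixel_change(a, b):
    """Largest per-pixel difference between two images (imperceptibility)."""
    return max(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))


def brighten(img, delta=1):
    """A mild transform (brightness +delta, clipped at 255)."""
    return [[min(255, p + delta) for p in row] for row in img]


def mark_present(img, mark=MARK):
    return extract_lsb(img, len(mark)) == mark


def demo():
    """Return (detectable before transform, detectable after transform)."""
    marked = embed_lsb(make_image(), MARK)
    return mark_present(marked), mark_present(brighten(marked))
```

A robust watermark would instead spread each bit over many pixels or transform coefficients so that it survives such changes; the fragile LSB mark here is the case the text says "resizing an image file could destroy".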

At Backbone Security, we include digital watermarking programs that embed a robust and imperceptible watermark in our Steganography Application Fingerprint Database (SAFDB). Because the watermark embedded by these programs is not detectable by the Human Visual System, it meets our criterion for classification as a digital steganography application.

SAFDB is maintained in our Steganography Analysis and Research Center (SARC) and is the world’s largest hash set exclusive to digital steganography applications.

Jim Wingate is Director of the Steganography Analysis and Research Center and Vice President of Backbone Security and welcomes your views on the proper classification of digital steganography applications.