Thursday 31 October 2013

Hacking Back as a Law Enforcement Role

Panel discussion with:
  • Ronald Prins - CEO & Co-Founder, Fox-IT (Chairman)
  • Bart Jacobs – Professor, Radboud University Nijmegen and chairman of Bits of Freedom
  • Peter Zinn – Dutch National Police
  • Troels Oerting – Head of European Cybercrime Centre (EC3), Europol
Hacking back as a law enforcement role is a much debated topic. The Netherlands is the first country to develop specific legislation for it. The underlying problem is that in cyberspace criminals have more capabilities than law enforcement. Investigations are often hampered by cross-border collaboration and jurisdiction issues. This session explores the issues.

What is hacking back? In the view of Ronald, it is the police using online hacking to tackle illegal activities.

The discussion is politically charged, because this is going to be a debate in Dutch parliament soon.

Peter, why is it important for the police to have hacking capabilities?

We don’t call it hacking, we call it legal intrusion, but we do use the same techniques that hackers do. Technically, it is already possible; legally it is forbidden, so this is a legal discussion. Laws should be able to keep up with technology. Where did we stretch the law in the past? LeaseWeb was informed that there was a Bredolab C&C server cluster on their network. With permission from the judge, we were able to take over the botnet and find the criminal in question, and he is now in custody in Armenia. We also did it with Robert M., one of the worst child molesters in the world. We hacked his computer to find out who his associates were, which has led to numerous arrests around the world. We got permission to hack child pornography sites to bring them down. The worst site of them all was so well protected that we could not hack it, but using the admin password we could also bring it down. These cases could not have been solved without legal intrusion.

Bart, what are your issues with hacking back, with regards to privacy?

Not everything that is technically possible should be done. This is a deliberate choice, like building nuclear weapons. Hacking back is a misnomer, because it draws a picture of the police being with their back against the wall. I propose “lawful intrusion” as well. Computer intrusion is clearly forbidden by law, so new law is needed. I’m concerned by the privacy aspect, but I’m more concerned about the difficult distinction between active and passive investigation once a computer has been lawfully intruded. It is, for example, difficult to prove that the police have not planted evidence. We should really reconsider this, because this may harm the integrity of the whole legal process. How can a civilian be sure that the police do not change the content of a computer?

Troels, why isn’t international cooperation sufficient?

There is a difference between normal and “cyber” policing. The first police was local. When borders disappeared, this was compensated by things like Europol and the Schengen database. Physical crime has the advantage of being physical and thus allows a normal policeman to do the normal police work on site. There are now billions of people that can go online; the criminally inclined among them do not have to travel or cross borders to commit crimes against their fellow citizens.
In the physical world, you can be detained and physically searched, including your house and the things in it, and we allow the police to use physical and sometimes even lethal force, all legally. We do not have such powers in the online world, and we sometimes cannot even reach the police of a country to help the police from other countries.

Police cooperation is excellent within the EU, but when you cross the EU border cooperation goes poorly.

Do we have a choice? Is not allowing legal intrusion an option?

Bart: In my opinion the police should only have the power to do intrusion in order to disrupt, not to collect evidence. For evidence obtained during such an intrusion, I think it is very hard to prove that the evidence was not planted.

Audience question: What is a disruption? Is it just DDoS-ing the server? Aren’t you breaking laws of other countries doing so?

Peter: No country would pass a law that would allow the police to intrude into a computer that is not in the country. It is just too complicated from a legal perspective.

Bart: Let’s say you hack into a computer via TOR, so you don’t know where it is. Should you then stop as soon as you find out where it is located?

Peter: Yes, you should. But we are always accused of planting evidence. We have processes around this for physical searches that we also need to apply to cyber searches.

Bart: It is not a personal trust issue; I am also worried that the police might blemish their good reputation in the Netherlands. For physical searches a judge has to be present to avoid planted evidence; this is very hard to do for cyber intrusions.

Audience: Aren’t electronic logs easy to tamper with? Isn’t it like the NSA, which we should just trust?

Troels: Normal police work is different from intelligence work. We work transparently. In police work we are allowed to cross borders in hot pursuit under the Schengen treaty. If the police doesn’t provide this service, commercial companies will offer this service to the highest bidder.

Audience: Is it within the authorization to change configurations or run programs on it?

Peter: No, we are not allowed.

Audience: Do you use commercially available surveillance malware/zero days/etc?

Peter: No, in those two cases we didn't buy anything. If the law is passed we should use tested and accepted methods.

Audience: Bart, the police could get in a strange situation, but they don’t seem to care. What about privacy?

Bart: Yes, I see privacy as a big concern, which I didn’t elaborate on.

Ronald: What do other countries think about the Dutch police doing lawful interception? Will the first officer hacking into a computer abroad be arrested?

Troels: The Dutch police will miss out if they only hack computers in the country. If it is a computer in a friendly country, one should work via the normal route, but what if it is not a friendly country? Should we just stop then, or should we still go in hot pursuit? This requires a big international discussion. We give away privacy and trade it for a certain safety. We need to balance the right to be forgotten and a reason to be remembered.

Audience: Isn’t there a difference between being searched at airports and being searched all the time on my laptop?

Troels: The police should work in the open unless a judge allows an undercover operation. I think we will be the last generation that will have a choice to remain private.

Ron: Peter, what type of cases and how often do you foresee the police will be using this? Will it be narrowed to cybercrime cases?

Peter: The police have less power to search than an average citizen when there is no suspect, and more power when there is a suspect. Current thinking is that we can only use these powers in severe cases, e.g. when there is a punishment of more than x years. It is our natural inclination to use a method when it is available.

Bart: Intruding on personal devices like phones is more intrusive than a phone tap, which can only be used in limited cases. There is a danger of a slippery slope; this may be used quite often quite quickly. When phone tapping was introduced it was said that the power would hardly ever be used. Now the Netherlands is, percentage-wise, the biggest phone tapper in the world. Hacking is nice, comfortable and less boring than e.g. a stake-out, so there will be pressure to use this in other cases as well. The current proposal does not restrict this to cybercrime, but allows its use to solve any crime.

Ron: How should we describe the allowed use cases for lawful intrusion?

Bart: I do not see a good method to restrict this to certain types of cases. E.g. not all cases end up in front of a judge, and how well does the legal process discover these methods? Silent SMS was used for six years before it was finally discovered in a trial.

Source: Cupfighter

Friday 5 July 2013

Tougher penalties for hacking in the Netherlands and the EU

The new EU directive against cybercrime has been definitively adopted by the European Parliament, with higher maximum sentences for hacking and cyberattacks. The Netherlands, too, will have to amend its legislation.

By a large majority, the European Parliament has adopted a new cyber directive, Reuters reports. Hacking offences will as a rule be punished more severely, because the maximum sentences are going up. Computer trespass (computervredebreuk) will carry a maximum sentence of at least two years. In the Netherlands it is currently a maximum of one year.

For more severe cyberattacks that cause serious damage, for example to critical infrastructure, a maximum sentence of at least five years will apply. Criminals who use botnets for fraud must be liable to a maximum sentence of at least three years. In the Netherlands the maximum sentence for serious hacking attacks is currently four years in prison.

Two years for harmonisation

In early June the directive had already been steered through the European Parliament’s committee. European Commissioner Cecilia Malmström is pleased. “This is an important step to strengthen Europe’s defences against cyberattacks,” the commissioner said.

Member states may set even higher maximum sentences themselves, but not lower ones. Within two years all member states must bring their legislation into line with the new directive.

Source: Webwereld

Tuesday 28 May 2013

Confidential report lists U.S. weapons system designs compromised by Chinese cyberspies

Designs for many of the nation’s most sensitive advanced weapons systems have been compromised by Chinese hackers, according to a report prepared for the Pentagon and to officials from government and the defense industry.

Among more than two dozen major weapons systems whose designs were breached were programs critical to U.S. missile defenses and combat aircraft and ships, according to a previously undisclosed section of a confidential report prepared for Pentagon leaders by the Defense Science Board.

Experts warn that the electronic intrusions gave China access to advanced technology that could accelerate the development of its weapons systems and weaken the U.S. military advantage in a future conflict.

The Defense Science Board, a senior advisory group made up of government and civilian experts, did not accuse the Chinese of stealing the designs. But senior military and industry officials with knowledge of the breaches said the vast majority were part of a widening Chinese campaign of espionage against U.S. defense contractors and government agencies.

The significance and extent of the targets help explain why the Obama administration has escalated its warnings to the Chinese government to stop what Washington sees as rampant cybertheft.
In January, the advisory panel warned in the public version of its report that the Pentagon is unprepared to counter a full-scale cyber-conflict. The list of compromised weapons designs is contained in a confidential version, and it was provided to The Washington Post.

Some of the weapons form the backbone of the Pentagon’s regional missile defense for Asia, Europe and the Persian Gulf. The designs included those for the advanced Patriot missile system, known as PAC-3; an Army system for shooting down ballistic missiles, known as the Terminal High Altitude Area Defense, or THAAD; and the Navy’s Aegis ballistic-missile defense system.

Also identified in the report are vital combat aircraft and ships, including the F/A-18 fighter jet, the V-22 Osprey, the Black Hawk helicopter and the Navy’s new Littoral Combat Ship, which is designed to patrol waters close to shore.

Also on the list is the most expensive weapons system ever built — the F-35 Joint Strike Fighter, which is on track to cost about $1.4 trillion. The 2007 hack of that project was reported previously.
China, which is pursuing a comprehensive long-term strategy to modernize its military, is investing in ways to overcome the U.S. military advantage — and cyber-espionage is seen as a key tool in that effort, the Pentagon noted this month in a report to Congress on China. For the first time, the Pentagon specifically named the Chinese government and military as the culprit behind intrusions into government and other computer systems.

As the threat from Chinese cyber-espionage has grown, the administration has become more public with its concerns. In a speech in March, Thomas Donilon, the national security adviser to President Obama, urged China to control its cyber-activity. In its public criticism, the administration has avoided identifying the specific targets of hacking.

But U.S. officials said several examples were raised privately with senior Chinese government representatives in a four-hour meeting a year ago. The officials, who spoke on the condition of anonymity to describe a closed meeting, said senior U.S. defense and diplomatic officials presented the Chinese with case studies detailing the evidence of major intrusions into U.S. companies, including defense contractors.

In addition, a recent classified National Intelligence Estimate on economic cyber-espionage concluded that China was by far the most active country in stealing intellectual property from U.S. companies.

The Chinese government insists that it does not conduct cyber-espionage on U.S. agencies or companies, and government spokesmen often complain that Beijing is a victim of U.S. cyberattacks.
Obama is expected to raise the issue when he meets with Chinese President Xi Jinping next month in California.

A spokesman for the Pentagon declined to discuss the list from the science board’s report. But the spokesman, who was not authorized to speak on the record, said in an e-mail, “The Department of Defense has growing concerns about the global threat to economic and national security from persistent cyber-intrusions aimed at the theft of intellectual property, trade secrets and commercial data, which threatens the competitive edge of U.S. businesses like those in the Defense Industrial Base.”

The confidential list of compromised weapons system designs and technologies represents the clearest look at what the Chinese are suspected of targeting. When the list was read to independent defense experts, they said they were shocked by the extent of the cyber-espionage and the potential for compromising U.S. defenses.

“That’s staggering,” said Mark Stokes, executive director of the Project 2049 Institute, a think tank that focuses on Asia security issues. “These are all very critical weapons systems, critical to our national security. When I hear this in totality, it’s breathtaking.”
The experts said the cybertheft creates three major problems. First, access to advanced U.S. designs gives China an immediate operational edge that could be exploited in a conflict. Second, it accelerates China’s acquisition of advanced military technology and saves billions in development costs. And third, the U.S. designs can be used to benefit China’s own defense industry. There are long-standing suspicions that China’s theft of designs for the F-35 fighter allowed Beijing to develop its version much faster.

“You’ve seen significant improvements in Chinese military capabilities through their willingness to spend, their acquisitions of advanced Russian weapons, and from their cyber-espionage campaign,” said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. “Ten years ago, I used to call the PLA [People’s Liberation Army] the world’s largest open-air military museum. I can’t say that now.”

The public version of the science board report noted that such cyber-espionage and cyber-sabotage could impose “severe consequences for U.S. forces engaged in combat.” Those consequences could include severed communication links critical to the operation of U.S. forces. Data corruption could misdirect U.S. operations. Weapons could fail to operate as intended. Planes, satellites or drones could crash, the report said.

In other words, Stokes said, “if they have a better sense of a THAAD design or PAC-3 design, then that increases the potential of their ballistic missiles being able to penetrate our or our allies’ missile defenses.”

Winslow T. Wheeler, director of the Straus Military Reform Project at the Project on Government Oversight, made a similar point. “If they got into the combat systems, it enables them to understand it to be able to jam it or otherwise disable it,” he said. “If they’ve got into the basic algorithms for the missile and how they behave, somebody better get out a clean piece of paper and start to design all over again.”

The list did not describe the extent or timing of the penetrations. Nor did it say whether the theft occurred through the computer networks of the U.S. government, defense contractors or subcontractors.

Privately, U.S. officials say that senior Pentagon officials are frustrated by the scale of cybertheft from defense contractors, who routinely handle sensitive classified data. The officials said concerns have been expressed by Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, and Adm. James A. Winnefeld Jr., the vice chairman, as well as Gen. Keith Alexander, director of the National Security Agency.

“In many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door,” said a senior military official who was not authorized to speak on the record. “This is billions of dollars of combat advantage for China. They’ve just saved themselves 25 years of research and development. It’s nuts.”

In an attempt to combat the problem, the Pentagon launched a pilot program two years ago to help the defense industry shore up its computer defenses, allowing the companies to use classified threat data from the National Security Agency to screen their networks for malware. The Chinese began to focus on subcontractors, and now the government is in the process of expanding the sharing of threat data to more defense contractors and other industries.

An effort to change defense contracting rules to require companies to secure their networks or risk losing Pentagon business stalled last year. But the 2013 Defense Authorization Act has a provision that requires defense contractors holding classified clearances to report intrusions into their networks and allow access to government investigators to analyze the breach.
The systems on the science board’s list are built by a variety of top defense contractors, including Boeing, Lockheed Martin, Raytheon and Northrop Grumman. None of the companies would comment about whether their systems have been breached.

But Northrop Grumman spokesman Randy Belote acknowledged the company “is experiencing greater numbers of attempts to penetrate its computer networks” and said the firm is “vigilant” about protecting its networks.

A Lockheed Martin official said the firm is “spending more time helping deal with attacks on the supply chain” of partners, subcontractors and suppliers than dealing with attacks directly against the company. “For now, our defenses are strong enough to counter the threat, and many attackers know that, so they go after suppliers. But of course they are always trying to develop new ways to attack.”
The Defense Science Board report also listed broad technologies that have been compromised, such as drone video systems, nanotechnology, tactical data links and electronic warfare systems — all areas where the Pentagon and Chinese military are investing heavily.

“Put all that together — the design compromises and the technology theft — and it’s pretty significant,” Stokes said.

Source: Washington Post

Thursday 16 May 2013

U.S. cyberwar strategy stokes fear of blowback

Even as the U.S. government confronts rival powers over widespread Internet espionage, it has become the biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.

The strategy is spurring concern in the technology industry and intelligence community that Washington is in effect encouraging hacking and failing to disclose to software companies and customers the vulnerabilities exploited by the purchased hacks.

That's because U.S. intelligence and military agencies aren't buying the tools primarily to fend off attacks. Rather, they are using the tools to infiltrate computer networks overseas, leaving behind spy programs and cyber-weapons that can disrupt data or damage systems.

The core problem: Spy tools and cyber-weapons rely on vulnerabilities in existing software programs, and these hacks would be much less useful to the government if the flaws were exposed through public warnings. So the more the government spends on offensive techniques, the greater its interest in making sure that security holes in widely used software remain unrepaired.

Moreover, the money going for offense lures some talented researchers away from work on defense, while tax dollars may end up flowing to skilled hackers simultaneously supplying criminal groups. "The only people paying are on the offensive side," said Charlie Miller, a security researcher at Twitter who previously worked for the National Security Agency.

A spokesman for the NSA agreed that the proliferation of hacking tools was a major concern but declined to comment on the agency's own role in purchasing them, citing the "sensitivity" of the topic.

America's offensive cyber-warfare strategy - including even the broad outlines and the total spending levels - is classified information. Officials have never publicly acknowledged engaging in offensive cyber-warfare, though the one case that has been most widely reported - the use of a virus known as Stuxnet to disrupt Iran's nuclear-research program - was lauded in Washington. Officials confirmed to Reuters previously that the U.S. government drove Stuxnet's development, and the Pentagon is expanding its offensive capability through the nascent Cyber Command.

Stuxnet, while unusually powerful, is hardly an isolated case. Computer researchers in the public and private sectors say the U.S. government, acting mainly through defense contractors, has become the dominant player in fostering the shadowy but large-scale commercial market for tools known as exploits, which burrow into hidden computer vulnerabilities.

In their most common use, exploits are critical but interchangeable components inside bigger programs. Those programs can steal financial account passwords, turn an iPhone into a listening device, or, in the case of Stuxnet, sabotage a nuclear facility.

Think of a big building with a lot of hidden doors, each with a different key. Any door will do to get in, once you find the right key.

The pursuit of those keys has intensified. The Department of Defense and U.S. intelligence agencies, especially the NSA, are spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head, according to longtime researchers and former top government officials.

Many talented hackers who once alerted companies such as Microsoft Corp to security flaws in their products are now selling the information and the exploits to the highest bidder, sometimes through brokers who never meet the final buyers. Defense contractors and agencies spend at least tens of millions of dollars a year just on exploits, which are the one essential ingredient in a broader cyber-weapons industry generating hundreds of millions annually, industry executives said privately.

Former White House cybersecurity advisors Howard Schmidt and Richard Clarke said in interviews that the government in this way has been putting too much emphasis on offensive capabilities that by their very nature depend on leaving U.S. business and consumers at risk.

"If the U.S. government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell U.S. users," Clarke said. "There is supposed to be some mechanism for deciding how they use the information, for offense or defense. But there isn't."

Acknowledging the strategic trade-offs, former NSA director Michael Hayden said: "There has been a traditional calculus between protecting your offensive capability and strengthening your defense. It might be time now to readdress that at an important policy level, given how much we are suffering."
The issue is sensitive in the wake of new disclosures about the breadth and scale of hacking attacks that U.S. intelligence officials attribute to the Chinese government. Chinese officials deny the allegations and say they too are hacking victims.

Top U.S. officials told Congress this year that poor Internet security has surpassed terrorism to become the single greatest threat to the country and that better information-sharing on risks is crucial. Yet neither of the two major U.S. initiatives under way - sweeping cybersecurity legislation being weighed by Congress and President Barack Obama's February executive order on the subject - asks defense and intelligence agencies to spread what they know about vulnerabilities to help the private sector defend itself.

Most companies, including Microsoft, Apple Inc and Adobe Systems Inc, on principle won't pay researchers who report flaws, saying they don't want to encourage hackers. Those that do offer "bounties", including Google Inc and Facebook Inc, say they are hard-pressed to compete financially with defense-industry spending.

Some national-security officials and security executives say the U.S. strategy is perfectly logical: It's better for the U.S. government to be buying up exploits so that they don't fall into the hands of dictators or organized criminals.

UNINTENDED CONSEQUENCES

When a U.S. agency knows about a vulnerability and does not warn the public, there can be unintended consequences. If malign forces purchase information about or independently discover the same hole, they can use it to cause damage or to launch spying or fraud campaigns before a company like Microsoft has time to develop a patch. Moreover, when the U.S. launches a program containing an exploit, it can be detected and quickly duplicated for use against U.S. interests before any public warning or patch.
Some losses occur even after a patch.

That happened to Microsoft and its customers with a piece of malicious software known as Duqu. Experts say it was designed to steal industrial-facility designs from Iran and that it used an exploit that tricked computers into installing malicious software disguised as a font to render type on the screen.

Those who dissected the program after its discovery in 2011 believe it was created by a U.S. agency. Though Duqu resembled Stuxnet in some respects, they couldn't say for sure how it was assembled, or whether the spying tool had accomplished its mission.

What's certain is that criminal hackers copied Duqu's previously unheard-of method for breaking into computers and rolled it into "exploit kits," including one called Blackhole and another called Cool, that were sold to hackers worldwide.

Microsoft had by then issued a patch for the vulnerability. Nevertheless, hackers used it last year to attack 16 out of every 1,000 U.S. computers and an even greater proportion in some other countries, according to Finland-based security firm F-Secure.

The flaw became the second-most frequently tried among tens of thousands of known vulnerabilities during the second half of 2012, F-Secure said. Hackers installed a variety of malicious software in cases when the exploit worked, including copies of Zeus, a notorious program for stealing financial login information that has been blamed for hundreds of millions of dollars in bank thefts. Microsoft won't say whether it has confronted U.S. officials about Duqu and other programs, but an executive said the company objects "to our products being used for malicious purposes."

THE BUSINESS OF "ZERO-DAYS"

Former NSA Director Hayden and others with high-level experience have boasted that U.S. offensive capabilities in cyberspace are the best in the world. But few outsiders had any idea what was possible before 2010, when a small laboratory discovered the worm called Stuxnet.

It took teams of security experts in several countries months to dissect the program. They discovered that it had been meticulously engineered to launch invisibly from a portable flash drive and spread through connected Windows-based personal computers in search of machines running a specific piece of industrial control software made by Siemens AG of Germany.

If Stuxnet found that software and a certain configuration, it changed some of the instructions in the program and hid its tracks. Eventually, the truth came out: The only place deliberately affected was an Iranian nuclear facility, where the software sped up and slowed down uranium-enriching centrifuges until they broke.

Stuxnet was unique in many ways, one of them being that it took advantage of four previously unknown flaws in Windows. In the industry, exploits of such vulnerabilities are called "zero-days," because the software maker has had zero days' notice to fix the hole before the tool's discovery.
It can take months for security patches to be widely installed after a vulnerability is reported, so even a "two-day" exploit, one released two days after a warning, is valuable.

But exploits can't be counted on to work once the holes they rely on are disclosed. That means contractors are constantly looking for new ones that can be swapped in to a particular program after the original vulnerability is fixed. Some security firms sell subscriptions for exploits, guaranteeing a certain number per year.

"My job was to have 25 zero-days on a USB stick, ready to go," said a former executive at a defense contractor that bought vulnerabilities from independent hackers and turned them into exploits for government use.

HOW THE MARKET WORKS

Zero-day exploits will work even when the targeted software is up to date, and experts say the use of even a single zero-day in a program signals that a perpetrator is serious. A well-publicized hacking campaign against Google and scores of other companies in early 2010, attributed by U.S. officials and private experts to Chinese government hackers, used one zero-day.

Many zero-day exploits appear to have been produced by intelligence agencies. But private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.

It's a global market that operates under the radar, often facilitated by other companies that act as brokers. On the buy side are U.S. government agencies and the defense contractors that fold the exploits into cyber-weapons. With little or no regulation, it is impossible to say who else might be purchasing zero-days and to what end, but the customers are known to include organized crime groups and repressive governments spying on their citizens.

Even one of the four exploits used by Stuxnet may have been purchased. Swedish Defense Research Agency expert David Lindahl said the same trick employed by the exploit in question was used in a piece of Russian crime software called Zlob prior to Stuxnet's discovery. The same person may have sold the exploit to both the United States and to Russian criminals. However, Lindahl and other experts said simultaneous invention can't be ruled out.

The issue of rival countries or gangs using a flaw that U.S. officials have known about but decided to keep secret is a big concern. The National Security Agency declined to say whether or how often that happens, but researchers said simultaneous security discoveries occur often.
"It's pretty naïve to believe that with a newly discovered zero-day, you are the only one in the world that's discovered it," said Schmidt, who retired last year as the White House cybersecurity coordinator. "Whether it's another government, a researcher or someone else who sells exploits, you may have it by yourself for a few hours or for a few days, but you sure are not going to have it alone for long."

China is thought to do a lot of its work on exploits in-house, relying on its own programmers, though Reuters has reviewed email from self-declared Chinese buyers offering large sums. "I really need some 0days,if you have some remote exploit 0days of windows system, I think I can buy it. you know, money is not the problem," one hopeful wrote in 2006.

ON THE FRONT LINE

Cesar Cerrudo, a researcher in Argentina and the recipient of the 2006 email, was among the first to sell zero-days in the open, targeting experts who wanted to test the security of networks for their employers or clients.

Cerrudo said he ignored some requests from China that seemed suspiciously detailed, such as one for an exploit for an out-of-date version of Microsoft Office. Cerrudo said he regrets selling to a research institution in Europe he won't name that he later realized received a great deal of funding from a national government. Now Cerrudo works at IOActive Inc, a Seattle-based consulting firm that advises corporate clients on security.

"Fewer people are publishing details about vulnerabilities and exploits," Cerrudo said, and that hurts overall safety. "People are trying to keep their techniques and exploits private so they can make a lot of money."

A Paris-based security company called Vupen sells tools based on exploits to intelligence, law-enforcement and military authorities in most of the world. It refrains from selling to countries such as Iran or North Korea, and says it voluntarily follows European and U.S. rules limiting arms exports, though others say it isn't clear whether exploits are subject to the most restrictive U.S. rules.
Until 2010, Vupen often notified software vendors for free when it found vulnerabilities, said chief executive Chaouki Bekrar. That has now changed. "As our research costs became higher and higher, we decided to no longer volunteer for multi-billion-dollar companies," Bekrar said. When software makers wouldn't agree to a compensation system, he said, Vupen chose to sell to governments instead. "Software vendors created this market by not decently paying researchers for their hard work."

In Bekrar's estimation, Vupen is doing good. "Exploits are used as part of lawful intercept missions and homeland security operations as legally authorized by law," he said, "to protect lives and democracies against both cyber and real world threats."

The company is one of the most visible players in the business. Vupen sent a dozen researchers to an elite April conference on offensive hacking techniques at the luxury Fontainebleau Hotel in Miami Beach, where attendees eschewed nametags, dined on stone crab and heard such talks as "Advanced Heap Manipulation in Windows 8." The only larger contingents were one from the conference's organizer, zero-day reseller Immunity Inc, and one from the U.S. government.

A newer entrant to the market is ReVuln, based in Malta. ReVuln says it specializes in crafting exploits for industrial control systems that govern everything from factory floors to power generators.
This is a major concern for governments because such systems are considered prime targets for terrorists and enemy nations, with the potential for high loss of life. Additionally, the software that controls them is much harder to patch than something like Windows, which Microsoft frequently fixes with updates over the Internet. Employees at several large makers of control systems say they don't know how to reach all their users, let alone convince them to make changes when holes are discovered.

ReVuln's founders, Italian researcher Luigi Auriemma and former Research in Motion vulnerability hunter Donato Ferrante, declined to say anything about their customers. In an email interview, they said they sold some exploits exclusively and others more widely. Asked if they would be troubled if some of their programs were used in attacks that caused death or destruction, they said: "We don't sell weapons, we sell information. This question would be worth asking to vendors leaving security holes in their products."
 
DEFENSE CONTRACTORS

Much of the work on offensive cyber-warfare is done by publicly traded U.S. defense contractors, now joined by a handful of venture capital-backed start-ups seeking government buyers for a broad array of cyber-weapons that use exploits. Defense contractors both buy exploits and produce them in-house.

Major players in the field include Raytheon Co, Northrop Grumman Corp and Harris Corp, all of which have acquired smaller companies that specialize in finding new vulnerabilities and writing exploits. Those companies declined to discuss their wares. "It's tough for us, when you get into the realm of offensive," said Northrop spokesman Mark Root.

Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren't connected to anything.

There were tools for getting access to computers or phones, tools for grabbing different categories of data, and tools for smuggling the information out again. There were versions of each for Windows, Apple and Linux machines. Most of the programs cost more than $100,000, and a solid operation would need several components that work together. The vast majority of the programs rely on zero-day exploits.

Intelligence agencies have a good reason to leave a lot of the spyware development work to outsiders, said Alex Stamos, chief technology officer at an Internet security unit of NCC Group Plc. "It's just like munitions development," he said. "They don't purchase it until the vendors can demonstrate it works."

Another newcomer with U.S. agencies as clients is Atlanta-based Endgame Inc, which in March raised $23 million in a second round of funding led by the blue-chip Silicon Valley venture capital firm Kleiner Perkins Caufield & Byers. Endgame is chaired by the chief executive of In-Q-Tel, a venture capital firm set up in 1999 at the request of the CIA to fund private companies developing technology that could be useful to the intelligence community.

Some of Endgame's activities came to light in purloined emails published by hackers acting under the banner Anonymous. In what appear to be marketing slides, the company touted zero-day subscriptions as well as lists of exactly which computers overseas belonged to specific criminal "botnets" - networks of compromised machines that can be mobilized for various purposes, including stealing financial passwords and knocking websites offline with traffic attacks.

The point was not to disinfect the botnet's computers or warn the owners. Instead, Endgame's customers in the intelligence agencies wanted to harvest data from those machines directly or maintain the ability to issue new commands to large segments of the networks, three people close to the company told Reuters.
Endgame declined to comment.

Ted Schlein, a Kleiner partner who sits on Endgame's board, said he couldn't comment on the company's classified business. But he defended the idea of captive botnets.
"If you believe that wars are going to be fought in the world of cyber in the future, wouldn't you want to believe you would have a cyber-army at your disposal? Why wouldn't you want to launch a cyber-army if needed?"

Source: Reuters

Wednesday 15 May 2013

How certificate revocation (doesn’t) work in practice

Certificate revocation is intended to convey a complete withdrawal of trust in an SSL certificate and thereby protect the people using a site against fraud, eavesdropping, and theft. However, some contemporary browsers handle certificate revocation so carelessly that the most frequent users of a site and even its administrators can continue using a revoked certificate for weeks or months without knowing anything is amiss. Recently, this situation was clearly illustrated when a busy e-commerce site was still using an intermediate certificate more than a week after its revocation.

SSL Certificates are used to secure communication between browsers and websites by providing a key with which to encrypt the traffic and by providing third-party verification of the identity of the certificate owner. There are varying levels of verification a third-party Certificate Authority (CA) may carry out, ranging from just confirming control of the domain name (Domain Validation [DV]) to more extensive identity checks (Extended Validation [EV]).

However, an SSL certificate — or any of the certificates which form a chain from the server's certificate to a trusted root installed in the browser or operating system — may need to be revoked. A certificate should be revoked when it has had its private key compromised; the owner of the certificate no longer controls the domain for which it was issued; or the certificate was mistakenly signed. An attacker with access to an un-revoked certificate who also has access to the certificate's private key can perform a man-in-the-middle (MITM) attack by presenting the certificate to unsuspecting users whose browsers will behave as if they were connecting to a legitimate site.
There are two main technologies for browsers to check the revocation status of a particular certificate: using the Online Certificate Status Protocol (OCSP) or looking up the certificate in a Certificate Revocation List (CRL). OCSP provides revocation information about an individual certificate from an issuing CA, whereas CRLs provide a list of revoked certificates and may be received by clients less frequently. Browser support for the two forms of revocation varies from no checking at all to the use of both methods where necessary.

On 30th April 2013 an intermediate certificate issued to Network Associates — which forms part of the chain from an individual certificate back to a trusted root — was revoked by RSA. The intermediate certificate was used to sign multiple McAfee SSL certificates including one for a busy e-commerce website, www.mcafeestore.com. Its revocation should have prevented access to all of the websites using the intermediate including the online store. However, more than a week later nobody had noticed: no tweets or news articles appeared and the certificate was still in place.

The certificate chain for mcafeestore.com, before it was replaced. The highlighted certificate, NAI SSL CA v1, was revoked on 30th April 2013


The intermediate certificate was revoked by RSA by adding its serial number, 54:99:05:bd:ca:2a:ad:e3:82:21:95:d6:aa:ee:b6:5a, to the corresponding CRL. None of the certificates in the chain provide a URL for OCSP, so using the CRL is the only option available. After the CRL was published, browsers should display an error message and prevent access to the website. The reality is somewhat different, however. 

Business as usual in Firefox

Firefox does not download CRLs for websites which use the most popular types of SSL certificate (all types of certificate except EV which is usually displayed with a green bar). Without downloading the CRL, Firefox is happy to carry on as usual; letting people visit the website and transfer sensitive personal information relying on a certificate that is no longer valid. In any case even if OCSP were available, by default Firefox will only check the validity of the server's certificate and not attempt to check the entire chain of certificates (again, except for EV certificates).

No warnings for mobile users either on Android or iOS


Mobile browsing now makes up a significant proportion of internet use. Neither Google Chrome on Android nor Safari on iOS present a warning to the user even after being reset. Safari on iOS does not make revocation checks at all except for Extended Validation certificates and did not make requests for the CRL which would have triggered the revocation error message.

 
Google Chrome, by default, does not make standard revocation checks for non-EV certificates. Google does aggregate a limited number of CRLs and distributes this via its update mechanism but, at least currently, it does not list the certificate in question or indeed any of the other certificates revoked in the same CRL. For the majority of Chrome users with the default settings, as with Firefox, nothing will appear to be amiss.

For the security conscious, Google Chrome does have the option to enable proper revocation checks, but in this case the end result depends on the platform. On Windows, Google Chrome can make use of Microsoft's CryptoAPI to fetch the CRL and it correctly prevents access to the site. However, RSA's CRL is not delivered in the conventional way: instead of providing the CRL in a binary format, it is encoded into a text-based format which is not the accepted standard. Mozilla's NSS — which is used by Firefox on all platforms and by Google Chrome on Linux — does not support the format. On Linux, Google Chrome does make a request for the CRL but cannot process the response and instead carries on as normal.

Warning to potential customers when visiting the store at https://www.mcafeestore.com

Microsoft's web browser, Internet Explorer, is one of the most secure browsers in this context. It fetches revocation information (with a preference for OCSP, but it will fall back to CRLs) for the server's certificate and the rest of the certificate chain and, as a consequence of the revocation check, it prevents the user from making their purchase on www.mcafeestore.com.

Opera preventing access to the website

Along with Internet Explorer, Opera is secure by default: it prevents access to the webpage. Opera checks the entirety of the certificate chain using either OCSP or CRLs where appropriate.

However, even with the most secure browser, the most frequent users of a secure website may be able to continue using a website for weeks or months despite one of the certificates in the chain of trust having been revoked. The CRL used in this case can be cached for up to 6 months, leaving frequent users, who will have a cached copy of the CRL, in the dark about the revocation. Going by previous copies of the CRL, the CRL may have last been generated in January 2013 and valid until July 2013. If that is the case and you have visited any website using the same intermediate certificate your browser will not display any warnings and will behave as if the certificate has not been revoked. However, you need not have visited mcafeestore.com before to have a cached CRL; there were 14 other websites with the same intermediate certificate in Netcraft's latest SSL survey.

As long as six months sounds for missing out on important revocation information, the browser vendors in control of the list of trusted CAs allow CRLs to have 12-month validity periods when they cover intermediate certificates. CRLs covering individual, or subscriber, certificates are required to be valid for at most 10 days. By its very nature, access to the private key corresponding to an intermediate certificate is more useful to an attacker: he can use the private key to sign a certificate for any website he so chooses rather than having access to just a single site. Browsers do have the ability to distrust certificates if they become aware of the compromise, but they may depend on slow update mechanisms to update the trusted set of certificates.
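The following Python is an added example, not Netcraft's code: it builds two constructed CRLs for a chain modelled on the one above and shows why a leaf-only check (Firefox's default) and a still-valid cached CRL (the January copy) both miss the revoked intermediate, while a chain-wide check against the 30 April CRL catches it. Only the intermediate's name and serial come from the article; the root and leaf names, the serials and dates of the other entries, and the minimal DER handling are assumptions, and CRL signature verification is deliberately omitted.

```python
import base64
import datetime as dt

# ---- minimal DER encoder, used only to construct the sample CRLs below ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):                                           # non-negative INTEGER
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_utc(t):                                           # UTCTime YYMMDDHHMMSSZ
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def der_name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))))

SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))   # AlgorithmIdentifier

def build_crl(issuer_cn, this_update, next_update, revoked_serials, pem=False):
    """Constructed CRL in the RFC 5280 layout with a zeroed placeholder signature."""
    entries = b"".join(der(0x30, der_int(s) + der_utc(this_update)) for s in revoked_serials)
    tbs = der(0x30, der_int(1) + SHA256_RSA + der_name(issuer_cn) + der_utc(this_update)
              + der_utc(next_update) + der(0x30, entries))
    crl = der(0x30, tbs + SHA256_RSA + der(0x03, b"\x00" * 33))
    if not pem:
        return crl
    return b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(crl) + b"-----END X509 CRL-----\n"

# ---- minimal DER reader: just enough to pull the TBSCertList fields out of a CRL ----
def tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):   # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(val.decode(), fmt)

def parse_crl(data):
    """Accept DER or PEM text armor (the text form RSA published, which NSS would not read)."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln for ln in data.splitlines() if ln and not ln.startswith(b"-----"))
        data = base64.b64decode(body)
    _, cert_list, _ = tlv(data)
    _, tbs, _ = tlv(cert_list)
    fields = children(tbs)
    if fields[0][0] == 0x02:                 # optional version field (v2)
        fields = fields[1:]
    times = [parse_time(t, v) for t, v in fields[2:4] if t in (0x17, 0x18)]
    revoked = set()
    for t, v in fields[2:]:
        if t == 0x30:                        # revokedCertificates SEQUENCE OF entries
            for _, entry in children(v):
                revoked.add(int.from_bytes(children(entry)[0][1], "big"))
    return {"issuer": der(0x30, fields[1][1]), "this_update": times[0],
            "next_update": times[1] if len(times) > 1 else None, "revoked": revoked}

def check_revocation(chain, crl_cache, now, whole_chain=True):
    """chain: dicts {name, serial, issuer} leaf first, root omitted; crl_cache: issuer DER -> CRL."""
    for cert in (chain if whole_chain else chain[:1]):
        crl = crl_cache.get(cert["issuer"])
        if crl is None:
            return "unknown", "no CRL available for the issuer of " + cert["name"]
        if now < crl["this_update"] or (crl["next_update"] and now >= crl["next_update"]):
            return "unknown", "cached CRL for " + cert["name"] + " is outside its validity window"
        if cert["serial"] in crl["revoked"]:
            return "revoked", cert["name"]
    return "good", "no certificate in the checked set is listed"

# ---- constructed scenario (root/leaf names and non-intermediate serials are placeholders) ----
ROOT_CN, INTER_CN = "Example Root CA", "NAI SSL CA v1"
INTER_SERIAL = int("549905bdca2aade3822195d6aaeeb65a", 16)
CHAIN = [{"name": "www.mcafeestore.com", "serial": 0x1234, "issuer": der_name(INTER_CN)},
         {"name": INTER_CN, "serial": INTER_SERIAL, "issuer": der_name(ROOT_CN)}]
INTER_CRL = parse_crl(build_crl(INTER_CN, dt.datetime(2013, 5, 5), dt.datetime(2013, 5, 15), [0x9999]))
CACHED_ROOT_CRL = parse_crl(build_crl(ROOT_CN, dt.datetime(2013, 1, 15), dt.datetime(2013, 7, 15), [0x7777]))
FRESH_ROOT_CRL = parse_crl(build_crl(ROOT_CN, dt.datetime(2013, 4, 30), dt.datetime(2014, 4, 30),
                                     [0x7777, INTER_SERIAL], pem=True))
NOW = dt.datetime(2013, 5, 8)

def verdicts():
    cached = {der_name(INTER_CN): INTER_CRL, der_name(ROOT_CN): CACHED_ROOT_CRL}
    fresh = {der_name(INTER_CN): INTER_CRL, der_name(ROOT_CN): FRESH_ROOT_CRL}
    return {"leaf_only_fresh": check_revocation(CHAIN, fresh, NOW, whole_chain=False)[0],  # good
            "chain_cached": check_revocation(CHAIN, cached, NOW)[0],                      # good (!)
            "chain_fresh": check_revocation(CHAIN, fresh, NOW)[0]}                        # revoked
```

The "chain_cached" verdict is the dangerous one: the January CRL is inside its validity window, so a client holding it has no reason to refetch and never learns of the 30 April revocation.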

Whilst it may be expensive for an online store to be using a certificate that should not be valid, the consequences for governmental or banking websites could be more severe. If the certificate, or one of the certificates in the chain, were revoked due to a key compromise and there is an active attacker exploiting the lack of revocation checking in modern browsers, the public could be at risk for an extended period of time. The state of revocation amongst modern browsers is sufficiently fragmented to ensure that the entire concept of revocation is on shaky ground — without consistent behaviour and timely updates, if or when the certificate is finally blocked it is too late.

Source: Netcraft

Monday 6 May 2013

Hackers exploit new vulnerability in Internet Explorer 8

The details of how a new security vulnerability in Internet Explorer 8 can be exploited have become public for everyone, now that the exploit has been added to a popular hacker tool. This weekend it became known that an unknown vulnerability in Microsoft's browser had been actively used in a 'watering hole attack'. Attackers had hacked the website of the US Department of Labor.

The exploit was placed on the hacked website. In a watering hole attack, the targets are individuals who visit the hacked website of their own accord and thereby become infected. Microsoft confirmed the presence of the vulnerability in Internet Explorer 8 on Windows XP, Vista, Windows 7, Server 2003 and Server 2008 and is working on a security update.

Solution
To prevent exploitation, users can adjust the browser's settings or upgrade to a newer IE version, since the vulnerability is not present there. IE9 and IE10 do not run on Windows XP, so switching to an alternative browser is also a solution.

The chance of large-scale exploitation of the vulnerability has increased now that the details have been made public. An exploit has been added to the popular hacker tool Metasploit. Metasploit is a 'framework' with which security professionals and penetration testers can test the security of systems and networks.

Browser
As a result, the details are now accessible to everyone. Metasploit developer 'sinn3r' advises users of Vista or a newer Windows version to upgrade to IE9 or IE10. Windows XP users would be wise to use a different browser, such as Google Chrome or Mozilla Firefox.

Sinn3r states that one of Microsoft's recommendations is incorrect. The software giant advised changing the ActiveX controls setting, but this would not prevent the exploit, since the attack does not use ActiveX controls.

Security researcher Eric Romang has meanwhile made a video in which the Metasploit exploit is demonstrated.

Source: Security.nl

Thursday 11 April 2013

Hijacking airplanes with an Android phone

An extremely well attended talk by Hugo Teso, a security consultant at n.runs AG in Germany, about the completely realistic scenario of plane hijacking via a simple Android app has galvanized the crowd attending the Hack In The Box Conference in Amsterdam today.


Teso, who has been working in IT for the last eleven years and has been a trained commercial pilot for a year longer than that, has combined his two interests in order to bring to light the sorry state of security of aviation computer systems and communication protocols.

By taking advantage of two new technologies for the discovery, information gathering and exploitation phases of the attack, and by creating an exploit framework (SIMON) and an Android app (PlaneSploit) that delivers attack messages to the airplanes' Flight Management Systems (computer unit + control display unit), he demonstrated the terrifying ability to take complete control of aircraft by making virtual planes "dance to his tune."

One of the two technologies he abused is the Automatic Dependent Surveillance-Broadcast (ADS-B), which sends information about each aircraft (identification, current position, altitude, and so on) through an on-board transmitter to air traffic controllers, and allows aircraft equipped with the technology to receive flight, traffic and weather information about other aircraft currently in the air in their vicinity.

The other one is the Aircraft Communications Addressing and Reporting System (ACARS), which is used to exchange messages between aircraft and air traffic controllers via radio or satellite, as well as to automatically deliver information about each flight phase to the latter.

Both of these technologies are massively insecure and are susceptible to a number of passive and active attacks. Teso misused the ADS-B to select targets, and the ACARS to gather information about the onboard computer as well as to exploit its vulnerabilities by delivering spoofed malicious messages that affect the "behavior" of the plane.

Based on his own research, Teso developed the SIMON framework that is deliberately made only to work in a virtual environment and cannot be used on real-life aircraft. His testing laboratory consists of a series of software and hardware products, but the connection and communication methods, as well as ways of exploitation, are absolutely the same as they would be in an actual real-world scenario.

Since it's nearly impossible to detect the framework once deployed on the Flight Management System, there is no need to disguise it like a rootkit. By using SIMON, the attacker can upload a specific payload to the remote FMS, upload flight plans, detailed commands or even custom plugins that could be developed for the framework.

To make things even more interesting - or easier - Teso showcased an Android application that uses SIMON's powers to remotely control airplanes on the move. The application, fittingly named PlaneSploit, sports a clean and simple interface, but is packed full with features. This is a remarkable example of technology evolution - ten years ago we barely had phones with a color screen, today we can use them to hack aircraft.

PlaneSploit uses the Flightradar24 live flight tracker and you can tap on any airplane found in range. When talking about the range, please keep in mind that we are talking about a proof-of-concept application used in a virtual environment. In real life, the range would be limited depending on the antennas used (if going directly for the plane), or global (if misusing one of the two big ACARS players such as SITA or ARINC).

The user interface is divided by its main functions, which are self-explanatory: discovery, information gathering, exploitation and post exploitation. The attacker can click on any active airplane and receives its identification, current location and final destination. In case a nearby airplane system is exploitable (a number of vulnerability vectors were mentioned, not many details provided), the application alerts the user via an in-application alert or a push message. The payload can be uploaded with a tap of a button and from that point on, the flight management system is remotely controlled by an attacker. There are a number of other systems connected to the FMS, so further exploitation is possible.

Here are some of the functions Teso showed to the HITBSecConf Amsterdam audience:
  • Please go here: A way of interacting with the plane where the user can dynamically tap locations on the map and change the plane's course.
  • Define area: Set detailed filters related to the airplane, for example activate something when a plane is in the area of X kilometers or when it starts flying on a predefined altitude.
  • Visit ground: Crash the airplane.
  • Kiss off: Remove itself from the system.
  • Be punckish: A theatric way of alerting the pilots that something is seriously wrong - lights start flashing and alarms start buzzing.
By showing a sample scenario of a drunk pilot flying over Berlin, Teso mentioned that the Android application also uses the benefits of the accelerometer, and therefore a remote attacker can transform the motion of their smartphone into physical changes in the plane's movement.

It's amazing to discover that aviation - an industry where safety is of vital importance and every physical element has one or even two fail-safe mechanisms - is failing to secure the onboard computer, the heart and brain of the plane.

Teso has not shared too many details about the tools he used to effect the attack, as the vulnerabilities have yet to be fixed. He says that he was pleasantly surprised by the reaction of the industry to his research and discoveries, as the companies didn't try to deny the existence of the problems and have vowed to aid him in his research.

He says that older, legacy systems harking back to the 1970s will be difficult, if not impossible, to fix, but that modern ones will easily be updated with patched and modified firmware and software.

The vulnerabilities, of course, differ from system to system and from plane to plane, but it's easy to discover just which ones are present once the attacker identifies the type, model of the plane, and the airline for which it flies.

There is a solution for pilots to regain the control of the plane and land it safely, he says. Attacks of this kind work only when the auto-pilot is on, so the trick is to switch it off, then fly the plane by using analog instruments.

The bad news is that there aren't that many on modern planes, and that the pilots have to detect that the plane's computer is being hacked in order to effect these maneuvers, and that is no easy feat.

Source: Netsecurity

Monday 8 April 2013

Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines

The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through. With the change in FISMA reporting implemented on June 1, the 20 Critical Controls become the centerpiece of effective security programs across government. These controls allow those responsible for compliance and those responsible for security to agree, for the first time, on what needs to be done to make systems safer. No development in security is having a more profound and far reaching impact.

These Top 20 Controls were agreed upon by a powerful consortium brought together by John Gilligan (previously CIO of the US Department of Energy and the US Air Force) under the auspices of the Center for Strategic and International Studies. Members of the Consortium include NSA, US-CERT, DoD JTF-GNO, the Department of Energy Nuclear Laboratories, Department of State, DoD Cyber Crime Center plus the top commercial forensics experts and pen testers that serve the banking and critical infrastructure communities.

The automation of these Top 20 Controls will radically lower the cost of security while improving its effectiveness. The US State Department, under CISO John Streufert, has already demonstrated more than 94% reduction in "measured" security risk through the rigorous automation and measurement of the Top 20 Controls.

20 Critical Security Controls - Version 4.1


Source: SANS

Friday 29 March 2013

How Spamhaus’ attackers turned DNS into a weapon of mass destruction

A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet's Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, "Operation Global Blackout" (later dismissed by some security experts and Anonymous members as a "massive troll"), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act.
This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn't brought the Internet itself down, it has caused major slowdowns in the Internet's core networks.
DNS Amplification (or DNS Reflection) remains possible after years of security expert warnings. Its power is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats. Some network providers have made tweaks that prevent botnets or "volunteer" systems within their networks to stage such attacks. But thanks to public cloud services, "bulletproof" hosting services, and other services that allow attackers to spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.

Hello, operator?

The Domain Name Service is the Internet's directory assistance line. It allows computers to get the numerical Internet Protocol (IP) address for a remote server or other network-attached device based on its human-readable host and domain name. DNS is organized in a hierarchy; each top-level domain name (such as .com, .edu, .gov, .net, and so on) has a "root" DNS server keeping a list of each of the "authoritative" DNS servers for each domain registered with them. If you've ever bought a domain through a domain registrar, you've created (either directly or indirectly) an authoritative DNS address for that domain by selecting the primary and secondary DNS servers that go with it.
When you type "arstechnica.com" into your browser's address bar and hit the return key, your browser checks with a DNS resolver—your personal Internet 411 service—to determine where to send the Web request. For some requests, the resolver may be on your PC. (For example, this happens if you've requested a host name that's in a local "hosts" table for servers within your network, or one that's stored in your computer's local cache of DNS addresses you've already looked up.) But if it's the first time you've tried to connect to a computer by its host and domain name, the resolver for the request is probably running on the DNS server configured for your network—within your corporate network, at an Internet provider, or through a public DNS service such as Google's Public DNS.
There are two ways for a resolver to get the authoritative IP address for a domain name that isn't in its cache: an iterative request and a recursive request. In an iterative request, the resolver pings the top-level domain's DNS servers for the authoritative DNS for the destination domain, then it sends a DNS request for the full hostname to that authoritative server. If the computer that the request is seeking is in a subdomain or "zone" within a larger domain—such as www.subdomain.domain.com—it may tell the resolver to go ask that zone's DNS server. The resolver "iterates" the request down through the hierarchy of DNS servers until it gets an answer.
But on some networks, the DNS resolver closest to the requesting application doesn't handle all that work. Instead, it sends a "recursive" request to the next DNS server up and lets that server handle all of the walking through the DNS hierarchy for it. Once all the data is collected from the root, domain, and subdomain DNS servers for the requested address, the resolver then pumps the answer back to its client.

How DNS queries are supposed to work—when they're not being used as weapons.

To save time, DNS requests don't use the "three-way handshake" of the Transmission Control Protocol (TCP) to make all these queries. Instead, DNS typically uses the User Datagram Protocol (UDP)—a "connectionless" protocol that lets the server fire and forget requests.

Pump up the volume

That makes the sending of requests and responses quicker—but it also opens up a door to abuse of DNS that DNS amplification uses to wreak havoc on a target. All the attacker has to do is find a DNS server open to requests from any client and send it requests forged as being from the target of the attack. And there are millions of them.
The "amplification" in DNS amplification attacks comes from the size of those responses. While a DNS lookup request itself is fairly small, the resulting response of a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the attackers' victim.
DNS amplification attacks wouldn't be nearly as amplified if it weren't for the "open" DNS servers they use to fuel the attacks. These servers have been configured (or misconfigured) to answer queries from addresses outside of their network. The volume of traffic that can be generated by such open DNS servers is huge. Last year, Ars reported on a paper presented by Randal Vaughan of Baylor University and Israeli security consultant Gadi Evron at the 2006 DefCon security conference. The authors documented a series of DNS amplification attacks in late 2005 and early 2006 that generated massive traffic loads for the routers of their victims. In one case, the traffic was "as high as 10Gbps and used as many as 140,000 exploited name servers," Vaughan and Evron reported. "A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60."
But even if you can't find an open DNS server to blast recursive responses from, you can still depend on the heart of the Internet for a respectable hail of packet projectiles. A "root hint" request, a query for the name servers of the "." domain, results in a response about 20 times larger than the packet the request came in. That's in part thanks to DNSSEC, the extension adopted to make it harder to spoof DNS responses: a signed response now carries DNSSEC signature records (and, when asked for, the signing keys) on top of the list of root name servers and their addresses.
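To make the mechanics concrete, here is an added example (not code from the Ars article) that builds the "root hint" probe query described above, with an EDNS0 record advertising a 4096-byte buffer so the server is allowed to send a large UDP reply, and classifies a reply as coming from an open resolver or not while computing the amplification factor an attacker would get. The reply it is fed is constructed in the block itself (it is not a capture from any real server), so the example runs offline; on a real network you would send `build_query()`'s bytes to UDP port 53 of the server under test and pass whatever comes back to `classify_response()`.

```python
import random
import struct

# Added example (not from the Ars article): build the "root hint" probe query
# the text describes and classify a server's reply as an open resolver or not.

DNS_TYPE_NS = 2
EDNS_OPT = 41


def encode_name(name):
    """Encode a domain name as DNS labels; "." (the root) is a single zero byte."""
    name = name.rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_query(name=".", qtype=DNS_TYPE_NS, recursion_desired=True, edns_bufsize=4096):
    """Return (txid, wire bytes) for a query. The defaults give the root-hint query
    (NS for ".") with an EDNS0 OPT record advertising a 4096-byte UDP buffer, which
    is what lets a server send a response far larger than the classic 512-byte limit."""
    txid = random.randrange(0, 0x10000)
    flags = 0x0100 if recursion_desired else 0x0000              # RD bit
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_bufsize:
        # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL 0, no rdata
        opt = b"\x00" + struct.pack("!HHIH", EDNS_OPT, edns_bufsize, 0, 0)
    return txid, header + question + opt


def classify_response(txid, query, response):
    """Interpret a reply to build_query()'s packet.

    "Open resolver" here means the server answered our recursive query: RA flag
    set, RCODE 0 and at least one answer record. The amplification factor is
    simply response bytes / query bytes, which is what an attacker cares about."""
    if len(response) < 12:
        return {"valid": False}
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:       # wrong transaction, or QR bit not set
        return {"valid": False}
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    return {
        "valid": True,
        "rcode": rcode,
        "recursion_available": ra,
        "answers": an,
        "open_resolver": ra and rcode == 0 and an > 0,
        "amplification": round(len(response) / len(query), 1),
    }


def constructed_root_hint_response(txid, answers=13, refused=False):
    """Constructed sample reply (not captured from a real server) so the classifier
    can be exercised offline: echoes the root NS question, then `answers` NS records."""
    question = encode_name(".") + struct.pack("!HH", DNS_TYPE_NS, 1)
    if refused:
        # QR, RD, RA set; RCODE 5 (REFUSED); no answer records
        return struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answers, 0, 0)  # QR, RD, RA, NOERROR
    rrs = b""
    for i in range(answers):
        rdata = encode_name(chr(ord("a") + i) + ".root-servers.net")
        # owner name is a compression pointer (0xC00C) to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_NS, 1, 518400, len(rdata)) + rdata
    return header + question + rrs


if __name__ == "__main__":
    txid, q = build_query()
    print(len(q), "byte query")
    print(classify_response(txid, q, constructed_root_hint_response(txid)))
    print(classify_response(txid, q, constructed_root_hint_response(txid, refused=True)))
```

Even this constructed, unsigned reply is about 15 times the size of the 28-byte query; a real root hint response with DNSSEC signatures and glue is larger still, which is why the text's factor of 20 is unremarkable.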

A comparison of a "root hint" query and the response delivered by the DNS server. Not all data shown.

In the case of the attack on Spamhaus, the organization was able to turn to the content delivery network CloudFlare for help. CloudFlare hid Spamhaus behind its CDN, which announces the same IP prefixes from many locations over the Border Gateway Protocol (anycast), so that packets destined for the antispam provider's site are routed to the closest CloudFlare point of presence. This spread out the volume of the attack. CloudFlare was then able to shut off the amplified attacks aimed at Spamhaus with routing filters that dropped the DNS responses matching the pattern of the attack.
But that traffic still had to get to Cloudflare before it could be blocked. And that resulted in a traffic jam in the core of the Internet, slowing connections for the Internet as a whole.

No fix on the horizon

The simplest way to prevent DNS amplification and reflection attacks would be to prevent forged DNS requests from being sent along in the first place. But that "simple" fix isn't exactly easy—or at least easy to get everyone who needs to participate to do.
There's been a proposal on the books to fix the problem for nearly 13 years: the Internet Engineering Task Force's BCP 38, an approach to "ingress filtering" of packets. First published in 1998 as RFC 2267 and reissued as BCP 38 (RFC 2827) in 2000, the proposal has gone nowhere. And while the problem would be greatly reduced if authoritative servers simply refused to recurse for outside clients and recursive resolvers answered queries (including "root hint" queries) only from their own networks, that would require action by the owners of those servers. It's an action that has no direct monetary or security benefit to them.
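The server-side configuration this paragraph has in mind, as an added example rather than anything from the article: a BIND 9 named.conf options block that answers recursive queries only for the operator's own networks (192.0.2.0/24 is an assumed example prefix), refuses to recurse for everyone else, and rate-limits responses so the server is a poor amplifier even for queries it must answer. An authoritative-only server should simply set recursion no.

```conf
options {
    // Weak setting: the server will recurse for any address on the Internet,
    // which is exactly what makes it usable as an amplifier.
    //   recursion yes;
    //   allow-recursion { any; };

    // Hardened: recurse, and hand out cached answers, only for our own clients.
    // 192.0.2.0/24 is an assumed example prefix; substitute your own.
    recursion yes;
    allow-recursion  { localnets; 192.0.2.0/24; };
    allow-query-cache { localnets; 192.0.2.0/24; };

    // Keep responses small, and throttle repeated identical answers
    // to one client address so spoofed queries get little amplification.
    minimal-responses yes;
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

After reloading, a check from an address outside those networks should get REFUSED for a recursive query and no answer from the cache; the classifier in the earlier example reports exactly that case as "not an open resolver".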
ISPs generally do "egress filtering": they check traffic leaving their network to make sure it carries source addresses from inside that network, which keeps their peering connections from filling up with bad traffic. "Ingress" filtering, which BCP 38 asks for, applies the same check where packets enter the network: the router verifies that a packet's source address is one that can legitimately arrive on that interface (for a customer link, one of the prefixes assigned to that customer) and drops it otherwise, so a forged DNS query never gets past the first hop.
Another possible solution that would eliminate the problem entirely is to make DNS use TCP for everything: a client with a forged source address can never complete the three-way handshake, so the server never sends a large response to a host that didn't ask for it. DNS already uses TCP for zone transfers and for responses too large to fit in a UDP packet. But moving every lookup to TCP would change how DNS is operated everywhere and add connection overhead to every query, so it's unlikely ever to happen, considering that you can't even convince people to properly configure their DNS servers to begin with.
Maybe the attack on Spamhaus will change that, and core network providers will move to do more to filter DNS traffic that doesn't seem to match up with known DNS servers. Maybe, just maybe, BCP 38 will get some traction. And maybe pigs will fly.

Source: Ars Technica

Tuesday, 19 March 2013

Details on the denial of service attack that targeted Ars Technica


Last week, Security Editor Dan Goodin posted a story about the "swatting" of security reporter Brian Krebs and the denial of service attack on Krebs' site. Soon after, Ars was targeted by at least one of the individuals behind the Krebs attack. On Friday, at about noon Eastern Daylight Time, a denial of service attack struck our site, making connectivity to Ars problematic for a little less than two hours.
The attack continued to run throughout Friday. At 9pm EDT, when our hosting provider brought down one of the filters that had been put in place to thwart it, it quickly became apparent that the attack was still underway, and the filter was restored. The most aggressive filters were finally removed on Saturday.
At least in part, the offensive used the same attack tool and user credentials that were involved in the denial-of-service (DoS) attack on Krebs On Security, as Krebs himself revealed in a blog post. The attackers used multiple accounts on TwBooter, a "booter" site that provides denial-of-service attacks as a paid service (ostensibly for security testing purposes), to launch an automated denial-of-service attack on Ars. And at least one of those logins was also used to attack Krebs' site.
TwBooter masks all of the complexity of launching attacks against sites. Users of the site can, depending on how much they pay, launch up to three simultaneous automated attacks against sites through a simple Web interface. TwBooter users can even set up multiple accounts and fill up the queue of the service's "attack server."



Individual accounts using TwBooter's server can be "licensed" for up to three simultaneous attacks lasting up to two hours, if you can come up with the cash. Free plans can be set up in exchange for filling out a few surveys.


It doesn't cost much to get in on the ground floor with TwBooter—an account with rights to a single automated attack of up to 60 seconds in length is $10 for a month. This means you can launch as many 60 second attacks as you want, one at a time, all month long. The "license" to launch up to three attacks at a time of up to two hours duration is $169 a month—but there's a 20 percent discount if you pay through Liberty Reserve instead of PayPal. There's also a free plan that allows for attacks up to 300 seconds long. That service requires users to pick an attack type from a pull-down menu in a Web form.

The Web form for launching attacks from TwBooter's free attack service.


PayPal payments for the site are routed to Sebastien Lariviere, a former IT technician for the county government (MRC) of Pierre-De Saurel in Quebec (now operating as Lariviere Security). Lariviere did not respond to e-mails from Ars for comment.
Obviously, sites like TwBooter generate a lot of ill will and are ironically the target of DoS attacks themselves. Like many legitimate and "black hat" sites—such as the site exposed.su, a website that recently posted the personal information of many public figures—TwBooter runs behind the CloudFlare content delivery network as a way of shielding itself from attacks.
TwBooter may not have been the only service used to launch the attacks on Ars and Krebs. "There are dozens of these booter services out there, most of them based on the same source code," Krebs told Ars. But Krebs received a tip pointing to a dump of TwBooter's customer database, openly accessible on the service's website. It's clear the TwBooter site was part of the attack: a snippet from the SQL dumps Krebs provided to Ars shows that multiple attacks (including Slowloris, TCP amplification, and SYN flood attacks) were queued up by multiple accounts on the site.

Pick your poison

Some of the attacks served up by TwBooter are aimed at the Web server software itself. HTTP GET and POST floods, for example, try to overwhelm the targeted server with more requests than it can answer, tying up its connection and buffer capacity. But a few of the attacks thrown at Ars don't require the massive traffic of a million-PC botnet at all.
Slowloris, for example, takes a less brute-force approach. It's a "slow HTTP" attack that exploits the way Apache, in its default process- or thread-per-connection configuration, dedicates a worker to every open connection. It sends partial HTTP requests to its intended victim (request headers that never end with the blank line that completes them, topped up with another header line every so often), which forces the server to keep each connection open while waiting for the rest. Because it needs very little traffic to exhaust the server's pool of workers, it doesn't have to be distributed to work. But since it depends on the target being an Apache server that hasn't been tuned against slow requests, for instance with a request-header timeout, it's not very effective against high-volume Web servers, especially sites using the event-driven NGINX server, like Ars.
Another attack used against Ars was RUDY, or R-U-Dead-Yet, which also uses relatively few packets. Instead of sending partial headers, it sends what seems like an unending HTTP POST: the request header declares a very large Content-Length, and the body then arrives a byte at a time. That keeps the server waiting for the rest of the POST until the declared length is reached, which never happens.
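The two slow attacks and their common fix, as an added example (not Ars's or TwBooter's code): a toy worker-per-connection HTTP server on localhost that, like an untuned Apache, waits indefinitely for the rest of a request, beside the same server with a per-request timeout (the same idea as Apache's mod_reqtimeout). Two constructed payloads are sent against each, a Slowloris-style request whose headers never finish and a RUDY-style POST that declares a 1,000,000-byte body and sends one byte of it. The probe reports whether the server is still holding the connection (one worker tied up per connection, with no further traffic needed) or has answered 408 and freed it. Everything runs on 127.0.0.1 and touches no other host.

```python
import socket
import threading
import time

# Added example (not Ars's or TwBooter's code): a local lab showing why Slowloris
# and RUDY tie up a worker-per-connection server, and how a request timeout
# (the same idea as Apache's mod_reqtimeout) defeats both.

# Constructed payloads. Slowloris: headers with no terminating blank line.
SLOWLORIS_PAYLOAD = b"GET / HTTP/1.1\r\nHost: lab.example\r\nX-a: b\r\n"
# RUDY: complete headers declaring a huge body, then only one byte of it.
RUDY_PAYLOAD = b"POST / HTTP/1.1\r\nHost: lab.example\r\nContent-Length: 1000000\r\n\r\na"


def start_server(request_timeout=None):
    """Toy HTTP server on 127.0.0.1: one thread per connection, like Apache prefork.
    request_timeout=None waits forever for the rest of a request (the vulnerable
    behaviour); a number in seconds bounds how long a client may dribble a request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn):
        conn.settimeout(request_timeout)
        try:
            buf = b""
            while b"\r\n\r\n" not in buf:          # wait for the end of the headers
                chunk = conn.recv(1024)
                if not chunk:
                    return
                buf += chunk
            head, _, body = buf.partition(b"\r\n\r\n")
            length = 0
            for line in head.split(b"\r\n")[1:]:
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    length = int(value.strip())
            while len(body) < length:              # wait for the declared body
                chunk = conn.recv(1024)
                if not chunk:
                    return
                body += chunk
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
        except socket.timeout:
            # Hardened behaviour: give up on the slow client and free the worker.
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n\r\n")
        finally:
            conn.close()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                        # listening socket was closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def probe(port, payload, hold_seconds=1.0):
    """Send an incomplete request, wait, and report what the server did with the
    connection: 'held' (still waiting, so a worker is tied up), 'closed', or the
    status code it answered with (e.g. '408')."""
    c = socket.create_connection(("127.0.0.1", port))
    try:
        c.sendall(payload)
        time.sleep(hold_seconds)
        c.settimeout(0.2)
        try:
            data = c.recv(1024)
        except socket.timeout:
            return "held"
        if not data:
            return "closed"
        return data.split(b" ", 2)[1].decode("ascii")
    finally:
        c.close()


def run_lab():
    """Exercise both payloads against the vulnerable and the hardened server."""
    results = {}
    for label, timeout in (("vulnerable", None), ("hardened", 0.3)):
        srv = start_server(timeout)
        port = srv.getsockname()[1]
        results[label] = {
            "slowloris": probe(port, SLOWLORIS_PAYLOAD),
            "rudy": probe(port, RUDY_PAYLOAD),
        }
        srv.close()
    return results


if __name__ == "__main__":
    for server, outcome in run_lab().items():
        print(server, outcome)
```

The vulnerable server reports "held" for both payloads: each probe costs the attacker one idle socket and costs the server one worker for as long as the attacker likes, which is why Slowloris and RUDY need no botnet. With a 0.3-second request timeout both probes get a 408 and the worker is released; an event-driven server such as NGINX is harder to hurt this way because an idle connection does not occupy a worker in the first place.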
Other attacks in the "booter" arsenal go after the targets' network connections themselves. SYN flood attacks, for example, try to overwhelm the target by creating a huge volume of "half-open" connections, using the nature of TCP's three-way handshake to tie up server resources. The attacker sends SYN ("synchronize") packets to the target; the target answers each with a synchronization acknowledgement (SYN-ACK) and sets aside state for the new connection, which a legitimate client would complete with an acknowledgement (ACK). The attacker never sends the ACK, so the target is left with unfinished connections filling its connection backlog until it can't accept any more. These SYN packets are usually sent with forged source addresses (the attacker never needs to receive the SYN-ACK), so they're difficult to trace and can appear to come from far more machines than are really involved.
Another attack type flung at Ars was a UDP-LAG attack, which simply pours a large stream of UDP packets at the target in an attempt to saturate its network connection and knock it offline. UDP-LAG attacks from "booter" services are popular with online gamers who want to slow down a competitor's connection, so they can camp on their location and kill them while they lag, respawn, and lag some more. Because they consist of UDP packets, high-volume UDP-LAG attacks can look like DNS amplification attacks, which use DNS servers' responses to spoofed queries carrying the target's address as their source.

Shrugging it off

Fortunately, Ars' hosting provider was able to quickly identify the attacks that were causing the most damage to site availability. Our IT team alerted our provider to the problem at 12:09pm EDT on Friday; the problem was mostly in hand by 1:30pm through the application of traffic filters at the provider's router.
But the fact remains that anyone with some spare change, spare time, and an axe to grind can turn to sites like TwBooter and stage DoS attacks at will, with little fear of retribution. The sites come and go, hiding behind the thin veil of a "terms of service" agreement that asks users, pretty please, not to misuse their attack servers. These booters profess that they are for "security professionals only", yet they do little to track the actual identities of those who use the servers.

Source: Ars Technica