Wednesday, September 19, 2018

Let's Talk Blockchain!

You walk into a conference room. Co-workers pop open cans of LaCroix water. You brought your laptop, ready for the hard questions. An executive takes a seat at the head of the table. The topic of discussion gets under way. And then it happens. Someone uses the word "blockchain" in a way that makes zero sense and sounds like magic.


Blockchain isn't magic. It's math.

The current implementations of blockchain relate to cryptocurrency, like Bitcoin or Ethereum. So let's go with that as an easy way to describe the magic - er, math - of blockchain.

Generating cryptocurrency is like a gold mine. There's a mountain (the public ledger aka blockchain), and a bunch of gold nuggets (mathematical challenges) are buried in that mountain. Finding each nugget (solving the challenge) leads to finding more nuggets (moving on to the next challenge). But only up to a point. Because, like mines, cryptocurrencies are finite. Why? Blockchain.

Each step of the process of digging up the nuggets gets validated by a cryptographic algorithm, like an assessor who measures the size and weight of the gold nuggets you bring in after a long day of mining. No single assessor is given the power to validate all of the gold nuggets in the world. They group together and all have to agree, which is where the public ledger comes in. Each assessor shares their information by adding their "yup, it's gold and here's how much this nugget is worth" message on to one another's assessments that get logged in the ledger. The latest validation is added to the previous ones, forming a daisy chain of "yups." That chain links together all the available validations to prove you did, indeed, uncover a bunch of gold nuggets that the group of assessors agreed to validate.

Maybe "chainlink" didn't sound sexy enough. Instead, it's called "blockchain." Rather than simply issue a certificate of authenticity/value, which could be stolen or forged, the blockchain is made up of chunks of cryptographic algorithms that act as the authoritative "yup" to prove your mining efforts paid off. The act of mining cryptocurrency is known as...wait for it...cryptomining.

Cryptomining is like digging up all the gold nuggets from all the mountains. The value of cryptocurrencies is like any commodity. It's determined by how much people are willing to pay for it. Generating each "coin" is computationally expensive (translation: it takes a lot of horsepower) because the chain of algorithms is long and the math puzzles are intentionally hard to make sure the results are rare. The rarer the commodity, the higher its value. Blockchain accomplishes this by enforcing the difficulty by length and distribution of its structure. Thus, mining cryptocurrency is slow and methodical.

This is why bad guys have taken to hiding cryptomining scripts and programs on compromised systems. The more horsepower they can throw at mining operations by hijacking your computer, cell phone, TV, or other Internet-connected devices, the faster and more coins they can yield. The blockchains don't care who finds their associated coins (e.g. Bitcoin, Ethereum, Monero, etc.) or how, it only matters that they're found.

So, simply put, blockchains are distributed chunks of data that, when pieced together, validate information of value. Really, that's all. No magic required.


Thursday, May 17, 2018

Confessions of a Star Wars Fan

I have a confession to make. I'm not really a fan of science fiction. There are exceptions, of course. Star Wars: A New Hope jumps to the top of my list. I'm a HUGE fan. So are most of my peers in the cyber crime fighting world. Including those who, like me, may not be the biggest sci-fi fans. It occurs to me the exceptions – the sci-fi books and movies I enjoy – often have a hacker theme. Even Star Wars.

What? I hear you ask. Star Wars is a hacker movie?

Yes, yes it is.

Some parts are obvious. Like Princess Leia saying, in reference to the stolen Death Star plans, "I only hope that when the data's analyzed, a weakness can be found." That's classic reverse engineering.

There are other hacker-y scenes, too.

Luke triggering the hologram, for instance. It was meant for Obi Wan's eyes only but Luke accidentally made R2D2 play a snippet. In other words, he inadvertently exploited a vulnerability in the droid.

When Luke and Han pose as storm troopers with Chewbacca in handcuffs to trick their way into the detention area, that's an example of social engineering.

R2D2 plugging into the port to find Leia in the first, place, that's penetration testing. Once R2 has that digital foothold, the droid turns off the trash compactor. This is an example of lateral movement within a now-compromised network.

Obi Wan gets in on the vuln exploitation by finding and shutting down the tractor beam holding the Millennium Falcon. Sure, he does it manually, but, hey, it worked.

And when our heroes get away, Leia says, "They're tracking us." There are several ways that could be cross-referenced to cybersecurity. For years, content providers have used tracking pixels on web pages as a way to combat lookalike phishing pages. Honeypots have been around for ages, too, which are computers or virtual computers intended to be hacked so the good guys could watch and see what the bad guys do. More recently, canary tokens/files have gained popularity, named for "canary in a coal mine." Like honeypots, these are lures to attract miscreants to see who might be stealing data and where the stolen data ends up.

Maybe it's a perspective thing. Or maybe it was intentional on George Lucas' part. Either way, to me, the first Star Wars movie, A New Hope, isn't what I think of as typical science fiction. It's one of my favorite hacker flicks.

May the Force be with you.

Friday, February 9, 2018

What's a Security Freeze and Why Should I Care?

In light of the billions (with a "B") of personally identifiable information records now leaked, dumped and being sold in the criminal underground, identity fraud is at an all time high. These records contain information as innocuous as your email address and password used on a website that got breached, or highly detailed information about you exposed by the accidental leak of the database containing all registered US voters.

I've talked about 2-factor authentication in a past blog post. This time, we'll take a deep dive into protecting the information criminals use to monetize leaked and stolen data, your credit reports.

What's a credit report? It's basically your financial life as recorded by debt and linked to your Social Security Number. A credit report contains your bill pay history (also know as credit history), your credit card issuers (past and present), your debt history (car loans, rent/mortgage holders past and present thus your past and current addresses), all the information that goes into the makeup of your credit score. Credit reporting agencies sell this information to insurers, employers (for background checks) and loan application evaluators (mortgage lenders, landlords, banks/personal loan issuers, etc.).

How do bad guys leverage credit reports? The most obvious way is identity theft - opening lines of credit, credit cards or other types of loans in your name. They get the credit card or money, you get the bills. Other forms of fraud are cobbled together identities - one person's name, another's address, a third person's SSN, and so on. This makes it harder to both catch and repair the damage to all victims' financial well being.

In order to accomplish these forms of fraud the credit issuers first run a credit check of the requestor (real or criminal). Thus, access to this information is critical. That's where a security freeze comes in. Also known as a credit freeze, it's a service that "locks" your credit report against credit/loan application access requests until you explicitly allow an agency to respond. This differs from fraud alerts, which are reactive and most often temporary. That is, you get alerted that someone accessed your credit report after the fact. A security freeze is prevention against fraudsters and thieves impersonating you, regardless of the how much information they have to verify your identity. What they won't have is the secret to temporarily unlock the credit report. That secret is either a PIN or a password the credit agencies mail to you and that you need to supply to the credit agency when you apply for new credit cards, loans, or submit to a background check. A handy tip I've learned is you can specify the agency to be queried when a credit check is needed. You don't have to unlock them all.

Security freezes are relatively easy to set up. The caveat is that you need to set a freeze at each of the credit reporting agencies: Experian, TransUnion and Equifax. Two smaller reporting outlets have emerged and those should be included: Innovis and ChexSystems. These two aren't as comprehensive in the overall services they provide but they can be inroads for criminals who can't get past freezes at the Big 3. All told, it takes roughly an hour out of your life to lock out the bad guys.

We're at the mercy of data brokers to protect our information. Security freezes offer peace of mind when they fall down on the job.

Friday, May 19, 2017

Shadow Brokers/NSA Malware Update - Haven't Patched? Do It Now.



The Shadow Brokers data dump is the gift that keeps on giving.

It wasn't just the victims and good guys who took notice of the unbridled spread of the WannaCry ransomware worm. The bad guys paid attention, too. And now more SMBv1-based attacks have been unleashed or are in active development.

If you have an older Windows machine and think you're out of luck there's good news. Microsoft recently released updates for their outdated/unsupported operating systems going back to Windows XP. The updates are unusual because Microsoft makes it a practice to never update end-of-life operating systems and software. They prefer to spend development cycles on new products and those under their support contracts. This is a special case, though, as many of the devices infected by WannaCry and being targeted by the new malware include embedded operating systems (things like ATMs and point-of-sale systems) that *can't* be easily updated.

It's also worth noting that, according to NetMarketShare.com, Windows 10 is lagging behind its older predecessors in terms of adoption. Windows 7 makes up nearly half (48.5%) of the current operating systems in use today while XP, Vista, 8 and 8.1 combine to make up over 16%. That's a whole lot of unpatched exposure.

For those with XP, Vista, 8, 8.1, Server 2003 or Server 2008, you can find standalone updates to protect against the SMBv1 exploits here:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

For some reason Microsoft made the Windows 7 and Server 2008 R2 standalone updates separate from the above batch. You can find them here:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB4012215

What are you still doing here? Go patch now!

Saturday, May 13, 2017

Basic Hygiene aka Security 101

What the heck happened on May 12? Super-evil technical genius releases ransomware worm that invaded systems around the world and he made a gazillion dollars?

Nope.

A ransomware worm was, in fact, released in the wild. It did, in fact, cause mass chaos. This depicts the last 24 hours of infections worldwide (see MalwareTech for real-time stats):



The "evil genius" created this attack by using information released by Shadow Brokers a few weeks ago. As of this writing the miscreant has made a whopping $26K in Bitcoin. Meanwhile, the good guys are continuing to eradicate this mess through various truly genius means.

The real culprit in the exponential spread of this attack? You.

The worm (self-propagating code) leveraged a weakness in an outdated version of a Microsoft Windows feature known as Server Message Block, or SMB, to plant the ransomware and spread itself to the next machine. To grossly oversimplify, SMB is how Microsoft systems "talk" to each other. Microsoft released a patch for this vulnerability on its current products back in March.

The 2 important points in that last sentence: "current products," "patched in March."

Microsoft is well known for its upgrade path. Some people like it, some people hate it. Microsoft wants their customers to update to their latest operating systems to make money, sure. But it's also to keep their customers safer. Their engineers and threat researchers constantly work to improve the security of their products. This is why they release monthly security updates. This is also why they offered a free upgrade to Windows 10 for so long.

One of the key factors in the rampant spread of this ransomworm (as some of my peers have dubbed it) is versions of Windows that are so old (XP, for instance), they stopped being supported by Microsoft years ago. This means no security updates have been released for these systems. And that means they are vulnerable to multiple attacks, including this one.

Which brings me to the second point. As stated above, the vulnerabilities that made this worm possible were patched in March. For those who do have current systems, and left Windows Update enabled (the default), you probably just read about the hoopla and went on with your life. According to latest statistics, at least 90,000 people didn't get the memo and have spent the last 24 hours really wishing they had.

This entire event highlights failures in basic computer hygiene. I thought it an opportune time to remind folks of the simple steps to reduce the likelihood of becoming a victim to this and other types of online attacks. This applies to ALL computer and mobile systems, not just Microsoft, by the way:
  • Keep your operating system and installed software current
  • Turn on automatic updates for your operating system (at a minimum) and software popular with bad guys (Adobe, Java, iTunes, etc.)
  • Back up regularly
  • Install antimalware and keep it updated
The last point may or may not have helped with the ransomworm but it's still a good practice. And yes, Mac users, this means you, too. Last week also saw OS X take a direct hit by the Proton malware.

Prevention is so much easier than recovering lost time and, worse, lost data.


Sunday, April 2, 2017

Privacy Is Dead. Long Live Privacy.


There seems to be a lot of confusion about what happened on March 28, 2017 when the United States Congress affirmed the Senate vote the previous week to block the Obama-era adoption of safeguarding privacy of online activity. I want to try to clear that up.

First, let's get the legal mumbo jumbo out of the way. In October 2016, the FCC amended its interpretation of the Communications Act of 1934, Section 222. Prior to this amendment, Internet Service Providers ("ISPs") were required to protect their customers' online habits and personal information, although the method of protection isn't defined. What is defined are exceptions:
- in order to bill their customers for data usage
- in response to subpoena/warrant
- suspicion of harm to the ISP's own or partnering infrastructures
- to provide location data in the interest of public safety
- and if customers gave their permission to being served ads based on their personal information and/or usage.

These exceptions meant that ISPs were able to examine all customer data and traffic in order to satisfy the criteria.

Let me repeat that - ISPs have had the legal right and means to collect, analyze and sell customer data all along.

Popular wisdom is that, although they legally *could,* few ISPs actually *did* sell customer data because Section 222 didn't forbid it, it simply stated selling your information must be on an opt-in basis. People are under the impression that unless they gave consent, it didn't happen. However, the language for opting in may be buried in the terms of service in your contract as a condition of usage. You may have agreed to opt in unless you explicitly opt out. For example, Comcast/XFINITY contracts contain this perfectly legal twist of language.

The October 2016 amendment enforced a higher standard of care in protecting personal information and banned the sale of customer data without explicit permission by the user him/herself by removing the "not opting out is opting in" loophole. The law was scheduled to go into full force and effect in December 2017. What the current Congress and Senate voted on was halting this amendment, effectively preserving the status quo of selling user data and removing the stronger privacy/protection standards for personal information and online activity.

In the aftermath of the March 28 vote pundits are saying that nothing changed and until POTUS signs the new bill, it's not "law."

True? Not exactly.

Let's take the second point first because that's easier to explain. Yes, it's true that bills don't become laws until the sitting president signs them. In this case, though, the bill is a negative, that is, it takes prioritizing privacy in ISPs' data handling standards with penalties for non-compliance off the table. More simply stated, the ISP practice of collecting, analyzing and selling user data remains legal.



Now let's get into the trickier part and where there are even more misunderstandings. I drew the above gross oversimplification to explain this to someone and I'm finding it handy so I thought it worth sharing here.

In the "Before March 28, 2017" drawing you see the typical Internet traffic flow. We access Internet-based resources from our homes, offices, coffee shops, hotels, schools, mobile devices, etc. by way of routers and broadband lines leased to us by our ISPs. When accessing sites considered sensitive, like banks, shopping sites, and email, the session takes place using SSL or TLS hosted on those websites. SSL/TLS creates encrypted wrappers for the flow of data back and forth between your device and the destination, making it difficult for ISPs (or anyone else) to eavesdrop. They can't see or collect the information, they just see gobbledygook. The "Profit" box in the drawing means ISPs make their money directly from their consumers who pay for Internet and carrier services. They also make money by serving us ads based on the use they see that's not protected by SSL/TLS. When we see the ad, people get paid. These are called "ad impressions." If we click on the ad, people get paid more because ISPs, websites and advertisers make commissions on the number of clicks. Some ads are random and some are based on our online activity. Websites learn about us by incorporating user tracking like cookies or hidden pixels in images on the sites we visit. While not strictly illegal, nor technically infeasible, before March 28 it was considered unethical for ISPs to decrypt SSL/TLS sessions in transit for the purpose of serving ads or to sell to third parties.

That's the crux of ISP complaint against the October 2016 amendment. Google, Facebook, banks, shopping sites, etc. all get our decrypted data because they're sending your machine a certificate that acts like a key to unlock the SSL/TLS tunnel on their end of the conversation. This is how they're able to provide you the service you expect. It's also how they show you ads you're more likely to click on ("targeted ads"), because they get to see what you do while you're on their sites. ISPs want to be able to use the data they collect from you to do the same.

Wait a minute, I hear you saying. ISPs decrypting SSL? Is that possible?

It's not only possible, the capability been commercially available for a decade. Bad guys use SSL/TLS, too, in order to slip past defenses. The good guys needed a way to fight back. Corporate gateway inspection, intrusion detection/protection, firewalls and proxies sold by companies like Bluecoat, Palo Alto Networks and Microsoft all rely on SSL interception to decrypt and analyze SSL/TLS-encrypted traffic to identify and respond to encrypted malicious activity. Of course, government spies have been doing it much longer. And ISPs had the right to decrypt traffic in order to meet the exceptions noted above.

Why is this important? Because, contrary to popular belief, the Communications Act, Section 222 doesn't prevent ISPs from employing this same tactic in order to compete for advertising dollars. Public opinion has been the only deterrent. The October 2016 amendment aimed to rectify that. Which brings us to the "After March 28, 2017" picture.

In the lower drawing, we see the Internet as it exists today with a couple of hypotheticals in the current climate. Remember when I said the justification for killing off the October 2016 amendment was to allow ISPs to compete with website owners for higher ad revenue? They don't have to wait for something to *not* happen (increased restriction and oversight). Thus you see the data siphon flow, representing the ISPs' desire to create a database of their customers and their online behaviors. In some states it's illegal to store this data in plain text (unencrypted) but the point is that ISPs are free to use data they already collect on customers by searching through their data stores with tailored queries suited to advertisers' whims. They are free to serve highly targeted ads and redirect us from where we wanted to go to sites that pay them in order to maximize the ISPs' commissions. Theoretically, this data is also available to anyone willing to pay for it, including local, state and federal agencies, without notifying users should ISPs continue and even expand their definition of "not opting out is opting in." Remember, ISPs are only restricted by the broad language of Section 222 as it existed before March 28. That's why I used "warrantless searches" as one theoretical example.

So what can we do about this? Not a heck of a lot.

Deleting your browsing history on your own device has no effect whatsoever. Zero. Nada. The data collection we're talking about is your activity as it traverses your ISP's network, not your own computer or mobile device. Deleting cookies & history is a good practice against certain types of malware but it's no help here.

Privacy fans who are willing to put up with a slower Internet experience can run i2P and Tor to make a best effort at protecting their anonymity. If you go this route, use both. i2p acts as an underlying layer that complements Tor to increase the effectiveness of the privacy Tor provides. Just be aware that eventually your Internet traffic pops out of the private channel to reach its destination and those exit points can be monitored. Sometimes it's good guys, sometimes it's bad guys, sometimes it's both sitting and watching on the same exit node. Another downside is that Tor is blocked by many popular websites like banks, shopping, and streaming entertainment sites because anonymity is popular with bad guys, too. The same goes for other forms of free virtual private networks ("VPNs").

Speaking of VPNs, if your employer allows you to work remotely, chances are pretty good that you log into your office on a corporate VPN. Using your company's VPN may be an option to keep your ISP's eyes off your activity. The downside is your employer is probably watching and you will definitely be restricted by the employer's acceptable use policies.

Another alternative is to simply accept and assume that everything you do online is public.

The best thing we can all do is to keep the pressure on and support the folks on the front lines fighting for our privacy. The Electronic Frontier Foundation and the ACLU are leaders in this pack. Keep calling, writing, emailing, faxing, and showing up to let your elected officials know how you feel about your privacy and either volunteer and/or donate to EFF and ACLU.

Update: POTUS signed the bill on April 3. The bill rolling back privacy protections is now law.

Sunday, March 26, 2017

What the Phrack

Every wonder about all those "PH's" used in hacking terms like phreak, phrack and phishing? I watched a CBS Sunday Morning story about phone booths and it occurred to me that there are at least two generations who have no idea what "phreak" or "phrack" mean, or why phishing is spelled the way it is. It all goes back to phones.

Back when answering machines started to catch on, we could call our own landline from a pay phone to punch in a code on the keypad or, if calling from a rotary dial phone, hold a device up to the telephone handset that played a simulated tone sequence to tell the answering machines to play messages. Hackers of the 1970's and '80's figured out that those tones could be used in creative and unexpected ways to manipulate phone lines. Free long distance calls were a popular choice (and illegal, it must be noted, as it constituted fraud against telephone companies). Hackers also discovered that universities and governments sent data back and forth over phone lines, too. Remember the 1983 movie, "WarGames"? The act of these types of phone line shenanigans became known as "phreaking." I confess, I have no idea why hackers (also known as "crackers" back in the day) were called "freaks," but I can guess as early reverse engineers were considered social outsiders. Anyway, the spelling quickly evolved to marry the words "phone" with "freak."

Thus, a cultural pattern was born.

So, what's "phrack"? Well, it's actually capitalized. Phrack was the first and remains the longest-running hacker 'zine. Its founders named it by combining "phreak" with "hack." Understandably, early issues focused on the ways, means and underground culture of phone hacking, as it predated technologies like broadband and the Internet as we know it today. In its 7th issue in 1986, Phrack published, "The Conscience of a Hacker,"(sometimes referred to as "The Hacker Manifesto") which formed the basis for the archetype of a hacker as an outcast teenager in his mom's basement. In the 1990's data carriers moved from phone lines to Ethernet and Phrack branched out, too. They published arguably THE seminal article on uncovering and exploiting code bugs in 1996, "Smashing The Stack For Fun And Profit," by Aleph One (aka Elias Levy, the moderator of a popular network and host vulnerability disclosure forum at the time).

"Phishing" has similar roots in telephony. Phishing is a form of social engineering, more simply stated as a con job. It relies on the con artist, or phisher, tricking unsuspecting victims into supplying their user names and passwords to online properties in any number of ways. The term "fisher" was first used in 1995 in a multi-featured hacking tool targeting the then-king of the World Wide Web, AOL. The tool is long gone but AOHell's documentation is still online here (warning: strong language). "Fishing" transitioned to "phishing" in 1996 by members of the popular hacking forum (then known as "newsgroups") alt.2600 who adapted it in a nod to hacking's roots in phreaking.

As an aside, if you haven't seen "WarGames," you really should. Not only is it the phirst - er, first true hacking movie, it still holds up as one of the best IMHO.