A New Side of Cyber Security

Cyber attacks have taken on a new and dangerous dimension. The goal of these attacks is to manipulate people to believe a certain thing, increasingly identify with that belief, and ultimately to take actions based on that belief.


Walking on Other Worlds

On July 21, 1969 the first human walked on another world. On December 14, 1972 the last human walked on another world. Will we reach a time when no living human has walked on another world?


The Jungle Book, Again

A second live action version of “The Jungle Book” is coming out just 2 years after the last live action version.


Streaming Analytics, Geometric Series, and Intrusion Detection

Streaming analytics for analyzing endpoints and users for intrusive behavior has been around for about a quarter century, probably most heavily promoted by SRI with their extensive publications on their NIDES intrusion detection system. These 1998 notes show how I made SRI's statistics more understandable to me.

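The geometric series in the title is easiest to see in the mechanism itself. The block below is an added example, not SRI's NIDES code and not the author's 1998 notes: a per-user counter that ages its evidence with a constant per-second decay factor derived from a half-life, run over a constructed stream of login events. Because an event seen k seconds ago is worth λ^k, a steady stream of one event per second converges to Σλ^k = 1/(1-λ), which is the number any threshold has to be judged against. The half-life, the threshold and the event stream are assumptions chosen for illustration.

```python
"""Exponentially decayed event counters, the building block behind
half-life style streaming statistics.  Added example with constructed
data; not NIDES code and not the author's notes."""


def decay_factor(half_life):
    """Per-time-unit multiplier lam such that a count halves after
    half_life time units: lam ** half_life == 0.5."""
    return 2.0 ** (-1.0 / half_life)


class DecayedCounter:
    """Running count in which an event seen `age` units ago is worth lam**age."""

    def __init__(self, half_life):
        self.lam = decay_factor(half_life)
        self.value = 0.0
        self.last_t = None

    def add(self, t, weight=1.0):
        if self.last_t is not None:
            self.value *= self.lam ** (t - self.last_t)  # age the old evidence
        self.value += weight
        self.last_t = t
        return self.value


def steady_state(half_life):
    """Limit of the counter under one event per time unit forever:
    sum_{k>=0} lam**k = 1 / (1 - lam)  (geometric series)."""
    return 1.0 / (1.0 - decay_factor(half_life))


def simulate_steady(half_life, n):
    """Feed n events one time unit apart and return the final count."""
    counter = DecayedCounter(half_life)
    value = 0.0
    for t in range(n):
        value = counter.add(t)
    return value


def score_stream(events, half_life, threshold):
    """events: iterable of (t, user, kind).  Keeps one decayed counter of
    failed logins per user; returns ({user: final count}, [alerts])."""
    counters, alerts = {}, []
    for t, user, kind in events:
        if kind != "login_failed":
            continue
        counter = counters.setdefault(user, DecayedCounter(half_life))
        value = counter.add(t)
        if value >= threshold:
            alerts.append((t, user, round(value, 2)))
    return {u: round(c.value, 3) for u, c in counters.items()}, alerts


# Constructed sample stream: (t in seconds, user, event).  alice fat-fingers
# once; mallory fails six times in six seconds; alice fails once more ten
# minutes later, by which time her first failure has decayed to ~1/1024.
EVENTS = [
    (0, "alice", "login_failed"), (1, "alice", "login_ok"),
    (30, "mallory", "login_failed"), (31, "mallory", "login_failed"),
    (32, "mallory", "login_failed"), (33, "mallory", "login_failed"),
    (34, "mallory", "login_failed"), (35, "mallory", "login_failed"),
    (600, "alice", "login_failed"),
]
HALF_LIFE, THRESHOLD = 60.0, 4.0   # assumed tuning, not from the post

if __name__ == "__main__":
    counts, alerts = score_stream(EVENTS, HALF_LIFE, THRESHOLD)
    print("final counts:", counts)
    print("alerts:", alerts)
    print("steady state at one event/s:", round(steady_state(HALF_LIFE), 2))
```

With a 60 s half-life, mallory's fifth failure in five seconds crosses a threshold of 4 while alice's two failures ten minutes apart never get near it; the same threshold compared against 1/(1-λ) ≈ 87 shows how far it sits below the saturation level of a sustained attack.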

Lacked Candor

Friday evening, 16 March 2018, Attorney General Sessions fired Deputy FBI Director Andrew McCabe. McCabe was set to retire on Sunday. Jeff Sessions in a statement explained that he fired McCabe in part for "lack of candor - including under oath - on multiple occasions."

Note that Sessions did not say McCabe "lied" but that he "lacked candor".

That reason makes this video of Sessions' testimony under oath seem extra special.

Equifax: Professional Hackers and B-team Defenders?

While the Bloomberg title and much of the article focus on fingerprints of professional hackers, I want to highlight two other aspects of the story - the differences in rewards and experience between the executive staff and the IT and cyber security staff.


Debugging HDR on Apple TV

Last year I bought a new Sony TV with 4K and HDR anticipating a new 4K HDR Apple TV box. Last week my HDR Apple TV finally arrived, but I was disappointed when I apparently could not use the HDR capability.

After several days of experiments, I finally resolved all my issues.


Before Applying New Technologies

My entire career has been based on developing new cyber security technologies and products, and I would love to sell everyone the latest & greatest tech. But first, any potential user or customer should take care of many of the basic (and often cheap or free) things.


Monitor What You Can't Fix (or Haven't Fixed Yet)

On September 7 Equifax announced it had suffered a major breach exposing very sensitive information (names, Social Security numbers, birth dates, addresses, and, in some instances, driver's license numbers) on almost all Americans who participate in the economy. Unlike passwords or credit cards, this is information that cannot be changed.


Kaspersky, EULA Companies, and Influence Operations

The article "FBI pushes private sector to cut ties with Kaspersky" discusses specific concerns about Kaspersky, but I think the issues are much broader.

In the briefings, FBI officials also raise the issue of Russia’s increasingly expansive surveillance laws and what they charge is a distinct culture wherein powerful Russian intelligence agencies are easily able to reach into private sector firms like Kaspersky with little check on government power.

This is not unique to Russia as governments and organizations all over the world want greater access to network activity, metadata, and contents on servers. The book After On: A Novel of Silicon Valley describes the fictitious social networking company Phluttr as a "EULA company" - a company where users essentially abdicate any 4th Amendment right to privacy when they agree to the End User License Agreement (which no one reads) and then contribute tons of information about themselves and their social connections.

Antivirus companies shipping metadata about all your files and network activity to their cloud servers, cloud-based file services (think about how they do de-duping), cloud-based email & messaging services, social networks, etc. all leak huge amounts of data about you.

The large amount of details users voluntarily give to companies is ripe for use in influence operations. For more details on the potential when analytics is applied to troves of data voluntarily provided, see The Data That Turned the World Upside Down:

The strength of their modeling was illustrated by how well it could predict a subject's answers. Kosinski continued to work on the models incessantly: before long, he was able to evaluate a person better than the average work colleague, merely on the basis of ten Facebook "likes." Seventy "likes" were enough to outdo what a person's friends knew, 150 what their parents knew, and 300 "likes" what their partner knew.
Source: https://www.cyberscoop.com/fbi-kaspersky-p...

Cyber Pearl Harbor: Did you miss it?

Google "cyber Pearl Harbor", and Google identifies tens of thousands of documents with that phrase. I've been hearing the phrase for almost as long as I have been in cyber security. It is almost always used with the sense that the cyber equivalent of the Japanese attack on Pearl Harbor is just around the corner.

But I claim that it has already happened. Or more precisely, the Information Operation Pearl Harbor has already happened, and cyber attacks played a significant role.

17 US intelligence agencies agreed that Russia actively interfered with the US elections [NPR] and, according to Former Director of National Intelligence James Clapper, Russia did so to help Donald Trump get elected [CNN].

To understand Russia's Information Operations, I strongly urge everyone to watch Laura Galante's (@LauraLGalante) excellent TED Talk "How (and why) Russia hacked the US election"

And to gain a greater understanding on how you (and your neighbors) can be targeted by a skillfully executed information operation, read this article about some of the targeted information being collected about you in order to shape how you think and perceive the world.

A Republican contractor’s database of nearly every voter was left exposed on the Internet for 12 days, researcher says

The lapse in security was striking for putting at risk the identities, voting histories and views of voters across the political spectrum, with data drawn from a wide range of sources including social media, public government records and proprietary polling by political groups.
Chris Vickery, a risk analyst at cybersecurity firm UpGuard, said he found a spreadsheet of nearly 200 million Americans on a server run by Amazon's cloud hosting business that was left without a password or any other protection. Anyone with Internet access who found the server could also have downloaded the entire file.
...
In all, the leaked files amount to more than 1,000 gigabytes of data — more than four times the size of any previous breach of this type, according to Vickery. The exposed data also contained records of voters' views on specific issues including gun control, abortion and environmental issues, he said. Overall, Vickery said, there were billions of data points and 170 GB of social media posts scraped from Reddit alone.
...
"They're using this information to create political dossiers on individuals that are now available for anyone," said Jeffrey Chester, executive director of the Center for Digital Democracy. "These political data firms might as well be working for the Russians."

Democracies are very vulnerable to information operations, and Putin has figured this out. Why should an enemy drop bombs like the Japanese did in Pearl Harbor when they can achieve their political goals through information operations?

Strange Certificate Warning

This morning I received the following alert on my iPhone (and yes, I do have 708 unread emails)

While the alert complained about the identity of "prc.apple.com", when I clicked on "Details", it referred to "instant.arubanetworks.com". Was the prc.apple.com certificate signed by arubanetworks?

I clicked on "More Details", and the following Subject Name and Issuer Name information popped up.

Scrolling down, I see the details of the signing algorithm: SHA-1.

Given that SHA-1 has been compromised (see "Announcing the first SHA1 collision"), an untrusted certificate alert from a SHA-1 certificate had me concerned.

In the end, as is too often the case in security, I was left with lots of questions.

  • Was there a verification problem with the "prc.apple.com" certificate or "instant.arubanetworks.com" certificate?
  • Was the prc.apple.com certificate faked and signed with a bad instant.arubanetworks.com certificate?
  • Was there a man-in-the-middle attack?
  • Was Apple's software just buggy and in reality everything was fine?
  • Was there a problem, but Apple's alert identified the wrong certificate that was having problems?
  • What the heck, Aruba? You are all about the IoT and you use SHA-1? Don't we already have enough troubles with IoT?
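The first two questions can be answered from the certificate bytes themselves. The block below is an added example (not Apple's or Aruba's code): a minimal DER walker that pulls the subject CN, the issuer CN and the signature-algorithm OID out of an X.509 certificate and flags the SHA-1 OIDs as weak. The sample certificate is constructed inline with a small DER encoder (structurally a v3 certificate carrying the two names from the alert, with placeholder validity, key and signature) so the block runs offline; `inspect()` takes the DER of a real certificate just the same. Whether a man-in-the-middle was present cannot be read off one certificate; that needs a comparison with the certificate the real server serves from another network, which the block does not attempt.

```python
"""Toy X.509 inspector: subject CN, issuer CN and signature algorithm from
DER, with a hand-rolled DER walker (no third-party libraries).  Added
example; not code from the original post."""

SIG_ALGS = {  # signature-algorithm OID -> (name, is_weak)
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
}
OID_CN = "2.5.4.3"


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, end_offset)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                       # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def children(body):
    """Split a SEQUENCE/SET body into its immediate (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    """Base-128 OID decoding; first byte packs the first two arcs."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def common_name(name_body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }; return the CN."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if decode_oid(oid) == OID_CN:
                return value.decode()
    return None


def inspect(cert_der):
    """Return subject CN, issuer CN and the outer signature algorithm of a DER cert."""
    _, cert, _ = read_tlv(cert_der)
    (_, tbs), (_, sig_alg), _signature = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:           # [0] EXPLICIT version, present on v2/v3 certs
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    issuer, subject = fields[2][1], fields[4][1]
    oid = decode_oid(children(sig_alg)[0][1])
    name, weak = SIG_ALGS.get(oid, (oid, None))
    return {"subject": common_name(subject), "issuer": common_name(issuer),
            "sig_alg": name, "weak_sig": weak}


# ---- constructed sample: tiny DER encoder and a toy certificate carrying the
# two names from the alert, signed (nominally) with sha1WithRSAEncryption ----
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = [a[0] * 40 + a[1]]
    for arc in a[2:]:
        grp = [arc & 0x7F]
        arc >>= 7
        while arc:
            grp.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(grp)
    return bytes(out)


def name(cn):
    atv = tlv(0x30, tlv(0x06, encode_oid(OID_CN)) + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


def sample_cert(subject_cn, issuer_cn, sig_oid):
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(16)))   # placeholder signature


SAMPLE = sample_cert("prc.apple.com", "instant.arubanetworks.com", "1.2.840.113549.1.1.5")

if __name__ == "__main__":
    print(inspect(SAMPLE))
```

On a real certificate the same three fields come from `openssl x509 -in cert.pem -noout -subject -issuer -text`, where the "Signature Algorithm" line is the one to check; `inspect(ssl.PEM_cert_to_DER_cert(pem))` gives the same answer from Python. Real subject and issuer names also carry O and C attributes, which `common_name()` simply skips.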


xfinity gets stuck, a lot

(Updated with additional videos on 2017-03-27)

I have had a lot of problems with my xfinity television service lately, where the video portion gets stuck on an image even though the audio keeps playing. I can use the controller to select different channels or select a pre-recorded video to watch, and while the audio changes, the video never changes.

I am encountering this about once a day. I find I often have this problem when trying to watch Bloomberg. I almost feel Bloomberg isn't a video signal but an application (with an embedded video), and it is buggy software. Whatever is the case, I hope xfinity fixes this soon.

Rebooting my cable box every day (sometimes multiple times per day) is not an acceptable fix.

The following video shows the problem (watch with audio on).

Comcast freezes 2017-02-25. This is getting tiring.
Comcast cable box frozen again. 2017-03-26


Smart AI hackers - why is it taking so long?

In 1988 I watched the Morris worm work its way through our University computers and through the computers of most of the people I interacted with on a professional basis. The Morris worm used numerous vectors (see "The Internet Worm Program: An Analysis") and a few evasion techniques to work its way through roughly 10% of the Internet (incidentally, "decimate" refers to the killing of one-tenth of a group, so technically the Morris worm decimated the Internet).

About two years later I started playing with Robert Baldwin's SU-Kuang bundled with Dan Farmer's COPS security checker system. SU-Kuang, named after the Kuang Grade Mark Eleven penetration program in William Gibson's Neuromancer, showed how an attacker with an initial set of capabilities could, through the knowledge of the UNIX security model, acquire more and more capabilities until it could achieve some particular goal such as becoming root or having the right privileges to access or modify a certain file. I learned a lot about the UNIX security model (and how one could hack UNIX systems) from Kuang.

In 1996 a colleague, Dan Zerkle, extended the Kuang approach to an entire network (see "NetKuang - A Multi-Host Configuration Vulnerability Checker"). It was disturbingly effective. And there were a number of other systems designed to automatically find their way through systems (see our 2004 report "A Taxonomy for Comparing Attack-Graph Approaches").
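The Kuang idea, start from what an attacker already holds and apply the rules of the security model until the goal capability falls out, is a graph search. The block below is an added example in that spirit, not the COPS/Kuang or NetKuang code: a constructed single-host model (users, groups, a few files with owner/group/mode, root's cron jobs, which users log in interactively) and a handful of rules, with breadth-first forward chaining that returns the path from a shell as alice to a shell as root. The `with_mode()` helper is the defender's side of the same tool: change one permission and ask whether the path still exists.

```python
"""Toy capability-graph search in the spirit of Kuang/NetKuang.  Added
example built on a constructed host model; it is not the COPS/Kuang code
and its rule set is deliberately small."""
from collections import deque
import copy

# Constructed model of one host: users and their groups, files with
# owner/group/mode, root's cron jobs, and which users log in interactively
# (so commands planted in their ~/.profile get executed).
WORLD = {
    "groups": {"alice": {"staff"}, "bob": {"staff", "wheel"}, "root": {"wheel"}},
    "files": {
        "/home/bob/.profile":    {"owner": "bob",  "group": "staff", "mode": 0o666},
        "/usr/local/bin/backup": {"owner": "root", "group": "wheel", "mode": 0o4774},
        "/etc/shadow":           {"owner": "root", "group": "root",  "mode": 0o600},
    },
    "cron": {"root": ["/usr/local/bin/backup"]},
    "logins": {"bob"},
}


def can_write(world, user, path):
    """Discretionary access check: root, owner, group write bit or world write bit."""
    f = world["files"][path]
    return (user == "root" or f["owner"] == user
            or bool(f["mode"] & 0o020 and f["group"] in world["groups"][user])
            or bool(f["mode"] & 0o002))


def expand(world, cap):
    """Rules of the security model: which new capabilities does holding
    `cap` give?  Capabilities are ("shell", user) or ("write", path)."""
    kind, arg = cap
    if kind == "shell":
        for path in world["files"]:
            if can_write(world, arg, path):
                yield ("write", path), f"{arg} may write {path}"
    elif kind == "write":
        f = world["files"][arg]
        if arg.endswith("/.profile") and f["owner"] in world["logins"]:
            yield ("shell", f["owner"]), f"plant commands in {arg}; they run at {f['owner']}'s next login"
        for runner, jobs in world["cron"].items():
            if arg in jobs:
                yield ("shell", runner), f"{arg} is executed from {runner}'s crontab"
        if f["mode"] & 0o4000:
            yield ("shell", f["owner"]), f"{arg} is setuid {f['owner']}; replace it and run it"


def find_path(world, start, goal):
    """Breadth-first forward chaining from `start` until `goal` is held.
    Returns [(capability, how it was obtained), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        cap = queue.popleft()
        if cap == goal:
            steps = []
            while parent[cap] is not None:
                prev, why = parent[cap]
                steps.append((cap, why))
                cap = prev
            return steps[::-1]
        for new_cap, why in expand(world, cap):
            if new_cap not in parent:       # first discovery is the shortest path
                parent[new_cap] = (cap, why)
                queue.append(new_cap)
    return None


def with_mode(world, path, mode):
    """Copy of the model with one file's permission bits changed (defender's what-if)."""
    fixed = copy.deepcopy(world)
    fixed["files"][path]["mode"] = mode
    return fixed


if __name__ == "__main__":
    for cap, why in find_path(WORLD, ("shell", "alice"), ("shell", "root")) or []:
        print(f"{cap[0]}:{cap[1]:<24} <- {why}")
    print("after chmod 644 ~bob/.profile:",
          find_path(with_mode(WORLD, "/home/bob/.profile", 0o644),
                    ("shell", "alice"), ("shell", "root")))
```

In the constructed model the search finds the four-hop path alice → write bob's .profile → shell as bob → write the group-writable setuid/cron program → root, and removing either the world-writable bit on the login script or the group-writable bit on the program makes the search come back empty. Kuang's real rule base covered far more of the UNIX model (PATH lookups, device files, ownership changes, and so on) and NetKuang added trust relationships between hosts, but the search is the same shape.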

In 2004 I gave a talk at the Naval Postgraduate School where I discussed how (free) computer chess games could beat the pants off most human players. Given that the multi-vector Morris worm and Kuang systems as well as the original fuzz tool were developed 16 years earlier (1988 was an amazing year), I suspected "GNU-Chess of MalCode" would become the new adversaries, and they would, like their computer chess game counterparts, be more effective than almost all humans playing the game.

GNU-Chess of MalCode

Well, it has been another 12 years since I predicted the "GNU-Chess of MalCode" (it is easier to predict the future than predict when the future will arrive), and with DARPA's Cyber Grand Challenge we are starting to see the beginning of such systems. The EFF was very concerned, and engadget laughed at EFF.

I believe the threat is real.

Interestingly, also in 2004 DARPA held its first self-driving car Grand Challenge. Not a single car finished. The best car only made it about 7 miles. Today cars by Google and Tesla have driven themselves millions of miles on America's roads and highways.

I have to wonder how sophisticated automated malware will be 12 years from now.