The Best Defense isn't a Good Offense
The decision makers at the Pentagon are at it again. According to an article published by the Washington Post, officials are considering preemptive strikes as a way to protect us. The difference is that it's being dressed up with new jargon; in this case it's being referred to as an "active defense." Oh, that's rich.
This suffers from the same basic problem as the doctrine of massive retaliation: attribution. If you can't identify the actual origin of an attack, it's an exercise in futility to build up a huge stockpile of offensive capabilities (unless of course you're in the business of building offensive weaponry). Furthermore, are we prepared to live with the consequences when we attack the wrong country? Correct me if I'm wrong but did we just spend close to a trillion dollars to protect ourselves from imaginary weapons of mass destruction? Think of what that money could have done here in the US if we had directed it towards health and human services.
In what military officials are calling the fifth domain, the best defense is not a good offense. We'd be much better off focusing on, well, defense. -BB (2010-09-02)
More Cyberwar Fear Mongering
In this Foreign Affairs article, Deputy Secretary of Defense William Lynn hypes an incident with a thumb drive that occurred back in 2008:
"The flash drive's malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control"
Reports from Wired appear to counter his assertions.
"Agent.btz is a variant of the SillyFDC worm... Agent.btz's ability to compromise classified information is fairly limited. SIPRNet, the military's secret network, and JWICS, its top secret network, have only the thinnest of connections to the public internet. Without those connections, intruders would have no way of exploiting the backdoor, or, indeed, of even knowing that agent.btz had found its way into the CENTCOM network... What spy service would launch such a lame attack?"
Another thing to keep in mind, dear reader, is that Foreign Affairs is a publication of the Council on Foreign Relations. -BB (2010-08-26)
UPDATE: The New York Times has printed an article on this. According to the Times, Lynn composed his Foreign Affairs essay "to raise awareness of the threat to United States cybersecurity ...and partly to make the case for a larger Pentagon role in cyberdefense."
I'd pay close attention to the second half of that previous sentence. -BB (2010-08-26)
WikiLeaks Releases Another Red Cell Memo
"This CIA 'Red Cell' report from February 2, 2010, looks at what will happen if it is internationally understood that the United States is an exporter of terrorism..."
"The report looks at a number of cases of US exported terrorism, including attacks by US based or financed Jewish, Muslim and Irish-nationalism terrorists."
RELATED: A WSJ article that looks at how WikiLeaks conceals funding information. The empire strikes back, so to speak. -BB (2010-08-26)
Cryptome's John Young: The Single Greatest Threat to Democracy
"Secrecy hides privilege, incompetence and deception of those who depend on it and who would be disempowered without it...
A vast global enterprise of governments, institutions, organizations, businesses and individuals dependent upon the secrecy of abuse of secrecy has evolved into an immensely valuable practice whose cost to the public and benefits to its practitioners are concealed by secrecy...
Secrecy poses the greatest threat to the United States because it divides the population into two groups, those with access to secret information and those without. This asymmetrical access to information vital to the United States as a democracy will eventually turn it into an autocracy run by those with access to secret information, protected by laws written to legitimate this privileged access and to punish those who violate these laws."
This may sound a bit overblown. But consider this: according to the Top Secret America project, some 854,000 people (more than the entire city of San Francisco) hold top-secret security clearances. In the greater DC area, 33 buildings for top-secret intelligence work are under construction or have been built in the aftermath of September 2001. These structures consume the same amount of space as three Pentagons - roughly 17 million square feet.
Does John Young really sound so far off of the mark? -BB (2010-08-23)
International Bankers Deem Themselves Above The Law
"Barclays Bank PLC, a United Kingdom corporation headquartered in London, has agreed to forfeit $298 million to the United States and to the New York County District Attorney’s Office in connection with violations of the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA)"
"According to court documents, from as early as the mid-1990s until September 2006, Barclays knowingly and willfully moved or permitted to be moved hundreds of millions of dollars through the U.S. financial system on behalf of banks from Cuba, Iran, Libya, Sudan and Burma, and persons listed as parties or jurisdictions sanctioned by OFAC in violation of U.S. economic sanctions."
Though this may seem like a lot of money at first blush, it's just a slap on the wrist, which Barclays will probably accept as the cost of doing business. At best, this is a symbolic victory. -BB (2010-08-18)
FRONTLINE to Explore the Subversive Effects of Secrecy
"The top-secret world the government created in response to the terrorist attacks of Sept. 11, 2001, has become so large, so unwieldy and so secretive that no one knows how much money it costs, how many people it employs, how many programs exist within it or exactly how many agencies duplicate the same work."
"The major function of secrecy in Washington is to keep the U.S. people and U.S. Congress from knowing what the nation's leaders are doing. Secrecy is power. Secrecy is license. Secrecy covers up mistakes. Secrecy covers up corruption." - Major John Stockwell
Apologies for Big Brother
In this New York Times op-ed, Richard Falkenrath applauds the United Arab Emirates for its recent decision to suspend BlackBerry service within its borders. The Canadian company that developed the technology, Research In Motion, has resisted modifying its infrastructure to enable authorities to easily intercept the data streams of selected users.
Falkenrath concludes: "In the end, it is governments, not private industry, that rule the airwaves and the Internet. The Emirates acted understandably and appropriately: governments should not be timid about using their full powers to ensure that their law enforcement and intelligence agencies are able to keep their citizens safe."
It's interesting to note that Falkenrath, who was a deputy homeland security adviser to President George W. Bush, now works for the Chertoff Group. The Chertoff Group is a consulting firm that derives its name from one of its principals, Michael Chertoff, the Secretary of the U.S. Department of Homeland Security from 2005 to 2009.
The co-CEO of Research In Motion responded that "Everything on the Internet is encrypted. This is not a BlackBerry-only issue. If they can't deal with the Internet, they should shut it off."
RELATED: Nicholas Merrill (aka John Doe) of Calyx Internet Access finally speaks out.
"I kind of felt at the beginning, so few people challenge this thing, I couldn’t just stand by and see, in my opinion, the basic underpinnings of our government undermined ... I was taught about how sophisticated our system of checks and balances is . . . and if you really believe in that, then the idea of one branch of government just demanding records without being checked and balanced by the judicial just is so obviously wrong on the surface."
The "Insurance" File
"At the center of the drama was the posting last week of a massive 1.4 gigabyte mystery file named 'Insurance' on the WikiLeaks website. The 'Insurance' file is encrypted, nearly impossible to open until WikiLeaks provides the passwords. But experts suggest that if anyone can crack it - it would be the National Security Agency."
"'Do we believe that WikiLeaks has additional cables? We do,' said State Department spokesman P.J. Crowley. 'Do we believe that those cables are classified? We do. And are they State Department cables? Yes.'"
Cryptome: Doubts about the invulnerability of AES have persisted since NSA selected an algorithm from an AES competition that was considered by cryptographers not to be the strongest. And that it is likely for strongest protection NSA uses a top secret cryptosystem while promoting AES for public and official use. It is argued that NSA, like all official comsec agencies, would never endorse a system it could not secretly access. And these agencies never reveal that capability -- NSA's backdoor access to Crypto AG was revealed by an employee of the company.
Too Many Secrets
The following excerpts are from an op-ed in The New Yorker
"Shutting WikiLeaks down—assuming that this is even possible—would only lead to copycat sites devised by innovators who would make their services even more difficult to curtail. A better approach for the Defense Department might be to consider WikiLeaks a competitor rather than a threat, and to recognize that the spirit of transparency that motivates Assange and his volunteers is shared by a far wider community of people who use the Internet."
"There is a simple lesson here: whatever the imperfections of WikiLeaks as a startup, its emergence points to a real shortcoming within our intelligence community. Secrets can be kept by deterrence—that is, by hunting down the people who leak them, as Thiessen proposes, and demonstrating that such behavior comes with real costs, such as prison time. But there are other methods: keep far fewer secrets, manage them better."
Wikileaks and Our Foreign Policy
"No amount of rhetorical tap dancing will allow the White House to escape the fundamental contradictions that underlie U.S. policy toward Af-Pak."
Contradiction #1: We're in Afghanistan to prevent future attacks by Al Qaeda
"Now that al Qaeda can attack the United States, its friends and allies from Yemen or Somalia or Pakistan or London or New Jersey, it’s hard to claim any uniqueness for Afghanistan. So, why does the United States have to fight the war there with 100,000 troops?"
Contradiction #2: We're in Afghanistan to prevent an extremist coup in Pakistan
"Here’s where the new trough of secret WikiLeaks comes in—Pakistani military intelligence... is indeed helping the Taliban against Americans in Afghanistan. To boot, the Pakistani government is providing safe haven to the Taliban in Northwest Pakistan, thus making it militarily impossible for U.S. forces to smash them."
Cryptome's John Young Responds to Mike Mullen
"The principal thing that WikiLeaks is doing and as I'm -- and I'm doing, also on another side, is we're trying to give a more fuller picture of the -- of the terrible situation in these countries, that the -- the U.S. military is killing thousands of people over there and that that is not being reported very well.
We regularly publish photographs put out by the Department of Defense about Afghanistan and Iraq. And there's never any carnage shown. You seldom see any of the carnage caused by the military in these wars. And war is carnage. But what you see are a kind of scenes you've just shown. And that's a -- that's an unbalanced view of what's happening there.
There is far more killing being done by the military in Afghanistan than there is by the Taliban, including innocent people. And we just don't get to see that. That is heavily censored. It's classified. It's not put out. What we get is the sanitized version that makes it look like the young soldiers are at risk or innocent civilians are at risk of being killed by the Taliban. But that is a completely inaccurate picture.
...the two talking points that are now being used to change the -- the dialogue about this leak. One is the risk of these informants. The other is that there's nothing new here. Those are talking points that are used by people who are trying to change the topic away from the carnage caused by the military into a polite kind of talking head version, as though there's nothing new here.
Notice that Admiral Mullen talked about blood on the soldiers' hands. WikiLeaks has answered that very effectively. He's changing the topic. He does not want to talk about what the military is doing in Afghanistan.
It is uncontrolled carnage going on over there as American policy. Otherwise, they'd be showing more of the truth."
This is it, dear readers. John Young is pointing out the propaganda machine in action. Pick up a copy of Noam Chomsky's Manufacturing Consent for a more detailed description of how the media works. -BB (2010-07-31)
I Walk The Line
Chairman, Joint Chiefs of Staff Adm. Mike Mullen
"Mr. Assange can say whatever he likes about the greater good he thinks he and his source are doing, but the truth is they might already have on their hands the blood of some young soldier or that of an Afghan family. Disagree with the war all you want, take issue with the policy, challenge me or our ground commanders on the decisions we make to accomplish the mission we've been given, but don't put those who willingly go into harm's way even further in harm's way just to satisfy your need to make a point."
"Foresight requires trustworthy information about the current state of the world, cognitive ability to draw predictive inferences and economic stability to give them a meaningful home. It's not only in Vietnam where secrecy, malfeasance and unequal access have eaten into the first requirement of foresight ('truth and lots of it'). Foresight can produce outcomes that leave all major interests groups better off. Likewise the lack of it, or doing the dumb thing, can harm almost everyone."
Wikileaks Releases Over 75,000 Secret US Military Reports
In a bold move that probably constitutes this generation's version of the Pentagon Papers, Wikileaks has published thousands of classified documents that describe U.S. military operations in Afghanistan from 2004 to 2010.
Three media outlets received copies of these documents in advance: The New York Times, The Guardian, and Der Spiegel. These outlets have confirmed the authenticity of the reports.
The documents imply, among other things, that Pakistan's intelligence service may be assisting the Taliban despite the billions of dollars in support that Pakistan receives from the United States. In addition, as with Vietnam, things may be less encouraging than our leaders are willing to admit.
The White House has responded. Julian Assange dismissed accusations by Obama administration officials, stating that "We are familiar with groups whose abuse we expose attempting to criticise the messenger to distract from the power of the message."
"Mission Accomplished" proclaims the former President, with a big grin on his face. After spending hundreds of billions of dollars to no avail, one has to wonder who the winners are. My guess is that the answer to this question can be gleaned by scanning through annual reports of companies in the defense industry. Pay no attention to the man behind the curtain. -BB (2010-07-26)
The Top Secret America Project: The New Praetorian Class
The first time I heard the term Praetorian used, it was in a book written by former CIA agent John Stockwell. By the time you're done reading these three Washington Post articles you should have a pretty good idea what's driving all of the recent Cyberwar fear-mongering ...
Overview of Project : "'Top Secret America' is a project nearly two years in the making that describes the huge national security buildup in the United States after the Sept. 11, 2001, attacks."
Project Articles - PART 1
Part 1 - A hidden world, growing beyond control
Quotes and Comments
"The U.S. intelligence budget is vast, publicly announced last year as $75 billion, 2 1/2 times the size it was on Sept. 10, 2001."
"Because it lacks a synchronizing process, it inevitably results in message dissonance, reduced effectiveness and waste ...We consequently can't effectively assess whether it is making us more safe."-Retired Army Lt. Gen. John R. Vines
comment: So, in other words, we have no idea if all of this money is simply a gift to the private corporate interests that help build this system.
"Secrecy can undermine the normal chain of command when senior officials use it to cut out rivals or when subordinates are ordered to keep secrets from their commanders."
"In the Department of Defense, where more than two-thirds of the intelligence programs reside, only a handful of senior officials - called Super Users - have the ability to even know about all the department's activities. But as two of the Super Users indicated in interviews, there is simply no way they can keep up with the nation's most sensitive work."
"'I'm not going to live long enough to be briefed on everything' was how one Super User put it. The other recounted that for his initial briefing, he was escorted into a tiny, dark room, seated at a small table and told he couldn't take notes."
comment: This makes me wonder if the people who are supposed to be in control are actually in control? Has the system been subverted by a cabal of mid-level people who know how to firewall the boss?
Project Articles - PART 2
Part 2 - National Security Inc.
Quotes and Comments
"Out of 854,000 people with top-secret clearances, 265,000 are contractors"
"Contractors can offer more money - often twice as much - to experienced federal employees than the government is allowed to pay them. And because competition among firms for people with security clearances is so great, corporations offer such perks as BMWs and $15,000 signing bonuses, as Raytheon did in June for software developers with top-level clearances."
"A 2008 study published by the Office of the Director of National Intelligence found that contractors made up 29 percent of the workforce in the intelligence agencies but cost the equivalent of 49 percent of their personnel budgets."
"The evolution of General Dynamics was based on one simple strategy: Follow the money... Revenue from General Dynamics' intelligence- and information-related divisions, where the majority of its top-secret work is done, climbed to $10 billion in the second quarter of 2009, up from $2.4 billion in 2000, accounting for 34 percent of its overall revenue last year"
comment: As I noted earlier, if all of this funding isn't necessarily making us more secure, then who is truly benefiting from the massive intel build up?
"In September 2009, General Dynamics won a $10 million contract from the U.S. Special Operations Command's psychological operations unit to create Web sites to influence foreigners' views of U.S. policy. To do that, the company hired writers, editors and designers to produce a set of daily news sites tailored to five regions of the world. They appear as regular news Web sites, with names such as 'SETimes.com: The News and Views of Southeast Europe.' The first indication that they are run on behalf of the military comes at the bottom of the home page with the word 'Disclaimer.' Only by clicking on that do you learn that 'the Southeast European Times (SET) is a Web site sponsored by the United States European Command.'"
comment: Widespread manipulation of public opinion is alive and well. Don't think for a minute that it's only limited to other countries.
Project Articles - PART 3
Part 3 - The Secrets Next Door
Quotes and Comments
"From the road, it's impossible to tell how large the NSA has become, even though its buildings occupy 6.3 million square feet - about the size of the Pentagon - and are surrounded by 112 acres of parking spaces. As massive as that might seem, documents indicate that the NSA is only going to get bigger: 10,000 more workers over the next 15 years; $2 billion to pay for just the first phase of expansion; an overall increase in size that will bring its building space throughout the Fort Meade cluster to nearly 14 million square feet."
"Six of the 10 richest counties in the United States, according to Census Bureau data, are in these [Fort Meade] clusters."
"Loudoun County, ranked as the wealthiest county in the country, helps supply the workforce of the nearby National Reconnaissance Office headquarters, which manages spy satellites. Fairfax County, the second-wealthiest, is home to the NRO, the CIA and the Office of the Director of National Intelligence. Arlington County, ranked ninth, hosts the Pentagon and major intelligence agencies. Montgomery County, ranked 10th, is home to the National Geospatial-Intelligence Agency. And Howard County, ranked third, is home to 8,000 NSA employees."
comment: All animals are equal. It's just that some animals are more equal than others. This is your federal tax money at work.
Responses
David C. Gompert: Acting Director of National Intelligence
Wired : "This piece is about much more than dollars. It’s about what used to be called the Garrison State — the impact on society of a praetorian class of war-focused elites. Priest and Arkin call it 'Top Secret America,' and it’s so big and grown so fast, that it’s replicated the problem of disconnection within the intelligence agencies that facilitated America’s vulnerability to a terrorist attack."
The Office of the DNI: Attempts to apologize for redundancy, mission overlap, and poor information sharing.
The Atlantic: "The culture of secrecy has fascinated observers and participants for decades. It is always deplored as a fundamental rejection of American values: citizens need reliable information in order to exercise their rights, and lawmakers cannot use the cloak of secrecy to hide their own sins. But somehow, the secrecy apparatus resists all efforts to shrink it. Presidents come and go, but secret-keepers burrow deep into the government."
Salon: "Secrecy is the religion of the political class, and the prime enabler of its corruption. That's why whistle blowers are among the most hated heretics. They're one of the very few classes of people able to shed a small amount of light on what actually takes place."
Closing Remarks
"Over the past two years, one of the most thought-provoking observations I have heard from both military and intelligence folks is this: There are probably 500 al-Qaeda members left in the Afghanistan-Pakistan region. At most, the organization may have a couple thousand people worldwide. Why do we need such a large intelligence effort - the 1,300 agencies we identified that are a part of this effort - to defeat a couple thousand people?" -Question posed by Dana Priest
Hardware-Level Malware on Dell R410s
MORE DETAILS:
1. This issue does not affect any Dell PowerEdge servers shipped from our factories and is limited to a small number of the replacement motherboards only which were sent via Dell’s service and replacement process for four servers: PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. The maximum potential exposure is less than 1% of these server models.
2. Dell has removed all impacted motherboards from the service supply. New shipping replacement stock does not contain the malware.
3. The W32.Spybot worm was discovered in flash storage on the motherboard during Dell testing. The malware does not reside in the firmware.
4. All industry-standard antivirus programs on the market today have the ability to identify and prevent the code from infecting the customer’s operating system.
5. Systems running non-Microsoft Windows operating systems cannot be affected.
6. Systems with the iDRAC Express or iDRAC Enterprise card installed cannot be affected.
7. Remaining systems can only be exposed if the customer chooses to run an update to either Unified Server Configurator (USC) or 32-bit Diagnostics.
RELATED: Richard Bejtlich calls out Dell to step up their game with regard to how they handled the incident.
I have to admit, this story really caught my attention.
"We have identified a potential issue with our service mother board stock, like the one you received for your PowerEdge R410, and are taking preventative action with our customers accordingly. The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware. This malware code has been detected on the embedded server management firmware as you indicated."
It will be interesting to see how this story unfolds. How did the malware find its way into the firmware? Who was responsible? Will we ever know? How can you protect yourself from this sort of subversion, especially on a tricked out machine that only the OEM truly understands? -BB (2010-07-21)
NPR Reports on Cyberwarrior Shortage
Years ago, when the debate over offshore outsourcing took center stage, we were told that high-tech corporations were simply following their financial prerogatives by finding new ways to stay competitive in the free market economy. Never mind the long-term strategic costs that would come back to haunt us years later when the countries we shipped our jobs off to started to catch up with us. Naturally, many students saw the writing on the wall and pursued work in other fields. Why take out all of those student loans and devote years of your life preparing for a job that’s headed overseas?
This "shortage" of computer security talent: we did it to ourselves. It’s a symptom of a much larger problem. The unpleasant truth is that our leaders have willfully allowed this state of affairs to develop. This is because they’re beholden to a powerful group of business interests that have no real sense of obligation to the U.S. as a country. Strictly speaking, the multinationals exist to generate value on behalf of their shareholders, whoever they may be.
Furthermore, I would contend that the free market argument is nothing more than an ideological ploy that’s brought into discourse whenever it happens to be convenient. What exists in our society is a thinly veiled double standard. Unemployed workers can be sternly lectured by drug-addled radio commentators on the advantages of self-reliance. But for large corporations that need to be bailed-out or benefit from wars based on imaginary weapons of mass destruction, the welfare state must thrive to the tune of hundreds of billions of dollars.
To see where this trend is going to take us, I would start by reading a book published by the Cornell University Press (a notably conservative institution) entitled The State of Working America. If you want to extrapolate even further, research the origins of the term "Plutonomy."
Though free market advocates ridicule protectionist measures as decidedly un-American, Intel’s former CEO Andy Grove has a few words of his own to offer:
"I fled Hungary as a young man in 1956 to come to the U.S. Growing up in the Soviet bloc, I witnessed first-hand the perils of both government overreach and a stratified population. Most Americans probably aren’t aware that there was a time in this country when tanks and cavalry were massed on Pennsylvania Avenue to chase away the unemployed. It was 1932; thousands of jobless veterans were demonstrating outside the White House. Soldiers with fixed bayonets and live ammunition moved in on them, and herded them away from the White House. In America! Unemployment is corrosive. If what I’m suggesting sounds protectionist, so be it."
-BB (2010-07-21)
WSJ: Raytheon Wins $100 Million Classified Contract
According to an article written by Siobhan Gorman in the Wall Street Journal, Raytheon Co. has been awarded a $100 million classified contract to perform initial work on a program called "Perfect Citizen." Note that Gorman is relying on information received from "a person familiar with the project." This report claims that Perfect Citizen is a surveillance program intended to detect cyber attacks on organizations that maintain our critical infrastructure. Both the NSA and Raytheon declined to comment.
Reuters has also looked into this development. They quote an NSA spokesman who claims that "This is a research and engineering effort... there is no monitoring activity involved, and no sensors are employed in this endeavor." Other than that, both the NSA and Raytheon are very tight-lipped about the contract itself.
The Reuters article points to a speech given by Secretary of Defense William Lynn, where Lynn states that "more than 100 foreign intelligence organizations are trying to break into U.S. systems."
What this seems to confirm is that the actual threats we face are related to espionage and cybercrime. I think it's pretty safe to assume that nation-states spy on each other, and that espionage has been going on for centuries. Furthermore, I bet we're neck deep in our own efforts when it comes to compromising systems in other countries, and so it strikes me as odd that people are so shocked when we happen to be on the receiving end.
The gilded hyperbole of cyberwar exists partially because certain contracting companies, consulting firms, and federal agencies know that they stand to benefit from the spotlight that's been put on the Internet. They know that with the right amount of fear-mongering they can steer some of the resulting federal funding their way. -BB (2010-07-10)
RELATED:
Is Espionage an act of War?
While government officials, and former government officials, stoke the flames of hysteria, it’s reassuring to occasionally hear a measured voice of dissent. I’m speaking of Bruce Schneier’s recent op-ed piece on CNN. Schneier states:
"Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored…But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion."
Based on the relative frequency of cybercrime and espionage, I would agree with him. These are the clear and present dangers. As Schneier points out, what cyberwar advocates tend to do is to lump everything together such that occurrences of espionage suddenly become acts of war. If that’s the case, then it’s safe to say that we’re currently at war with half of the developed world, including our allies (and we have been for decades). For example, Schneier observes:
"Recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we're not talking about real war here, but a rhetorical war: like the war on terror."
Though, I would add that, because attribution is such a basic issue, we may never know who was behind the attacks on Google. It could very well have been another nation-state using anti-forensic technology. For the time being, we only know that the attacks originated from China. I think that this is an important point.
So why all of the hyperbole? Why all of the semantic acrobatics? Why all of the doomsday Cassandras? According to Schneier:
"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top."
Let’s not forget all of those defense contractors and consulting firms that stand to make a tidy profit if the government decides to steer tax dollars in their direction. It’s been well documented that these organizations have been bolstering their cyber divisions in anticipation of a windfall.
Instead of giving control of the Internet over to the military, Schneier advocates leveraging existing peacetime institutions that can be moderated by the judicial system and legal protections. I would also recommend that we focus on the core vectors that facilitate these attacks to begin with: like insecure software. –BB (2010-07-07)
UPDATE: Richard Bejtlich does us the service of referencing a formal definition.
Comments on The Economist, July 3rd - 9th, 2010 Issue
The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. Note the dramatic mushroom cloud and the intimations of mass destruction. The first article concludes that "countries should agree on more modest accords, or even just informal 'rules of the road' that would raise the political cost of cyber-attacks." It also makes vague references to "greater co-operation between governments and the private sector."
When attribution is a lost cause (and it is), international treaties are meaningless because there’s no way to determine whether a participant has broken them. The second recommendation is even more alarming because it uses a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions.
The following article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Perhaps this is because the author is grasping for examples to impress the reader with. Then there’s also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author shows his true colors in closing when he concludes with the ominous warning that terrorists "prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage—for now."
What disturbs me the most is that The Economist never goes beyond a superficial analysis of the topic to examine what’s driving all of the fear, uncertainty, and doubt. Perhaps that would be dysfunctional, as it might lead the press to investigate itself. To help shed light on what’s taking place in the body politic, I’ve decided to release my Lockdown 2010 white paper and slide deck. Read through this material and then go back and re-visit the articles in The Economist. -BB (2010-07-03)
White Paper: Manufacturing Consent & Cyberwar
Slide Deck: Manufacturing Consent & Cyberwar
RELATED: A NYTimes article detailing proposed "solutions." Including Howard Schmidt's "voluntary trusted identity" system and Vinton Cerf's internet driver's license.
Dueling Banjos
Charlie Miller: "It would take two years and cost less than 50 million dollars a year to prepare a cyberattack that could paralyse the United States."
Bruce Schneier: "It's very easy to invent scare scenarios but this does not mean we should actually be scared by them."
Comments: These statements were made at a conference in Estonia that was organized by the NATO-accredited Cooperative Cyber Defence Centre of Excellence. This should tell you a few things right away.
The threat of cybercrime is real, just read the articles in Below Gotham's News section. Cyberwar, however, is more likely a pretext. The ultimate question is what can we do to protect ourselves from the former and insulate ourselves from the fear-mongering agenda of the latter?
As Estonian President, Mr. Toomas Hendrik Ilves noted on the opening day of the conference: "we lack clear attribution to any political entity; we lack a response doctrine to apply were we to know who committed the aggression." This is a central issue that will define the debate that follows. I think that Richard Clarke may have touched a nerve when he started talking about regulating the software industry. -BB (2010-06-19)
Clarke Points a Finger at Microsoft
Microsoft: "Don't regulate security in the software industry, don't let the Pentagon stop using our software no matter how many security flaws it has, and don't say anything about software production overseas or deals with China."
This isn't anything new to us folks who slog away in I.T. oblivion. What's interesting is that someone high up finally got the nerve to acknowledge the truth. Until we hold software vendors liable, we can expect the same lip-service that self-regulation has generated in the past. There are some public goods that the free market simply cannot generate. -BB (2010-06-10)
Fear and Loathing at Lockdown 2010
In mid-July our frontman, Bill, will be headed to the midwest to talk about manufacturing consent and the gilded hyperbole of cyberwar. He's been invited by the folks who run Lockdown 2010 at UW. -Rick James (June 3, 2010)
Intel Myths
David Cornwell, also known by the pen name John le Carré, worked for both MI5 and MI6 before he retired in 1964 to focus on writing. His literary depiction of intelligence work is in stark contrast to the romantic stereotype promulgated by actors like Sean Connery and Pierce Brosnan. In what may be his best novel to date, The Spy Who Came in from the Cold, he uses the main character as a means to comment on the nature of his earlier profession:
"What do you think spies are: priests, saints and martyrs? They’re a squalid procession of vain fools, traitors, too, yes; pansies, sadists and drunkards, people who play Cowboys and Indians to brighten their rotten lives. Do you think they sit like monks in London, balancing the rights and wrongs?"
When spies come in from the cold they often have trench-level insights that differ sharply with popular conceptions. Take Philip Agee’s 1978 book entitled Dirty Work: The CIA in Western Europe, where he dispels several myths about the Central Intelligence Agency. For example:
Myth: The major problem is lack of control; that is, the CIA is a "rogue elephant."
"As former Secretary of State Kissinger told Representative Otis Pike's Intelligence Investigating Committee, 'Every operation is personally approved by the President.' … Successive administrations - together with American-based multinational corporations - have continually demanded the freest possible access to foreign markets, labor, agricultural products, and raw materials. To give muscle to this demand for the 'open door', recent presidents have taken increasingly to using the CIA to strengthen those foreign groups who cooperate - and to destroy those who do not."
On Recruiting Spies
On the surface, this is just another glossy article put out by a university’s PR department. But there are actually a couple of interesting nuggets embedded in this alumnus biography. For example, while most of the books that I’ve read seem to indicate that intelligence agencies draw primarily on the military to fill positions, my own experience is that agencies like the CIA also tend to attract people who possess what might be seen as unconventional backgrounds. Sometimes these are the best hires (Fidelity’s Peter Lynch was a philosophy major as an undergraduate). Sulick has both components in his background; he served in the Marines and spent years in academia studying Russian literature.
Note Sulick’s recruitment tactic: "Foreigners, certainly Russians who were my main target, are proud of their literature and are proud when a foreigner knows something about it. When you discuss literature with somebody, they reveal much about themselves."
If Sulick’s career trajectory is any indication, it’s my guess that twenty years from now the director of the CIA’s Clandestine Service will be someone who’s completely fluent in Farsi and Mandarin. Perhaps they will have analyzed the Persian translation of Shuǐhǔ Zhuàn. –BB (2010-05-28)
Joe Riggins: Don’t be a Know-It-All
Wednesday at CEIC 2010 I sat in on Joe Riggins’ “Spy vs. Spy” presentation, which focused on the vagaries of the insider threat. Joe did a commendable job of maintaining our attention with a series of war stories. My personal favorite involved an engagement where a team from Guidance was inspecting a machine that processed credit card transactions. It had five (count them: five) different remote desktop applications installed on it. As it turned out, the server was managed by a number of administrators who couldn’t agree on a standard package; definitely a case of too many cooks in the kitchen.
Joe also reported that organized crime elements in Russia are now making more money off of credit card fraud than the Colombian crime lords are making off the drug trade. Now that’s one hell of a statement! While I’d like to know where he got that information, I wouldn’t necessarily be surprised if it was true.
Finally, Joe hinted at where security software vendors will be headed to expand their market space: intelligent mobile devices. -BB (2010-05-28)
Rootkit Arsenal Discount Flyer
After my talk at CEIC 2010, a couple of people asked me where they could pick up a copy of The Rootkit Arsenal. The publisher (Jones and Bartlett) is offering copies at a discount. See the above link for details. -BB (2010-05-28)
Richard Clarke's Book Reviewed By The New York Times
More cyberwar doom and gloom. Who can come up with the best movie script? Mike McConnell or Richard Clarke? - BB (2010-04-28)
Cryptome's John Young adds his two cents:
"Pity Kakutani [book review author], dim-wittingly flogging for two highly paid promoters of cyber pearl harbors. Cybersec, a favorite DC scam spreading around the globe, meanwhile all govs and coms working together are going full speed at spying on cyber users, as ever, for racketeering national security. What the racketeers want is perfect cybersecurity for their trashing that of everyone else."
SOURCE Boston 2010 Post-Game Wrap-up
The demands of my job prevented me from staying for more than a day, so I sat in on a couple of presentations on the 22nd. Perhaps that’s a good thing, as my mere presence tends to attract black helicopters and clean cut fellows talking into their sleeves. All told, Stacy Thayer and her SOURCE co-conspirators did an admirable job of managing the flow of people and events. The weather was balmy, the lobster was fresh, and (best of all) the Seaport Hotel, where the event took place, was a $2 bus ride from Boston Logan International. -BB (2010-04-23)
Assurance at Oracle
Mary Ann Davidson is a suit that doesn’t sound like a suit. This is definitely a mark in her favor. During her presentation she described how Oracle is trying to build assurance into its products. She said that it isn’t so much about establishing a brigade of security police as it is about putting the requisite expertise into development so that engineers do the right thing to begin with. Prevention beats detection, so to speak. Davidson observed: “my goal in life is to be out of a job.”
Opting Into Surveillance
By far, this was the highlight of the day. Moxie Marlinspike offered an insightful look at how small choices about the technology we use can end up being big choices that impact our ability to participate in society. His delivery was crisp and very entertaining. Why mandate telescreens when you can solicit people to voluntarily be monitored? Who needs TIA when we have Google? Who knows more about their local population: Kim Jong-Il or Google? (Hint: it’s not Kim Jong-Il).
I was in the front row taking notes and midway through the talk he came rushing over to where I was seated. At that very moment, I had visions from the movie The Manchurian Candidate flashing through the back of my mind. The Man was finally going to dispatch me with a deep cover plant. Lucky for me, Moxie just wanted a glass of water. “I should have planned ahead,” he muttered under his breath.
The Current State of Metasploit
HD was back, and this time he was wearing a suit and a bit more formal in his manner. Hey, give the guy a break, he’s a father now. With the blessings of the demo gods, HD managed to pack two hours of material into a 60-minute period. As things stand now, Metasploit has attained the 100,000 LOC mark in light of full-time QA and an accelerated release cycle. He also showed off a slick GUI interface and talked about the Express version’s price tag (somewhere around $3K). I think what I appreciate the most was his side-comment that the presentation basically amounted to a thinly veiled sales pitch.
Doing Away With Anonymity
This past week, experts met at a Russian-sponsored security conference in Germany.
"During a panel discussion on computer crime, Col. Gen. Boris N. Miroshnikov, an official with the Russian Interior Ministry, and Stewart A. Baker, a fellow at the Center for Strategic and International Studies in Washington, and the former chief counsel for the National Security Agency, agreed that the most important step in combating Internet crime would be to do away with the anonymity that has long been a central tenet of Internet culture."
As Dan Geer has observed: "If the tariff of security is paid, it will be paid in the coin of privacy."
As Cryptome has observed: "There it is: spies oppose anonymity for anyone except their own criminal operators, winking, 'do what we say not what we do.'"
My thoughts: It's dangerous to install the machinations of a totalitarian state and then simply assume that it will never come to that. There was a time, not so long ago, when social security cards were printed with the caveat that they were not to be used for purposes of identification. -BB (2010-04-17)
RELATED: According to Lt. General Keith Alexander, the impact of new security technology on Internet privacy is classified.
Enter: QubesOS
Notable researchers Joanna Rutkowska and Rafal Wojtczuk (from Invisible Things Lab, aka ITL) have released an open source OS that uses virtualization technology to implement security through isolation. Given the architect's reputation with rootkit technology, who else would you trust to offer a secure platform? -BB (2010-04-07)
Shadows in the Cloud
This investigation is a result of a collaboration between the Information Warfare Monitor and the Shadowserver Foundation. It examines "a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."
As usual, attribution is an issue. The true identity of the attackers is unknown. -BB (2010-04-06)
The War on WikiLeaks Continues
"At exactly the time when U.S. government secrecy is at an all-time high, the institutions ostensibly responsible for investigation, oversight and exposure have failed. The American media are largely co-opted, and their few remaining vestiges of real investigative journalism are crippled by financial constraints. The U.S. Congress is almost entirely impotent at providing meaningful oversight and is, in any event, controlled by the factions that maintain virtually complete secrecy."
The CIA document that this article links to is particularly disturbing. Basically, it confirms my suspicion that leaders often depend on voter apathy and manipulate the local population to manufacture consent. It will be interesting to see how things unfold in Iceland. - BB (2010-03-29)
After All These Years: Zero-Day Exploits Persist
Hats off to Peter Vreugdenhil, who bypassed both ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) as part of his bid to compromise IE8 at this year's CanSecWest. Well played, Peter.
RELATED: The renowned Charlie Miller also demonstrated his superior Black Hat Gong Fu with a Safari hack.
...One tends to wonder how much a fellow like Charlie could make on the open market by selling exploits to the people behind the current generation of APTs? This is literally the sort of technology that can make or break a covert operation. In my opinion, guys like Charlie are worth their weight in plutonium. BB - (2010-03-25)
The Cyber War Has Not Begun
In this essay, James Lewis states that: "Expanded attention to cybersecurity is a good thing, but it seems that it is difficult to discuss this topic without exaggeration. We are not in a 'cyber war.'"
Yet, this doesn't seem to have stopped people from using the term to encourage the sort of hysteria that leads to heavy federal spending. In my opinion, we need to be focusing on cybercrime, not cyberwar. - BB (2010-03-19)
Propaganda Aimed at WikiLeaks
When the New York Times publishes a story on you, you've definitely gotten someone's attention. Perhaps this is what happens when you release an unclassified copy of the “standard operating procedures” at Guantánamo Bay. Recently Wikileaks published an Army Counterintelligence analysis of the threat posed by Wikileaks. The report concludes:
"Wikileaks.org uses trust as a center of gravity by assuring insiders, leakers, and whistleblowers who pass information to Wikileaks.org personnel or who post information to the Web site that they will remain anonymous. The identification, exposure, or termination of employment of or legal actions against current or former insiders, leakers, or whistleblowers could damage or destroy this center of gravity and deter others from using Wikileaks.org to make such information public."
The report also speculates that Wikileaks may be supported by the CIA. As the accusations fly, and the water becomes ever more muddied, one is left to ponder who's telling the truth. Now you know why spies refer to their professional environment as the "hall of mirrors." -BB (2010-03-18)
Military Propaganda Techniques
Come see the tradecraft of the grand rumor mill. This excellent compilation of tactics is based upon "Appendix I: PSYOP Techniques" from "Psychological Operations Field Manual No. 33-1," published by Headquarters, Department of the Army, in Washington DC, on 31 August 1979.
UPDATE: To witness a classic example of this sort of manipulation, there's an article you can view online in Monday's WSJ. When it comes to overt, state-sponsored, propaganda on a large scale, China really excels. According to the WSJ's report:
"Chinese news Web sites have also been told they will be required to use only official accounts of the situation if Google.cn is closed... It’s not uncommon for propaganda authorities in China to give orders dictating the nature of news coverage on sensitive issues where they fear dissent. The fact that authorities have decided that Google’s situation should get that treatment suggests they know that many Chinese Internet users, tens of millions of whom are Google users, don’t see things the same way the government does."
...Beware the Ides of March. -BB (2010-03-15)
RELATED: speaking of propaganda, check out the FBI's stern warning and the recent WhiteHouse "leak". -BB (2010-03-05)
The Big Haircut
Another remark that Robert Baer makes in the WSJ piece mentioned earlier is that "The art of assassination, the kind we have seen over and over again in Hollywood movies, may be as passé as killing people by arsenic or with a garrote. You just can't get away with it anymore."
This led to some lively banter among members of the lab this evening. OK, guarded by a phalanx of bodyguards and custom armored vehicles, how would one world power decapitate another nation state?
According to Colonel Stanislav Lunev, a Russian military officer who defected to the United States, the GRU planned to employ suitcase nukes to take out our leadership if the need ever arose. It makes sense, I guess. Why gamble on a huge operation that allows no margin for error when all you really need to do is get a high-yield bomb within range of the Capitol?
As Baer asserted: "If it had been a Russian hit, for instance, they would have used a pistol or a car bomb, indifferent to the chaos left behind." Or, in this case, a kiloton nuclear device. -BB (2010-03-03)
Assassination Econometrics
Here's an interesting WSJ article by Robert Baer, a former CIA spook. In it, he concludes that:
"There should be a cost-benefit calculation in deciding whether to assassinate an enemy... There's certainly an argument to be made that we should have assassinated Saddam Hussein rather than invade Iraq."
This sounds remarkably similar to ideas presented by Jim Bell over a decade ago in his "Assassination Politics" manifesto. The difference is that Bell takes Baer's somewhat offhand observation and follows through with it to reach a rather novel corollary.
"Consider how history might have changed if we'd been able to 'bump off' Lenin, Stalin, Hitler, Mussolini, Tojo, Kim Il Sung, Ho Chi Minh, Ayatollah Khomeini, Saddam Hussein, Moammar Khadafi, and various others, along with all of their replacements if necessary, all for a measly few million dollars, rather than the billions of dollars and millions of lives that subsequent wars cost."
"But that raises an interesting question, with an even more interesting answer. 'If all this is so easy, why hasn't this been done before?' I mean, wars are destructive, costly, and dangerous, so why hasn't some smart politician figured out that instead of fighting the entire country, we could just 'zero' the few bad guys on the top?"
"The answer is quite revealing, and strikingly 'logical': If we can kill THEIR leaders, they can kill OUR leaders too. That would avoid the war, but the leadership on both sides would be dead, and guess who is making the decisions about what to do? That's right, the LEADERS!"
"And the leaders (both theirs and ours!) would rather see 30,000,000 ordinary people die in WWII than lose their own lives, if they can get away with it. Same in Korea, Vietnam, the Gulf War, and numerous other disputes around the globe. You can see that as long as we continue to allow leaders, both 'ours' and 'theirs,' to decide who should die, they will ALWAYS choose the ordinary people of each country."
Not to mention that large military operations are costly affairs, demanding a nontrivial infusion of taxpayer dollars. -BB (2010-03-02)
New Information on Aurora Attacks "Leaked"
The New York Times reports that "people involved in the investigation" have disclosed that the recent attacks on Google have been traced back to Shanghai Jiaotong University and the Lanxiang Vocational School.
First it’s Taiwan, then it’s somewhere in the mainland, who knows where things will lead to next? Perhaps Toledo, Ohio? As the NYTimes article concedes, "computer industry executives and former government officials said it was possible that the schools were cover for a 'false flag' intelligence operation being run by a third country."
Keep in mind that, for all intents and purposes, this is a leak. As Cryptome has observed:
"Leaks depend upon secrets, they thrive on each other. Leakers and secret keepers are complicit and share characteristics: both exaggerate the importance of information they process, keep secret their sources and operations."
See also:
"The business of leaks has become a racket of journalism in cahoots with governments, maybe it always was, but it got a big boost in the 1960s and 70s. Leaks of secrets are now standard operating procedure of official and unofficial secret keepers to boost their budgets and privileges and to garner public belief and best of all, coins. Secret keepers supply leaks to media to lure eyeballs for advertising hypnosis."
The danger of leaks, and the gilded hyperbole that they often employ, is that they can lead to a sort of crisis mentality that’s less resistant to plans that might otherwise not stand up to logical examination. Keep people off balance for long enough, on a steady diet of fear and anger, and they’ll fall right into the trap that’s been set for them by the people who stoke the flames of hysteria. -BB(2010-02-19)
UPDATE (More Leaks): Joseph Menn reports that an anonymous researcher working for the US government told the Financial Times that US analysts have identified the author of code used in the Google attacks.
According to this leak, the consultant who wrote this code isn't an employee of the Chinese government and didn't launch the attack, though he did post parts of his code to an online forum.
Great. In other words they still can't prove who performed the attack. For all we know, the attackers outsourced development, or perhaps trawled the internet looking for proof-of-concept sample code. Plenty of claims with little or no solid evidence; the SOP of media leakers. -BB(2010-02-22)
You’ll Just Have to Trust Us…
In matters of foreign policy, one way to sideline opposition is to employ the veil of national security. When "experts" try to pull this tactic, I’m reminded of a lecture that a former CIA officer named John Stockwell gave back in 1987. Stockwell, a Major in the Marine Corps who served on the subcommittee of the National Security Council as chief of the CIA's Angola Task Force, noted that:
"It's a very powerful argument, our presidents use it on us. President Reagan has used it on the American people, saying, 'if you knew what I know about the situation in Central America, you would understand why it's necessary for us to intervene.'"
When he questioned his superiors, they assured him that he should just focus on doing his job, that there were wise men in DC sitting in the National Security Council who had access to all the necessary information, who could see the big picture and make the tough decisions. After toiling for years in the field, Stockwell came in from the cold and was rewarded with the opportunity to peek behind the curtain. According to Stockwell:
“What I found, quite frankly, was fat old men sleeping through sub-committee meetings of the NSC in which we were making decisions that were killing people in Africa. I mean literally. Senior ambassador Ed Mulcahy... would go to sleep in nearly every one of these meetings....”
Stow this away somewhere in a far cranial recess, so that as the indictments fly over who is doing what to whom in the new cyber cold war (and why), you can maintain a semblance of objective equilibrium.
HBGary Releases Report on Aurora Malware
This is a fairly comprehensive summary of what’s been released to the public so far. HBGary has also developed a tool that can remotely scan Windows machines for the Aurora code and remove it. With regard to identifying the ultimate source of the attacks, the report states:
"At this time, there is very little available in terms of attribution. A CRC algorithm tends to indicate the malware package is of Chinese origin, and many attacks are sourced out of a service called 3322.org — a small company operating out of Changzhou. The owner is Peng Yong, a Mandarin speaker who may have some programming background with such algorithms. His dynamic DNS service hosts over 1 million domain names. Over the last year, HBGary has analyzed thousands of distinct malware samples that communicate with 3322.org. While Peng Yong is clearly tolerant of cyber crime operating through his domain services, this does not indicate he has any direct involvement with Aurora."
Greg Hoglund, the company's CEO (and the godfather of Windows rootkits), recently acknowledged: "there's no hard evidence anywhere that shows that China's government has anything to do with it." Truth is, regardless of what the headlines in the mainstream media imply, we don't know yet who's responsible (though we can certainly speculate). If there's one lesson that I took from Black Hat DC last week it's that attribution on the Internet is problematic. -BB(2010-02-11)
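To make concrete what kind of evidence a "CRC algorithm" indicator actually is, here is an added example (written for this page; it is not HBGary's tool, not the Aurora routine, and not anything from the report). It takes a checksum routine or a 16-entry lookup table lifted from a sample and asks whether it is one of the catalogued CRC-16 variants. The catalogue parameters and check values are the standard published ones; the "odd" table is generated from a hypothetical polynomial (0x9D2B) that I made up to stand in for a non-standard implementation.

```python
# Added example: is a recovered checksum routine a standard CRC-16, or a
# non-standard implementation worth treating as a code-reuse fingerprint?
# Catalogue entries: (polynomial, init, reflected, xorout, check value of b"123456789").
STANDARD_CRC16 = {
    "CRC-16/ARC":         (0x8005, 0x0000, True,  0x0000, 0xBB3D),
    "CRC-16/MODBUS":      (0x8005, 0xFFFF, True,  0x0000, 0x4B37),
    "CRC-16/CCITT-FALSE": (0x1021, 0xFFFF, False, 0x0000, 0x29B1),
    "CRC-16/XMODEM":      (0x1021, 0x0000, False, 0x0000, 0x31C3),
}
CHECK_INPUT = b"123456789"  # the conventional catalogue check string


def reflect16(value):
    """Bit-reverse a 16-bit value (0x8005 -> 0xA001)."""
    out = 0
    for i in range(16):
        if value & (1 << i):
            out |= 1 << (15 - i)
    return out


def crc16(data, poly, init, reflected, xorout):
    """Bit-at-a-time reference CRC-16 for any catalogue parameter set."""
    crc = init
    if reflected:
        rpoly = reflect16(poly)
        for b in data:
            crc ^= b
            for _ in range(8):
                crc = (crc >> 1) ^ rpoly if crc & 1 else crc >> 1
    else:
        for b in data:
            crc ^= b << 8
            for _ in range(8):
                crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc ^ xorout


def nibble_table(rpoly):
    """16-entry lookup table for a reflected polynomial: the compact form
    small binaries often carry instead of a 256-entry byte table."""
    table = []
    for i in range(16):
        c = i
        for _ in range(4):
            c = (c >> 1) ^ rpoly if c & 1 else c >> 1
        table.append(c)
    return table


def crc16_nibble(data, table, init=0):
    """Table-driven reflected CRC-16, one nibble at a time (low nibble first)."""
    crc = init
    for b in data:
        crc = (crc >> 4) ^ table[(crc ^ b) & 0xF]
        crc = (crc >> 4) ^ table[(crc ^ (b >> 4)) & 0xF]
    return crc


def identify_by_check_value(routine):
    """Run a recovered routine over the check input; return the name of the
    standard variant it matches, or None if it matches none of them."""
    value = routine(CHECK_INPUT)
    for name, (_, _, _, _, check) in STANDARD_CRC16.items():
        if value == check:
            return name
    return None


def identify_table(table):
    """Match a 16-entry table lifted from a binary against tables generated
    from the catalogue polynomials. A table fixes only the polynomial, so
    variants that differ just in init/xorout all come back as candidates."""
    table = list(table)
    return [name for name, (poly, _, reflected, _, _) in STANDARD_CRC16.items()
            if reflected and nibble_table(reflect16(poly)) == table]


# Constructed inputs: a faithful CRC-16/ARC table, and a table built from a
# HYPOTHETICAL polynomial (0x9D2B) standing in for a non-standard routine.
ARC_TABLE = nibble_table(0xA001)   # reflect16(0x8005)
ODD_TABLE = nibble_table(0x9D2B)   # hypothetical, not in any catalogue


if __name__ == "__main__":
    for name, (poly, init, reflected, xorout, check) in STANDARD_CRC16.items():
        assert crc16(CHECK_INPUT, poly, init, reflected, xorout) == check, name
    print("ARC table, by check value:", identify_by_check_value(lambda d: crc16_nibble(d, ARC_TABLE)))
    print("odd table, by check value:", identify_by_check_value(lambda d: crc16_nibble(d, ODD_TABLE)))
    print("ARC table, by constants:  ", identify_table(ARC_TABLE))
    print("odd table, by constants:  ", identify_table(ODD_TABLE))
```

Two caveats fall out of running it. A table match only pins down the polynomial (ARC and MODBUS share one), so you still need the init value from the disassembly to name the variant. And a non-standard result tells you the code was copied from somewhere unusual, which is exactly as far as the report takes it: it says nothing about who did the copying.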
China Toughens Cyber Laws?
Sort of ironic, given the recent NYTimes article on state-sponsored hacking. Then there's the TimesOnline report that quotes officers who believe that they should strengthen their military until China is "strong enough for a hand-to-hand fight with the US."
Talk about mixed messages. Pay no attention to the man behind the curtain. -BB(2010-02-07)
Black Hat DC 2010 Postgame Wrap-Up
Jeff Moss kicked off this year’s Black Hat DC by observing that we’ll probably never be able to completely eliminate cyber attacks, and because of this perhaps we should follow Israel’s example and work on improving our response capabilities. He also mentioned the issue of attribution, my current pet peeve given all the media coverage that cyber-attacks have been getting.
Next up was keynote speaker Greg Schaffer, Assistant Secretary for Cyber Security and Communications. According to Moss, he’s the highest ranking DHS official to ever speak at Black Hat. It was obvious that he operates at that altitude: lots of abstract references to "spaces" and "practices." Though, I did appreciate his observation that, in the age of worldwide connectivity, every unprotected node is a potential threat. This sort of reminded me of Richard Bejtlich's "Protect The Data" blog entry.
The Joys of Whack-A-Mole
The first session I attended was hosted by a panel of speakers, including the director of Network Abuse at GoDaddy.com. The underlying message (one which Joseph Menn would echo later on the same day) was that going after offenders isn't horribly effective because law enforcement doesn't work that well in an international environment. In so many words, Russia and China don't do squat (and in some cases may actually be shielding offenders). To add insult to injury, when organizations like GoDaddy suspend domains, they end up getting lawsuits thrown at them. Granted no one's ever been successful, but still it's expensive to go through all of the legal steps to get each lawsuit thrown out.
Don’t Worry: It’s An Art Project
Joe Grand offered an informative discussion on how to cross over to the hardware side of hacking. A lot of what he touched on (e.g. the emergence of small-scale collaboration and outsourcing) reminded me of an article that appeared a while back in Wired Magazine about the rise of DIY.
Let’s Go On A Boar Hunt!
If a Russian chief of police and his henchmen invite you to go hunting late at night after several rounds of vodka, lock yourself in your room and don’t open the door for anyone. In this talk, Financial Times journalist Joseph Menn offered highlights from his recently published book "Fatal System Error." All told, Menn paints a pretty ominous picture. Though attribution is possible, it's very (very) resource intensive. Couple this with the fact that Russian authorities seem to be protecting high-level offenders. Menn suggests that we start over because, as things stand now, there's no way to impose rule of law on the internet.
Black Hat DC 2010: Day 02
It’s Greece All Over Again
The catch with building wiretapping functionality into a network infrastructure, AKA Lawful Intercept, is that it can be turned against the people it was originally intended to help. The Athens Affair is a well known example of this. In this session, IBM's Tom Cross examined flaws in Cisco's lawful intercept facilities.
White Hat Hacker Mindset
Though I can relate to the basic premise of this session, that the goals of the average pen tester are constrained (and perhaps artificial), I disagree with the speaker’s claim that “In general using rootkits to maintain control is not advisable or commonly done by sophisticated attackers because rootkits are detectable.”
Stealth technology is part of the ongoing arms race between Black Hats and White Hats. To dismiss rootkits outright implies that this arms race is over (and I assure you, it’s not). I suspect that Greg Hoglund, Jamie Butler, Holy Father, Joanna Rutkowska, and several defense contracting agencies would all agree. By definition, the fundamental design goal of a rootkit is to subvert detection.
Always Have a Good Lawyer
The grand finale of this year's Black Hat DC was a session led by HD Moore. This guy, HD, is a geek’s geek; a man whose mind is working so fast that the words tumble out of his mouth like a 10 GB text file streaming to stdout. He gave the audience a personal history of the Metasploit project and some interesting insights into what can happen when the suits get involved. Congrats on the baby HD!
NOTE: I've put up the slides and white paper for my presentation.
Government Agencies Vie for Zero Day Exploits
Here's a story you don't read about every day... -BB(2010-01-29)
"There's also another, highly secretive market for zero days [exploits]: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system."
Oil Companies Targeted
UPDATE: The Register has called out the mainstream media on China's connection with the recent Google attacks: "If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?"
The Christian Science Monitor reports that Marathon, ExxonMobil, and ConocoPhillips appear to have suffered at the hands of an Advanced Persistent Threat (APT). The attacks, which took place in 2008, targeted “bid data” which details the potential value of oil-bearing land.
The use of custom tools and spear-phishing hints at the involvement of skilled teams. At the same time, I'll admit that it’s refreshing to note that the experts cited in this article have the integrity to admit that attribution is a fundamental problem, forgoing the urge to shout out accusations:
“A simple thirst for oil is no proof that a country is conducting corporate espionage. Even the suggestion, contained in one of the documents, that some data had flowed from a ConocoPhillips computer to a computer in China could have been the result of some other nation’s cyber-spy unit co-opting Chinese servers to cover their tracks, experts say. Lee and other specialists admit that it will be difficult, and perhaps impossible, to ever determine definitively who was behind the attacks.”
Read that last sentence carefully, and repeat it to yourself over the next few months. -BB(2010-01-26)
Fear and Loathing at SOURCE Boston 2010
In April, our spiritual fixer (Bill Blunden) will infiltrate the home of the Red Sox to speak at the SOURCE Boston conference. His talk will touch on the futility of disk-based forensic analysis. Presentation date TBA. -R. James (Jan. 23, 2010)
Rootkit Envy
About now, I suppose that the engineers who designed the payloads used in the attacks on Google (whoever they may be) are wishing that the stealth technology and anti-forensic measures that they employed were half as good as those that U.S. intelligence agencies use. -BB(2010-01-19)
The China Syndrome - Updates
UPDATE: Metasploit has released a module that utilizes the IE exploit mentioned below.
UPDATE: Code used in the Google attack is now available.
UPDATE: McAfee offers more details about the attack. Also, there's a CNET article that provides additional backdrop.
UPDATE: A newsflash from Reuters reports that the United States has backed Google’s decision to end its support for censorship in China. An official from the Chinese government responded that all foreign companies are expected to abide by Chinese law.
Microsoft’s CEO, Steve Ballmer, is anything but sympathetic:
"I don't understand how that helps us, and I don't understand how that helps China… There are attacks every day. I don't think there was anything unusual, so I don't understand."
I would agree that attacks happen every day. However, I think that the level of expertise demonstrated by the attackers, and the precise nature of the intrusions, warrants a certain amount of attention (especially when one of the targets is a high-profile corporation that publicly flaunts the intelligence of its employees).
Perhaps China doesn't want "help"? Perhaps they'd like this whole thing to blow over so that they can get back to business as usual. - BB (2010-01-15)
The China Syndrome: "Highly Sophisticated/Coordinated Attacks"
Big names like Google and Adobe have recently announced that they've been hit by precision-guided cyber attacks. According to the WSJ, Google and Adobe were among dozens of companies that the attackers targeted. Based on Google's response, it would appear that they believe the intrusions to be state-sponsored. I can almost hear Eric Cartman (screw you guys, I'm going home).
For those readers interested in the "how" of the attacks, this article from Wired magazine offers a number of details. Consultants from iDefense leaked specifics that Google has declined to confirm.
Though there seems to be a political angle to the Google attack, one thing's for sure: theft of intellectual property can offer a huge return on investment. Just ask Vladimir Kryuchkov, former KGB Chairman:
"Intelligence is probably the most profitable structure in the country. It pays its expenses with dividends. One single operation, concerning outer space, pumped 500 million dollars into our economy."
Hell, even Ugly Betty isn't safe! (The Chinese knock-off is a show called "Ugly Wudi")
Russian Security Firm Releases Exploits
Evgeny Legerov, of the Moscow-based company Intevydis, explains why he thinks responsible disclosure is flawed and why Intevydis is releasing a series of zero-day exploits:
"We do not support it [responsible disclosure]. Because it is enforced by vendors and it allows vendors to exploit security researches to do QA work for free."
"You – ABCD company, making N millions per year selling your buggy XYZ product all over the world, why are you asking to give the results of the hard work during many years for free? Instead of wasting your and our time would not it be better to allocate resources to enforce good coding practices for all your amateur software developers?"
Offensive Technology in CS Programs
This morning the New York Times published a story detailing how American universities are scrambling to develop academic programs that focus on computer security:
"Banks, military contractors and software companies, along with federal agencies, are looking for 'cyber ninjas' to fend off a sophisticated array of hackers, from criminals stealing credit card numbers to potential military adversaries."
Here’s a question: how many of these newly minted programs give their students first-hand experience creating offensive (e.g. malicious) software? The Times article mentioned an MS program in cyber-security offered by NYU-Poly. I checked out the curriculum to this program and didn’t see anything remotely resembling a course on malware design. Why are institutions in other countries, like Canada and Finland, able to offer such courses? Once more, will this state of affairs put the U.S. at a long-term strategic disadvantage?
The best way to construct an effective defense is often through direct exposure to offensive technology (why should the bad guys be the only ones with the requisite know-how?). If we fail to encourage an open discussion of malware analysis and development in academia, we’ll end up in a position where we’re constantly playing catch-up with the Black Hats. Given the steady rise of cyber-crime over the past few years, this is not somewhere that the United States will want to be. -BB (2010-01-04)
Dry Rot And The Internet
A termite infestation is one of the most insidious and destructive predicaments that a wood-framed structure can face. Infestations typically start in some obscure corner, well out of sight, and spread silently, inch-by-inch over the course of years. Colonies can number into the millions, using a decentralized swarm intelligence that’s self-organizing. By the time that the owner becomes aware of the problem it’s often too late, the integrity of the entire building has been compromised.
Now imagine this scenario played out by a state-sponsored botnet that’s employing a bare-metal rootkit to fly below radar level; perhaps the result of a hardware vendor cooperating with an intelligence agency to embed stealth technology at the circuit level. The infestation could occur over the span of several years, as the botnet spreads to hundreds of millions of hosts using a decentralized peer-to-peer swarm intelligence that relies on a carefully designed covert channel. The botnet could sit dormant (in a manner similar to Conficker), a massive sleeper cell that exists only to propagate, waiting for the order to wake up in the event of World War III. Or it could work to progressively corrupt data, instituting alterations until even the backups of backups are bad.
What would happen if the circuit-level backdoor was discovered by other nation state players and unleashed against its maker? According to researchers that I’ve spoken with, these are cyber-war scenarios that the DoD has examined.
But is this really what we need to be worried about on a day-to-day basis? Bruce Schneier says cyber-crime is the real threat (and I would agree with this). Though, he also pointed out in a 2005 essay that:
“The countermeasures aimed at preventing both cyberwar and cyberterrorist attacks will also defend against cybercrime and cybervandalism. So even if organizations secure their networks for the wrong reasons, they'll do the right thing.”
This is akin to NASA’s Apollo program, which yielded a number of technological advances as a byproduct of our ultimate goal of landing on the moon. So, even if we never actually made it to the moon, the effort would have been worth it in the long run. -BB (2009-12-30)
Open Source Anti-Virus as the Public Option
Yesterday afternoon, over lunch, a colleague of mine who was born in Hungary pointed out that the United States is the only industrialized country that doesn’t provide universal health care to its citizens. Then he went on to explain how medical care was a basic human right and that society, as a whole, benefits from keeping its population in good health.
Could the same argument be made with regard to computers? Should there be a state-funded alternative (e.g. open source anti-virus) so that users could take steps to maintain the health of their systems? After all, decreasing the number of compromised machines has its benefits, right? Or would this approach just provide attackers with a better way to implement instance-specific attacks, leaving users with a false sense of security? This is one of those “dangerous ideas” that I’d encourage people to think about. -BB (2009-12-23)
Black Hat Vertical Integration
While bulletproof hosting services have proven valuable to online criminals, some groups are moving up the food chain by directly allocating blocks of IP addresses from Regional Internet Registries (RIR) and Local Internet Registries (LIR). According to a posting by Kaspersky:
"Attackers who own their own large blocks of IP space have a much easier time hiding their activities than do criminals who have to go through legitimate ISPs or hosting providers. There's no abuse desk to complain to, no recourse for people who find themselves being attacked by a given range of IP addresses."
In theory, this sort of thing shouldn’t happen. The problem is that in certain parts of Europe the record-keeping and oversight facilities necessary to verify applicant organizations are lacking (again, this is an infrastructure issue). A couple of years back, the Russian Business Network was able to leverage this aspect of address allocation to score a large block of IP addresses from RIPE, essentially becoming a rogue ISP.
Fear and Loathing at CEIC 2010
In May of 2010, our fearless leader (Bill Blunden) will head back to Vegas to speak at the Computer and Enterprise Investigations Conference. Anti-forensics and rootkits will likely be on the menu. Presentation date TBA. -R. James (Dec. 12, 2009)
Why Isn’t China Throttling Its Malware?
Anyone who has done business in Hong Kong knows that, despite the rapid growth of mainland China, this region still has one ace up its sleeve: infrastructure, thanks to the British colonialists. Specifically, I’m talking about the legal and regulatory oversight necessary to support economic activity.
For example, if you want to buy or sell gold, it’s generally less risky to do so in Hong Kong because there’s a significant amount of checks and balances in place to safeguard buyers and sellers. In fact, it’s fairly common for merchants from the mainland to travel to Hong Kong to deal in gold for this very reason. Simply put, the infrastructure is better.
This reality points to basic underlying flaws in China’s system. Perhaps this is to be expected, given that the current system evolved as a result of thousands of years of rule by dictatorship, in one form or another. China simply doesn’t have the tradition of checks and balances that is the hallmark of a democratic society. This, in turn, may explain why the vast majority of bullet-proof internet hosting services operate out of China. -BB (2009/11/29)
U.S.-China Economic and Security Review Commission, 2009 Report
This congressional committee report, in Section 4 of Chapter 2, concludes that:
"The direct attribution of such activities targeting the United States presents challenges due to hackers’ ability to conceal their locations. Nonetheless, a significant and increasing body of circumstantial and forensic evidence strongly indicates the involvement of Chinese state and state-supported entities."
The report doesn't go into the details of exactly how we know who's attacking us. In so many words, they're saying "we just know, trust us." Boy, that sounds like a slam dunk to me! I can't help but wonder if the actual perpetrator is simply making effective use of anti-forensics to place the blame on somebody else.
Regardless of who's culpable, the existence of state-sponsored hacking isn't necessarily earth-shaking news. As the recent 60 Minutes piece demonstrated, we're probably one of the more active players in this field. So, when other countries discover the existence of advanced persistent threats in their networks, some of the binaries that they recover probably can be attributed to us.
Fear and Loathing at Black Hat DC 2010
In late January, Bill will be navigating the beltway to speak at Black Hat DC 2010. Hopefully life in Northern California hasn't softened him up so much that he can't handle winter on the east coast. -R.James (Nov. 12, 2009)
Wired Magazine on the 60 Minutes Report
One side claims the 2007 power outage in Brazil was due to hackers and the other side dismisses it as the result of poorly maintained high voltage insulators. Who do you believe? This story from Wired reminds me of an observation that Bruce Schneier made recently.
"We tend to be poor judges of risk. We overreact to rare risks, we ignore long-term risks, we magnify risks that are also morally offensive. We get risks wrong -- threats, probabilities, and costs -- all the time. When we're afraid, really afraid, we'll do almost anything to make that fear go away. Both politicians and marketers have learned to push that fear button to get us to do what they want."
As an experiment, read through the news stories that I've collected over the past year and ask yourself which threat seems more immediate: cyberwar or cybercrime. Naturally, some people would argue that the actual threat that cyberwar represents can't be properly evaluated because much of the truly substantive evidence must be kept secret for the sake of national security... -BB (2009/11/11)
60 Minutes: Sabotaging the System
This evening I watched a piece by 60 Minutes that focused on threats to our infrastructure from computer-based attacks. While some aspects of the broadcast verged on sensationalism (which is only natural, given that 60 Minutes is trying to attract viewers on behalf of their advertisers), I was encouraged by the inclusion of points that are typically neglected when it comes to news stories like this.
For example, take the following observation made by Jim Lewis, director of the Center for Strategic and International Studies:
"We're in the top of the league. We are really good. And if you talk to the Russians or the Chinese, they say, 'How can you complain about us, when you do exactly the same thing?' It's a fair point with one exception: we have more to steal. We have more to lose. We're the place that depends on the Internet. We've done the most to take advantage of it. We're the ones who've woven it into our economy, into our national security, in ways that they haven't. So, we are more vulnerable."
Sure, our networks have been penetrated and data has been stolen. But we’re not an innocent bystander here. Heck, we break into networks in other countries too … all of the time. In fact, we’re pretty damn good at it. So do we, as a country, have the right to be indignant when intruders breach our security? Personally I think embarrassment might be a better response. Obviously our offense is much better than our defense. But why does this state of affairs exist? The 60 Minutes report hinted that part of the problem has to do with the financial prerogatives of the corporations that create high-tech products. Specifically, Congressman Jim Langevin noted that:
"The private sector has different priorities than we do in providing security. Their, in a sense bottom line, is about profits. We need to change that. We need to change their motivation so that when we see a vulnerability like this we can require them to fix it."
In my opinion, instituting meaningful change is going to be difficult, as legislators will be forced to bite the hand that feeds. Don’t think for a minute that all of those hi-tech lobbyists will roll over and purr if our representatives start talking about measures that might adversely impact the bottom line. Offshore outsourcing, for instance, represents a long-term threat to the technical leadership that the United States has maintained since World War II. Yet, our legislators are woefully silent when it comes to actually doing anything about it. Guess what happens when most of our hardware is manufactured in other countries because it's cheaper? According to Jim Gosler:
"We have found microelectronics and electronics embedded in applications that shouldn't be there. And it's very clear that a foreign intelligence service put them there.”
Would you like some fries with that? -BB (2009-11-08)
Peter Kleissner: It's Just Technology
After presenting the "Stoned Again" bootkit at Black Hat USA 2009, Peter's then employer (Ikarus Software) asked him to resign. This is ridiculous. As Professor George Ledin of Sonoma State has pointed out, it's probably more dangerous not to have an open discussion of malware technology. It seems the AV industry would rather gag everyone and stifle external research.
Reading this Washington Post article made me think of Colonel Kurtz from the movie Apocalypse Now.
"I've seen horrors... horrors that you've seen. But you have no right to call me a murderer... you have no right to judge me."
Microsoft's (Lack of) Forensic Tools - Continued
A reader contacted us this morning to let us know that Microsoft does actually offer a forensic tool. It's a custom USB drive that ships with a suite of 150 commands. Unfortunately, Microsoft seems to limit distribution of its forensic thumb drive to law enforcement personnel.
The tool's public announcement, from 2008, can be viewed here. Microsoft's official page for this product is here.
Can You Believe It? They're Spying on Us!
Yet another vague story from the Wall Street Journal about an unnamed company that had its machines compromised by intruders who were "likely supported, if not orchestrated," by the Chinese government. Note that attribution is one of the primary issues when it comes to cyber-attacks. Recall the news stories that came out earlier this year that had legislators clamoring for retaliation. As it turned out, the reported attacks didn't come from North Korea, but from somewhere in Miami (or who knows where).
Keep in mind, dear reader, that the art of starting wars has been honed for thousands of years. Whenever I read this sort of story, I'm reminded of a particularly chilling quote from Gilbert's Nuremberg Diary that's attributed to Hermann Göring:
"Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is to tell them they are being attacked, and denounce the pacifists for lack of patriotism and exposing the country to danger."
Finally, just to be fair, even if this actually is the work of attackers backed by China, I'm pretty sure we're spying on China also. It's just that we're not as noisy or conspicuous when we do. -BB (2009/10/23)
The Invisible Giants
In the early 1900s, the city of Cleveland established itself as a center of economic activity. Its status was reflected by the fact that, in the wake of the Federal Reserve Act, Cleveland was chosen to host one of the Fed’s twelve regional banks. The driving force behind Cleveland’s ascent during this period can be traced back to the Van Sweringen brothers, who developed a railroad empire that was based in the city. The Van Sweringen brothers were elusive, low-key billionaires. One might even go so far as to say that discretion was their hallmark. They literally had a man on their payroll whose sole job was to keep their name out of the papers. The economic equivalent of a rootkit, they preferred to exercise their power indirectly from behind the scenes, with subtlety. Hence, cynics who scoff at the notion of hidden rulers and their intermediaries in the power structure might be well advised to recall a statement made by then President Woodrow Wilson:
"A great industrial nation is controlled by its system of credit. Our system of credit is privately concentrated. The growth of the Nation, therefore, and all our activities are in the hands of a few men... We have come to be one of the worst ruled, one of the most completely controlled and dominated, governments in the civilized world—no longer a government by free opinion, no longer a government by conviction and the vote of the majority, but a government by the opinion and the duress of small groups of dominant men."
Related: Thought control in economics. A professor at Wellesley observes that "supply and demand curves only determine prices in perfectly competitive markets … which don’t exist. I considered this key to my students’ education, especially since mainstream economists apply the framework inappropriately so often."
We're Number 1 (Well, Sort Of)
As of 7:27am PST (2009-09-17), The Rootkit Arsenal is the #1 selling book in the Security category of the “Business & Culture” sub-section of the “Computers & Internet” section at amazon.com. Though, strictly speaking I think I should point out that with its overall sales ranking of 8,399 the book is hardly the most popular technical book at amazon.com. My suspicion is that books are assigned to these carefully delineated groups for marketing purposes. Ahem. Anyway, having put this into context, I’d like to extend my thanks to everyone who's read the book and also to my cohorts here at Below Gotham Labs. Keep those e-mails coming. -BB
State-Sponsored Rootkits
Recently, a professional malware developer who worked for ERA IT Solutions (a commercial software company that supplies security tools to the Swiss government) released VoIP monitoring code to the public. That’s right, you heard correctly: there are professional software engineers actively designing malware on behalf of national governments. That’s their day job. This is one reason why I think that the spooks (not the hackers, or the crooks) wield the most sophisticated rootkits. They have the money, the connections, and the legal mandate to build high-quality malware.
Security through obscurity may not be an impenetrable shield but it is a barrier, and not always a trivial one. Results that might take an independent lab several months of excruciating reverse engineering might only take a few days for a lone engineer who happens to possess the necessary design documents and specifications. Having the cooperation of OEMs and software vendors can make the difference between a buggy proof of concept and a robust, production-quality, implementation with all the bells and whistles. This is because effort that otherwise would be spent isolating magic numbers and decomposing obscure protocols can be directed towards actual software development.
I’ll probably never know exactly how far ahead state of the art rootkits are from what we see at conferences like Black Hat. I don’t have the requisite security clearance. But if my instincts are correct, the things that show up in the public sector are relatively basic instruments that merely hint at what’s been done by the intelligence agencies. To see what I’m talking about, check out the rootkit described in this article. -BB (2009-08-30)
Microsoft's (Lack of) Forensic Tools
For many years, I wondered why Microsoft couldn’t release a set of utilities that were as serviceable as those offered by the researchers at Winternals. Then, on July 18th of 2006, Microsoft announced they were acquiring Winternals. Will we have to wait for a similar event to occur in order to have access to robust, native forensic tools? After all, if anyone possesses the information necessary to build a stable and comprehensive suite of forensic tools for Windows it would be, well, Microsoft. Perhaps they’re worried that such apps would be used by reversers to peek at things that they’re not supposed to? Who knows? I just wish that I could sidestep the process of having to deal with freeware that randomly crashes or shelling out big bucks for overpriced third-party software. -BB (2009-08-19)
Sun Tzu and Cyber War in Georgia
“A wise general makes a point of foraging on the enemy. One cartload of the enemy's provisions is equivalent to twenty of one's own, and likewise a single pound of his provender is equivalent to twenty from one's own store” –Sun Tzu, The Art of War
While reading the Wall Street Journal’s article on the DDoS that took place last year in Georgia, I couldn’t help but think of the above quote. The perpetrators used our infrastructure to support their attack. They used U.S.-based social-networking sites, stolen American identities, and modified code that Microsoft provides for free.
As the article observed: "cyber-warfare has outpaced military and international agreements, which don't take into account the possibility of American resources and civilian technology being turned into weapons."
Encryption Keys and Plausible Deniability
Recently an article appeared in the Register about two people who were convicted for failing to reveal their encryption keys to authorities. If you’re using an encryption package that allows you to create and encrypt a virtual file system (i.e. a large file that the software mounts and treats as a logical disk), one way you could protect yourself would be to create a secondary encrypted file system within another. This way, if you’re coerced into providing an encryption key you could offer the key to the outer file system (which you might want to populate with a smattering of decoy files) while concealing the inner file system somehow. This is the motivation behind TrueCrypt’s “hidden volume” feature.
I suppose that if you really wanted to be paranoid, you could create yet another encrypted file system within the secondary file system...
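To make the layout concrete, here is an added toy model of the nested-volume idea described above; it is not TrueCrypt's code or on-disk format, and it stands in an HMAC-SHA256 keystream (an assumption for demonstration only) for a real block cipher. The container is pre-filled with random bytes, the outer volume starts at offset 0, and the hidden volume sits at the container's midpoint inside what the outer volume regards as free space, so a holder of the outer password sees only decoys and random filler. It also shows the failure mode such a scheme must guard against: an outer-volume write that does not know the hidden volume exists silently destroys it.

```python
"""Toy nested-volume container (illustration, not a real encryption format)."""
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"BGVOL1"          # constructed marker used to recognise a decrypted header
SALT_LEN = 16
HEADER_LEN = 64            # salt + encrypted header fields + random padding
BLOCK = 32                 # keystream block size (one SHA-256 digest)
HEADER_FIELDS = len(MAGIC) + 8 + 32   # magic, payload length, SHA-256 of payload
PBKDF2_ROUNDS = 20000      # kept low so the example runs quickly


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> 32-byte key (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _keystream_xor(key: bytes, offset: int, data: bytes) -> bytes:
    """XOR data with an HMAC(key, counter) keystream. Demo stand-in for a cipher."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = hmac.new(key, struct.pack(">Q", offset + i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)


def _write_volume(buf: bytearray, base: int, password: str, files: dict) -> None:
    """Write a volume (header + encrypted file table) at offset `base` in place."""
    payload = json.dumps(files).encode()
    if base + HEADER_LEN + len(payload) > len(buf):
        raise ValueError("volume does not fit in container")
    salt = os.urandom(SALT_LEN)              # plaintext salt looks like filler
    key = derive_key(password, salt)
    fields = MAGIC + struct.pack(">Q", len(payload)) + hashlib.sha256(payload).digest()
    header = salt + _keystream_xor(key, 0, fields)
    header += os.urandom(HEADER_LEN - len(header))
    buf[base:base + HEADER_LEN] = header
    start = base + HEADER_LEN
    buf[start:start + len(payload)] = _keystream_xor(key, HEADER_LEN, payload)


def create_container(size: int, outer_pw: str, decoys: dict,
                     hidden_pw: str = None, secrets: dict = None) -> bytes:
    """Build a container: random filler, outer volume at 0, hidden volume at size//2."""
    buf = bytearray(os.urandom(size))        # unused space is indistinguishable from ciphertext
    _write_volume(buf, 0, outer_pw, decoys)
    if hidden_pw is not None:
        _write_volume(buf, size // 2, hidden_pw, secrets or {})
    return bytes(buf)


def _try_read(container: bytes, base: int, password: str):
    """Decrypt the header at `base`; return the file table or None if key/data mismatch."""
    salt = container[base:base + SALT_LEN]
    key = derive_key(password, salt)
    enc = container[base + SALT_LEN:base + SALT_LEN + HEADER_FIELDS]
    fields = _keystream_xor(key, 0, enc)
    if fields[:len(MAGIC)] != MAGIC:
        return None                          # wrong password for this slot (or no volume here)
    length = struct.unpack(">Q", fields[len(MAGIC):len(MAGIC) + 8])[0]
    digest = fields[len(MAGIC) + 8:]
    start = base + HEADER_LEN
    payload = _keystream_xor(key, HEADER_LEN, container[start:start + length])
    if hashlib.sha256(payload).digest() != digest:
        return None                          # payload damaged, e.g. overwritten by outer writes
    return json.loads(payload)


def open_volume(container: bytes, password: str):
    """Try the outer slot, then the hidden slot; the caller never says which one it wants."""
    for base in (0, len(container) // 2):
        files = _try_read(container, base, password)
        if files is not None:
            return files
    return None


def write_outer(container: bytes, outer_pw: str, files: dict) -> bytes:
    """Rewrite the outer volume with no knowledge of the hidden one (the hazard)."""
    buf = bytearray(container)
    _write_volume(buf, 0, outer_pw, files)
    return bytes(buf)


if __name__ == "__main__":
    c = create_container(4096, "outer-pw", {"notes.txt": "grocery list"},
                         "hidden-pw", {"keys.txt": "secret"})
    print(open_volume(c, "outer-pw"))        # decoys only
    print(open_volume(c, "hidden-pw"))       # the inner file system
    damaged = write_outer(c, "outer-pw", {"big.bin": "x" * 3000})
    print(open_volume(damaged, "hidden-pw")) # None: the outer write clobbered it
```

A real implementation needs the outer driver to know the hidden region's extent when the user supplies both passwords, which is what TrueCrypt's hidden volume protection option addresses.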
Computer Security Meets Ulam’s Dilemma
Stanislaw Ulam was a mathematician from Poland who came to the United States at the outbreak of World War II and subsequently was involved in the Manhattan Project. He observed that, over time, mathematics had grown into such a vast discipline that making progress required focusing on a narrow area of specialization. The problem with this tendency is that it makes it much more difficult to grasp, and appreciate, developments in other sub-domains.
Having walked the halls at Black Hat, I can see the same thing happening to computer security. Fields like web-based attacks and firmware exploits are so rich with ideas and technical minutiae that specialization is becoming a matter of necessity. The emerging ecosystem that supports the creation and deployment of malware reflects this fact. One engineer builds a rootkit that gets bundled as a payload in an exploit used by a worm that's written by another engineer, who then sells it to someone else who uses it to seed the internet and grow a botnet, that gets rented out by a front man from somewhere else…
Like an Eskimo stuck on an iceberg that’s breaking apart, it gets harder and harder to keep a foothold on every field until finally it becomes impossible. Eventually, you have to choose your own little plot of conceptual real estate and try to keep an eye on related subjects. In the worst case, you choose an area that dwindles into obscurity (remember Trusted Xenix?), and then… well, it helps if you can swim.
Black Hat USA 2009 Material Posted
Here's the white paper and slide deck that I presented at Black Hat USA 2009. My comments on the event follow below.
Black Hat USA 2009: Postgame Wrap-Up
Looking back over the two-day event, the first thing that struck me was the sheer scale of the conference and how well they were able to manage the flow of people. Caesar’s Palace was definitely a suitable venue for this conference.
I started off the first day with the keynote address by Douglas Merrill, whose talk revolved around psychological acceptance (i.e. security measures are futile unless users are willing to actually use them). Next, I sat in on Peter Kleissner’s presentation on the Stoned Again Bootkit, which detailed a framework for loading arbitrary payloads into the kernel during system startup.
The highlight of the morning session was the talk led by Peter Silberman and Steve Davis, from Mandiant, who demonstrated how to re-construct Metasploit intrusions using a custom tool in conjunction with Memoryze to scan the address space of a compromised process.
In the afternoon I stayed primarily on the rootkit track. I sat through Erez Metula’s discussion of user-mode rootkits, which embed themselves in virtual machine runtime environments (e.g. the JRE, or .NET) by altering the bytecode libraries that they rely upon. This talk was particularly well organized and easy to follow, though the emphasis in this case appeared to be on data exfiltration and manipulation. Metula observed that absolute stealth would probably require the assistance of a system-level rootkit.
I ended the first day with the presentation on “Ring -3” rootkits from the Invisible Things Lab (ITL), which focused on firmware-related subversion that targeted a special region of memory reserved for Intel’s Active Management Technology. This time, Joanna sat with the audience while her two colleagues (Alexander Tereshkin and Rafal Wojtczuk) did most of the talking. The trend that the speakers touched upon is that vendors often try to protect against malware by putting special management code in remote locations that the operating system (and any malware that it might be hosting) cannot access. This is all nice and well until malware somehow loads itself into these specially protected regions...
On the second day of Black Hat, I started with a presentation by ITL and then sat in on Nick Harbour’s discussion. Nick, a reputed Ninja, examined API tracing via detour patching as a way to reverse engineer malware. He also demonstrated a novel technique for unwrapping packed binaries using a customized version of kernel32.dll.
Being a native of the Bay Area, I couldn’t resist the talk on smart parking meters given by Joe Grand, Jacob Appelbaum, and Chris Tarnovsky. I can’t speak for everyone, but the photograph of the meter with $999.99 worth of parking time brought many people to a standing ovation. Over the next few months I’m going to be eagerly watching the Mission District for hacked parking meters. Let’s hear it for a truly great presentation!
I also sat in on the Feds versus Ex-Feds panel for a bit. Man, those feds are a cheeky bunch. I suspect they were overcompensating as they may have expected the same from us. One audience member commented that he was essentially asked to: “step up to the microphone, sir, and be shot.”
Around the mid-point of the discussion panel, I left to go prep for my own talk. During my presentation on anti-forensics I looked down into the audience and recognized a couple of well-known people whose work I truly respect: Richard Bejtlich and Jamie Butler. Whoa. That was cool. Thanks so much, Richard and Jamie, for taking the time to sit through my talk!
Fear and Loathing at Black Hat USA 2009
Bill Blunden will be joining the pilgrimage to Vegas this July to speak at Black Hat USA 2009. The title of his presentation is Anti-Forensics: The Rootkit Connection. The speaker schedule is available here. It looks like Bill will be speaking on July 30th from 16:45-18:00 in the Augustus Ballroom on the Fourth Floor.
Fear and Loathing in San Francisco
On May 15th, 2009, at San Francisco State University I’ll be giving an encore performance of the rootkit presentation that I gave at Sonoma State back on April 9th. The talk will be given in the HSS building, room 362, from noon to 1:30pm.
The Rootkit Arsenal: Approach versus Intent
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." —Sun Tzu
Recently a number of people have raised the issue of whether an open discussion of Black Hat tradecraft is a dubious proposition. The general concern is that a book like The Rootkit Arsenal poses a threat because it will show bad people how to do bad things. In response to the e-mails that I’ve received, I’d like to take a moment and directly address this topic.
The Rootkit Arsenal offers both concepts and source code. Ultimately, I’m a broker. I can’t control what the reader does with what they read. However, I might add that the bad guys already know this stuff. In fact, many of the book’s tactics were excavated from Black Hat sites. It’s the average system administrator who needs to appreciate just how potent this technology can be.
Hence, though the approach of my book is obviously from the vantage point of a Black Hat, my intent is to offer insights which normal, law-abiding IT professionals might find useful. Trying to secure the Internet by limiting access to potentially dangerous information is a recipe for disaster. Security through obscurity is not the answer. As Mark Ludwig put it in his seminal book The Giant Black Book of Computer Viruses, "No intellectual battle was ever won by retreat. No nation has ever become great by putting its citizens’ eyes out."
Malware Research at American Universities
Why is the obscure art of malware so, well, obscure? Why aren't students at MIT, Princeton, Caltech, and Stanford actively studying this relevant topic? According to George Ledin of the Anti-Conficker Project, "The AV industry has kept everything under wraps, most university professors are busy with their cozy niche and don't want the aggravation, and the topic is dangerous, uncharted territory."
But this answer raises the question: why is this dangerous territory? Heck, software is just software. Right? Ledin presents his case, quite well, in the January 2005 issue of the CACM.
Here's what Niccolò Machiavelli would say: "And it ought to be remembered that there is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. Because the innovator has for enemies all those who have done well under the old conditions and lukewarm defenders in those who may do well under the new. This coolness arises partly from fear of the opponents, who have the laws on their side, and partly from the incredulity of men, who do not readily believe in new things until they have had a long experience of them."
Fear and Loathing in Sonoma
At the request of George Ledin, the Spring 2009 Computer Science Colloquium organized by Sonoma State University will be hosting a presentation by Bill Blunden in April. The hour-long talk, entitled The Rootkit Primer, will provide an overview that examines the core services that rootkits provide, how they provide these services, and who's using this technology.
Powerpoint slides of the talk can be found here.
The Rootkit Arsenal
In late April, Wordware Publishing will be sending my book The Rootkit Arsenal to press. The manuscript was several years in the making and the book investigates a broad range of related topics (e.g. system-level code, anti-forensics, reversing, etc.). Unlike the vast majority of computer security books, The Rootkit Arsenal does not attempt to veil itself with ethical window dressing. My book approaches its material, without apologies, from the standpoint of a Black Hat. No doubt this publication will ruffle a few feathers.
Greetings and Welcome
This entry marks the launch of the web site for Below Gotham Labs. We'd like to thank everyone involved and encourage our visitors to check out the latest news, events, and publications.