Crouching Pterodactyl, Mandiant Dragon

Mandiant has an entertaining and on-going series of presentations called “State of the Hack”. In the latest episode they offered a series of slides on the threat of intellectual property and brand theft, naturally starting with the U.S. Air Force.

Corporate espionage is a serious problem globally. The Mandiant program is far more focused, however. They ignore all theft perpetrated by everyone other than China from America. I won’t try to guess why they fixate, but I also can’t help but point out that in their zeal to demonstrate the connection they mistakenly label the following image as a “China Dragon”:

Kudos to them for putting a link to the original source in their slide. I always try to do that myself and really appreciate seeing attribution. So I went to the link in their slide and right away noticed, prominently displayed at the top of the photo, the following phrase:

This is what the pterodactyl looks like

Oops. That’s no Dragon.

I guess they also don’t want you to know the photo is by Sharon.

Then I did the side-by-side comparison that they recommended, with images of the Predator B, and I noticed many clear differences.

Also not a Dragon

Maybe I see differences instead of similarities because I’m too far into the trees/details of things and missing the big-picture forest from Mandiant’s view.

I suspect if you pull back far enough not only does the word “pterodactyl” look a lot like “dragon” but eventually everything looks like it comes from China. Bada bing. I’ll be here all week.

The presentation as a whole is still worth a watch. A celebrity defense argument that comes later is far more interesting to me. Or maybe I can digest it more easily because it doesn’t go into claims of the motives of the attacker. I find that I agree with their assessment of defensive measures, not least of all because I presented on this issue at the RSA SF Conference in 2010 and earlier at CSAS — social networking exposure parallels the lessons from celebrity exposure.

So I can guess that on most security theory I would likely agree with the presenters. But when they head down their path of focused attribution it leaves me cold, which only makes an obvious error even more difficult to ignore.

BayThreat Images: A-Cat

A couple people have asked to see again the photos I used in my presentation last week at BayThreat. It was called “Sharpening the Axe” because I discussed how to be as efficient as possible when pentesting cloud and virtual environments. I thought I should perhaps just post the photos here for convenience. Here are the first two, showing efficiency in modern sailing with the International A-Class Catamaran. Both are a custom Bimare XJ built by Ben Hall.

Downwind, North American Championships in Islamorada, Florida

Upwind, club race in Santa Cruz, California

SF Health Inspectors Charged with Fraud

Two San Francisco health inspectors have been charged with taking payments to falsify results.

Both Sanders and Stewart are former employees of the city Public Health Department. Each took hundreds of bribes of $100 to $200 apiece from restaurant managers and owners in 2007 and 2008 in exchange for allowing them to pass their food safety manager exams, District Attorney George Gascón said.

[…]

Gascón said the managers and owners who allegedly bribed Stewart and Sanders would not be prosecuted because many of them thought the payments were legitimate fees. For many of the managers and owners, English was their second language, the district attorney said.

“We believe that the greater culpability goes to the public employees,” Gascón said.

That policy, of course, encourages the managers and owners to turn in corrupt inspectors.

Metasploit update and DNS fuzz challenge

Two new challenges are mentioned in today’s update to the Metasploit framework. One is based on the fuzz module for DNS:

Metasploit contributor pello brings us a new auxiliary module, dns_fuzzer.rb. As part of testing, I threw this module against three different DNS resolvers to just watch the traffic, and promptly crashed one of the targets. Clearly, grown-up DNS servers shouldn’t fall over in the face of malformed traffic delivered at regular Internet speeds, so if you’re feeling like hunting for remote 0-day for fame and fortune, you could do worse than starting with this module.

Whatevz. Fame and fortune from testing quality with a fuzzer is so 2000-and-late. Let’s see some destroy_foreign_cyberarmy.rb module action.

The other is to create and submit resource scripts:

There’s exactly one rc script in there right now (thanks Mubix!), but if you have a resource script that you’d like to share, please feel free to submit it via a pull request to our GitHub repository — especially if your favorite resource script does something novel and interesting with modules, targets, or something we haven’t thought of yet.

SF Police Shootout, Larkin and Bush

San Francisco police pulled over a car this afternoon around 1:30 pm near the intersection of Larkin and Bush, as reported by local news stations KTVU and KRON.

The stories are not yet identical but essentially the driver left the car and started firing a gun at the police. Police returned fire. A passenger in the car escaped.

The KTVU witness account says officers fired a single shot.

Hamood Albadani, 52, who was visiting San Francisco from Michigan, said he witnessed the shooting while walking on Sutter Street.

He said that he was at the intersection of Sutter and Larkin streets when he saw a man fire five or six shots toward a parked car, but couldn’t see if he was shooting at anything in particular.

He said the shooter was in the street, and that a police officer approached him from the sidewalk and fired one shot to the man’s head, taking him down.

KRON says it was multiple shots.

Witnesses say the driver fired two shots at the officer who was not hit. The police officer returned fire hitting the fleeing man several times including at least once in the chest.

The man is now in hospital. The officers were not injured.

Bloomberg Fear: All Has Been Lost to Chinese

Anyone remember the controversy in Europe over Americans stealing commercial secrets? I’m not talking about Budweiser, Cheddar Cheese, Parmesan Cheese, Champagne, assembly lines or the millions of other ideas ruthlessly transferred to the American market in the 1800s and 1900s without any credit or attribution to the European sources they came from. I doubt any American you ask today knows Cheddar is from a town called Cheddar, England or even knows that such a town exists. The AP framed that old problem by quoting a prominent trade expert in America.

Gary Litman, vice president for European affairs for the U.S. Chamber of Commerce, said it’s too late to rename imitation Italian products that are already firmly established. “You cannot change history that easily,” he said.
[…]
Litman said most American buyers probably don’t care whether the cheese was made in Parma. “No one thinks it’s coming from Parma. They don’t even know where Parma is. They couldn’t find it on a map.”

No, not that controversy about imitations and knowledge transfer. I actually am talking about a different one; the much more recent case as described by the BBC in 2000 as “Big brother without a cause”:

The Echelon spy system, whose existence has only recently been acknowledged by US officials, is capable of hoovering up millions of phone calls, faxes and emails a minute.

Hoovering secrets? Why would America want to do that? Surely it is only for the safety and defense of the country. They can’t possibly be using it to steal secrets about cheese.

Its owners insist the system is dedicated to intercepting messages passed between terrorists and organised criminals.

But a report published by the European Parliament in February alleges that Echelon twice helped US companies gain a commercial advantage over European firms.

[…]

Mr Campbell believes that when the Cold War ended, this under-employed intelligence apparatus was put to use for economic gain.

“There’s no safeguards, no remedies,” he said. “There’s nowhere you can go to say that they’ve been snooping on your international communications. It is a totally lawless world.”

Now that’s just crazy talk. Lawless world? Or is it…? Are there other examples of this kind of problem?

A lengthy Bloomberg article has just appeared that tries to paint the U.S. as innocent victim of Chinese lawless behavior. I find a strikingly familiar style to the story. Note this quote, for example.

“The situation we are in now is the consequence of three decades of hands-off approach by government in the development of the Internet,” Falkenrath said.

I think he means the lawless world that Campbell warned about in 2000. Falkenrath’s quote is vague so here’s an even better quote.

“What has been happening over the course of the last five years is that China — let’s call it for what it is — has been hacking its way into every corporation it can find listed in Dun & Bradstreet,” said Richard Clarke, former special adviser on cybersecurity to U.S. President George W. Bush, at an October conference on network security. “Every corporation in the U.S., every corporation in Asia, every corporation in Germany. And using a vacuum cleaner to suck data out in terabytes and petabytes. I don’t think you can overstate the damage to this country that has already been done.”

In contrast, U.S. cyberspies go after foreign governments and foreign military and terrorist groups, Clarke said.

“We are going after things to defend ourselves against future attacks,” he said.

Well, it is not like the U.S. is going to go around saying “hey everyone, we’re stealing your secrets” even if they were. So Clarke could honestly believe what he is telling the press but it doesn’t change the fact that the U.S. might continue denying corporate espionage while actually performing it.

Ok, I know what you’re thinking. China has spies funded with state money. That makes it different from American spies because in America the spies are unorganized and beg on the street for pennies, right? Ashcroft paying Choicepoint tens of millions (before they paid him) to collect information on companies around the world and sell it to the government, that was an exception to the rule about funding spies with state money, right?

The Chinese are said to now be going at it with a national determination not seen since…the “hoovering” by Echelon.

Segmented tasking among various groups and sophisticated support infrastructure are among the tactics intelligence officials have revealed to Congress to show the hacking is centrally coordinated, the person said. U.S. investigators estimate Byzantine Foothold is made up of anywhere from several dozen hackers to more than one hundred, said the person, who declined to be identified because the matter is secret.

If they run that “sophisticated support infrastructure” anything like Choicepoint then all the U.S. has to do is get on the phone to China, give some random identity of a false company and offer to buy the data. Bada bing.

But seriously, the Bloomberg story starts off strong and repeats an old scary picture of a vacuum cleaner (vacuum one, vacuum two, vacuum three, vacuum four, vacuum five, etc.) sucking all the data out of America. Is it any coincidence that a company in Hong Kong acquired Hoover in 2007?

Then Bejtlich gets in a quote that changes the tone completely.

“The guys who get in first tend to be the best. If you can’t get in, the rest of the guys can’t do any work,” said Richard Bejtlich, chief security officer for Mandiant Corp., an Alexandria, Virginia-based security firm that specializes in cyber espionage. “We’ve seen some real skill problems with the people who are getting the data out. I guess they figure if they haven’t been caught by that point, they’ll have as many chances as they need to remove the data.”

The attackers have skill problems with their vacuum cleaner? The imagery is ruined. Who needs skill to use a vacuum? Now I see a bunch of guys running around in circles with USB drives, bumping into each other and falling down.

Such tracing is sometimes possible because of sloppiness and mistakes made by the spies, said another senior intelligence official who asked not to be named because the matter is classified. In one instance, a ranking officer in China’s People’s Liberation Army, or PLA, employed the same server used in cyberspying operations to communicate with his mistress, the intelligence official said.

Cue Benny Hill

But seriously, again, the story does have an interesting counterpoint to my point in a recent blog post. I asked, if there was no risk of retribution and China has unlimited human resources, then why is the U.S. military trying to convince us that there are a small number of attackers.

Bloomberg brings up the possibility of large numbers of Chinese entrepreneurs hacking for profit.

Driving China’s spike in cyberspying is the reality that hacking is cheaper than product development, especially given China’s vast pool of hackers, said a fourth U.S. intelligence official. That pool includes members of its militia, who hack on commission, the official said. They target computing, high technology and pharmaceutical companies whose products take lots of time and money to develop, the official said.

They don’t target our food and beverage industry?

Oh, right, they probably just go to Europe to steal the original information and not American knock-offs. I’m only being half-facetious. Europe obviously has a lot of IP at risk and innovation as good or even better than in America.

We heard complaints about Americans spying on European companies in 2000. The French complained in 2005 about China and there was a fair bit of discussion in 2010 about Renault. Why don’t we hear anything now from the European security experts, or from the European Generals and politicians, similar to the arguments by the U.S.? Where is the comparable outrage about the need to retaliate and fight the Chinese spies; why hasn’t Bloomberg included targets outside the U.S.?

Although I like the WSJ treatment of the topic far better than Bloomberg, they too fail to mention the European angle let alone other areas of the world with innovation (e.g. India, who is often trading harsh words with China). The reports from Europe seem to be far more cloak and dagger, as if their computers are impenetrable.

…an unnamed French company realised too late that a sample of its patented liquid had left the building after the visit of a Chinese delegation. It turned out one of the visitors had dipped his tie into the liquid to take home a sample in order to copy it.

Well then I guess we are left to imagine a Chinese cyberarmy squad throwing up their hands in disgust. American companies all were easily penetrated with just a simple email attachment but now, unable to get through the French company’s defenses, one of the Chinese agents says “that’s it, I’m putting on a tie and going in”.

And then there is the case of Chinese students paying tuition and attending class to learn about vacuum cleaner technology from the British. What kind of elite cyberarmy agent pays tuition and actually goes to class? Those British computers must be seriously hardened to force students to attend classes. At least now we know where spies get the latest vacuuming techniques from…

MythBuster’s Accident: The Breach Apology

I wrote just a few days ago about the cannonball that got away. Then I forgot about the story until I just happened to notice the Mythbuster’s show hosts being quoted with contradictory statements in two different papers.

Note the sincerity reported in the San Francisco Chronicle:

After assuring Shetty, his two children, his wife and her parents that they would never again blast a home with heavy ordnance, Hyneman and Savage said the incident was the worst thing that had happened during thousands of experiments over eight years on the Discovery Channel show.

They also promised they wouldn’t air the footage they had filmed of the near-catastrophic cannon shot.

Nice breach response. A personal visit and a promise. Small problem, however, here’s a completely different response in the Los Angeles Times:

Savage said that despite the mishap, the cannon episode will still air, most likely in the spring.

The accident is “by far the most serious event that has occurred” on the show, Hyneman added. But he and his partner are taking it seriously. “It’s one of the reasons we have such a good safety record overall,” he said.

People that bring up “we have a good safety record overall” right after a breach aren’t thinking about the victims. People that promise not to air an episode but also say it will be seen in the spring….

Maybe this contradiction is a matter of sloppy reporting and misquotes? Or is it just a fine example of how people in northern and southern California view risk differently (reporter bias)?

Amusing example of how breach responses need to be formed carefully and with consistency.

People’s Gas Breach not Infinite

According to the latest reports from the Chicago area, a contractor who breached an energy company was unable to steal infinity.

It’s still bad news for the “finite” number of records he did access.

Peoples Gas and sister utility North Shore Gas have notified an undisclosed number of customers of the possible theft and potential use of personal information about them by a contract worker.

[…]

They said, though, that the number is “finite and very small.” The companies said they had no information to indicate that the number of customers affected by the possible identity theft would grow.

The contracted employee has been fired and is “subject to criminal investigation and prosecution,” the companies said.

Never mind the X-men. A cartoon comes to mind with an evil character who has the amazing ability to steal an infinite amount of data. Oh no! It’s…it’s…SAN Man! Egress man?

Another U.S. Spy Plane Crash

The news today of another unmanned aerial vehicle (UAV) crash makes me think I should have been more explicit in my last blog post about the risk from UAVs. The latest crash was a Predator stationed in the Seychelles to monitor the Indian Ocean and nearby countries for al Qaeda/al Shabaab activity. Clearly the UAVs are very likely to crash, as hinted by a quote in my earlier post:

…a 2008 report by the Congressional Research Service, the nonpartisan analytical arm of Congress, found UAVs have an accident rate 100 percent higher than manned aircraft.

Why do they crash so often? Some like to speculate about the risk of malware. Oh, malware. If only you were not just a symptom. Let’s review some of the many possible factors contributing to a high risk of crashes.

1) Perhaps it is because no human is on board — asset value of risk calculations makes safety procedures less thorough. It is costly to lose a UAV but not costly enough to force better risk management.

2) Perhaps it is caused by emerging/unfamiliar technology. Although planes have been around for a while, remote control seems to have a few quirks especially when communication is interrupted — planes crash instead of entering a fail-safe return-to-base mode (something smarter than a “predetermined autonomous flightpath”).

As an aside, we can’t call these aircraft “drones” because they crash when they lose human guidance. Yet that’s the popular term for them. I try hard not to use it but I still catch myself calling them drones all the time. Given the high rate and sources of error the military probably wishes they were dealing with drones by now. But I digress…

The real story here is a combination of human risk management errors that has made the crashes more likely, as explained last year in the LA Times.

Pentagon accident reports reveal that the pilotless aircraft suffer from frequent system failures, computer glitches and human error.

Design and system problems were never fully addressed in the haste to push the fragile plane into combat over Afghanistan shortly after the Sept. 11 attacks more than eight years ago. Air Force investigators continue to cite pilot mistakes, coordination snafus, software failures, outdated technology and inadequate flight manuals.

Flight manuals. That says “checklist” to me. Note the details of a federal investigation labeled NTSB Identification: CHI06MA121 for a 2008 Predator B plane crash in Arizona.

The investigation revealed a series of computer lockups had occurred since the [U.S. border on a Customs and Border Protection (CBP) Unmanned Aircraft (UA)] began operating. Nine lockups occurred in a 3-month period before the accident, including 2 on the day of the accident before takeoff and another on April 19, 2006, 6 days before the accident. Troubleshooting before and after the accident did not determine the cause of the lockups. Neither the CBP nor its contractors had a documented maintenance program that ensured that maintenance tasks were performed correctly and that comprehensive root-cause analyses and corrective action procedures were required when failures, such as console lockups, occurred repeatedly.

[…]

The pilot’s failure to use checklist procedures when switching operational control from PPO-1 to PPO-2, which resulted in the fuel valve inadvertently being shut off and the subsequent total loss of engine power, and lack of a flight instructor in the [ground control station], as required by the CBP’s approval to allow the pilot to fly the Predator B. Factors associated with the accident were repeated and unresolved console lockups, inadequate maintenance procedures performed by the manufacturer, and the operator’s inadequate surveillance of the UAS program.

I am reminded of a quote in another recent post about aviation risks but from the 1940s.

Life Begins With a Checklist…and it May End if You Don’t Use It
