Monthly Archives: December 2013

Channeling the ghost in the machine

A team of researchers has identified a way to extract full 4096-bit RSA decryption keys just by listening to (detecting) the sounds generated by a computer. Sound patterns can be associated with particular processes running on the computer. Of special interest are the distinct sound patterns generated while ciphertext (text that has been encrypted) is being decrypted. The researchers claim that in less than an hour a decryption key can be recovered by analyzing the sound patterns produced during decryption of particular ciphertexts. Interestingly, this is not sound generated by fans, hard drives, or speakers, but rather sound generated by electronic components such as inductors and capacitors.

Handling interference

Most of the information-yielding acoustics occur above the 10 kHz range. Fan noise and typical room noise generally occur at lower frequencies and can be filtered out.

Depending on the environment, some keys can be extracted using a smartphone placed within approximately 30 cm of the target machine. Ranges of up to 4 meters have been achieved using specialized equipment such as parabolic microphones.


Different computers have different signatures, but distinct core computing operations such as the HLT (CPU sleep), MUL (integer multiplication), and FMUL (floating-point multiplication) x86 instructions can be identified in each.

“Magic-touch” attack

Another variant is what the authors call a magic-touch attack. In this scenario, instead of detecting patterns in sound coming from the computer, variations in the ground potential of the device are analyzed. As with the acoustic analysis, these voltage variations in the device’s ground can also be correlated with specific processing patterns. These ground-potential changes can be measured directly, or even by simply touching the chassis with one’s hand and then measuring the variation in body potential. Another approach is to measure the ground potential at the far end of a cable that carries a ground, such as a VGA cable.


I think the genie has escaped …

Getting more for your (cybercriminal) dollar

A couple of years ago, $300 might have bought you, if you’re a cybercriminal, the online credentials to access a bank account with maybe $7,000 in it. Today $300 can get you access (username and password) to an account with well over $100,000 in it, according to research from Dell SecureWorks. Prices are dropping, which means that more bad guys can get in on it.

The speculated reason for the price drop is a glut in the market following several large-scale data breaches over the past year. This condition is expected to last for some time.

Personal identities comprised of information such as name, SSN, date of birth, etc., are known as ‘fullz’. European fullz seem to sell for more than US citizen fullz. Maybe there is less availability of stolen European identities?

I was Googling ‘fullz’ to find a couple of different definitions, but I kept coming across advertisements selling fullz, complete with price lists. At first I thought I had stumbled across some secret cybercriminal stash of online identities, but they’re everywhere. Here are snippets of some of the ones that I ran across (i.e. the first page of a Google search; I didn’t have to dig for these).


Joe Stewart with Dell SecureWorks and independent researcher David Shear also report these prices for purchasing botnets (networks of pre-compromised computers from which the buyer can deliver a wide variety of malware options):

  • 1,000 bots = $20
  • 5,000 bots = $90
  • 10,000 bots = $160
  • 15,000 bots = $250

Customers shopping for distributed denial-of-service (DDoS) attacks can expect rates similar to these:

  • DDoS attacks per hour = $3-$5
  • DDoS attacks per day = $90-$100
  • DDoS attacks per week = $400-$600

These prices kind of bum me out because they are llloowww.

We hear all of the time that cybercrime and cyberattacks are terrible and getting worse.  These numbers, though, drive that point home — it’s just not hard to buy into this game.

Rats on the West Side, bed bugs uptown

[chart: ENISA threat trends, 2012 to 2013]

The just-released 2013 ENISA (European Union Agency for Network and Information Security) Threat Landscape report is consistent with Mick Jagger’s prescient 1978 prediction of the state of cybersecurity, captured here:

Don’t you know the crime rate
Is going up, up, up, up, up
To live in this town you must be
Tough, tough, tough, tough, tough

A number of known threats continue, attack tools are increasingly sophisticated, more nation-states are becoming proficient with these tools, and the mobile ecosystem is a ripe new battlefield. On the upside, reporting and information sharing between organizations has increased, and vendor turnaround in response to new vulnerabilities is faster.

I can’t give it away on 7th avenue — cheap and plentiful devices

In 1969, Jagger and Richards revisit uncertainty and remind us that we can’t always get what we want.

While known to be a factor for some time, a newcomer to the threat list is the Internet of Things (IoT). IoT devices are networked devices that move, control, sense, surveil, record video and audio, and otherwise collect and share information from and with their environment. Development tools and production for these networked devices and systems are cheap, and billions more are expected in the next couple of years. (There’s even a conference preparing a road map for a trillion sensors in the next several years.)

Low security is the rule rather than the exception for these devices, and large amounts of data are being generated. The ENISA report says, “smart environments are considered the ultimate target for cyber criminals.” For example, preliminary work for phishing attacks can be augmented by learning where a victim’s smart home is, picking up information leakage from their integrated media devices (Xbox One is doing more than just playing Halo), learning what a user’s energy usage profile looks like, etc. ENISA calls out the following top emerging threats in the Internet of Things space:

[chart: ENISA top emerging threats in the Internet of Things space]

Other threats identified include:

  • Differences among the many smart appliances lead to large variances in the context and content of transmitted data, opening avenues for cybercriminals.
  • Devices are built on embedded systems, some of which have not yet been widely deployed. Some of these embedded cores (of many different types and manufacturers) will have unknown and unpublished functions, and many will be difficult to maintain (keep patched). Look at the recent D-Link saga.
  • Many devices built on embedded systems do not communicate their operational status to the user, e.g. “I am working,” “I am actively collecting data on your environment,” “I am behaving erratically,” “I am off,” etc.
  • Increased data creation leads to increased data storage, data concentration, and correspondingly higher bandwidth requirements and loads. Even a little analysis can result in a significant increase in resources. Remember the basic database join (or, even simpler, the Cartesian product)? You start with three elements in one list (A, B, C) but want to relate them to the data in another list (D, E, F), so you relate them in a third table and you get (AD, AE, AF, BD, BE, BF, CD, CE, CF). If each element used, say, 1 MB of space (so that each joined pair such as AD takes 2 MB), your initial storage and bandwidth requirement quadruples from 6 MB (A + B + C + D + E + F) to 24 MB (A + B + C + D + E + F + AD + AE + AF + BD + BE + BF + CD + CE + CF).

For me, the other thing about Internet of Things (IoT) devices is that we often don’t really think of them as sensing, computing, analyzing, data-collecting and transmitting devices. Many seem innocuous and, often, we don’t even know they’re there.

Life’s just a cocktail party

Finally, assuming that these IoT devices have already been vetted by somebody else (like the store that we bought them from) is, unfortunately, flawed logic. Businesses large and small will be rushing to market with typically insecure devices, and they won’t be taking the time to analyze all of the ways their product could be misused. As consumers, we need to develop the skill of asking, ‘how could this device be misused?’ Most of us aren’t used to thinking like that. A family in Texas learned that the hard way a few months ago with their baby monitor. In general, if a device operates over the network and we can see it, then somebody else can see it.

Shadoobie.

[chart images from http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats]

Password usage seems to follow a Zipf distribution

Like word frequencies and company sizes, the frequency of use of particular passwords seems to follow a Zipf (power-law) distribution. That is, a lot of people pick from a small common pool of passwords, and the number of people using a particular password drops off quickly once you step outside that common pool.

[chart: password frequency distribution]

Mark Burnett’s research shows that, of a list of 10,000 ranked passwords:

  • 91% of users have a password from the top 1,000 passwords
  • 79% of users have a password from the top 500 passwords
  • 40% of users have a password from the top 100 passwords

BTW, almost 5% of all users have the password ‘password’.

List of top passwords here.  Heads up — there’s some colorful language in play here for popular passwords.
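As an added example (not code from the original post, and not Burnett’s data), the following Python computes, over a constructed Zipf-shaped set of password counts, the share of accounts covered by the top-k passwords, the deny-list size needed to reach a coverage target, a rough Zipf exponent fit for the head of the ranking, and the theoretical top-k share under an ideal Zipf law, which is the number a defender sizing a common-password deny-list cares about.

```python
from math import log

# Constructed sample, NOT Burnett's data: how many accounts chose each password.
# The head is shaped like 500/rank (Zipf with exponent ~1); the tail is 200
# accounts that each picked something unique.
SAMPLE_COUNTS = {
    "password": 500, "123456": 250, "12345678": 167, "qwerty": 125,
    "abc123": 100, "monkey": 83, "letmein": 71, "dragon": 62,
    "111111": 56, "baseball": 50, "iloveyou": 45, "trustno1": 42,
}
SAMPLE_COUNTS.update({f"unique-{i}": 1 for i in range(200)})

def ranked_counts(counts):
    """Account counts sorted from the most-used password (rank 1) downward."""
    return sorted(counts.values(), reverse=True)

def top_k_coverage(counts, k):
    """Fraction of accounts whose password is among the k most common."""
    ranked = ranked_counts(counts)
    return sum(ranked[:k]) / sum(ranked)

def denylist_size_for(counts, target):
    """Smallest k such that denying the top-k passwords covers `target` of accounts."""
    ranked = ranked_counts(counts)
    total, running = sum(ranked), 0
    for k, c in enumerate(ranked, start=1):
        running += c
        if running / total >= target:
            return k
    return len(ranked)

def fit_zipf_exponent(counts, head):
    """Negated least-squares slope of log(count) vs log(rank) over the top `head`
    ranks; a value near 1 means the head follows count ~ 1/rank."""
    ranked = ranked_counts(counts)[:head]
    xs = [log(r) for r in range(1, len(ranked) + 1)]
    ys = [log(c) for c in ranked]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return -sxy / sxx

def zipf_share(s, n, k):
    """Share of probability mass held by the top k of n ranks under an ideal
    Zipf law with exponent s (what a deny-list of size k buys in theory)."""
    weights = [r ** -s for r in range(1, n + 1)]
    return sum(weights[:k]) / sum(weights)

if __name__ == "__main__":
    print(denylist_size_for(SAMPLE_COUNTS, 0.9), fit_zipf_exponent(SAMPLE_COUNTS, 12))
```

The long tail is why the deny-list size jumps once the head is exhausted: past the common pool, each banned password buys only one account.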

Most SMBs don’t consider cyberattack a substantial risk to their business

Ponemon Institute has released its Risk of an Uncertain Security Strategy study. It surveyed over 2,000 IT professionals overseeing the security role in their respective organizations. The study identified seven risks that follow from uncertainty in security strategy:

1. Cyber attacks go undetected
2. Data breach root causes are not determined
3. Intelligence to stop exploits is not actionable
4. Cybersecurity is not a priority
5. Weak business case for investing in cyber security
6. Mobility and BYOD security ambiguity
7. Financial impact of cyber crime is unknown

Most respondents believe that compliance efforts did not enhance their security posture. The survey item was: [Do you agree that] “compliance standards do not lead to a stronger security posture?”

[chart: responses on whether compliance standards lead to a stronger security posture]

Types of attacks that respondents reported are summarized as:

[chart: types of attacks reported by respondents]

Notably, 31% of respondents said that no one person or role was in charge of establishing security priorities, and 58% said that management does not see cybersecurity as a significant risk. Finally, the study also indicated that the further up one went in the organization’s hierarchy, the more distant people were from understanding the organization’s cyber risk and related strategy. While not surprising, this is discouraging.

I keep coming back to the idea of force protection that the military had to develop 30 years ago. In response to world events, including attacks on bases and personnel, the military realized that it needed to explicitly move resources, funds, and capacity away from the operational (pointy) end and use them to protect and resource the rear if it was to be survivable and sustainable. Over time, I think the market will bear this out for most SMBs too. That is, I believe that the businesses that have been successful over several years will tend to be the ones that have made some investment in cybersecurity and resilience, and that the businesses that disappear after a short time will correlate strongly with those that did not invest in resilience.

Even though these conclusions might be fairly obvious, it’s not going to be pretty to watch.