Tag Archives: risk

More ghosts in the machine

Leave a reply

It turns out that the microprocessors that are on almost every SD memory device produced are accessible and fully programmable. This has significant implications for security and data assurance and is an archetypal example of what we are facing regarding new risks from the Internet of Things (IoT).

Two researchers, Sean Cross who goes by xobs and Andrew Huang, aka bunnie, presented at Chaos Communication Congress last week and simultaneously released a blog post on their discovery and approach.

SD Card Image

SD devices are ubiquitous and found in smart phones, digital cameras, GPS devices, routers and a rapidly growing number of new devices.  Some of these are soldered onto circuit boards and others, probably more familiar to us, are in removable memory devices developed by Kingston, SanDisk and a plethora of others.

 

Microprocessors built into memory devices?

According to the presentation and Bunnie’s blog post, the quality of memory in some of these chips varies greatly.  There is variance within a single manufacturer, even a highly reputable one like SanDisk. There is also variance because there are many, many SD device manufacturers and a lot of those don’t have the quality control or reputation of the larger companies.  In his presentation, he gives a funny anecdote involving a fabrication factory tour of a manufacturer in China that was complete with chickens running across the floor.

So, on any memory device produced, there are bad sections. Some devices have a lot more than others, eg up to 80% of the memory real estate is unusable.  That’s where the onboard microprocessors come in.  These microprocessors run algorithms that identify bad memory blocks and perform complex error correction.  Those processes sit between the actual physical memory and the data that is presented at the output of the card. On a good day, that data that the user sees via the application on the smart phone, camera or whatever is an error-corrected representation of what the actual ones and zeros are on the chip. Ideally, that data that ultimately reaches you as the user appears to be what you think your data should be.

“Mother nature’s propensity for entropy”

Huang explains that as business pressures demand smaller and smaller memory boards, the level of uncertainty of the data in the memory portion of the chip increases.  This in turn increases the demand on error correction processes and the processor running them. He suggests that it is probably cheaper to make the chips in bulk (with wide quality variance) and put an error-correcting processor on the chip than it is to produce a chip and then fully test and profile it.  In their research, it was not uncommon to find a chip labelled with significantly smaller capacity than that available on the actual chip.

What Cross and Huang were able to do is actually access that microprocessor and run their own code with it.  They did this by development of their own hardware hacking platform (Novena), physically cracking open a lot of devices (breaking plastic), lots of trial and error, and research on Internet search sites, particularly Google and China’s Baidu.

The fact that there is a way to get to the processes that manipulate the data sitting on the physical memory has significant implications. Ostensibly, these processors are there to support error correction so that your data appears to be what you want it to be.  However, if (when) those processors are accessed by a bad guy:

  • the bad guy can read your data while it’s on its way to you, ie Man In the Middle (MITM) attack
  • the bad guy can modify your data in place — to include modifying encryption keys to make them less secure
  • the bad guy can modify your data while it’s on its way to you
  • others

Illusion of perfect data

At about 7:28 in the video, Huang makes a statement that I believe captures much of the essence of the risk associated with IoT:

“… throw the algorithm in the controller and present the illusion of perfect data to the user …”

While this specific example of IoT vulnerability is eye-opening and scary, to me it is a way of showcasing a much bigger issue. Namely, the data/information presented to us as a user is not the same data/information that is stored somewhere else. That physically stored data has gone through many processes by the time it reaches the user in whatever software/hardware application that they are using.  Those intermediate processes where the data is being manipulated, ostensibly for error correction, are opportunities for misdirection and attack.  Even when the processes are well-intentioned, we really don’t have a way of knowing what they are trying to do or if they are being successful at what they are trying to do.

What to do

So what can we do? Much like watching a news story on TV or reading it online, the data/information that we see and use has been highly manipulated — shortened, lengthened, cropped, edited, optimized, metadata’d, and on and on — from its original source.

matrixmoviecover

Can we know all of the processes in all of the devices? Unlikely.  Not to get too Matrix-y, but how can we know what is real? I’m not sure that we can.  I think we can look at certifications of some components and products regarding these intermediate processes, similar to what Department of Defense and other government agencies wrestle with regarding supply chain issues.  However, there will be a cost that the consumer feels for that and the competition driven from the lower cost of non-certified products will be high. Maybe it’s in the public interest that products with certified components are publicly (government) subsidized in some way?

An unpleasant pill to swallow is that some, probably substantial, portion of the solution is to accept that we simply don’t know.  And knowing this, modify our behavior — choose what information we save, what we write down, what we communicate. It’s not the idyllic privacy and personal freedom place that we’d prefer, but I think at the end of the day, we won’t be able to get away from it.

 

slides from conference 
Bunnie blog
Xobs blog
[MicroSD image from Bunnie blog]

 

We’re gonna need a bigger boat — FTC ruling on (at least one) IoT device

Leave a reply

biggerboatI missed this when it came out in last fall, but it is a step in the right direction.  An IoT manufacturer has settled with the FTC  for “failure to reasonably secure IP cameras against unauthorized access” for their cloud-connected IoT video camera.  According to the complaint, the FTC went after the manufacturer, TrendView, for several issues with its SecurView cameras to include:

  • transmitted user login credentials in the clear
  • user credentials stored in the clear
  • vendor failed to implement a process to actively monitor security vulnerability reports from third-party researchers
  • lack of security architecture review
  • lack of security review and testing during software development

The FTC alleged that these, among others, contributed to putting users at “significant risk.”

Also, according to this article at ReadWrite.com,  a security researcher figured out that one of the Internet domain names that the manufacturer had listed as a secure host for video streams was not registered!  The researcher, Craig Heffner, now with Tactical Network Solutions, was able to acquire that domain name. If desired, he could have then picked up all of the video streams from users pointing their devices to that domain.  Since the users were advised by the manufacturer to use that domain name, the users would have no idea that their data could have been streaming to someone else.

And the networked-based video surveillance business is booming.  Per the FTC complaint, IP (Internet Protocol) video camera sales were $6.3 million in 2010, $5.8 million in 2011, and $7.4 million in 2012.  Remember, this is just one company’s products.  There are many others and the number of manufacturers will continue to grow.

Without such challenges by an agency like the FTC, there is little to motivate manufacturers to supply products that have been developed with reasonable security oversight in the process.  That said, with tens of billions of IoT devices expected in the next few years, I don’t think that the FTC, as it stands, is going to be able to make a huge dent.  It seems to me that an entirely new way of viewing and enforcing privacy law is required and I don’t see that coming in the near future.

As Brody observed in the movie Jaws in 1975, “We’re gonna need a bigger boat.”

Getting more for your (cybercriminal) dollar

Leave a reply

A couple of years ago $300 might have bought you, if you’re a cybercriminal, the online credentials to access a bank account with maybe $7,000 in it.  Today $300 can get you access (username and password) to an account with well over $100,000 in it according to research from Dell SecureWorks. Prices are dropping.  Which means that more bad guys can get it.

Speculation for the price drop is that a glut exists in the market subsequent to several large scale data breaches over the past year. This condition is expected to last for some time.

Personal identities comprised of information such as name, SSN, date of birth, etc are known as ‘fullz’.  European fullz seem to sell for more than US citizen fullz.  Maybe there is less availability of European stolen identities?

I was Googling ‘fullz’ to find a couple of different definitions, but I kept coming across advertisements to sell fullz, complete with price lists. At first, I thought I had stumbled across some secret cybercriminal stash of online identities, but they’re everywhere.  Here are snippets of some of the ones that I ran across (ie 1st page of a Google search — I didn’t have to dig for these).

fullz4

[click to enlarge]

fullz1 fullz2 fullz3

Joe Stewart with Dell SecureWorks and independent researcher David Shear also report these prices for purchasing botnets (networks of pre-compromised computers from which the buyer can deliver a wide variety of malware options):

  • 1,000 bots = $20
  • 5,000 bots= $90
  • 10,000 bots = $160
  • 15,000 bots = $250

Customers shopping for Distributed Denial of Service Attacks can expect rates similar to these:

  • DDoS Attacks Per hour = $3-$5
  • DDoS Attacks Per Day = $90-$100
  • DDoS Attacks per Week = $400-600

These prices kind of bum me out because they are llloowww.

We hear all of the time that cybercrime and cyberattacks are terrible and getting worse.  These numbers, though, drive that point home — it’s just not hard to buy into this game.

Rats on the West Side, bed bugs uptown

Leave a reply

enisa20122013trends

The just-released 2013 ENISA (European Union Agency for Network and Information Security) Threat Landscape report  is consistent with Mick Jagger’s prescient 1978 prediction of the state of cybersecurity, captured here:

Don’t you know the crime rate
Is going up, up, up, up, up
To live in this town you must be
Tough, tough, tough, tough, tough

A number of known threats continue, attack tools are increasingly sophisticated,  more nation-states are becoming proficient with these tools, and the mobile ecosystem is a ripe new battlefield. On the upside, reporting and information sharing between organizations has increased and vendor turn around in response to new vulnerabilities is faster.

I can’t give it away on 7th avenue — cheap and plentiful devices

!n 1969 Jagger-Richards revisit uncertainty & remind us that we can't always get what we want

While known to be a factor for some time, a newcomer to the threat list is the Internet of Things (IoT).  IoT are networked devices that move, control, sense, surveil, video/audio, and otherwise collect and share information from and with the environment. Development tools and production for these networked devices and systems are cheap and billions more are expected in the next couple of years.  (There’s even a conference preparing a road map for a trillion sensors in the next several years.)

Low security is the rule rather than exception for these devices and large amounts of data are being generated. The ENISA report says, “smart environments are considered the ultimate target for cyber criminals.”  For example, preliminary work for phishing attacks can be augmented by gaining information about where a victim’s smart home is, picking up information leakage from their integrated media devices (Xbox One is doing more than just playing Halo), accessing what a user’s energy usage profile might be, etc. ENISA calls out the following top emerging threats in the Internet of Things space:

enisaiot Other threats identified include:

  • Differences in many different smart appliances lead to large variances in context and content of transmitted data, opening avenues for cybercriminals.
  • Devices built on embedded systems, some of which have not yet been widely deployed.  Some of these embedded cores (of many different types and manufacturers) will have unknown and unpublished functions and many will be difficult to maintain (keep patched). Look at the recent D-Link saga.
  • Many devices built on embedded systems do not communicate operational status to the user, eg “I am working,” “I am actively collecting data on your environment, “I am behaving erratically,” “I am off,” etc.
  • Increased data creation leads to increased data storage amounts, data concentration, and corresponding increased bandwidth requirements/loads. Even a little bit of analysis can result in a significant increase in resources. Remember the basic database join (or even simpler Cartesian product) ? — you start with three elements in one list (A,B,C), but want to relate them to data in another list (D,E,F), so you relate them in a third table and you have (AD,AE,AF,BD,BE,BF,CD,CE,CF).  If each element used say 1 MB of space, your initial storage and bandwidth requirement quadrupled from 6 MB (A + B + C + D + E + F) to 24 MB (A + B + C + D + E + F + AD + AE + AF + BD + BE + BF + CD + CE + CF).

For me, the other thing about Internet of Things (IoT) devices is that we often don’t really think of them as sensing, computing, analyzing, data collecting and transmitting devices.  Many seem innocuous and, often, we don’t even know they’re there.

Life’s just a cocktail party

Finally, assuming that these IoT devices have already been vetted by somebody else (like the store that we bought it from) is, unfortunately, flawed logic. Businesses large and small will be rushing to market with typically insecure devices and they won’t be taking the time to analyze all of the use cases of how their product could be misused. As consumers, we need to develop the skill of thinking, ‘how could this device be misused? ‘ Most of us aren’t used to thinking like that.  A family in Texas learned that the hard way a few months ago with their baby monitor. In general, if a device operates over the network and we can see it, then somebody else can see it.

Shadoobie.

[chart images from http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape-2013-overview-of-current-and-emerging-cyber-threats]

Password usage seems to follow Zipf distribution

Leave a reply

Like word distributions and company sizes, frequency of usage of particular passwords seems to follow a Zipf distribution or power law distribution. That is, there are a lot of people that pick from a small common pool of passwords and that the number of people that use a particular password drops off quickly once you step away from that common pool.

passworddistributionMark Burnett’s research shows that, of a list of 10,000 ranked passwords:

  •  91% of users have a password from the top 1000 passwords
  • 79% of users have a password from the top 500 passwords
  • 40% of users have a password from the top 100 passwords

BTW, almost 5% of all users have the password, ‘password’.

List of top passwords here.  Heads up — there’s some colorful language in play here for popular passwords.

Most SMB’s don’t consider cyberattack a substantial risk to their business

Leave a reply

Ponemon Institute has released its Risk of an Uncertain Security Strategy study.  It surveyed over 2000 IT professionals overseeing the security role in their respective organizations.  The study identified 7 consequent risks of uncertainty in security strategy:

1. Cyber attacks go undetected
2. Data breach root causes are not determined
3. Intelligence to stop exploits is not actionable
4. Cybersecurity is not a priority
5. Weak business case for investing in cyber security
6. Mobility and BYOD security ambiguity
7. Financial impact of cyber crime is unknown

Most respondents believe that compliance efforts did not enhance security posture: [Do you agree that] “compliance standards do not lead to a stronger security posture?”

ponemoncompliancegraphic

Types of attacks that respondents reported are summarized as:

ponemontypesofattack

Notably, 31% of respondents said that no one person or role was in charge of establishing security priorities.  58% said that management does not see cybersecurity as a significant risk. Finally, the study also indicated that the further up one went in the organization’s hierarchy, the more distant they were from understanding the organization’s cyber risk and related strategy. While not surprising, this is discouraging.

I keep getting back to the idea of force protection that the military had to develop 30 years ago. In response to world events to include attacks on bases and personnel, the military realized that it needed to explicitly remove resources, funds, and capacity off of the operational (pointy) end and use them to protect and resource the rear if they were to be survivable and sustainable. Over time, I think the market will bear this out too for most SMB’s. That is, I believe that those businesses that have been successful over several years will tend to be the ones that have made some investment in cybersecurity and resilience. And of the businesses that disappear after a short time, a high correlation will be made with those that did not invest in resilience.

Even though these conclusions might be fairly obvious, it’s not going to be pretty to watch.

Cyber Readiness Index

Leave a reply

cyberreadinessindex

Keeping the costs in the value equation
[From Cyber Readiness Index 1.0, Melissa Hathaway.]

Consulting firm, Hathaway Global Strategies, has developed a “Cyber Readiness Index,” or CRI, based on economic growth.  The objective of the index is to measure maturity and commitment to protecting the investment in cyber infrastructure of each of the 35 countries included.  Specifically, the index looks at these five areas:

  1. national strategy
  2. incident response
  3. ‘e-Crime’ law enforcement
  4. information sharing
  5. R&D

The index combines measures of both economic prosperity and exposure to cyber risk.  For example,  cybercrime, resiliency issues, identity theft, intellectual property theft, and other cyber factors are highlighted to illustrate diminished country GDP.

Some conclusions that the study draws include:

  • Increase in prosperity that Internet technology and connectivity have brought over the past 30 years may not outweigh “the unreliability and riskiness caused by new threats”
  • Costs of malicious cyber activity and risk must be included in a nation’s evaluation of its prosperity so that security investment can be measured

I like the approach of this index.  As I suggested in my post on “Force Protection“, businesses and countries that depend on the Internet will have to redirect a real amount of its operating capacity to analyze risk and provide information security, just as the military did with personnel and physical assets in the late 70’s/early 80’s, if it is to continue to move forward.