Wednesday, January 25, 2012

The 2006 Theft of Symantec's Source Code - Response and Repercussions

If 2011 was the year of the RSA breach, 2012 may well be the year of the Symantec breach (NASDAQ:SYMC). Symantec has recently acknowledged that its source code for multiple products was stolen in 2006 after "Yama Tough", a member of a hacker crew called "The Lords of Dharmaraja", posted a portion of it on Pastebin. It's unlikely in my opinion that the Lords of Dharmaraja were responsible for the original breach. They don't appear to know exactly what they have yet since YT posted that he's delaying the release of the rest of the code until they create some Zero-days for it. If they had it for six years, he wouldn't need the extra time to find ways to exploit it. So some of the questions yet to be answered are who breached Symantec's network in 2006 and how did Yama Tough gain access to it? His claim about stealing it from Indian government servers was clearly a lie.

The worst part is that Symantec, the world's largest security software company, was clueless about the theft of its own source code for almost six years; which means that its thousands of customers were clueless as well. A software company's source code is its crown jewels; both because it's the "brains" behind the company's proprietary software line and because if an adversary had access to it, they could quickly write new malware (known as a "Zero-Day") that would silently compromise any protections that the software offered to its legitimate customers. If the compromised application is security software, like it is in this case, then the impact of the stolen source code is much worse. Since the malware author is writing exploits for heretofor unknown weaknesses in the code, the Symantec customer will probably never know that he's been compromised. If Symantec is this careless about securing and monitoring their Norton code repository, how can they state with confidence that any of their products are safe from compromise? It appears that they can't. Notice the wording in their latest posting at their website (January 24, 2012, 22:50 PST) which refers to a non-Norton product: "The Symantec Endpoint Protection 11 product – which was initially released in the fall of 2007 – was based upon a separate code branch that we do not believe was exposed." (emphasis added)

If my company was a Symantec customer, and we aren't, I wouldn't want to know what Symantec "believes". I'd want to know what Symantec "knows". If they can't say definitively that Symantec Endpoint Protection is safe to use, then my advice to Taia Global clients and others is to not use it. The products that Symantec has acknowledged are compromised in the afore-mentioned notice on its website are:
  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • Norton pcAnywhere
However, in a non-published letter to partners from Randy Cochran (VP, Americas Channel Sales), Symantec expanded the list of affected products to include:
  • Norton Antivirus Corporate Edition
  • Norton Internet Security
  • Norton SystemWorks (Norton Utilities and Norton GoBack)
  • pcAnywhere 12.0, 12.1 and 12.5
  • Symantec Endpoint Protection v11.0, which is four years old
  • Symantec AntiVirus v10.2, which is five years old code (discontinued)
To date, Symantec's handling of this incident has been poor. The company has never addressed why it took  six years to uncover a breach of their source code, nor how it happened in the first place, nor what steps the company is taking to determine whether a further breach of its network has occurred in the succeeding years, nor how they're going to prevent this from happening in the future. Further, how many of Symantec's corporate and government customers have been unknowingly compromised through zero-day attacks because of Symantec's poor network security practices? And finally, how many past breaches that have been publicized were also using these specific Symantec products? I'll be speaking to that last question at the upcoming Suits and Spooks conference on Feb 8th. 

Thursday, January 19, 2012

Inconclusive Attribution Is Worse Than No Attribution

A China expert friend of mine just sent me a link to a Defense News article by Andrew Tilghman "Chinese Virus Targets DoD Common Access Card". Jaime Blasco, lab manager for AlienVault, said "the virus is linked to a “command and control server” that appears to be based in China; some flaws buried deep in the code revealed Chinese language characters, suggesting that only a Chinese speaker would be able to launch it." Tilghman's headline doesn't accurately reflect Blasco's findings. Instead, he chose a sensationalistic headline that would attract readers. Unfortunately, it also attracts researchers, pundits and U.S. government employees who harbor an anti-China slant and who collect stories like this to add fuel to an already hot anti-China sentiment on the Hill.

As I've said many times before, the geolocation of IP addresses mean absolutely nothing since IP addresses are easily obtainable by anyone - both legally and illegally. Chinese characters in the code only mean that a Chinese engineer was involved at some point. How many Chinese engineers work for Western companies or are naturalized citizens outside of the PRC? I shouldn't have to state the obvious fact that because you write using Chinese characters doesn't mean that you work for the Chinese government. That's beyond simple ignorance; bordering on Xenophobia.

Related:
Why I Oppose the 12 Chinese Hacker Groups Claim
Rep. Mike Rogers Needs To Re-Think His China Tactics
The Case Against The Case Against China


Monday, January 16, 2012

Intelligence on Russian Information Warfare Activities

Threat Intelligence and Cyber Intelligence are phrases that are tossed around both frequently and casually these days. Threat intelligence as it's used by the information security community has to do with malware and malicious IPs. Cyber intelligence is used even more loosely and may cover everything from Threat Intelligence to discovering who the members of Anonymous are. My company Taia Global Inc. has been providing highly targeted open source intelligence reports on foreign corporations' government connections as well as the information warfare activities of individual nation states since 2009. Since most of our foreign government clients are interested in the IW activities of the Russian Federation, we focus a lot of attention there. Here is what we've produced in the last few months alone:
  • Center for Computer Emergency Response of the Russian Federation (RU-CERT)
  • Roskomnadzor and the Cyber Vigilantes
  • Russian Federal Security Service Center for Electronic Surveillance of Communications - Military Unit (Vch) 71330
  • Russian Federation Security Council and the Evolution of Russia’s Information Security Doctrine
  • Federal State Unitary Enterprise Scientific Research Institute Kvant (Federal Security Service)
  • Federal Security Service (FSB) Internet Monitoring Vendors
  • Federal Security Service (FSB) Administrative Centers for Information Security
Apart from these specialized reports, we also produced the 2011 Russian Federation Information Security Reference.

If Russia is an important piece of your organization's business or security plans and you'd like more information about our intelligence services for the Russian Federation or other countries in Asia, the EU or elsewhere, you can contact us via the Taia Global website.

Thursday, January 12, 2012

The Lords of Dharmaraja Faked Indian Gov't Memo on Phone Surveillance

On January 6, 2012, ZDNet reported that a hacker named Yama Tough, a member of the Lords of Dharmaraja hacker group, claimed to have access to documents that described an Indian military intelligence operation which gathered intelligence via backdoor access to Nokia, Apple, and Research In Motion smart phones. The document was made to look official, complete with redacted portions. It named authentic Indian government agencies and individuals to frame a fictional account of an "Advanced Cellular Intercept Programme" targeting the U.S. China Economic and Security Review Commission (USCC.gov). The document included portions of intercepted emails allegedly obtained through a mobile phone surveillance program using the acronym RINOA SUR (RIm, NOkia, Apple SURveillance).

The emails were stolen from the Indian embassy in Paris and posted to Pastebin in December by Yama Tough and consist of the .BAT archive for one person - William Reinsch, National Foreign Trade Council member and Commissioner of the USCC. I compared the emails contained in the .bat archive of Mr. Reinsch with the emails allegedly collected through RINOA SUR against multiple USCC commissioners and they were identical, which is either a tremendous coincidence or evidence that Yama Tough has invented this entire scandal in order to get more mileage out of the original hack.

Other problematic issues with the alleged Indian military intelligence operation are that Indian Military Intelligence is not mandated to conduct electronic surveillance, with or without the President's authority under the Indian constitution. Also, memos are not internally redacted within the Indian Civil Service.

The Lords of Dharmaraja are mixing authentic stolen data with invented scenarios in order to get more publicity for themselves. Besides their fictional RINOA SUR operation, they've apparently released some new information via InfoSecIsland. Based upon what we've seen so far, it should be treated with a high degree of suspicion.

Monday, January 9, 2012

The Stratfor E-mail Address Scandal That Isn't

The Guardian just ran a sensational story about hundreds of British government and NATO email addresses being exposed via the Stratfor hack. The L.A. Times ran a similar story featuring other exposed email addresses from various U.S. agencies and organizations including the White House. In fact, my email was among those exposed. My response is - big deal. I publicize my email address on the Web. It's one of many that I use for different purposes. An email in and of itself means very little. An email with a ridiculously easy password could be a problem if the person was foolish enough to use that same combination on his work email address but for most people, especially those in large corporations and the U.S. Government, that's next to impossible to do because of specified password requirements and two-factor authentication. And in the case of obtaining free reports via Stratfor's marketing strategy, why bother using a strong password as long as it and its associated email address are different from ones that you use for work? In fact, programs like Anonymizer give you throw-away email addresses and passwords to use for just such an occasion.

One of the articles that I read claimed that the Stratfor breach included 3 email addresses from the White House. Well, two of those were President@whitehouse.gov and Prez@whitehouse.gov. Does anyone seriously believe that either of those are real? They're most likely the invention of someone who, like me, wanted to read one of Stratfor's "free" reports. Stratfor doesn't validate those email addresses and every time you want to download another free report you need to invent a different email address to register under. That's why Stratfor has so many email addresses in its system. People who want a freebie report are loading them up with valid and invalid email addresses like "Prez@whitehouse.gov".

So what are the repercussions to have your email address listed along with hundreds of thousands of others? Spam and spear phishing attacks are pretty much it and both of those can be easily avoided if you've paid any attention to network breaches in the past year. In the rare case that you used your work email address along with your work password, you're pretty much screwed (and deserve to be for being so carless) but by now you've changed your password anyway. The worst part of the Stratfor hack wasn't the release of those email addresses. It was Stratfor's atrocious handling of its members credit card data and the awful state of its own network security. The worst part may be yet to come, if and when Anonymous releases the contents of those emails between Stratfor analysts and their corporate and government clients. Once that happens, you'll be wishing that all you had to worry about was an exposed email address with a weak password.

Related:
An Open Letter to George Friedman and Stratfor
Was Stratfor Breached By An Insider?

Wednesday, January 4, 2012

Money laundering, Shape shifting, Satellite Spying, and You

When was the last time that you were in a Washington DC conference room with a Hollywood actress, the CISO of In-Q-Tel, two product managers from DARPA, an expert in money laundering, a world-class hacker, a spokesman for George Clooney and John Prendergast's Satellite Sentinel Project, an expert on open source warfare and a former CIA station chief (and that's not all of our speakers)? I'm guessing never because the Suits and Spooks Anti-Conference doesn't follow trends. It breaks them. This one day event will include breakfast, lunch, and a cocktail reception hosted by the Business Executives for National Security (BENS) on the 24th floor of the Waterview Conference Center overlooking the Potomac river and the Capital.

The early bird registration ($395) is coming to a close at the end of business Friday, January 6th. We have extra low rates for U.S. government employees ($295) and for university faculty and students ($195). Everyone who attends will also receive a signed copy of the second edition of my book "Inside Cyber Warfare" (O'Reilly Media 2011). We want to re-shape the way that we think about security and we have room for up to 100 innovative thinkers and decision makers across a multitude of disciplines - NOT just information security. Please be a part of Suits and Spooks in Washington DC next month. The discussions and networking will be truly memorable. Register here today.

Related:
The Use of Covert Cyber Counter Strikes As Active Defense
Spontaneous Analysis of Unstructured Speech for Idea Development using Palantir
George Clooney's Satellite Sentinel Project

Monday, January 2, 2012

Was Stratfor Breached By An Insider?

While waiting for the other shoe to drop on the Stratfor breach (the release of a few million emails), I took a look at who works for the company in an attempt to understand how they could have made so many mistakes in handling their customer and client data as well as their network security. The adage that a company is only as good as its employees is certainly true about Stratfor.

The company was founded in Austin, TX in 1996 by George Friedman, an academic. LinkedIn has profiles on 63 of its employees. According to those profiles none have a background in information security. The company doesn't have a Chief Information Officer, Chief Security Officer, or Chief Information Security Officer. None of its employees' profiles show that any of them have ever worked at NSA, CIA or any other 3-letter agency. Two senior executives (Fred Burton and Scott Stewart) came from State's Diplomatic Security Service. Many of Stratfor's employees came to the company just after they graduated from college including, most importantly, their IT director for almost 13 years Michael Mooney. Mooney graduated from UT Austin in 1994, joined Stratfor in 1997 and left in September, 2011. I've tried to contact Mr. Mooney by email to find out his side of the story, why he left the company, etc., but so far, no joy. Stratfor's Chief Technology Officer Frank Ginac apparently didn't care for his work based upon his "Mooney's Turds" comment posted by Anonymous:
"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."
If Mooney was fired and held a grudge against Ginac and/or Stratfor, then he would certainly have a motive for payback by helping Anonymous root the company's servers. The timing is certainly interesting. Mooney left the company and a new replacement was found for him almost immediately (October, 2011) which suggests that Ginac was unhappy with Mooney and was looking for a replacement before letting him go. Considering the shabby state of Stratfor's network security, the attacker(s) could have been in there for a few months prior to the December 24th event.

I'm not accusing Michael Mooney of being involved. I am, however, stating that attacks by insiders who hold a grudge against their employer are commonplace and Mooney's position along with the circumstances around his departure will certainly be explored by law enforcement as part of the investigation. Apart from who was allegedly involved, there's no mystery about why Stratfor's network was in the state that it was in. Security wasn't a priority and there was no in-house expertise to make it one. Next comes the consequences to Stratfor's customers, which George Friedman (CEO), Frank Ginac (CTO), and Darryl O'Connor (COO) all need to be held responsible for.

UPDATE (0337PST 03JAN12): According to Stratfor CTO Frank Ginac's Twitter stream, he had been looking to hire a System Administrator (Michael Mooney's job) since January 24, 2011. He repeated his need for a Sys Admin on 28 February and 22 July. It turns out that Michael Mooney wasn't the only Stratfor employee to leave the company in September 2011. So did a Cloud engineer named Trent Geerdes. Neither person has responded to my request for comment.

Ironically, four days before tweeting his first announcement (Jan 24, 2011), Ginac had this to say about security:







UPDATE (1850 PDT 18MAY12): To date there has not been any evidence that an insider was involved in this attack. The FBI has made arrests in the case.