Archive for August, 2016

Election Fraud Alert – August 2016

Tuesday, August 30th, 2016

This made me chuckle: https://www.yahoo.com/news/fbi-says-foreign-hackers-penetrated-000000175.html

Oh, so NOW elections can be hacked? Sheesh… where were these guys when Diebold began putting out voting machines that had no paper trail to corroborate votes with? That was back in the 90s and I remember howling about those. There was the Mexican national election of 1988, in which Cuauhtémoc Cárdenas was in the lead, strongly, when “the system crashed”… after being restored, Carlos Salinas de Gortari was out in front. All the ballots were burned three years later so that nobody could check to see if the voting database had been restored properly after crashing. President de la Madrid later admitted that the voting that year had been rigged. https://en.wikipedia.org/wiki/Mexican_general_election,_1988

In the US, we’ve had media outlets print election results before voting happened (most recently in Florida), voter registration screening software match white felons’ names to innocent black citizens, voter registration software deny the existence of residences (and hence said residents’ right to vote), and other miscarriages of election justice with specifically digital components to them. The idea that only just now are election machines vulnerable to hackers (no doubt mustache-twirling Russians!) is outrageous.

Thing is, those Diebold boxes are incredibly vulnerable to local tampering. There’s no need to run an attack on voting databases over a network. Physical access to the Diebolds means they can be made to report whatever the guy with access wants them to report. No paper trail, remember? So a story like this sounds a lot to me like part of a propaganda campaign, to extend a narrative that needs to be spun for possible future use.

We’ve already seen a narrative connect Russians to Donald Trump. I wonder aloud if we won’t see Trump victories blamed on voter fraud, connected back to “Russians” without any credible evidence offered up, and then see Trump’s cronies face criminal voter fraud charges. Such a move would be a “just in case” maneuver, should the election need a little stealing to get it back on track with how certain people believe it should come out. Interesting how the states mentioned were Illinois, a Democrat-leaning state, and Arizona, a “battleground” state. Illinois is a red herring: Arizona is where fun can be had. That state, plus 10 more electoral votes from either Missouri or Nevada plus New Hampshire, would be all that Clinton needs to get 270 electoral votes and win the election. This is why the story runs… just in case Clinton needs another 11 to win, she’s sown the seeds in Arizona to cast doubt on that election’s outcome, should it go towards the “Russian” favorite son, Donald Trump.

IT Counterintelligence

Monday, August 22nd, 2016

I really don’t like blaming all IT-related intrusions on “hackers”. The elaborate ones aren’t just some kid that’s figured out how to do a ransomware scam. They’re run by criminals and spies, or a mix of both. Being attacked by just hackers has a bit of comfort implied in that wording – hackers only use computers, right? They’re people with poor social skills that never break out of that stereotypical mold, right? But to say that criminals or spies were involved means that the attackers have a wide range of tools at hand to get what they want. They’ll engage in blackmail, murder, deception, all that criminal and spy stuff along with the IT-related intrusions as part of a comprehensive program to gather information.

These guys have zero intention of compromising the target beyond what is needed to gather information. They prefer that there be no ransomware or worm taking things down. They want five nines of uptime as much as the CEO does. They penetrate deep into a network and they require more than just an IPS or DLP in place to keep them from taking secrets out. They need some really paranoid thinking on the part of the target’s employees to minimize what they’re able to gather.

To that end, I’m going to recommend two videos from YouTube about counterintelligence.

Take a look at https://www.youtube.com/watch?v=xbf2I5ObTrk. It’s a little harsh, I agree, but it’s also for combat. All the same, it sets up a mindset I’d like users in general to have in regards to security. Don’t write down passwords. Don’t send information over unencrypted, unsecured channels. Don’t think for a minute that LinkedIn and Facebook aren’t unencrypted, unsecured channels… stuff like that…

Another video at https://www.youtube.com/watch?v=27qMsUxmHyo about tracking down and gathering information in a counterintelligence operation. It’s not just a matter of stopping the spies: it’s a matter of making sure that they don’t continue to penetrate one’s organization. If a firewall stops an attacker from getting in one way, it’s not necessarily a success. It just means an attacker will try to find another way in.

Real security is never thinking that the bad guys have given up and walked away. Some will, sure. But the rest? They’re always there, watching and probing. Real security means always watching and maintaining OPSEC.

The Internet of Things with Pre-Installed Backdoors

Friday, August 12th, 2016


Threatpost: https://threatpost.com/undocumented-snmp-string-exposes-rockwell-plcs-to-remote-attacks/119865/

The SEO-friendly URL says it all. The Rockwell PLCs in question have a RW SNMP community common to a range of their devices, undocumented, but if you can find it, you can light up every one of them.

Correction: there’s another SNMP string that allows even more access, also undocumented. That’s what makes this newsworthy. Not one backdoor, that’s old news. Two pre-installed backdoors, now we got us a story!

If you work with PLCs, read the article above, check to see if you’re using any of them, and then contact the manufacturer. You need to get all over this like a donkey on a waffle.

The Internet of Things Still in Development

Thursday, August 11th, 2016

So, I just read an article on some solar panels with a wifi connection that had a default admin name and password. That’s not news. What is news is that the solar panels were still in development and were mistakenly shipped to customers.

As we plunge deeper into the world of everything having an IP address, this incident highlights a new concern: what impact does improper labeling have on security? What if these were autonomous vehicles (our favorite bugbear) shipped to a dealer? More terrifying, what if these were controls for an LNG terminal or a nuclear reactor? It’s bad enough we have default credentials on production devices, but now we have to consider a mis-shipment of even less secure development devices.

Or, we can start to say “no”. The promises of cost savings and higher productivity need to be placed against a realistic risk assessment. Is saving a few bucks per IP-enabled lightbulb worth the possibility of a major PCI breach? OK, maybe I’m engaging in hyperbole, as well, but it’s no worse than the hyperbole of IoT marketers that aren’t telling the full story of how human fallibility is always a constant, even when we use computers to speed our poor decision-making processes.

We’ve had product recalls before, and we’ll have them again. But IoT ubiquity means a window of opportunity between the zero-day and the day of repair to wreak havoc, mayhem, and unintended accidents.

I’ll raise another concern: what about device interoperability? I know that if I have medication A, I may have to abstain from substance B if I don’t want a horrendous drug interaction. When will we be able to look at IoT devices working with each other and possibly breaking code as a result of such interoperation?

We need to have a Serious Discussion of Things before we have an Internet of Things.

A Night at the Outsourcer

Friday, August 5th, 2016


Driftwood: All right. It says the, uh, “The first part of the party of the first part shall be known in this contract as the first part of the party of the first part shall be known in this contract” – look, why should we quarrel about a thing like this? We’ll take it right out, eh?
Fiorello: Yeah, it’s a too long, anyhow. (They both tear off the tops of their contracts.) Now, what do we got left?
Driftwood: Well, I got about a foot and a half.

After talking with people from companies whose experiences with their outsourcing contracts can be best described as “disappointing”, I wonder if they didn’t have the equivalent of the Marx Brothers representing them in their contract negotiations. I’m not saying that the corporate lawyers were idiots, just that they may have been outclassed by the outsourcers’ lawyers. This is a specialized situation, after all.

Like the company doing the outsourcing, the outsourcer wants to maximize profits. Outsourcers are not charitable organizations, offering up low-cost business services to help the hapless firm with IT needs. They want to get paid, Jack! Some may want a long-term, quality relationship with a client, but there are plenty out there that want to sign a contract that, on the surface, looks like it will reduce costs, but it contains hidden standard business practices that will rake the clients over the coals.

One of the biggest gotchas in an outsourcing contract is the fact that the relationship between a company and its IT is no longer one of company to employee, but company to contractually provided service. That means the “one more thing” that managers like to ask for from their employees isn’t an automatic wish that will be granted. Did the contract authorize that one more thing? No? Well, that will cost extra, possibly a lot extra.

Another loss is the ability to say, “I know that’s what I wrote, but what I meant was…” as a preface to correcting a requested change. In-house staff can be more flexible and adapt to the refinement of the request. Outsourced staff? Well, it seems as though the staff were engaged to make a specific change, so there’s a charge for that, even though you decided to cancel the change in the middle of it. Now, the change you requested needs to be defined, submitted, and approved in order for us to arrange staff for the next change window…

There’s also the limit on the time-honored technique of troubleshooting the failed change and then making the troubleshooting part of the change. Consider a firewall change and then discovering that the vendor documentation left out a port needed for the application to work. In-house staff have no problem with adding that port and making things work. Outsourcers? If that change isn’t in writing, forget about it until it is. And, then, it may be a matter of rolling back the change and trying again, come the next change window.

Speaking of firewalls, that brings me to the “per line of code” charge. If the contract pays by the line of code, prepare for some bulky code if the contract does not explicitly state that lines of code must be consolidated whenever possible in order to be considered valid and, therefore, billable. Let me illustrate with an example.

My daughter is 14 and has zero experience with firewall rules. I asked her recently how many rules would be needed for two sources to speak to two destinations over five ports. She said five rules would be needed. I then gave a hint that the firewall help file said that ports could be grouped. Then, she proudly said, “one!”

While that’s the right answer for in-house IT staff, it’s the wrong answer for an outsourcer being paid by the line. 20 is the right answer in that case. It blew her mind when I told her how many different firms I’ve heard about that had 20 rules where one would do. As a teenager with a well-developed sense of justice, she was outraged. So long as contracts are signed that don’t specify when, how, and what to consolidate, she will continue to be outraged.
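The rule count my daughter worked out generalizes into a simple audit: expand a ruleset into every (source, destination, port) combination, then merge identical pairs back into object groups and compare the two counts. The script below is an added example, not anything from the original post; the addresses and ports are constructed sample data, and the greedy merge it performs is not guaranteed to find the smallest possible ruleset, only a much smaller one.

```python
from itertools import product


def expand_rules(sources, destinations, ports):
    """One rule per (source, destination, port) combination: the
    'billed by the line' version of the ruleset."""
    return [(s, d, p) for s, d, p in product(sources, destinations, ports)]


def consolidate(rules):
    """Greedy three-pass merge of same-action rules into
    (source_group, destination_group, port_group) entries.

    Pass 1 merges ports for identical (source, destination) pairs,
    pass 2 merges destinations that share a source and port group,
    pass 3 merges sources that share a destination and port group.
    The result is not guaranteed minimal, but it is what a competent
    in-house admin would write with object groups."""
    by_pair = {}
    for s, d, p in rules:
        by_pair.setdefault((s, d), set()).add(p)

    by_src_ports = {}
    for (s, d), ports in by_pair.items():
        by_src_ports.setdefault((s, frozenset(ports)), set()).add(d)

    by_dst_ports = {}
    for (s, ports), dsts in by_src_ports.items():
        by_dst_ports.setdefault((frozenset(dsts), ports), set()).add(s)

    return [(frozenset(srcs), dsts, ports)
            for (dsts, ports), srcs in by_dst_ports.items()]


def bloat_ratio(rules):
    """How many billable lines exist per line actually needed."""
    return len(rules) / len(consolidate(rules))


# Constructed sample: two sources, two destinations, five ports.
SRCS = ["10.0.1.10", "10.0.1.11"]
DSTS = ["10.0.2.20", "10.0.2.21"]
PORTS = [80, 443, 8080, 8443, 9443]

if __name__ == "__main__":
    expanded = expand_rules(SRCS, DSTS, PORTS)
    print(len(expanded), "rules as billed,",
          len(consolidate(expanded)), "rule(s) needed,",
          "ratio", bloat_ratio(expanded))
```

Run it against an exported ruleset (one tuple per line) and a ratio far above 1 is the signal that somebody is being paid per line rather than per outcome.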

I didn’t have the heart to tell her about how some outsourcers contract to provide services like email, but the contract did not outline all the things we take for granted as part of email but which, technically, are not email. Shared calendars? Not email. Permissions for an admin assistant to open a boss’ Inbox? Not email. Spam filtering? Not email. Email is the mail server sending/receiving to other mail servers and allowing clients to access their own inboxes. Everything else is not email, according to the outsourcers’ interpretation of the contract. Email is just one example, and all the other assumptions made about all the other services add up with the above to create a situation in which the outsourcing costs significantly more than keeping the work in-house.

This can have significant impact on security. Is the outsourcer obligated to upgrade devices for security patching? Is the outsourcer obligated to tune security devices to run optimally? Is the outsourcer required to not use code libraries with security vulnerabilities? If the contract does not specify, then there is zero obligation. Worse, if the contract is a NoOps affair in which the customer has zero visibility into devices or code, then the customer may never know which things need what vulnerabilities mitigated. There may be a hurried, post-signing negotiation of a new section about getting read rights on the firm’s own devices and code… and that’s going to come at a cost.

Another security angle: who owns the intellectual property in the outsourcing arrangement? Don’t make an assumption, read that contract! If the outsourcer owns the architecture and design, your firm may be in for a rough ride should it ever desire to terminate the contract or let it expire without renewing it.

I’m not even considering the quality of work done by the outsourcer or the potential for insider threat – those can be equal concerns for some in-house staff. The key here is that the contract is harsh, literal, and legally binding. That means vague instructions can have disastrous results. Tell an outsourcer to “make a peanut butter and jelly sandwich,” do not be surprised if the outsourcer rips open a bag of bread, smashes open the jars of peanut butter and jelly, mashes the masses of PB & J together, shoves the bread into that mass, and then pulls out the bread slices with a glob of peanut butter, jelly, glass, and plastic between them. He gave you what you specified: it’s not his fault that the instructions were vague.

There can be a place for outsourcing, particularly as a staffing solution for entry-level positions with high turnover. But every time I talk with someone from a place that either is currently in or is recovering from an outsourcing contract that went too far, I hear the horror stories. The outsourcers’ lawyers know what they’re doing and the firm’s lawyers fail to realize how specific they have to be with the contract language to keep from looking like they may as well have been the Marx Brothers.

Driftwood (offering his pen to sign the contract): Now just, uh, just you put your name right down there and then the deal is, uh, legal.
Fiorello: I forgot to tell you. I can’t write.
Driftwood: Well, that’s all right, there’s no ink in the pen anyhow. But listen, it’s a contract, isn’t it?
Fiorello: Oh sure.
Driftwood: We got a contract…
Fiorello: You bet.