Inward Turn

The Emerging Threat of Cyberwar

infosec In the wake of the attack on Sony Pictures in the U.S., many are trying to validate the government’s claim that it was a hack perpetuated by North Korea. If this is true it is the first highly public incident involving state-sponsored cyber espionage, and there will likely be more in the future. The incident has already led to sanctions imposed on North Korea, the first of it’s kind based on these attacks. Clearly the consequences of open cyberwar are ominous and far reaching for the entire world.

it’s been rumored that the United States has been in a prolonged cyber cold war with China for the better part of a decade, and by studying attack data there is clearly a pattern involving the two superpowers. Over the past few years, there have been numerous thefts of classified information and acts of espionage attributed to hackers working for or in collusion with both the U.S., China, and their allies. This includes the break-in at the Lawrence Livermore Labs, the hacking of RSA secure IDs in 2011, the Stuxnet virus that destroyed Iranian centrifuges, and the outing of the NSA’s wiretapping and data collection activities by Edward Snowden. All of these are clear indications that nation-states and government agencies are actively using cyberspace to engage in these operations.

The U.S. Congress has also recently expressed concerns over the import and use of telco, networking, and computing gear from Chinese companies such as Huwei and others. These companies are beholden to the Communist government and the possibility of backdoors, doomsday bombs, and other malicious functions embedded in thousands of devices and machines around the world isn’t that far fetched. This could already be happening, leading to a day when the planet’s computers and the internet are held for ransom. That’s right, that Lenovo you got at a bargain price could already be a ticking logic bomb.

So what would happen if this type of activity escalated and reached full-scale cyberwar? We’ve already seen a glimpse of this when North Korea was promptly knocked off the internet for over nine hours after it was publicly outed as the perpetrators. Technology and the web are now so ubiquitous, the loss of major parts of the internet or critical infrastructure could cause a catastrophic collapse we may never recover from. Financial meltdown or worse could be only a mouse click away and the threat is only becoming greater.

The consequences of the same thing happening to the United States could result in serious problems for the entire world. This very reason is likely why large scale and open cyberwarfare hasn’t really happened yet. It’s similar to the Cold War and the concept of mutually assured destruction; As long as each side had enough to wipe each other out several times over and destroy the world, no one dared to press the button. But as nations begin moving more toward offensive operations in cyberspace, the potential is huge for serious collateral damage to business, critical operations, and civil services.

In the event nations begin large scale cyber attacks against one another, the internet itself will be the first victim, followed by everyone who uses it. Businesses that operate online would be crippled by denial of service and war-based traffic. Even more ominous is the threat to critical infrastructure such as power and financial systems. The blow to the economy could be disastrous if key organizations or internet infrastructure were taken offline, even if they weren’t the actual targets.

In the future, this threat could lead to huge changes in the network and internet landscape. The United States could begin a technological Inward Turn,  a doctrine of technology isolationism. Companies and especially government would rely only on hardware and software from those they trusted and build highly secure private networks. Greater security defenses would be created, eventually leading to more heavily guarded perimeters in cyberspace. Every country might build a Great Firewall, capable of protecting major critical infrastructure and economic resources. Not all traffic would be treated equally, and none of it would be implicitly trusted.

In the face of all out cyberwar businesses could begin the Inward Turn and rely only on trusted sources, hardening their critical systems and access to the outside world. The days of cloud-anything would become numbered, and the highly secured, walled-off private cloud would rule the landscape. The silver lining to this dystopian vision would be the rise of robust solutions and technologies that lead to more secure networks and internet. Ironically, war and the military has historically driven these kinds of revolutionary changes.

It may be worthwhile to think about what would be needed to go into this highly secure future. As unreal as it sounds, the possibility is there and the impact it could have would be astronomical. Organizations would need ways to continue to operate and protect themselves from the side effects of open warfare on the net, as well as continue operations safely and efficiently. And while mostly no one wants such a thing to come true, laying the groundwork now might pay off in a difficult future.

Fixing Weak SSL the Easy Way

infosec IIS Crypto is a great free tool produced by Nartac Sotware that allows Windows Server/IIS admins to easily enable/disable weak SSL cryptos and ciphers. This is a PCI requirement, and I’ve seen it show up on many scan using tools designed to probe for compliance. It’s usually a tedious process of adding/changing registry keys, right up to today’s current Windows OSes.

I recently had two fully patched Win Server 2008 R2 servers that were failing PCI scans using the McAffee Secure online service. IIS Crypto made short work out of what would’ve been a longer after hours change. It even has a PCI button that you can just click and it configs the server for compliance. Saved me a ton of work. Microsoft needs to start turning this off by default though and maybe even ask if you want it turned on, just a thought for the guys at Redmond.

In a unique twist, even after verifying the registry keys were correct after running the tool, McAffee still complained about the problem after a post-change scan. Qualy’s SSL Site Analyzer, a nifty and free online tool, actually passed it with flying colors. Another interesting venture of theirs is the HTTP Client Fingerprinting Using SSL Handshake Analysis project, which produced a mod for Apache and some other interesting reads at the bottom of the page, enjoy.

Auditing By The Seat of Your Pants

Whenever you’re stuck in a small shop with a limited budget, it can be pretty hard to find a good, inexpensive application that can do five things:

Port scanning
Vulnerability scanning
Some kind of patch level detection
Wrap everything up into reporting that can show all the results by machine.
Doesn’t cost an arm, leg, and your first born.

With little to no budget, my auditing tools are varied and I have to cut and paste most of their results into a single report by hand. I’ve gotten pretty nifty with the report formats using color coded Excel sheets, and I get to flex my writing skills but the manual work involved really is frustrating. However, using a combo of the usual free tools (Nessus, Nmap, Microsoft Baseline Security Analyzer, Metaspolit, etc.), I’ve managed to audit a small network of 100+ IPs and 5 subnets in around four to five days, complete with the reports. This also includes external auditing of our two public networks. I still wish I had a free or inexpensive tool that does a lot of what I’m already doing manually, especially bringing in all of the results into a single report complete with an executive summary.

Now, I could be lazy and just compile all the output these tools already generate and call that a “report”, but I’m the creative type and believe in clear documentation that can translate to both non-technical staff and IT staff. They should have a uniform look, because Nessus’ output format is an HTML file and Nmaps’ is a text or XML file. Putting them all together into a printed out clump just looks sloppy, and I don’t go for sloppy with documentation.

There are plenty that do that job, but all of them are pretty hefty pricewise, which leaves those with a low budget for such items in the crunch. There is business opportunity in this area, so you would think this market would have a bit more variety. Changes in the security landscape are pushing it in that direction though, as security and compliance are becoming concerns to even some small businesses. If I was a .NET developer, I think I’d start writing something that did what I wanted. Alas, I’m not, but if any of them are out there lurking, get to coding!