In Through The Out Door

Diving Through The Information Barrage



The Ethics of Vulnerability Research

14 May, 2008 (19:41) | H@xor, Security | No comments

The standard way to take control of someone else’s computer is by exploiting a vulnerability in a software program on it. This was true in the 1960s when buffer overflows were first exploited to attack computers. It was true in 1988 when the Morris worm exploited a Unix vulnerability to attack computers on the Internet, and it’s still how most modern malware works.

Vulnerabilities are software mistakes–mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. These vulnerabilities lie dormant in our software systems, waiting to be discovered. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don’t get patched, so the Internet is filled with known, exploitable vulnerabilities.

New vulnerabilities are hot commodities. A hacker who discovers one can sell it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences. Even if he does none of these, the mere fact the vulnerability is known by someone increases the risk to every user of that software. Given that, is it ethical to research new vulnerabilities?

Unequivocally, yes. Despite the risks, vulnerability research is enormously valuable. Security is a mindset, and looking for vulnerabilities nurtures that mindset. Deny practitioners this vital learning tool, and security suffers accordingly.

Security engineers see the world differently than other engineers. Instead of focusing on how systems work, they focus on how systems fail, how they can be made to fail, and how to prevent–or protect against–those failures. Most software vulnerabilities don’t ever appear in normal operations, only when an attacker deliberately exploits them. So security engineers need to think like attackers.

People without the mindset sometimes think they can design security products, but they can’t. And you see the results all over society–in snake-oil cryptography, software, Internet protocols, voting machines, and fare card and other payment systems. Many of these systems had someone in charge of “security” on their teams, but it wasn’t someone who thought like an attacker.

This mindset is difficult to teach, and may be something you’re born with or not. But in order to train people possessing the mindset, they need to search for and find security vulnerabilities–again and again and again. And this is true regardless of the domain. Good cryptographers discover vulnerabilities in others’ algorithms and protocols. Good software security experts find vulnerabilities in others’ code. Good airport security designers figure out new ways to subvert airport security. And so on.

This is so important that when someone shows me a security design by someone I don’t know, my first question is, “What has the designer broken?” Anyone can design a security system that he cannot break. So when someone announces, “Here’s my security system, and I can’t break it,” your first reaction should be, “Who are you?” If he’s someone who has broken dozens of similar systems, his system is worth looking at. If he’s never broken anything, the chance is zero that it will be any good.

Vulnerability research is vital because it trains our next generation of computer security experts. Yes, newly discovered vulnerabilities in software and airports put us at risk, but they also give us more realistic information about how good the security actually is. And yes, there are more and less responsible–and more and less legal–ways to handle a new vulnerability. But the bad guys are constantly searching for new vulnerabilities, and if we have any hope of securing our systems, we need the good guys to be at least as competent. To me, the question isn’t whether it’s ethical to do vulnerability research. If someone has the skill to analyze and provide better insights into the problem, the question is whether it is ethical for him not to do vulnerability research.

This was originally published in InfoSecurity Magazine, as part of a point-counterpoint with Marcus Ranum. You can read Marcus’s half here.

[From The Ethics of Vulnerability Research]

Observing Chinese Reactions to the New Maritime Strategy

14 May, 2008 (19:40) | Gov, Military | No comments


Dr. Andrew S. Erickson is one of the premier sources on Chinese Maritime analysis, and a blog favorite. Previous coverage of his work here and here. Last year Dr. Erickson published New U.S. Maritime Strategy: Initial Chinese Responses, an examination and insightful study of China’s reaction to the new US Maritime Strategy. The following sample is but a taste of this brilliant document, a 22 page


[From Observing Chinese Reactions to the New Maritime Strategy]

Challenges of War and Peace

14 May, 2008 (19:36) | Gov, Military, Submarines | No comments


How dangerous is China? Ask the Russians, who are organizing their lawyers to go after the one place China seems to take seriously, their wallet. There have been some very interesting discussions taking place over in Russia, and it turns out, while they didn’t really care that the Type 39 Song Class submarine was built based on the old Romeo design, they aren’t very happy to learn the Yuan class


[From Challenges of War and Peace]

A Super Secret Sub Base?

13 May, 2008 (21:26) | Gov, Military, Submarines | No comments


Has China “secretly built a major underground nuclear submarine base that could threaten Asian countries and challenge American power in the region”? Thomas Harding, writing in the London Daily Telegraph early this month, has declared that it has.

According to Harding, “Satellite imagery, passed to The Daily Telegraph, shows that a substantial harbour has been built which could house a score of nuclear ballistic missile submarines and a host of aircraft carriers.”

The threat from Chinese submarines, long touted by “hard liners” in the West, now includes the ballistic missile submarine base and protective tunnels for the craft being constructed at Sanya on the southern tip of Hainan Island in the South China Sea.

The report comes almost simultaneously with word that a Chinese Type 094 (NATO Jin-class) ballistic missile submarine was sighted at the base in satellite images. Also visible was a newly constructed pier that appears to be a demagnetization facility for submarines. Demagnetization is conducted before a submarine deploys to remove residual magnetic fields to reduce the craft’s vulnerability to magnetic mines.

The satellite image was taken by the QuickBird commercial satellite on 27 February 2008, and purchased by the Federation of American Scientists from DigitalGlobe.

China is believed to have completed two Jin-class SSBNs with at least one more unit under construction. (An older SSBN is also in service; see below.) The U.S. Intelligence Community estimates that China would probably build five SSBNs if it wants to have a near-continuous deterrent at sea. Each Jin-class SSBN will carry 12 JL-2 nuclear-armed ballistic missiles. A “score” of such submarines — as reported in some newspaper accounts — seems highly unlikely.

While some Western defense analysts as well as journalists are touting this new Chinese capability, it should be noted that there have been submarine tunnels in southern Hainan for probably two decades or more and that similar (albeit smaller) tunnels are also found at the Northern Fleet’s Jianggezhuang naval base. Indeed, China has long constructed tunnels for military (and civilian) purposes in the event of a nuclear conflict. This writer visited some of those near the base complex of Dairen, near the Soviet-Russian border.

Further, while submarines could be “hidden” in the tunnels, they could be observed by U.S. reconnaissance satellites as they enter and leave the tunnels. This possibility, coupled with the likely noise level of the Jin-class SSBNs would increase their vulnerability to U.S. detection and surveillance methods.

Also, in wartime, any submarines in the tunnels at the outbreak of hostilities would be vulnerable to the tunnels being easily blocked by U.S. conventional or nuclear weapons.

Certainly the Chinese Navy is being modernized, although it is significantly smaller than it was during the Cold War era. The slow development pace of China’s SSBN force, the failure of the first Chinese SSBN, the Type 092 (NATO Xia) completed in 1988, to have ever made a deployment, and persistent reports that a ballistic missile for the SSBNs is not yet available, raise major questions about this aspect of the “Chinese threat.”


[From A Super Secret Sub Base?]

Deep packet inspection under assault over privacy concerns

12 May, 2008 (20:18) | Geek, General, Privacy | No comments

A Canadian law clinic has asked the country’s Privacy Commissioner to take a closer look at the deep packet inspection being used by Bell Canada and others. While the technology also raises net neutrality concerns, in this case the issue is privacy.


[From Deep packet inspection under assault over privacy concerns]

Throttle 5 million P2P users with $800K DPI monster

12 May, 2008 (20:17) | Geek, General | No comments

Deep packet inspection gets a major speed bump to 80Gbps of real-time traffic analysis with 96 percent accuracy. Even the largest networks can now throttle P2P with ease… even when it’s encrypted.


[From Throttle 5 million P2P users with $800K DPI monster]

U.S. military to build botnet?

12 May, 2008 (20:15) | H@xor, Military, Security | No comments


[From Brief: U.S. military to build botnet?]

Proposed Cybersecurity Bill To Pressure DHS

11 May, 2008 (20:57) | Gov, H@xor, Security | No comments

FBI Says Military Had Counterfeit Cisco Routers

11 May, 2008 (11:48) | Gov, H@xor, Military, Security | No comments


There are new developments in the case of the counterfeit Cisco routers, which we have been discussing for some time. The NYTimes updates the story after an FBI PowerPoint presentation made its way onto the Web. It seems that experts at Cisco have examined some of the counterfeit routers in detail and proclaimed that they contain no back doors. Others don’t believe we can be so sure. “Last month, [DARPA] began distributing chips with hidden Trojan horse circuitry to military contractors who are participating in the agency’s Trusted Integrated Circuits program. The goal is to test forensic techniques for finding hidden electronic trap doors, which can be maddeningly elusive… The threat was demonstrated in April when a team of computer scientists from the University of Illinois presented a paper at a technical conference in San Francisco detailing how they had modified a Sun Microsystems SPARC microprocessor… The researchers were able to create a stealth system that would allow them to automatically log in to a computer and steal passwords.”


[From FBI Says Military Had Counterfeit Cisco Routers]

How the NSA Took Linux To the Next Level

11 May, 2008 (11:43) | Linux, Open Source, Security | No comments


IBM Developerworks’ recent analysis of how the NSA built SELinux to withstand attacks. The article shows us some of the relevant kernel architecture and compares SELinux to a few other approaches. We’ve discussed SELinux in the past. Quoting: “If you have a program that responds to socket requests but doesn’t need to access the file system, then that program should be able to listen on a given socket but not have access to the file system. That way, if the program is exploited in some way, its access is explicitly minimized. This type of control is called mandatory access control (MAC). Another approach to controlling access is role-based access control (RBAC). In RBAC, permissions are provided based on roles that are granted by the security system. The concept of a role differs from that of a traditional group in that a group represents one or more users. A role can represent multiple users, but it also represents the permissions that a set of users can perform. SELinux adds both MAC and RBAC to the GNU/Linux operating system.”



[From How the NSA Took Linux To the Next Level ]

Sun Launches OpenSolaris on a Post-OS World

11 May, 2008 (11:10) | Open Solaris | No comments


Because you were probably just thinking that your choices on operating systems were feeling a little limited.


[From Sun Launches OpenSolaris on a Post-OS World]

India, Belgium warn of Chinese attacks

8 May, 2008 (14:33) | Gov, H@xor, Security | No comments




[From Brief: India, Belgium warn of Chinese attacks]

FBI Backs Down On Web Gagging Order

8 May, 2008 (14:29) | Darwin Candidate, H@xor | No comments

History of the U.S. Surveillance Debate

8 May, 2008 (14:24) | Gov, H@xor, Privacy | No comments

Excellent article, chronicling the surveillance debate from the mid 1980s until today. Don’t expect good coverage of the current debate, however: the legality of the NSA’s recent domestic eavesdropping program, and the legality of the assistance provided by the telcos.

Unixfication II

8 May, 2008 (14:20) | Linux, Open Source, Unix | No comments


Can the Linux community get over its “not invented here” ideology which has often hindered its ability to adopt technological improvements from outside sources? I keep saying to myself, I hope so. But recent events have shown me that we have a long way to go until we become a culture of inclusion and not of [...]


[From Unixfication II]

What a Botnet Looks Like

8 May, 2008 (14:16) | H@xor, Security | No comments


Esther Schindler writes “CSO has an annotated, zoomable map of real botnet topologies showing the interconnections between the compromised computers and the command-and-control systems that direct them. The map is based on work by security researcher David Voreland; it has interactive controls so you can zoom in and explore botnets’ inner workings. Hackers use botnets for spamming, DDoS attacks and identity theft. One recent example is the Storm botnet, which may have comprised 1 million or more zombie systems at its peak. As with any networking challenge, there are good (resilient) designs and some not-so-good ones. In some cases the topology may be indicative of a particular botnet’s purpose, or of a herder on the run.”

[From What a Botnet Looks Like ]

US Electronic Fingerprints in Syria?

8 May, 2008 (14:14) | Military | No comments

This article first appeared in Aviation Week’s Ares Weblog.

President Bush publicly acknowledged that Syria has been doing something suspicious involving nuclear development and North Korea. Following his lead, other officials are quietly dropping clues about how Syria’s suspicious facility was attacked.

The Israel Air Force’s stunning, undetected flight through Syria’s air defenses late last year — as part of a raid on a suspected nuclear facility — bears electronic fingerprints similar to those left in Baghdad by the U.S. in 1991 and 2003, say U.S. military and IT industry specialists.

The raid on Syria was winked at by the U.S. which also supplied some non-participatory support, they say.

The answer to the question of why the U.S. was involved is that “The Israelis can do things [within the region and Israel's political structure that] we sometimes can’t do,” says a senior U.S. Air Force official with long background in black operations. Syria’s construction of the facility and North Korea’s participation “was an area of concern for us as well, so there was some help provided in discussing vulnerabilities and providing other knowledge [of Syria's integrated air defenses and electrical grid]. What occurred, isn’t inconsistent with what happened in Iraq twice before.”

So what did the U.S. forces do in Iraq in 1991 and 2003 to confound air defenses, communications and the ability to command forces in the field?

Read the rest of this story, see pics of Marine LAVs getting busy and get inside a big ‘ole helo gaggle from our good friends at Aviation Week on Military.com.


[From US Electronic Fingerprints in Syria?]

China’s Cyber Forces

8 May, 2008 (14:11) | Gov, H@xor, Military, Security | No comments


China is well known for its global cyber espionage efforts. And while the United States has received most of the media attention given to cyber attacks, we are not the only ones dealing with this issue. India is now pointing the finger at China, claiming they have systematically launched a series of attacks on sensitive information systems and networks of Indian agencies. India rapidly responded and now has cyber-security forces down to the division-level to guard against cyber wars. But is that really enough given China’s stated ambitions?

China’s Cyber Warfare Doctrine is designed to achieve global “electronic dominance” by 2050 which would include the capability of disruption of the information infrastructure of their enemies. This doctrine includes strategies that would disrupt financial markets, military and civilian communications capabilities as well as other parts of the enemy’s critical infrastructure prior to the initiation of traditional military operations. With all the attacks that have been attributed to China, there has to be significant intelligence out there about techniques, cyber weapons and strategies that have been used in these cyber assaults. The proliferation of China’s cyber capabilities will be the topic of a Congressional hearing in DC on May 20th. This hearing will examine “China’s Proliferation Practices and the Development of its Cyber and Space Warfare Capabilities.”

Military and intelligence sources have known that Chinese cyber forces have developed these detailed plans for cyber attacks against the United States and others. It is believed that the plans for such an attack were drawn under the direction of the People’s Liberation Army (PLA).

China has a significant cyber weapons and intelligence infrastructure in place today. What is alarming is not only do they have the intent, but they have the money. Beijing has the world’s second or third largest defense budget depending on where you look for the numbers. Their military budget has been on the rise at 10 percent or more a year for over a decade. This, as well as the attacks, are evidenced by their cyber operational ability to scan, acquire nodes for their growing botnet as well as the continued sophisticated assaults on defense information systems in the US, Germany, UK and India. In addition, in April 2007, Sami Saydjari, who has worked on cyber defense systems for the Pentagon since the 1980s, told Congress: “The situation is grave, with nation-states such as China developing serious offensive capabilities.”

Recent attacks on the United States and India have brought this threat to the forefront. While diplomatic efforts to address these attacks have been initiated, virtually no progress has been made, according to individuals close to the issue. The following information has been provided by Spy-Ops and represents their assessment of China’s current cyber capabilities.

China People’s Liberation Army (PLA)
Military Budget: $62 Billion USD
Global Rating in Cyber Capabilities: Number Two
Cyber Warfare Budget: $55 Million USD
Offensive Cyber Capabilities: 4.2 (1 = Low, 3 = Moderate and 5 = Significant)

Cyber Weapons Arsenal (in order of threat):
Large, advanced BotNet for DDoS and espionage
Electromagnetic pulse weapons (non-nuclear)
Compromised counterfeit computer hardware
Compromised computer peripheral devices
Compromised counterfeit computer software
Zero-day exploitation development framework
Advanced dynamic exploitation capabilities
Wireless data communications jammers
Computer viruses and worms
Cyber data collection exploits
Computer and networks reconnaissance tools
Embedded Trojan time bombs (suspected)
Compromised microprocessors & other chips (suspected)
Cyber Weapons Capabilities Rating: Advanced
Cyber force Size: 10,000 +
Broadband Connections: More than 55 million
China’s Hacker Community: Honker Union, Red Hackers Alliance (The 5th largest hacking organization in the world.)
China’s Software Industry: In Q1 2007, the software industry recorded RMB 96.7 billion, with a year-on-year increase of 26.9%.

In Q1 2008, China recorded RMB 144.36 billion in software industry sales revenue, up sharply year-on-year.

From all this information one can only conclude that China has the intent and technological capabilities necessary to carry out a cyber attack anywhere in the world at any time. Nations around the world can no longer ignore the advanced threat that China’s cyber warfare capabilities may have today and the ones they aspire to have in the near future. Just recently Belgian justice minister, Jo Vandeurzen, claimed that attacks against the Belgian Federal Government originated from China and are most likely sanctioned by Beijing. The Belgian minister of foreign affairs, Karel De Gucht, told their parliament that his ministry is the subject of cyber-espionage by Chinese cyber agents. This is just the tip of the iceberg. Spy-Ops believes that an estimated 140 countries will be working on their cyber weapons by the end of 2008 and that in the next five years we will see countries and extremist groups jockeying for cyber supremacy.


[From China's Cyber Forces]

The F-117 Nighthawk is Gone. . . We Think!

8 May, 2008 (14:10) | Military | No comments


The F-117 Nighthawk — the U.S. Air Force’s greatly touted stealth attack aircraft — is gone. At least, we think it’s gone — can one really be certain with a stealth airplane? The aircraft, which won combat honors during operations over Panama, Serbia, and Iraq, was officially retired in late April after a 27-year service life.

“It was a mistake to retire them,” said Dr. Richard Hallion, former historian of the Air Force and special assistant to that service’s secretary. Hallion explained to this writer that the large number of F-16 and F-15 fighter-type aircraft flown by the Air Force are not stealthy and the number of F-22 Raptors, which do have stealth characteristics, are too few in number to meet the U.S. need for low-observable strike aircraft.

Cited by the Air Force as the world’s first operational aircraft designed to exploit low observable — stealth — technology, the F-117A entered service in 1982. Through 1990 Lockheed built 59 aircraft at a Burbank facility.

The F-117 first flew in combat during the U.S. invasion of Panama in 1989 that led to the capture of dictator Manuel Noriega. F-117s were also flown in the air campaign over Serbia in 1999, and were among the first aircraft to strike targets in the Persian Gulf War in 1991 and in the invasion of Iraq in 2003.

One F-117 was shot down by Serbian anti-aircraft fire on 27 March 1999. Serbian forces launched Soviet-provided “Neva-M” missiles (NATO designation SA-3 Goa) to down the F-117A serial number 82-806. The pilot ejected after the aircraft was struck and was subsequently rescued by Allied forces.

According to then-NATO commander General Wesley Clark and other NATO officials, Serbian air defenses found that they could detect F-117s with their radars operating on unusually long wavelengths. This made the aircraft visible by radars for short times.

The wreckage of the F-117 was not immediately bombed due to possible media fallout from news footage showing civilians around the wreckage. The Serbs were believed to have invited Russian personnel to inspect the remains, inevitably compromising the U.S. stealth technology.

Some of the wreckage is reportedly on display at the Museum of Yugoslav Aviation close to Belgrade’s Nikola Tesla Airport.

During the 1991 air campaign against Iraq, the F-117 was the only coalition aircraft to fly over Baghdad. (The Navy’s ship-launched Tomahawk cruise missiles also “flew” over Saddam’s capital city.)

F-117s flew combat missions only at night, hence their name Nighthawk.

The F-117 was born at the Lockheed “Skunk Works” in Burbank, California, the same design facility that produced the ultra-secret U-2 and SR-71 spyplanes. A production decision was made in 1978 and the first flight was made on 18 June 1981. The single-seat F-117’s low-observable characteristics were derived from both its bat-like shape, with twin turbofan engines “buried” in the “boxy” fuselage. Capable of in-flight refueling, in 1992 F-117s flew non-stop from Holloman Air Force Base in New Mexico, to Kuwait, a flight of approximately 18-1/2 hours — a record for single-seat fighters that still stands.

Although designated as a “fighter,” the F-117 had no air-to-air capabilities. It was an attack aircraft that could carry some 4,000 pounds of bombs or missiles in an internal weapons bay.

The first F-117s were retired in December 2006. The surviving aircraft will be stored in hangars at a secret location in Nevada. Their special storage is based on retaining the secrecy of their special features rather than any consideration of someday reactivating the planes.


[From The F-117 Nighthawk is Gone. . . We Think!]

OpenSolaris Just Wants to be Free

8 May, 2008 (14:07) | Open Solaris | No comments


OpenSolaris: Excellent OS but is the license holding it back?
[From OpenSolaris Just Wants to be Free]
