Wednesday, December 17, 2014

Security: Dissecting the Hacked

There's a lot of hoopla in the news about Sony, but I've read nothing that tells you or me whether we've been hacked too, or what we should do to avoid this kind of mess at our jobs or in our lives.  Are we or our companies doomed to Sony's fate?  A human-like diagnosis and treatment is in order.

The Sony hack can be traced back to how it all started, technically speaking, but you'll find the details scattered around the Net and few journalists connecting the dots in a meaningful way.  Technologists like me don't (yet) know the "Who Done It" but we (mostly) know the "How They Done It".  I'll trace back from knowns toward probable causes with as little technical jargon as humanly possible for a technical dissection.  The conclusion I reach is a very human treatment.

Test Positive: Wiper diseases

First off, there are tests for computer diseases much like for human diseases.  On Dec 2nd a Flash was leaked, and picked up by Reuters, saying the FBI had analyzed the Sony hack.  The FBI sends these Flash notices to technical teams within organizations and companies to share its analysis of cybercrime, usually taken from actual malware samples.  You can compare these Flashes to the health notices the CDC sends out to prevent outbreaks, except that the FBI doesn't disclose its analysis to the public.  (I think Flashes should be disclosed to secure a healthy computing society, so I've no problem linking to the leak.)  This Flash attributed the Sony hack to a well known class of computer "diseases" called wipers.  Wipers -- Destover, Wiper, Shamoon -- quietly and quickly usurp control of your computer and can delete all its data, according to the synopsis from Symantec, a cyber security specialist.  A decent analogy to human disease would be an extremely fast-acting Parkinson's disease: the user loses normal functioning of the computer and may eventually lose all of its memory.  Previous analysis of wiper malware by McAfee, another cyber security specialist, implies that these particular "diseases" let cybercriminals hold computer data for ransom: if the victim doesn't comply with their demands, the criminals will either steal or erase valuable data.  Some call this concept ransomware.  Destover even lets the cybercriminal display messages to you on the infected computer, which could be like the threatening emails that Sony employees have received.  Simply put, Sony's computers came down with a disease that enables the ransom and terror we are hearing about in the news.

Infection: Dropper Trojans

Next up: let's find out how Sony's computers were infected by this wiper disease.  Similar to human infections, computers develop diseases after being compromised.  Much like a cut in your skin can fester if left untreated, a hole in a computer's defenses needs plugging.  Whether the Sony hack involved firewalls or not, there had to be a way in.  The wiper called Destover, for example, was traced back to an infection by a particular family of Trojans.  Trojans are another variety of malicious software that, just as the name implies, masquerade as legitimate software.  This family, called Dropper Trojans, carries a hidden payload and installs ("drops") it on the victim computer, often together with a backdoor that lets a cybercriminal control the computer remotely.  Symantec specifically linked Destover to one such Dropper Trojan.  Once one computer is infected, the disease can spread to the computers that trust it at an alarmingly virulent rate:
"The dropper was distributed to systems across the victim organizations, and within minutes of execution the [computer data] were wiped." Dissecting Operation Troy by McAfee.  
From initial infection to full blown disease in a matter of minutes.  Sony's computers were infected by such a Trojan (or several) that dropped a wiper quickly across its network and let cybercriminals remotely steal Sony's data, including the scandalous emails the news has picked up.

Communicability: Spear Phishing

Now that the infectiousness of the disease is identified, we come to the subject that causes panic in human health: communicability.  For IT, the question becomes: why is my computer infected?!  Dropper Trojans are not omnipotent and aren't usually able to break into a computer by themselves.  Like all sleeping monsters, Trojans lie dormant in the wild until someone wakes them.  When McAfee analyzed a wiper that spread from these Trojans, they found evidence that users had been duped into trusting the malware by a technique called "spear phishing".  Spear phishing means what it sounds like: a cybercriminal went fishing and speared a user -- virtually speaking, of course.  The technique targets specific people, in this case someone like a Sony IT admin or a Sony exec, and lures them into downloading malicious software or revealing credentials and other technical details.  One of these targets almost always needs to click something that wakes the monster, just as Troy opened its gates to the Greeks' wooden horse.

TrendMicro, another computer security specialist, researched trends in spear phishing and found two critical ingredients used against targets: 1) email, and 2) attachments.  That paper is pointed about the human factor that enables cybercriminals:
Pre-infiltration reconnaissance is more generally associated with the human aspect.  In this stage, attackers profile their human targets to gain initial entry to a target network. ...  Social networking sites, corporate and academic publications, and organizations’ sites allow miscreants to harvest relevant information on their targets for various social engineering schemes.
Essentially, cybercriminals spy on you through seemingly innocent sources, like your Facebook profile and your company's Contact webpage.  Then they send an email that pops into your Inbox as an innocuous message from your company's IT department, or your bank, or even a friend!  The Trojan is that email's attachment or the link in that email.  TrendMicro elaborates:
In a spear-phishing attack, a target recipient is lured to either download a seemingly harmless file attachment or to click a link. ... We found that the most commonly used and shared file types in organizations (e.g., .XLS, .PDF, .DOC, .DOCX, and .HWP) accounted for 70% of the total number of spear-phishing email attachments.
Sony incriminated its own email as the vector of the spear phishing when the company stopped employees from opening their corporate Inboxes after the hack; that reaction was a crude attempt at quarantining the outbreak.  More than likely, a Sony employee opened an email that looked like every other message they had received, clicked on an attached Word doc, and went about their day at work -- while a Trojan infected their work laptop and the disease spread to the rest of Sony's network.

UPDATE: after my original posting, Wired Magazine published a similar article that also suspects the Sony hack originated from phishing and also identified the Destover malware from a biopsy of sorts performed by an independent security analyst.

Vaccination?!  Don't Know; Don't Open 

Every day we open email, download documents, and go about our business without (knowingly) harming anything.  Cybercriminals use that habitual, human behavior against us.  Just as in medicine, there is no magic pill; there is no vaccination for spear phishing.  Popular anti-virus software can act like a decent immune system, detecting these Trojans and preventing a computer disease from spreading.  The security companies I've cited here -- TrendMicro, McAfee, and Symantec -- sell anti-virus programs that detect the Dropper Trojans, but so does Microsoft's own free malware detector.  Recall, however, that a Dropper Trojan's infection festers into a full blown wiper disease in a matter of minutes, so, unlike human disease progression, there can be no delay in the anti-virus response.  And even though the current wipers only infect Windows computers, Mac and Linux users are not immune either, nor are smartphones.  Computer diseases mutate just like human ones.  Anti-virus makers bring an invaluable resource to the table by constantly releasing antidotes, but the myriad of mutations known in just the Dropper family of Trojans is disconcerting.

The Sony hack is still an open case under investigation, and the popular news is hyping the "Who Done It?" part.  The technical "How They Done It" story is far more empowering.  Given the leaked FBI Flash and this preliminary dissection of Sony's hack, the first line of defense is in our hands -- literally the mouse in your hand.  We keep the computers we touch from being hacked by our own due diligence.  Our care while using computers can make the cybercriminal's spear a blunt, impotent weapon when they go phishing for us.  We stop hacks by guarding our online privacy and taking responsibility for the integrity of the technology we use, like deleting unexpected emails and closing suspicious looking websites.  The motto "Don't know; don't open" is about as blunt as you can get.

We should be asking ourselves questions like, "Did John say he was going to send me a doc?  Why is he using a different email address?!  I'll chat him."
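The questions in that last paragraph can be turned into checks that a mail gateway, or a cautious reader's own script, runs on every incoming message.  The following is an added example written for this post, not code from the original or from any of the vendors cited; the address book, the sample message and the warning wording are constructed for it.

```python
"""Spear-phishing triage: the "Did John say he'd send me a doc?" questions as checks.

Added example, not from the original post. It inspects one raw email for the
signals called out above: a familiar display name on an unfamiliar address,
a Reply-To that diverges from From, a first-time sender, and an attachment in
one of the file types TrendMicro found most abused. The address book, the
sample message and the warning wording are constructed for the example.
"""
import email
from email import policy
from email.utils import parseaddr

# Extensions TrendMicro reported as the bulk of spear-phishing attachments,
# plus a few executable types that should never arrive by mail.
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".hwp",
                    ".exe", ".scr", ".js", ".vbs", ".zip"}

# Constructed address book: address -> display name we know that person by.
KNOWN_CONTACTS = {"john@example.com": "John Smith"}


def triage(raw_message, known_contacts=KNOWN_CONTACTS):
    """Return a list of warnings for one RFC 822 message (empty means no red flags)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()

    # 1. Sender check: an address we know, or a known name on a strange address?
    if from_addr not in known_contacts:
        impersonated = [addr for addr, name in known_contacts.items()
                        if from_name and name.lower() == from_name.lower()]
        if impersonated:
            warnings.append(f"display name '{from_name}' belongs to {impersonated[0]} "
                            f"but this mail came from {from_addr}; confirm by another channel")
        else:
            warnings.append(f"first-time sender {from_addr}")

    # 2. Replies silently redirected: Reply-To pointing away from the sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        warnings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Attachments of the types the TrendMicro study found most abused.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            warnings.append(f"attachment '{name}' is a {ext} file; verify before opening")

    return warnings


# Constructed sample: a known name, an unfamiliar domain, a redirected reply, a .doc.
SAMPLE_MESSAGE = """\
From: John Smith <john.smith@mail-example.net>
Reply-To: accounts@mail-example.net
To: me@corp.example.com
Subject: The doc I mentioned
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Here's that doc, have a look today.
--b1
Content-Type: application/msword; name="invoice.doc"
Content-Disposition: attachment; filename="invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

Run against the sample it raises all three flags.  None of them proves the mail is malicious, which is the point: each one is a reason to reach John by a channel the email did not give you before opening anything.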

Tuesday, December 16, 2014

Security: IT's Chronic Disease

Technology has a chronic disease.  If IT were a patient, it would be covered in lesions and leaking out of every orifice.  This disease is how your credit cards are stolen, your private pictures spread around, your favorite website taken down -- by hackers using malicious software (malware) against an IT that is already crippled.  These tidbits aren't newsworthy if you're a cynic, because they've been plaguing us for decades.  I'm an optimistic technologist who thinks that being more forthcoming about the diagnosis and treatment of IT security will reveal -- not a cure -- but a healthier patient.

Immune System

Technologists do have systems for diagnosing and treating software "diseases" at a global scale.  I'm not talking about installing anti-virus on your laptop.  I mean something on par with the WHO or CDC for computers.  There are technical institutions that take the lead in identifying, squelching, fixing, and tracking software vulnerabilities.  The most notable are the MITRE quasi-government corporation, the SANS Institute, and the less well-known Open Security Foundation (OSF); yet the public has probably heard of none of them.  (See the IEEE resources on cybersecurity.)  All the public hears about are the hacks themselves and the typical mantra of "change your password" and "install anti-virus"!  Technologists should be our own advocates when it comes to best practices for actually securing legitimate online use.  MITRE, for example, maintains the catalog of known vulnerabilities but has only a limited capacity for informing the mass public about avoidance measures.  Technologists merely use its "disease coding" system (called CVE, Common Vulnerabilities and Exposures) to identify and catalog vulnerabilities, much as doctors and insurers use diagnosis codes for diseases.  Technology can have more "doctors" and "vaccinations" for these vulnerabilities, and we've made progress in getting cures out to prevent infections, such as integrating automated update and patching solutions.  The biggest producers of consumer software -- Microsoft, Apple, and Google -- (can) push these vaccinations to our laptops, smartphones, and tablets.

What technologists do not have is a computer immune system.  This is a critical need because anything online is under constant attack.  Securing technology needs to shift from reactive to proactive because of the increased risks that come with the Internet of Things (IoT).  We seldom implement automated security systems on par with our far more robust biological immune systems.  Technologists might install some "skin" in the form of a firewall that protects the outer shell of technology, and we probably install a newborn's "white cells" in the form of immature anti-virus scanners, and hopefully we throw in a basic "diary" that logs a glimpse of what computers are exposed to, but we don't implement mature, robust IT security.  This immature band-aid of a computer immune system is the reason websites are still hacked, your pictures stolen, and fraudulent purchases appear on your credit cards.  Technologists, however, have the potential to be more effective than human doctors in treating this disease.

Security (Mis)perception

As constant consumers of technology, we can be more informed and educated about modern IT security needs.  IT security has been, in my experience, the purview of computer networking teams instead of application or DevOps teams.  The upside of that preoccupation with network security is a relatively better defense at the lower layers of the OSI model, including the risks from physical access and operation.  The immunity gap is at the upper OSI layers where online applications sit.  I've been watching the MITRE/SANS reports on software security, in addition to the OSVDB (Open Sourced Vulnerability Database), and noticed these reports mirror the headlines about hacks.  Dangerous file uploads, session hijacking, SQL injection -- these headlines are among the top computer software "diseases".  OSVDB's trends up to 2014 give a quick view of vulnerabilities that mirror those listed in the MITRE/SANS report of 2011 (which itself changed little from the 2010 and 2009 reports).  This tells me that application vulnerabilities are a primary culprit in modern IT insecurity.  Also, an analysis of software libraries in 2012 indicated that the increasing dependency on programming frameworks spreads the "infection" beyond your own code or operating container.  When I subscribe to a security fix mailing list for one of the big producers of consumer software, I notice a lot of libraries showing up that are dependencies of services and application containers.  So the elephant in the room is technologists' and consumers' (mis)perception of what is most at risk in modern technology.

I went back to the catalog of software weaknesses and reduced the CWE list to just the Top 10 "Cures", which should change our perception of security risks.  The list is devoid of what technologists typically discuss during security debates: denying remote access (via network firewalls), difficult passwords that rotate (via password policies), anti-virus scanning, etc.  Nada.  Instead, these vulnerabilities live in the higher layers of the OSI model, in the application itself or the application server (each number matches the rank in the full list below):
  1. use DB frameworks and parameterized (static) queries, do not build SQL by pasting input into the statement (SQL injection)
  2. use sandboxes and programmatic interfaces, do not hand input to a system shell (OS command injection)
  3. validate all input and check every buffer's bounds, do not assume you'll get normal stuff (buffer overflow)
  4. do encode output for the context it lands in (HTML, JavaScript, URL), do not assume you'll get normal documents (cross-site scripting)
  5. use authentication and authorization frameworks including roles, do not leave critical functions reachable without a login (missing authentication)
  6. same as #5; mandatory access controls that deny everything by default are tedious and the most secure (missing authorization)
  7. same as #6, do not embed passwords in code or configuration (hard-coded credentials)
  8. do use data encryption libraries, do not assume authentication or authorization will secure privacy (missing encryption)
  9. same as #3 for files, checking the content and not just the client-supplied name or MIME type, do not assume you'll get a normal file (dangerous upload)
  10. do keep security state on the server and verify it on every request, do not trust cookies, hidden fields, or headers the client controls (untrusted inputs in a security decision)
To detect these top vulnerabilities in applications already running, we need proactive testing of the environment the applications run in.  In other words, we need more White Hats.  To prevent these vulnerabilities from appearing _before_ applications are brought online, we need due diligence during development.

Behavior Change

As I release my next application, I'm going to try a White Hat approach with due diligence.  Some tools to use during development are cross-referencing MITRE's mitigations and the Cures above to see how often these vulnerabilities appear while I'm coding.  Here's the full CWE/SANS Top 25 (the 2011 edition, still the current one at the time of writing):

Rank  Score  ID       Name
[1]   93.8   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2]   83.3   CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3]   79.0   CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4]   77.7   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5]   76.9   CWE-306  Missing Authentication for Critical Function
[6]   76.8   CWE-862  Missing Authorization
[7]   75.0   CWE-798  Use of Hard-coded Credentials
[8]   75.0   CWE-311  Missing Encryption of Sensitive Data
[9]   74.0   CWE-434  Unrestricted Upload of File with Dangerous Type
[10]  73.8   CWE-807  Reliance on Untrusted Inputs in a Security Decision
[11]  73.1   CWE-250  Execution with Unnecessary Privileges
[12]  70.1   CWE-352  Cross-Site Request Forgery (CSRF)
[13]  69.3   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14]  68.5   CWE-494  Download of Code Without Integrity Check
[15]  67.8   CWE-863  Incorrect Authorization
[16]  66.0   CWE-829  Inclusion of Functionality from Untrusted Control Sphere
[17]  65.5   CWE-732  Incorrect Permission Assignment for Critical Resource
[18]  64.6   CWE-676  Use of Potentially Dangerous Function
[19]  64.1   CWE-327  Use of a Broken or Risky Cryptographic Algorithm
[20]  62.4   CWE-131  Incorrect Calculation of Buffer Size
[21]  61.5   CWE-307  Improper Restriction of Excessive Authentication Attempts
[22]  61.1   CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
[23]  61.0   CWE-134  Uncontrolled Format String
[24]  60.3   CWE-190  Integer Overflow or Wraparound
[25]  59.9   CWE-759  Use of a One-Way Hash without a Salt

Monday, December 15, 2014

Deltas: Documenting Small, Frequent Changes

I remembered how to effectively make multiple technical changes without conflating them into one opaque fix.  The sequence is: make a small change, test the expected result, troubleshoot an (unexpected) failed change, retest (possibly by reverting), document what worked, and extract a working template.  These steps require:
  1. knowledge of the system or application
  2. quick and dirty testing environment
  3. easy documentation system
  4. version control system
In today's case, I knew JBoss/Wildfly (but didn't recall all its dependencies and states), I was connected remotely to a test environment in AWS, I was writing notes and steps in a Confluence Wiki page, and I committed working versions to Git.  It was critical that I could test changes quickly from anywhere and share those changes with coworkers.  These tools and this sequence enabled me to power through several changes in a few hours so I'll keep using them.

Saturday, December 13, 2014

IoT: Time Wasters

I've always been curious about where my time went.  The old school way was to keep a journal with time entries, but I'm too lazy.  I never balanced my checkbook because it was tedious watching my Mom write stuff down at the cash register and then go back home to add it all up.  Mint keeps my accounts balanced for me automatically.  Lifehacker has a few ideas and technologies to help with accounting for time.  I opted for the technological solution called Chronos.  It's a mobile app that spies on me.  Yes, a hacker or stalker would love getting their hands on the data, but I'm finding it more and more valuable to let technology figure out things for me :)

http://www.getchronos.com/

Wednesday, December 10, 2014

Integration: Your News

I used to read digital news from feeds and folks used to write blogs, but those means of disseminating information have changed a lot in the past few years.  Blogs have been reduced to very private affairs or marketing clickbait.  Neither use is bad, but I'm looking for localized and personalized digital news.  News that matters to me when I walk down the street.  Tweets and similar brief updates are the norm now and I wanted to get a handle on personalizing any source of relevant news.  In comes http://paper.li/.  Paper is nothing more than a news source aggregator with a twist.  It combines the old school feeds like Google Reader with the new snippets from Twitter -- yet it also filters and trends.  Plus its online interface and freemium model make getting set up a breeze.  My only feature request is an "Offline mode" like other news readers have, but otherwise Paper is great.  I can read news that really matters to me and get the rest from the old TV.

And despite last year's hoopla that NBC had killed EveryBlock, their feeds are still very active in my hood. :)

Friday, December 5, 2014

Security: Old Crypto

I'm rather disappointed with progress in crypto technology -- or rather the lack of progress -- and am looking for a turnkey solution. 

The other day I burned cycles attempting (and failing) to secure my personal files that are stored in the cloud.  There are several cloud storage providers, but none empower consumers to prevent snooping, at least not beyond internal "policies".  My thinking is to encrypt files before they go up to the cloud, so the provider only ever holds ciphertext, because one basic purpose of cryptography is to ensure privacy.  Well, encryption/decryption technology is still not turnkey.

A decade ago there were add-ons for PCs to make email secure, like PGP, because email was by nature public; yet now we entrust even more public resources with private data spread across multiple personal devices.  The exposure of private data to the public is growing, but it's not the time to become a recluse.  We need a turnkey solution that enables crypto across all personal devices and public resources.

I tried Boxcryptor and bumped into many hurdles to a seamless experience.  One hurdle was tracing a sluggish browsing experience back to Boxcryptor's Chrome extension.  The extension enables web access to any of the cloud platforms -- but sucked up 30-40% of processing time.  Disabling the extension dropped my CPU usage down to 2-3%.  So I'm open to alternatives.

Wednesday, December 3, 2014

Security: Validating Your Nightmare

When I take a trip on the Way, Way Back Machine, one tool that impressed me was the validation of old school websites.  The W3C validator gave me a point of reference to make improvements and ensure browser support.  The differentiator for this tool was the full weight of the Consortium behind it -- the institution that standardizes many web technologies -- and of course the tool was free.  It is still maintained, though I seldom see new, hip "web designers" putting it on their pages.

Fast forward to the 21st century and there's a new(er) tool for security that I just bumped into.  CIS-CAT is a security validation tool backed by the Center for Internet Security (CIS).  CIS gets a stamp from other organizations, like the famous mainstay The SANS Institute.  Sadly, their automated validator requires buying a hefty membership.  Evidently CIS hasn't gotten on board the Freemium bandwagon!

To their credit, CIS does release both the audit checklists and the technical steps for verifying security compliance.  They call these documents "Benchmarks", and they are *far* more valuable to the techie than the abstract drivel usually posted online.  I just downloaded a few CIS Benchmarks for my platforms for free and am thinking it will be trivial to script them.
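What scripting a benchmark's audit steps looks like, as an added example that is neither CIS-CAT nor code from the original post: three checks of the kind the CIS Linux benchmarks make for the SSH server, run against a config file the way a benchmark's "Audit" section describes.  The rule wording and the sample config are constructed for the example.

```python
"""Scripting a CIS Benchmark audit: three sshd_config checks.

Added example, not from the original post and not CIS-CAT. It encodes three
recommendations of the kind the CIS Linux benchmarks make for the SSH server
and audits a config the way a benchmark's "Audit" step reads: comments
stripped, keywords case-insensitive, "Key value" or "Key=value" accepted, and
the first occurrence of a keyword winning, as sshd_config(5) specifies. The
rule wording and the sample config are constructed for the example.
"""
import re

# Illustrative rules: keyword -> (passes?, title). Modeled on CIS sshd recommendations.
RULES = {
    "permitrootlogin": (lambda v: v.lower() == "no", "Ensure SSH root login is disabled"),
    "x11forwarding": (lambda v: v.lower() == "no", "Ensure SSH X11 forwarding is disabled"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "Ensure SSH MaxAuthTries is set to 4 or less"),
}

# "Keyword value" or "Keyword=value", as sshd_config(5) allows.
DIRECTIVE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_sshd_config(text):
    """Effective global settings as {lowercase keyword: value}."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break       # everything after a Match block is conditional; not audited here
        settings.setdefault(key, value)   # first occurrence wins, per sshd_config(5)
    return settings


def audit(text):
    """Return {rule title: (status, observed value)} for every rule."""
    settings = parse_sshd_config(text)
    report = {}
    for key, (passes, title) in RULES.items():
        observed = settings.get(key)
        # A missing directive fails: compiled-in defaults vary by version, and the
        # benchmark wants the value set explicitly.
        status = "PASS" if observed is not None and passes(observed) else "FAIL"
        report[title] = (status, observed)
    return report


# Constructed sshd_config: one compliant setting, two wrong, and a later duplicate
# that sshd would ignore.
SAMPLE_CONFIG = """\
# sample sshd_config (constructed)
Port 22
PermitRootLogin yes
X11Forwarding no
MaxAuthTries 6
PermitRootLogin no    # too late: sshd keeps the first value above
"""

if __name__ == "__main__":
    for title, (status, observed) in audit(SAMPLE_CONFIG).items():
        print(f"{status}  {title}  (observed: {observed})")
```

The duplicate PermitRootLogin line is the detail that makes scripting worthwhile: a grep for "PermitRootLogin no" would report the sample as compliant, while sshd itself still allows root logins.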

BTW: this Blogger page fails 4 W3C compliance checks :)


Cloud: Developing *in* the Cloud, for the Cloud

You can develop from (most) any connected device because of the ubiquitous cloud.  I bumped into Cloud9 while learning Ruby on Rails because a stellar teacher recommended avoiding the age old pitfall of setting up development environments on every workstation, laptop, or tablet that you touch.  This IDE is impressive for almost perfecting a browser based interface that mimics a local one, and for its simplicity.  Working with it reminds me of a simpler Eclipse that I don't have to reverse engineer.  The features are just icing on the cake:
  • old-school editor emulators (like vim and emacs)
  • hosted repo integration, including the always awesome Git
  • programming hints for lots of languages
  • real-time collaboration
  • cloud deployment of runtimes
Nothing is perfect, so this has flaws.  There's no Offline Mode for when you get inspiration in the middle of a "vacation" on a camping trip.  I don't think that's a big flaw; when I'm really vacationing, why bring a laptop?!  Given the ubiquity of public Wifi, hot spots, and even tethering, the ability to code on all of my devices from almost anywhere outweighs the biggest drawback.

You'll be coding in 5 minutes.   https://c9.io/  Oh, and the Ruby on Rails guide I'm stepping through is Michael Hartl's stellar book.




Google Freebie: PageSpeed

Google knows we've all shaken a fist waiting for an awfully sluggish webpage to load in our browser despite a fast connection.  They've got a cool, free Chrome extension called PageSpeed for web designers and developers.  The extension is a handy tool for easily fixing the sluggishness we've all encountered.

PageSpeed pointed at a webpage I loaded: [screenshot of the PageSpeed results]
The extension is in the Chrome Web Store and the details are on the Google Developers Speed site.

Google Analytics will track real time data on client requests against a website, provided its tracking snippet is embedded in the pages.