Wednesday, August 23, 2017

The Cyber Coup

Twitter posts are now official government statements - and this introduces interesting follow-on systemic weaknesses to cyber warfare. Do you think we can defend the Twitter infrastructure against a Nation-State? Or even an interested non-nation state player? Is that now the NSA's problem?

Because if not, the payload looks something like this:





UNGGE and Tallinn 2.0 Revisited

https://amp.theguardian.com/world/2017/aug/23/un-cyberwarfare-negotiations-collapsed-in-june-it-emerges

https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3024405 (Paper from Mike Schmitt and Liis Vihul on this)

So I want to bring us back to social insects and point out that basically everything we know always turns out to be wrong, but in a weird way. For example, I was taught growing up via whatever biology classes and nature shows I watched, that the bees have a queen, and the queen lays all the eggs and the workers do her bidding via chemical cues or whatever because they are so closely related to her.

But what turns out to be true is a thousand times more complex, because workers can also lay eggs, and often choose to as a strategy. And that means that the simple model in my head of how a nest works is all off-kilter - tons of energy in the nest has to be dedicated to maintaining order. That brings us to their paper:

This right here is where Mike Schmitt and Liis Vihul go wrong... 

Ok, so the paper is very much a last stand defense for the Tallinn process and the rest of the work that Mike and crew have put into stretching the Barney costume of normal international law over the mastodon that is the cyber domain. Look, I've met Mike Schmitt and he has an IQ of something like 250, but he's dead wrong on this whole thing and it's getting painfully obvious to the whole community.

The place he goes most awry is in the paragraph highlighted above: He thinks states have territory and that territory extends into cyberspace, which it just doesn't. I get the that the implications of that are complicated and quite scary, but he runs straight off a philosophical cliff when he says that any "physical change" including replacing hard drives is going to trespass sovereignty. The real world has the FBI conducting operations all over the world because we don't know where something is once it hits the Tor network, and frankly we don't care. We are going to ./ and let the courts sort them out.

Everyone reading this blog could build scenario after scenario that challenges his arguments around the applicability of various aspects of international law in cyberspace based on his initial fallacy, but until we gather a group of people around and have some sort of intervention ceremony with him it's going to be impossible for him to internalize it.

I don't think he can read Tallinn 2.0 and notice that his bevy of "Experts" have created a document that reads EXACTLY LIKE THE TALMUD, with everyone agreeing on some things, disagreeing on some other things, and making exactly zero sense the whole time when applied to modern cyber operations. This is the kind of thinking that lets them draw nonsensical derivations about there being some sort of physical-component line you could draw between "violates sovereignty" and "PERFECTLY OK" as if Stuxnet never happened.

The authors also warn of any further operations saying that if they get caught:

"This could lead to further “Westphalianization” of the internet, as well as increased data localization, which runs counter to the long-term U.S. policy objective of the free flow of information." 

I'm pretty sure that's already happened. Did we write this paper in a time machine, perhaps?


Tuesday, August 8, 2017

Strategic Plateaus in the Cyber domain

One thing I think that surprises many people who don't play video games is how similar the strategies for them all are. It's as if Chess and Checkers and Go all had the same basic gameplay.

In most online shooters, you have characters with a high "skill ceiling" that require precise aim and maneuvering, and others which have the ability to soak up damage or cause area effects or heal their friends, which generally require more positioning and strategy understanding.

And as new characters are introduced to a game, or existing characters are tweaked, you change the strategies that works the best overall.



In Overwatch, the most popular game among hackers right now, you have "Dive Comp" and "Deathball Comp". These represent "Fast, deadly characters and chaotic rampage" vs "Healthy armored characters and slow advance". If you're going with the right team composition and strategy you can overcome even very serious disadvantages with your "mechanics" (shooting skill, reaction times, etc.) . I.E. your team gains an asymmetric advantage until the other teams copy you and catch up.

Which technique works best is generally called "The current meta" and trickles down from the pro-players to the very lowest ranks of Overwatch (where nobody should honestly care, but they still really do). New meta shifts in Overwatch, despite the continual changes introduced by every patch, are extremely rare, perhaps once a year! The game designers say this is because people are bad at finding and testing new strategies, essentially. It is a rare skill. You almost have to be pretty good at any new strategy to know if it even really works. I call this a strategic plateau, because it LOOKS like the meta is still one way, but it's really another way, yet to be discovered until someone gets good  enough at some new way of operating.

And yet, the cyber domain is even more choppy than any computer game could ever be. Things change at a tremendous rate, and people generally look at the "Cyber Meta" as a static thing! Either we are in the "Botnet Meta" or the "Worm Meta". We either do "Client side attacks" or we do "SQLi attacks". So many people think the cyber meta is what the West Coast's VC funded machine tells them it is at RSA or in Wired Magazine!

Getting this right is a big bet - some might point to recent events by saying it is a bet of global importance. Investment in a high end "Man on the Side" technology stack can run you into the billions. You'd better hope the meta doesn't change until your investment pays off. And what are the strategic differences between TAO-style organizations and the Russian/Chinese way? It's possible to LOSE if you don't understand and adapt to the current up-to-date Meta of the domain you are in, no matter what your other advantages are.

Grugq has a whole talk on this, but everyone is going to divide it differently in their head and be really crazy about it, the way people are when I use Torbjorn on attack. Also, why isn't "Kaspersky" in my spreadsheet yet! :) Also: Do you have a similar spreadsheet? IF SO SHARE.

No matter how you define the "Deathball" or "Dive Comp" of the cyber domain you also need to analyze in depth how modern changes in the landscape effect them and make them stronger and weaker. "Bitcoin and Wikileaks as a service" may have replaced "Russian Intel" as a threat against giant teams of operators, for example. Endpoint defenses and malware analysis and correlation may have advanced to the point where Remote Worms have become much stronger in the meta.

But the real fun is in thinking up new comps to run - before QUANTUMINSERT was done, someone had to imagine it fully fledged in their heads. Before the Russians could run a destructive worm from a tiny contractor team that hit up an accounting firm, someone already had a certainty in their mind that knew it would work. And so that's the real question I'm asking everyone here. What's the next meta? What does your dark shadow tell you?



Monday, August 7, 2017

DDIRSA posts about VEP

Former DDIRNSA (who just retired) posted this today, and it accurately reflects his feelings on the VEP debate, I assume.

https://www.lawfareblog.com/no-us-government-should-not-disclose-all-vulnerabilities-its-possession

There's nothing in there that would surprise someone who regularly reads this blog though - essentially he does not hold any water with the argument that we should be giving up all our vulnerabilities to vendors.

Likewise, he appears to be miffed that people are blaming WannaCry/NotPetya on the NSA, as you might expect.

Oh, also I want to mention the things he didn't say would be good compromises, which tend to be offered as "halfway points" from people who have never been in this business. He didn't say "Let's only keep 0day for a few months" or "Let's only keep certain kinds of 0day - the not important ones". All those ideas are terrible, and get offered again and again by various policy arms as if they are going to magically get better over time.


Saturday, August 5, 2017

The Killswitch story feels like bullshit

If you haven't watched the INFILTRATE keynote from Stephen Watt here then you need to do that, especially if you are a lawyer who specializes in cyber law. INFILTRATE is where you hear about issues that effect the community in the future, and you should register now! :)


But let me float my and others initial feeling when MalwareTech got arrested: The "killswitch" story was clearly bullshit. What I think happened is that MalwareTech had something to do with Wannacry, and he knew about the killswitch, and when Wannacry started getting huge and causing massive amounts of damage (say, to the NHS of his own country) he freaked out and "found the killswitch". This is why he was so upset to be outed by the media.

Being afraid to take the limelight is not a typical "White Hat" behavior, to say the least.

That said, we need to acknowledge the strategic impact law enforcement operations as a whole have on national security cyber capabilities, and how the lighter and friendlier approach of many European nations avoids the issues we are having here in the States.

Pretty much every infosec professional (yes, even the ones in the IC!) knows people who have been indicted for computer crimes now. And in most of those cases, the prosecution has (as in the video above) operated in what is essentially an unfair, merciless way, even for very minor crimes. This has massive strategic implications when you consider that the US Secret Service and FBI often compete with Mandiant for the handling of computer intrusions, and the people making the decisions about which information to share with Law Enforcement have an extremely negative opinion of it.

In other words: Law Enforcement needs to treat hacker cases as if they are the LAPD prosecuting a famous actor in LA. Or at least, that's the smartest thing to do strategically, and something the US does a lot worse than many of our allies.

Wednesday, August 2, 2017

0days: Testing, and Timing

Perfect timing is everything...
So there's another reason why nation states use 0days: Testing. Testing on exploits is particularly hard. All software is hard, but exploits are "things that are not supposed to work" by definition. This means not only are you testing them against a few VMs you have laying around but also against, say, every version of AVG's free virus protection you have ever seen, on every version of Windows possible, with every possible configuration.

As you can imagine, that problem is "exponential" in the way that computer scientists use the term when they mean "a complete freakin' nightmare". Of course, the only REAL test is whether they "work in the wild". This is a whole different level of "working" and "works in the wild" is labeled on many exploits to say 'yes, this one is at that next level of quality'.

And some exploits, even very good exploits, like ETERNALBLUE appears to be, fail the testing. (According to reporting, it was known as "ETERNAL BLUESCREEN" since it often crashed targets.)

When exploits fail the testing phase, you don't give up on them. You pass them off to different exploitation teams for more analysis, you wait for the code in the target process to change (which is often successful). You wait for another bug to be found to combine with this bug. Persistence, which is a key metric of your operational success, is not just about the hacking part, in other words.

And even if your exploit is PERFECT you still have many things to do before you can use it. It needs to be integrated into your toolset. People need to be trained on it. Targets need to be collected and triaged. Operational security notes need to be written. What do you do when the exploit fails? Does it leave logs? How do you clean those up? How do I tune my defenses to detect if the Russians are already using this vulnerability (and have therefor tuned their OWN defenses to detect it?)

All of these things take time and we could, in some cases, be talking several years. Your average penetration testing gig is maybe two weeks long. These processes are similar, but not the same. So be careful extrapolating operational work from penetration testing too much. The Grugq has a good presentation you can read on this evolution here.

Needless to say, attacking with vulnerabilities which already are well known has negative impact on your OPSEC. But it also may mean the targets you most care about (which have an average patch testing cycle of 14 days), may become out of your reach.

Tuesday, August 1, 2017

Do you need 0days? What about oxygen?

I always enjoy it when people say that you don't need 0days to gather cyber intelligence as a nation state, such as in today's SearchSecurity article about the BlackHat discussion on the VEP.

Technically, you don't need covert intelligence at all. Open Source information can be just as good in many cases. But then, there are also cases (and I'm struggling to avoid bombast here) where covert collection is desired. And from a military standpoint, there are many cases where hidden pre-placement on an enemy network is desired.


The answer to "Do you need 0days" is "Yes."

Intelligence and military work is quite different from penetration testing work. This should go without saying, but let's delve a bit into the "how" to see why exactly 0days are so useful.

First of all, in penetration testing you rarely sit on a target network for months or years collecting data like you do in intelligence. And you rarely need that data to be "untampered with". I.E. We don't want our signals intelligence collection to be double-agents feeding us false data. Implants in general have received a lot less attention in the public penetration testing sphere than in the intelligence sphere. FLAME is still generations ahead of what a typical penetration testing company would use. I say this, because our "Somewhat similar to FLAME" framework INNUENDO is in that market space, and the people who buy it are typically large banks looking to emulate nation state threats, not small and midsize penetration testing companies.

The thing is this: Using a non-0day exploit means IDS systems can silently catch you, and then burn and turn your implant network against you. This is a non-trivial risk. Human lives are OFTEN ON THE LINE and when they are not, billion dollar SIGINT programs are.

In intelligence, you need to overcome every network visibility and management tool the defender has, and the defender only has to detect you once. Also in many cases you simply cannot fail when doing intelligence operations in the cyber domain. In penetration testing you can get away with writing a report that says "You have no unpatched vulnerabilities on your system." This is, most of the time, what the customer really wants!

In intelligence work you have a much higher bar. Get in, get out, be undetected, for years at a time, and the consequences for failure are unimaginable. This is where 0days fit in, as part of a mature intelligence capability that takes into account the real risk structure of the world of mirrors.




Monday, July 31, 2017

Rebecca Slayton can write and has a cool name


This is a really great paper you can read here. Highly recommend it for its much more in-depth analysis of how offense is probably expensive. At the end, she goes into a cost/benefit of both offense and defense of Stuxnet - which in my opinion is the weakest part of the paper. You can't say vulnerabilities cost 0 dollars if they came from internal sources. And you can't just "average" the two possibilities you have and come up with a guess for how much something was.

I mean, the whole paper suffers a bit from that: If you're not intimately familiar with putting together offensive programs, there are many many moving pieces you don't account for in your spreadsheet. That's something you learn when running any business really. On the other hand, she's not on Twitter, so maybe she DOES have experience in fedworld and just doesn't want to go into depth?

Also, there's no discussion of opportunity costs. And a delay of three months on releasing a product, equally true for web applications and nuclear bombs, can be infinitely expensive.

But aside from that, this is the kind of work the policy world needs to start doing. Five stars, would read again.

I mean, the simpler way of saying this is the NSA mantra, which is that whoever knows the network better, controls it. And defenders obviously have a home-field advantage... :)

Quotas as a Cyber Norm

Originally I chose this picture as a way of illustrating perspective around different problems we have. But now I want a giant scorpion pet! So win-win!

Part of the security community's issue with the VEP is that it addresses a tiny problem that Microsoft has blown all out of proportion for no reason, and distracts attention from the really major and direct policy problems in cyber namely:

Vulnerabilities have many natural limits - like giant scorpions needing oxygen. If nothing else, it costs money to find them and test and exploit them, even assuming they are infinite in supply, which I assure you they are not. Likewise, vulnerabilities can be mitigated by a company with a good software development practice - there is a way for them to handle that kind of risk. A backdoored cryptographic standard or supply chain attack cannot be mitigated, other than by investing a lot of money in tamper proof bags, which is probably an unreasonable thing to ask Cisco to do. 

Deep down, forcing the bureaucracy to prioritize on actions that have no "cost" to them but high risk for an American company makes a lot more sense than something like the VEP, which imposes a prioritization calculus on something that is already high cost to the government.

Essentially what I'm asking for here is this: Limit the number of times a year we intercept a package from a vendor for backdooring. Maybe even publish that number? We could do this only for certain countries, perhaps? There are so many options, and all of them are better than "We do whatever we want to the supply chain and let the US companies bear those risks."

Likewise, do we have a policy on asking US companies to send backdoored updates to customers? Is it "Whenever it's important as we secretly define it?"

Imagine if China said, "Look, we backdoor two Huawei routers a year for intelligence purposes." Is that an OK norm to set?


Friday, July 28, 2017

A partial retraction of the Belfer paper

https://www.lawfareblog.com/what-you-see-what-you-get-revisions-our-paper-estimating-vulnerability-rediscovery

"Did not ever look at the data - hope the other two data sources are ok?"

As a scientist, I had the same reaction to the Belfer VEP paper that a climate scientist would when confronting a new "science" paper telling me the Earth was going into an ice age. So you can imagine my "surprise" when it got partially retracted a few days after being published in response to me having a few spare hours the afternoon the day after it was originally released.

Look, on the face of it, this paper's remaining numbers cannot be right. There are going to be obvious confounding variables and glaring statistical flaws in any version of this document that claims 15% of all bugs collide between two independent bug finders within the conditions this paper uses. They haven't released the new paper and data yet, so we will have to wait to find out what they are. But if you're in the mood for a Michael Bay movie-style trailer, I will say this: The answer is fuzzers, fuzzers, and more fuzzers. A better title for this paper would have been "Modern fuzzers are very complex and have a weird effect on bug tracking systems and also we have some unsubstantiated opinions on the VEP".

The only way to study these sorts of things is to get truly intimate with the data. This requires YEARS OF WORK reading reports daily about vulnerabilities and also experience writing and using exploits. Nobody in policy-land with a political science or international relations background wants to hear that. It sounds like something a total jerk would say. I get that and for sure Ari Schwartz gets that. But also I get that this is not a simple field where we can label a few things with a pocket-sized methodology and expect real data, the way this paper tried to.

An example of how not being connected to the bugs goes horribly wrong has been published on this blog previously, when a different Befler "researcher" (Mailyn Fiddler) had to correct her post on Stuxnet and bug collisions TWICE IN A ROW because she didn't have any of the understanding of the bugs themselves necessary to know when her thesis was obviously wrong.

As in the case of the current paper, she eventually claimed her "conclusion didn't change" just because the data changed drastically. That's a telling statement that divides evidence-based policy creation from ideological nonsense. Just as an ideological point of reference, Bruce Schneier, one of the current paper's authors, also was one of the people to work with the Guardian on the Snowden Archive.

The perfect paper on bug collision would probably find that the issue is multi-dimensional, and hardly a linear question of a "percentage". And any real effort to determine how this policy works against our real adversaries would be TOP SECRET CODEWORD at a minimum.




Friday, July 21, 2017

Something is very wrong with the Belfer bug rediscovery paper

This is what the paper says about its Chromium data:
Chrome: The Chrome dataset is scraped from bugs collected for Chromium, an open source software project whose code constitutes most the Chrome browser. 20 On top of Chromium, Google adds a few additional features, such as a PDF viewer, but there is substantial overlap, so we treat this as essentially identical to Chrome.21 Chrome presented a similar problem to Firefox, so to record only vulnerabilities with a reasonable likelihood of public discovery, we limited our collection to bugs labeled as high or critical severity from the Chromium bug tracker. This portion of the dataset comprises 3,397 vulnerability records of which there are 468 records with duplicates. For Chrome, we coded a vulnerability record as a duplicate if it had been merged with another, where merges were noted in the comments associated with each vulnerability record, or marked as a Duplicate in the Status field.

The problem with this methodology is simply that "merges" do not indicate rediscovery in the database. The vast majority of the findings relied upon for the paper are false positives.



To look at this, I went through their spreadsheet and collected out those mentioned 468 records. Then I examined them on the Chromium bug tracking system. The vast majority of them were "self-duplicates" from the automated fuzzing and crash detection systems.
I'm a Unix hacker so I converted it to CSV and wrote a Python script to look at the data. Happy to share scripts/data.

Looking at just the ones that have a CVE or got a reward makes more sense. There's probably only 45 true positives in this data set (i.e. the ones with CVE numbers). That's 1.3% which agrees with the numbers from the much cleaner OpenSSL Bug Database (2.4%) from this paper.



---
Notes:
Example false positives in their data set:

  • This one has a CVE, but doesn't appear to be a true positive other than people noticed things crashed in many different ways from one root cause.
  • Here someone at Google manually found something that clusterfuzz also found.
  • Here is another clear false positive. Here's another. Literally I just take any one of them, and then look at it.
  • Interesting one from Skylined, but also a false positive I think.



Thursday, July 20, 2017

Decoding Kasperksy



http://fortune.com/2017/07/16/kaspersky-russia-us/

Although various internet blowhards are hard at work asking for "More information to be released" regarding why the US is throwing Kaspersky under the bus, that's never going to happen. It's honestly easiest to get in the press by pretending to be in disbelief as to what the United States is doing in situations like this.

I say pretend because, it's really pretty clear what the US is saying. They are saying, through leaks and not-so-subtle hints, that Kasperksy was involved in Russian operations. It's not about "being close to the Kremlin" or historical ties between Eugene Kaspersky and the FSB or some kind of DDoS prevention software. Those are not actionable in the way this has been messaged at the highest levels. It's not some sort of nebulous "Russian Software" risk. It's about a line being crossed operationally.

The only question is whether you believe Eugene Kaspersky, who denies anything untoward, or the US Intelligence Community, which has used its strongest language and spokespeople as part of this effort and has no plans to release evidence.

And, in this particular case, the UK intel team (which has no doubt seen the evidence) is backing the US up, which is worth noting, and they are doing it in their customary subtle but unmistakable way, by saying at no point was Kaspersky software ever certified by their NCSC.

The question for security consultants, such as Immunity, is how do we advise our US-based clients - and looking at the evidence, you would have to advise them to stop using Kaspersky software. Perhaps your clients are better off with VenusTech?

I'm pretty sure this AV company is deceased!

Bugmusment 2017


The Paper itself:


Commentary:
Note that the paper in the selected area would be TS/SCI for both us and China. :)

(To be honest, I don't think it even does this)



Cannot be true.

Ok, so I can see how it went. After the Rand paper on 0day collisions came out, existing paper writers in the process of trying to point out how evil it was the Government knew about 0day were a bit up a creek without a paddle or even a boat of any kind.

Because here's the thing: The Rand paper's data agrees with every vulnerability researcher's "gut feeling" on 0day collision. You won't take a 5% over a year number to a penetration testing company and have them say, "NO WAY THAT IS MUCH TOO LOW!"

But if you were to take a 20% number to them, they would probably think something was wrong with your data. Which is exactly what I thought.

So I went to the data! Because UNLIKE the Rand paper, you can check out their GitHub, which is how all science should work. The only problem is, when you dig into the data, it does not say what the paper says it does!

Here is the data! https://github.com/mase-gh/Vulnerability-Rediscovery

From what I can tell, the Chromium data is from fuzzers, which naturally collide a lot. Especially when in most cases I can click on the rediscovery is from the exact same fuzzer, just hitting the same bug over and over in slightly different ways. The Android data I examined manually had almost all collisions from various libstagefright media parsing bugs, which are from fuzzers. A few seemed to be errors. In some cases, a CVE covers more than one bug, which makes it LOOK like they are collisions when they are not. This is a CVE issue more than anything else, but it skews the results significantly.

Ok, so to sum up:
The data I've looked at manually does not look like it supports the paper. This kind of research is hard specifically because manual analysis of this level of data is time consuming and requires subject matter experts.

It would be worth going in depth into the leaked exploits from ShadowBrokers etc. to see if they support any of the figures used in any of the papers on these subjects. I mean, it's hard not to note that Bruce Scheier has access to the Snowden files. Maybe there are some statistics about exploits in there that the rest of us haven't seen and he's trying to hint at?

This was the paragraph in the paper that worried me the most. There is NO ABILITY TO SCIENTIFICALLY HAVE ANY LEVEL OF PRECISION AS CLAIMED HERE.

Wednesday, July 19, 2017

An important note about 0days

https://twitter.com/ErrataRob/status/886942470113808384

For some reason the idea that patches == exploits and therefor any VEP-like program that releases patches is basically also trickling out exploits is hard to understand if you haven't done it.



Also, here's a very useful quick note from the head of Project Zero:


Issues with "Indiscriminate Attacks" in the Cyber Domain

c.f.: https://www.cyberscoop.com/petya-malmare-war-crime-tallinn-manual/ 

The fundamental nature of targeting in the cyber domain is very different from conventional military standards. In particular, with enough recon, you can say to a high degree "Even though I released a worm that will destroy every computer it touches, I don't think it will kill anyone or cause permanent loss of function for vital infrastructure."

For example, if I have SIGINT captures that say that the major hospitals have decent backup and recovery plans, and the country itself has put their power companies on notice to be able to handle computer failures, I may have an understanding of my worm's projected effects that nobody else does or can.

Clearly another historical exception is if my destructive payload is only applicable to certain very specific SCADA configurations. Yes, there are going to be some companies that interact poorly with my exploits and rootkit, and will have some temporary damage. But we've all decided that even a worm that wipes every computer is not "destroying vital infrastructure" unless it is targeted specifically at vital infrastructure and in a way that causes permanent damage. Sony Pictures and Saudi Aramco do still exist, after all, and they are not "hardened targets".

The main issue is this: You cannot know, from the worm or public information, what my targeting information has told me and you cannot even begin to ask until you understand the code. Analyzing Stuxnet took MONTHS OF HARD WORK. And almost certainly,  this analysis was only successful because of leprechaun-like luck, and there are still many parts of it which are not well understood.

So combine both an inability to determine after-the-fact if a worm or other tool was released with a minimal chance for death or injury because you don't know my targeting parameters with the technical difficulty of examining my code itself for "intent" to put International Law frameworks on a Tokyo-level shaky foundation. Of course, the added complication is that all of cyber goes over civilian infrastructure - which moots that angle as a differentiating legal analysis.

Many of the big governmental processes try to find a way to attach "intent" to code, and fall on their face. The Wassenaar Arrangement's cyber regs is one of them. In general, this is a problem International Law and Policy students will say is in every domain, but in Cyber, it's a dominant disruptive force. 

In other words, we cannot say that NotPetya was an "indiscriminate weapon". 

Monday, July 17, 2017

The Multi-Stakeholder Approach


I was struck listening to this policy panel as it weaved and dodged to avoid really confronting the hard questions it raised.

Asking for lexicons is weak sauce.
True enough.
He wants to have separate conversations on everything because that seems simpler. But it's a mirage - everything is connected. This is the kind of policy plan that works fine until any rubber has to hit any road whatsoever.
Jane Holl Lute never has anything interesting to say on Cyber. Here's a review of her BlackHat Keynote: click. It's pretty telling about the policy community that she still gets on these panels.
 
Ok, here are some of the hard questions that got left on the cutting room floor:

What can we do about having the information security community not trust the USG when it comes to what we say? 

What are the values of the information security community, and what would it mean to respect them in a multi-stakeholder environment on the Internet? 

What are we going to do if we can't detangle all these issues?



Wednesday, July 12, 2017

What Kaspersky Means for Cyber Policy

Context: https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence

Kaspersky has officially and unofficially denied any wrongdoing of any kind. But on the other hand, the recent actions by the US Government have not been subtle. The question is whether you believe McCain and Rubio and the IC over Eugene Kaspersky. It is clear from public reports that there is damning, but classified evidence which the US has no intention of releasing.

And there will be impact from the ban: While it's true that government agencies are "free" to still buy Kaspersky products, its unlikely any agency will do so, other than as a migration plan onto a GSA approved product.

If you've been to any US conference recently you've seen the sad sad Huawei booth, run by a "reseller" who would just as soon have the Huawei name removed from his equipment lines and unread brochures. This is what awaits Kaspersky in the US market, and there does not seem to be a way to fight it.

While this action only directly affects US Agencies (further bans may follow in legislation), it would be difficult to be a US Bank (aka, Critical Infrastructure) and continue using their software, and this could have widespread repercussions (as almost all banks are tightly connected and that is a huge market to lose for Kaspersky). Likewise, cyber insurance plans may require migrating off Kaspersky as a "known risk".

Examining what Kaspersky could have done to generate this reaction, you also have to note there are no mitigating factors available for recourse. The offer of looking at the source code means nothing since Kaspersky's AV is by definition a self-updating rootkit. So let's go over the kinds of things it  could have been:

  • Hack Back assistance (aka, "Active Countermeasures", as hinted at in the Bloomberg Report)
  • HUMINT cooperation (i.e. especially at their yearly Security Analyst Conference)
  • Influence operations (aka, ThreatPost, which is an interesting side venture for an AV)

The USG has not said what Kaspersky did that was so bad. What we've said is one clear thing: There is a line. Don't cross it.

As most of my friends say: It's about time.


Monday, July 10, 2017

Mass Surveillance and Targeted Hacking are the Same Thing


So I recommend you give the Morgan MARQUIS-BOIRE T2 Keynote a watch. It takes him a while to really get started but he gets rolling about 20 minutes in.

I think there is one really good quick note from the talk: Targeted and Mass Surveillance are the same thing. This is annoying, because ideologically the entire community wants to draw lines around one or the other. I.E. Targeted Good, Mass Bad.

But the reason you do targeted is to enable mass, and the reason you do mass is to enable targeted. And both are conjoined with "Software Backdoors implanted in the supply chain" in a way that is inextricable. Those of us in the 90's hacker scene used to say that the best way to crack a password was to just grep through your lists of that person's passwords. I.E We always had a million things hacked that we maintained the way a cartoon rabbit maintains their carrot patch, and that's how we did targeted attacks.

So whatever policy decisions you're going to make have to take this into account, and I think that's where the truly hard part starts.

Sunday, July 9, 2017

MAP(Distributed Systems Are Scary)

Everything in this paragraph is wrong in an interesting way but we're going to focus on the DNS thing today.

So I went back over the Lawfareblog post on the GGE failure and I wanted to point something very specific out: The Global Domain Name System is not something we should save. Also, the last thing we want the GGE doing is negotiating on the "proliferation of cyber tools", but thankfully that is a story for another day (never).

When I went to university for Computer Science I only had to have a B average to keep my NSA scholarship. And RPI didn't have any notion of prerequisites other than a giant pile of cash in the form of tuition, which the NSA was paying for me. So Freshman year I started signing up for random grad-level classes. These have a different grading system: A (You did ok)  B (You understand it but your labs might not have worked at all). C (You didn't do well at all) 

The only grad-level class I got a C in was Computer Security. 

One of the advanced classes I signed up for was parallel programming, which back then was done on IBM RS6000s running a special C compiler and some sort of mainframe timeshare architecture. They'd done a ton of effort to make it seem like you were programming in normal C with just a special macro API, but memory accesses could sometimes be network calls and every program was really running on a thousand cores and you couldn't really predict when things would happen and because the compiler chain was "Next Gen" (aka, buggy as shit) you didn't get useful error messages - just like programming on Google's API today!

It was an early weird machine. You either got it or you didn't. And a lot of the other students refused to let go of the idea that you could control the order of everything. In their end, their programs, which looked right, just didn't work or worked as slow as a dead moose, and they had no way to figure out why. They had learned to program in C, but they had never learned to program.

Last Thursday I was in DC at a trendy bar with some people who have a lot more experience at policy. And one of them (who I will only name as a "Senior Government Official", because he is, and because being called that will annoy him) at one point exasperatedly said "We should just ban taking money out of Bitcoin." He may have said "We should ban putting money INTO bitcoin." I can't remember. The cocktails at this place are so good the bartenders wear overalls and fake black-rimmed eyeglasses. I was pretty toasted, in other words, so I didn't press him on this, even though I should have.

I've been to a ton of policy meetings, both in the US and abroad, where high level government officials have wanted a "driver's license for the Internet" or "Let's ban exploit trade" or "Let's just ban bitcoin". These are all the kind of ideas that result from not understanding the weird distributed machine that is Internet Society.

Yes, as a protocol DNS is a rotten eyeball on the end of a stick poked deep into a lake full of hungry piranhas. But the correct solution is to MOVE AWAY FROM DNS. It is not to try to get everyone to agree not to attack it. 

DNS is not important in any real sense. If it went away, we could create another IP to name system that would work fine, and be more secure and not have, say, Unicode issues, and scalability issues and literally every other issue. We don't move away simply because governments (and the companies that run DNS) love DNS. They love it centrally controlled and they love how much money they can make selling it and managing it.

Nobody technical would have suggested this brain-dead idea of agreeing not to attack DNS. What's next, no attacking FTP servers? All ICMP packets must be faithfully transmitted! They would have then sent around the "evil bit" RFC as a laugh and moved on with their lives.

I'll admit to not being at the meeting, and not knowing the details of the proposal. But I'm confident it was the kind of silly every technical person in this business would have stopped if they had the chance. This says something else about why the GGE failed...




Friday, July 7, 2017

Reflections on the GGE "failure"

Surprise

Despite years of discussion and study, some participants continue to contend that is it premature to make such a determination and, in fact, seem to want to walk back progress made in previous GGE reports. I am coming to the unfortunate conclusion that those who are unwilling to affirm the applicability of these international legal rules and principles believe their States are free to act in or through cyberspace to achieve their political ends with no limits or constraints on their actions. That is a dangerous and unsupportable view, and it is one that I unequivocally reject. - Michele G. Markoff, Deputy Coordinator for Cyber Issues 


The key thing to understand about the State Department team negotiating this is they appear to be SURPRISED that things fell apart. But it was entirely predictable, at least to the five people who read this blog.

The factors that weigh like a millstone around the neck of our cyber diplomacy efforts, including our efforts in the UN, and NATO, and bilaterally, are all quite loud.

Internal Incohesion


The United States and every other country have many competing views internally and no way of solving any of the equities issues. The "Kaspersky" example is the most recent example of this. Assume Kaspersky did something equally bad as Huawei and ZTE - but something you can't prove without killing a source, which you are unwilling to do. Likewise, are we willing to say that whatever we are accusing Kasperksy of, in secret, we don't do ourselves? 

The Kaspersky dilemma continues even beyond that: We can either fail to act on whatever they did, which means we have no deterrence on anything ever (our current position), or we can unilaterally act without public justification, which acknowledges a completely balkanized internet forever. 

As many people have pointed out, information security rules that governments enforce (i.e. no crypto we can't crack, we must see your source code, etc.) are essentially massively powerful trade barriers.

On every issue, we, and every other country, are split. 

Misunderstanding around the Role of Non-Nation-States


Google and Microsoft have been most vocal about needing a new position when it comes to how technology companies are treated. But Twitter is also engaged in a lawsuit against the US Government. And the entire information security community is still extremely hostile to any implementation of the Wassenaar Arrangements cyber tools agenda (negotiated by Michele Markoff, I think!).

The big danger is this: When the information security community and big companies are resisting government efforts in one area, it poisons all other areas of communication. We are trying to drag these companies and their associated technical community along a road like a recalcitrant horse and we are surprised we are not making headway. It means when we have our IC make claims about attribution of cyber attacks, it is met with a standard of disbelief. 

Likewise, we still, for whatever reason, feel we have an edge when it comes to many areas where we (the USG) do not. Google attributed the WannaCry attacks to NK weeks before the IC was able to publish their document on it. DHS's "indicators of compromise" on recent malware (including the Russian DNC malware) has been amateur-grade.

On many of these issues, nation-states are no longer speaking with a voice of authority and we have failed to recognize this.

The equities issues are also ruinous, and we have yet to have a public policy on even the most obvious and easy ones: 


  • Yes/No/Sometimes: The United States should be able to go to a small US-based accounting software firm and say "We would like you to attach the following trojan to your next software update for this customer". 
  • Yes/No/Sometimes: The US should interdict a shipment of Cisco routers to add hardware to it. 

So many articles full of hyperbole have been written about the exploits the ShadowBrokers stole from the USG (allegedly) that even when we get the equities issues right, it looks wrong. Microsoft is without any reasonable argument on vulnerabilities equities, but that doesn't mean every part of every company's threat model has to include the US Government.

Attempt at "Large Principle Agreement" without Understanding the Tech

The aim of modern cyber norms is to be able to literally codify your agreements. Cyber decisions get made by autonomous code and need to be stated in that level of clarity. What this means is that if the standard database of "IP"->"Country" mapping (Maxminds) says you are in Iran, then you are in Iran!

If you try to do what the GGE did, you get exactly what happened at GGE - people are happy to agree on a large sweeping statement but only one where they define every word in it differently than you do and then later take it back.

You will often see claims of "Let's not attack critical infrastructure" and "Let's not attack CERTs" are examples of norms - but imagine how you would code those in real life! You can't! The Tallinn documents are also full of nonsensical items like "Cyber boobie traps" and other ports from previous domains which cannot be represented as code, and hence are obviously not going to stand up over time. 

What this points to is that we should be building our cyber norms process out of technical standards, with a thin layer of policy, not massive policy documents with a technology afterthought. 

Summary 

If you and your wife disagree on the definition of the term "cheating" then you're both happy to agree that cheating is bad. But if you then later go on to try to define the term in such a way that it doesn't apply to cigar related events and in a sense gerrymanders your activities as "OK" retroactively, your wife is going to pull out of the whole agreement and it's not confusing or surprising why. That's what happened at the GGE and in all of our cyber norms efforts. 

Wednesday, July 5, 2017

It Was Always Worms (in my heart!)

A New Age

1990s-2001: Worms (Code Red, etc.)
2002: Bill Gates Trustworthy Computing Email
2005-2015: Botnets and "APT" and Phishing <--THE ANOMALY DECADE.
2016: Advanced Persistent Worms! Worms everywhere! Internet of Worms!
2018: Defensive worms as policy teams catch up, in my optimistic worldview.

I'll be honest: Stuxnet and Flame and Duqu and the other tools (built during the anomaly decade) were worms, at their heart. All top-line nation-state tools are capable of autonomous operation. This means the state of play on the internet can change rapidly, with changing intent, rather than a massive five year wait as people do development and testing on new toolchains.

But all our defenses and policy regulations and laws and language have been built around botnets. The very idea of what attribution really means, or Wassenaar's cyber controls, or how we handle vulnerability disclosure as a nation-state are just some examples of this. But in the long run, both defense and offense will be using forms of self-replicant programs we don't have any kind of conceptual legal language to describe.

Part of the problem is that computer worms are not worms. Technically they are more like social insects building complex covert networks and distributed data structures on stolen computation. Worms are connected creatures - they are literally a tube from mouth to anus! Worms have a brain for command and control. This is how Metasploit works, basically.

Ants don't have and don't need a C2 and are much closer in terms of a model for what we will see on computer networks.

Trendlines

The key thing to realize is this: Smaller players are inevitably getting into the cyberwar game. That means more worms. Why? Because the less resources you have, the better a worm fits your strategic equation. If you're trying to replicate the QUANTUM infrastructure, but you're Finland, you are crazy.  This applies equally to small countries, and to non-nation-state players.

Likewise, the better defenses are at catching intrusions, the more worms you're going to have. Right now, vulnerabilities never ever get caught. But modern defenses have changed that. Here's Microsoft catching an A-grade team they call PLATINUM. Kaspersky also has been excellent at catching non-Russian A-Grade teams! :)

Exploits are going to start getting caught, which means they will be created and used very differently from the last ten years. Our policy teams are not ready for this change. Worms are an attacker's answers to the race of getting something done before getting caught by endpoint defenses and advanced analytics. And counter-worms are the obvious defensive answer for cleaning up unmanaged systems.

Fallacy: Some Bugs are Wormable vs Some Are Not Wormable

I'd like to take a moment to talk about this, because the policy world has this conception that some bugs are wormable, and should therefor go through the VEP process for disclosure, and other bugs are not, and are therefor less dangerous. It's super wrong. All bugs can be part of a worm. Modern worms are cross platform and can use XSS vulns and buffer overflows and logic bugs and stolen passwords and timing attacks all at once and get their information from all sorts of sources and spit out versions of themselves that have only some of their logic and auto-remove themselves from machines they don't need and frankly, act more and more like ants.

But many policy proposals try to draw a line between different kinds of vulnerabilities that is not there in practice by saying "These vulnerabilities are safe to have and use, and these are not". No such line exists in practice.

Policy Implications of the New Age of Worms

There are so many. I just want people to admit this is the age we are in and that our policy teams have all been trained on the Age of APT, which is now over. Let's start there. :)

Monday, July 3, 2017

Export Control, AI, and Ice Giants

If you look at "Export Control" in the face of the Internet, the change in our societies and nation-states, and the rise of 3d Printing, you have to ask yourself: Is this still a thing?

Most of the policy world turns up its nose at the idea that control regimes can fail at all. Their mantra is that "it worked for nuclear, it'll work for anything". That's the "Frost Giants" argument applied to control regimes in the sense of "We did export control, and we're not dead, so this stuff must work!"



And I haven't read a ton of papers or books recently who have even admitted that control regimes CAN FAIL. But recently I ordered a sample from a 3d printer of their new carbon fiber technique. They will send it to you for free and if you've only experienced the consumer 3d printer technology (which is basically a glue gun controlled by a computer) then it's worth doing.

The newer 3d printers can create basically anything. Guns are the obvious thing (and are mostly made of plastic anyways), but any kind of machined parts are clearly next. What does that mean for trademarks and copyrights, which are themselves a complex world-spanning control regime? Are we about to get "Napstered" in physical goods? Or rather, not "if" but "how soon" on that. Did it already happen and we didn't notice?

If we're going to look at failures, then missile control is an obvious one. This podcast (click here now!) from Arms Control Wonk (which is a GREAT policy podcast) demonstrates a few things towards the end:

  • How reluctant people are to THINK about control regime failure
  • How broken the missile control regimes are in some very complex and interesting ways. When inertial controls become good enough and cheap enough that missiles that previously were only good for nuclear warheads become "artillery" basically, for example.
Acknowledging that export control needs to change fundamentally is going to be a big step. And if I had my way (who knows, I might!) we would build in sunsets to most export control, and have a timeline of around one to five years for most of these controls, and just control a ton less categories and maybe make them work with the rest of our policy. 


AI as a case example


Take a quick gander at these graphics or click this link to see directly - dotted red line is "as good as a human":
The basic sum of this story is anything you can teach a human to recognize, you can do better in the cloud and then eventually on your phone.
The Immunity analysis has always been that there are about five computers in the world, and they all have names. Google, Alexa, Cortana, Siri, Baidu, etc. Our export control regimes are still trying to control the speed of CPUs, which is insane since Moore's law is dead and every chip company is working real hard on heat control now and chips don't even run at one speed anymore and if you ran all the parts in your laptop's CPU at top speed it would melt like cheese on a Philly sandwich.

But there are no computers by our definition in Europe or Russia - they are the third world in the information age. Which at least in the case of Europe is not something they are used to or enjoy thinking about

Read it and weep.
Looking at (and emulating) China's plan may be a good first step. But what are they really doing? 
  1. Funding scientific research in the area of Deep Learning
  2. Funding companies (big and small) doing operational experiments in AI
  3. Creating an AI National Lab 
  4. Making it impossible for foreign AI companies to compete in China (aka, Google)
  5. "Rapidly Gathering Foreign AI talent" and encouraging foreign companies to put research centers in China
  6. Analyzing how Government policies need to change in order to accept AI. MAKING SOCIETY FIT TECHNOLOGY instead of MAKING TECHNOLOGY FIT SOCIETY. Such an under-looked and important part of the Chinese Government's genius on this kind of issue.
  7. Probably a whole ton of really covert stuff!
Right now, the policy arms of the United States are still wrapped up in Encryption and backdoors on phones and "Going Dark" and the Europeans are in an even sillier space, trying to ban "intrusion software". These debates are colossally stupid. It's arguing over the temperature of the tea served on board an old wooden sailboat while next door the dry dock is putting together an Aegis Cruiser! 

AI is the whole pie. It's what game changing looks like when your imagination allows itself to believe in game changing events. It's as life altering to a nation-state as pregnancy is to a marriage. We can't afford to fail, as a society, but we may have to throw out everything we know about control regimes to succeed.

---
More:



Monday, June 26, 2017

CyberScoop: Why a global cybersecurity Geneva convention is not going to happen

Originally published on CyberScoop, this is just an archived version for the timeline!

Why a global cybersecurity Geneva convention is not going to happen


Microsoft President and Chief Legal Officer Brad Smith has been pounding the pavement all year asking for a " Cyber Geneva Convention" in the face of threats facing his employer's software and the greater global Internet at large.

It's a pipe dream and I'll tell you why.
Any global effort works best when there are clear answers. There is a clean line between “nuclear war” and “not nuclear war.” The cyber domain is different. While there is some consensus within Microsoft driven by business concerns and hyped as social concerns, there is none within or between global governments. We don’t even know the trade-offs that would be implied by many of the things Microsoft is asking for - a barrier on the trade of “cyber weapons” resulted in massive outcry when it was codified in the Wassenaar Arms Control Arrangement last year, some of which came from the very same people at Microsoft who rightfully realized it would severely slow progress on defensive technology as well.

To put it more clearly, the problem is a fractal. The U.S. Government cannot agree on any one cyber issue, but if you drill down neither can the DoD, and if you go deeper, even the NSA cannot agree with itself on these issues. No matter how far down the chain you go, there are competing initiatives and both sides are right in their own way. This is why we both fund efforts to stand up and break down Tor. When Hillary Clinton was Secretary of State, she gave a speech advocating a censorship-free Internet while also trying to prosecute Julian Assange. Every aspect of the cyber problem is linked and multifaceted, and we come down on both sides of the argument every time.

What Microsoft is driving at is a world where all hacking is off limits for governments forever, and vulnerability research would be strictly controlled in order to prevent it from "getting into the wrong hands." Even if Smith and Microsoft are successful in that endeavor, it would only result in empty words rather than a more secure global society. Aside from the obvious fact that Governments are unlikely to give up the ability to perform cyber operations, and that the lines in cyber are more blurry than a toddler’s finger painting this is the wrong fight for Microsoft to be fighting.
In order to understand why a "global cyber Geneva Convention" would miss the mark, let's look at Microsoft's possible motivations and how we got to this point overall.
The nightmare scenario Microsoft is trying to protect itself from has nothing to do with the Shadow Brokers' EQUATIONBLUE exploit, which was fed into the WannaCry ransomware worm. Keep in mind, every worthy SIGINT team around the world could use their own internal exploits to release two WannaCry-level worms a month in perpetuity until Microsoft could no longer sell their OS.
Beyond that Microsoft has to wonder if the Shadow Brokers has the capability to access internal Microsoft information. The group could leak that information, which would possibly include the giant volumes of vulnerability information in the Microsoft Bug Database, dwarfing anything an intelligence agency had found and exploited.
So while it may be Russia's GRU or some other elite nation-state hacking group, Microsoft — like every other company on the planet — lives at the will of the highly talented and well-financed digital spy apparatus. That's a level of risk that Microsoft would like to wipe off the balance sheet. It is telling that the United States Government cannot protect American businesses from even the smallest, weakest countries, in cyberspace, as Sony Pictures Entertainment demonstrated clearly, partially through policy paralysis.
So for Microsoft to push for a "global cyber Geneva Convention" is a selfish distraction from where governments should be concentrating when it comes to establishing future norms in cyberspace. While Microsoft's efforts here are largely focused on preventing  the release or use of software vulnerabilities, our real strategic issues have little to do with software bugs.
One such vulnerable area is cyber economic espionage. What changed with the Chinese-U.S. agreement is not what organizations were targeted or what information was taken from those targets. What changed — in theory at least — is what the Chinese do with that information on their end. Do they give it to competitors of U.S. companies, or do they use it only for strategic intelligence needs, as we hope they do under threat of massive sanctions? In other words, we have no way to police their behavior on this issue by looking at our own systems and networks. This is the kind of international regulation that is essentially on the honor system.
Supply chain attacks are even more dangerous for Microsoft’s businesses. All you have to do is look at Cisco and what they have learned from their routers being trojaned before being delivered to customers. This is an area where Chinese companies also struggle - take Huawei as the prime example, but Anti-Virus company Kaspersky is now fighting for its life in this space as well.
Those two examples of massive policy adjustments waiting to happen just scratch the surface. We haven't even discussed the chaos around cryptographic backdoors, customer data warrants, custom software versions like the "Red Flag" OS Microsoft was forced to build in China, Internet censorship, software export control and data localization.
These topics demonstrate the difficulty of any international agreement that focuses on norms that are very important to our industry, especially in an environment where almost all the real data is cloaked under high levels of classification. But the bigger issue with a "digital Geneva Convention" is that the focus is on vulnerabilities and "hacking" instead of the much bigger questions surrounding the circulatory barrier between private and public interests. You either deal with all of the issues in this area, or none, as they are all interlinked.
While the U.S. government has been quite open about its efforts to help the private sector wherever possible, (VEP, ICOnTheRecord, self-limiting how long we store traffic from foreigners, sanctions efforts, etc.), there's no sign that the world is ready to follow our lead. Shadow Brokers is widely assumed to be a Russian-led effort, yet other governments have been quite aggressive in bypassing any and all norms in the cyber area - even the much touted United Nations and NATO agreements have been about "broad principles," which are unenforceable in any practical way.
Ideally, a "Cyber Geneva Convention" would result in a sustainable global framework that handles these strategic issues. How vulnerabilities are handled is both too small an issue in comparison and unlikely to be followed by the majority of the world's governing bodies. This week, as we face down Russian efforts to attack power plants, recognized norms seem as far away as humans on Mars, no matter how nice they would be for Microsoft’s shareholders.
The painful truth that we would learn from any honest discussion around limits around cyber offensive capabilities is not that the world's governments disagree with each other, but that every government disagrees internally. This is as true in Germany and China, as it is in the U.S. It is also true that corporations’ place in our world and our how our wars are conducted has changed, and that has come with how the internet has changed in how humans organize.

Microsoft has always been a leader when it comes to information security, and this is as true with the legal issues surrounding them as it is technologically. A Global Cyber Geneva Convention is never going to happen, and we should not treat the idea as if it was a realistic way forward until we, internally, can agree on a single and coherent position.