Monthly Archives: July 2017

TOPransom: From eMail Attachment to Powning the Attacker’s Database

Hi folks, today I want to share a quick but intensive experience in fighting cybercrime. I wish you would appreciate the entire process from getting an email attachment to powning the ransom server trying to stop the infection and to alert everybody about the found threats. As a second step I would try to identify the attacker in order to give additional information to law enforcements, those actions would not be published. 

But, let's start by having a little bit of context:

During the past few days a colleague of mine (MarcoT.) gave me an interesting eMail attachment called: 71878378709_708463.zip (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba).
By unzipping the attachment, it was interesting to see a single .vbs file. By double clicking a .vbs file the victim would run it through microsoft wscript.exe which fires up the infection process. The eMail belongs to a more complex spamming set spread over USA and coming few days ago to Europe as well.

The visual basic script was obfuscated, as you may appreciate from the following image, but the used obfuscation technique was quite weak to reverse. In fact only one round of packing was adopted and after few substitutions "clear text strings" were observable.

Obfuscated Dropper

Interesting techniques were introduced in this dropper. First of all a lot of junk code (apparently good code) was added in order to make reverse engineering process much harder. Very interesting the choice of such a code apparently taken from real droppers but not linked to the analized one. Another interesting adopted technique was on the "User-Agent" settings, which happened to be the key-factor to download the real payload.  The dropper per-se is not interesting anymore. It basically uses a romantic WScript.Shell to execute a 'MZ' file once downloaded from compromised websites (IoC later on). The Dropped file is returned directly into the HTTP response body and saved with a static name in temporary user folder: saToHxy.exe. The dropper file renamed VB objects and VB functions to make everything a little harder.

Saving Dropper into user temporary file with static name

As today the dropping URLs are the following ones:
  • castillodepalazuelos.es/rf734rgf?
  • 2010.sggt-wh.de/rf734rgf?
  • actt.gr/rf734rgf?
As mentioned a romantic Shell.Run would execute the dropped payload. The Payload (sha356:6a51d0cd9ea189babad031864217ddd3a7ddba84) looks like a one-stager payload. No heavy encryption nor multi staging delivery is involved, clear and intuitive user functions within enabled debugging headers.


No Packing found

Firing up IDA and reversing the sample showed up small encoded payload through XOR and some anti debugging tricks such as the timing control and performance monitoring as follows:


Anti-Debugging tricks: Timing and Performante control
Following on the analysis it becomes clear the spread use of Secure Handler Exception Chain exploiting technique. By triggering exceptions the attacker calls modified exception handler functions able to decode the payload and to allocate it directly on the new memory pages, ending up on "call eax" section. The following image shows the decoding loop.

Decoding Loop on 0x3001220
Following a piece of decoded memory area (configuration file), decoded by 0x03001220.

Decoded Memory Area
Dynamic Analysis took out the evidence of a Ransomware payload. In fact following on the decoded payload by getting far on memory site the analyst could observe the ransom HTML page (next image). I would prefer to show out a rendered "ransom request page" rather than a junk of hexadecimal bytes. (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1) The ransom page looks looks like the following image.

Ransom Request Rendered File
I will call this Ransomware the "TOPransom" since the funny and evident mistake the attacker made in writing the ransom request file in where he suggested to download the TOP Browser rather then the TOR Browser :D (LOL). The TOPransom encrypts files and changes the file extensions with a alphanumeric extension, usually made of 3 characters (why "usually" ? Because looking at the attacker's db it looks like that, but I didn't find evidence on that). The modified extension is used as a hidden parameter in the ransom page. The following image shows some hidden features used by the attacker to bring informations to the control server.

POST request to buy the decrypter
Particularly interesting (at least in my persona point o view) the hidden input type called "FB" which looks like piggy backing two informations to the command and control (ransom server) such as: the extension and some hexadecimal content included in a crafted tag called "pre". By clicking on "Yes I want to buy" the victim POST such a data and are prompted to the following page asking for 0.18 BTC in order to get files back.

Request for ransom
 The FB hidden value "made me curious". By changing the first value (the one before the statement "pre") you would appreciate different BTC wallets with different asking prices. The following image shows the different results.

Request for ransom 2

This makes the system vulnerable to "balance enumeration" and to "denial of resources". In fact by enumerating the attacker wallet space I will perform a duplice action: if the wallet exists I'll take its balance, if the wallet does not exists the backend will create a new wallet, filling up the attacker reserved space for wallet creation. This action could block the new wallet creation ergo new infections.  So lets' write a simple dirty python script to force new wallet creation and money mapping.


Forcing New Wallets to limitate further infections (please do not consider this script as production ready script. Do not consider it as best implementation for such a goal)


Following on the analysis by playing a little bit further with that parameter (FB) I figured out it was vulnerable to SQL Injection. What a nice surprise !! The vulnerable parameter was the crafted tag called "pre" which vulnerable to code injection, which triggered SQLinjections.

SQLi on C&C server !

So let's try to pown the Attacker ! As first sight you may observe a MySQL error with not a latin characters. Google Translator says it is a Russian language ! Now we know that the attacker belongs, with high probability, to the Russian community. By investigating a little bit harder on the DB, only TOR availability and super slow, I found the botids and the relatives tasks. Please have a look to incremental ids and try to immagine how big was that network.

Bot Ids and relative locations

Another interesting topic was to investigate which were the system users(a.k.a the attackers). In other words the users of such a ransomware-as-a-service-platform" which happened to be the real attackers. Since It looks like a "Ransomware as a service" platform figuring out how many dollars the attackers were able to gain over time its my next goal. The following obfuscated image shows some of the found usernames, passwords (chipertext) and wallets the attackers used to gain profit.

Attackers Username, Passwords and Wallets
My attention ended up on that guy: god.true@xmpp.jp
That guy is related to the following private wallet: 1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N


As you might guess there are two main wallet types:
- Public wallets which store the victim's money. They are the public available wallets, everybody got infected must now them in order to pay the ransom.
- Private wallets which are the "real ones" belonging to attackers.  Private wallets got money from public wallet once reached the end of the attack. Platform charges are applied during that transaction.

Having the private wallet means to have the possibility to track down transactions history. Transactions history is a great source to figure out if that guy made more illegal activity over the past months. Following the go.true@xmpp.jp 's private wallet. We may observe interesting transactions as showed in the following image


Transaction From   1P3t56jg5RQSkFDWkDK3xBj9JPtXhSwc3N

That wallet which is DB-related to god.true@xmpp.jp, made huge amount of transactions back on 2017-04-23 and 2017-04-20 by moving out from its wallet 81,87 BTC harvested by many small and similar transactions! If we include the harvested BTC from this attack which currently have balance 13 BTC,  he or she is close to 100 BTC transactions. How about 2017-04 (do you remember any famous attack on that time ? :P) With high probability the attacker looks like abusing illegal activities (such as ransomware activities) more then once a time, this boy/girl -- with a high probability -- is a recurring attacker. By investigating a little bit more on that email address it's easy to find heavy relations between got.true@xmpp.jp and https://vlmi.su/ which is a Russian based Market Place where attackers buy and sell attacking tools, information and experiences.

After few more crafted SQL queries I was able to extract the "inst" talbe. Fields names are the following ones:

ID, IP, FB, OS, TIMED, TIMEIN. COUNTRY, BRWSER

Yes come one ! This table records the infected clients, let's see if we can do something to help them ! 
A simple DB count showed me more 2k infections so far. Not bad for being a plain new ransomware  as a service. The Targets look like being very spread all over the world. So far it's possible to extract the following country distribution.

TOPransom Victims Distribution

I will not disclosure IP addresses in order to guarantee victims privacy. Another interesting data comes from the victim browser distribution (another parameter collected by the attacker). Curiously the most used browser on windows devices is Chrome as the following image shows. [remember] The infection vector wasn't through web browser but through wscript.exe which opens .vbs by double click on it. [/remember]

TOPransomware victims browser distribution


On this post I've been describing the activity that took me from an email attachment to drop the entire attacker's database on a Ransomware as a Service platform that I called TOPransom. I've being trying to enumerate attacker's income and to mitigate the spreading vector by filling up wallets creation per user by writing a quick and durty python script.

Following IoC for your detection systems. Have fun !


IoC (summing up):
  • dropper .vba (sha256:fdd1da3bdd8f37dcc04353913b5b580dadda94ba)
  • saToHxy.exe (sha256:6a51d0cd9ea189babad031864217ddd3a7ddba84)
  • castillodepalazuelos.es/rf734rgf?
  • 2010.sggt-wh.de/rf734rgf?
  • actt.gr/rf734rgf?
  • https://n224ezvhg4sgyamb.onion.link/efwdaq.php
  • RECOVER-FILES-html (sha256: cdb3fef976270ab235db623d6a4a97ea93c41dd1)
  • Bot location: http://oeirasdigital.pt
  • Bot Location: http://jflo.ca/
  • TOP Browser

10 emerging ICS and IIoT cybersecurity companies to watch

The cybersecurity market has spawned a cottage industry of new industrial control systems (ICS) and industrial Internet of Things (IIoT) companies over the past few years.

These pure-plays focus primarily or exclusively on cyber-defending power grids, nuclear power plants, Supervisory Control and Data Acquisition (SCADA) systems, operational technology (OT) infrastructures, and industries covering chemicals, manufacturing, oil and gas, pharmaceuticals, power, and utilities.

The Cybersecurity Business Report presents a short list of 10 hot and emerging OT security vendors and solution providers. They bring cutting-edge technologies, and they're gaining attention as the next-generation security companies focused on the industrial side of "Things."

To read this article in full, please click here

CAN Bus Standard Vulnerability

NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard with proof-of-concept (PoC) exploit code affecting CAN Bus, a broadcast based network standard. According to the public report, which was coordinated with ICS-CERT prior to its public release, researchers Andrea Palanca, Eric Evenchick, Federico Maggi, and Stefano Zanero identified a vulnerability exploiting a weakness in the CAN protocol that allows an attacker to perform a denial-of-service (DoS) attack.

From Chrysaor to Lipizzan: Blocking a new targeted spyware family



Android Security is always developing new ways of using data to find and block potentially harmful apps (PHAs) from getting onto your devices. Earlier this year, we announced we had blocked Chrysaor targeted spyware, believed to be written by NSO Group, a cyber arms company. In the course of our Chrysaor investigation, we used similar techniques to discover a new and unrelated family of spyware called Lipizzan. Lipizzan’s code contains references to a cyber arms company, Equus Technologies.

Lipizzan is a multi-stage spyware product capable of monitoring and exfiltrating a user’s email, SMS messages, location, voice calls, and media. We have found 20 Lipizzan apps distributed in a targeted fashion to fewer than 100 devices in total and have blocked the developers and apps from the Android ecosystem. Google Play Protect has notified all affected devices and removed the Lipizzan apps.

We’ve enhanced Google Play Protect’s capabilities to detect the targeted spyware used here and will continue to use this framework to block more targeted spyware. To learn more about the methods Google uses to find targeted mobile spyware like Chrysaor and Lipizzan, attend our BlackHat talk, Fighting Targeted Malware in the Mobile Ecosystem.

How does Lipizzan work?

Getting on a target device

Lipizzan was a sophisticated two stage spyware tool. The first stage found by Google Play Protect was distributed through several channels, including Google Play, and typically impersonated an innocuous-sounding app such as a "Backup” or “Cleaner” app. Upon installation, Lipizzan would download and load a second "license verification" stage, which would survey the infected device and validate certain abort criteria. If given the all-clear, the second stage would then root the device with known exploits and begin to exfiltrate device data to a Command & Control server.

Once implanted on a target device

The Lipizzan second stage was capable of performing and exfiltrating the results of the following tasks:

  • Call recording
  • VOIP recording
  • Recording from the device microphone
  • Location monitoring
  • Taking screenshots
  • Taking photos with the device camera(s)
  • Fetching device information and files
  • Fetching user information (contacts, call logs, SMS, application-specific data)


The PHA had specific routines to retrieve data from each of the following apps:

  • Gmail
  • Hangouts
  • KakaoTalk
  • LinkedIn
  • Messenger
  • Skype
  • Snapchat
  • StockEmail
  • Telegram
  • Threema
  • Viber
  • Whatsapp

We saw all of this behavior on a standalone stage 2 app, com.android.mediaserver (not related to Android MediaServer). This app shared a signing certificate with one of the stage 1 applications, com.app.instantbackup, indicating the same author wrote the two. We could use the following code snippet from the 2nd stage (com.android.mediaserver) to draw ties to the stage 1 applications.



Morphing first stage

After we blocked the first set of apps on Google Play, new apps were uploaded with a similar format but had a couple of differences.

The apps changed from ‘backup’ apps to looking like a “cleaner”, “notepad”, “sound recorder”, and “alarm manager” app. The new apps were uploaded within a week of the takedown, showing that the authors have a method of easily changing the branding of the implant apps.
The app changed from downloading an unencrypted stage 2 to including stage 2 as an encrypted blob. The new stage 1 would only decrypt and load the 2nd stage if it received an intent with an AES key and IV.

Despite changing the type of app and the method to download stage 2, we were able to catch the new implant apps soon after upload.

How many devices were affected?

There were fewer than 100 devices that checked into Google Play Protect with the apps listed below. That means the family affected only 0.000007% of Android devices. Since we identified Lipizzan, Google Play Protect removed Lipizzan from affected devices and actively blocks installs on new devices.

What can you do to protect yourself?




  • Ensure you are opted into Google Play Protect
  • Exclusively use the Google Play store. The chance you will install a PHA is much lower on Google Play than using other install mechanisms.
  • Keep “unknown sources” disabled while not using it.
  • Keep your phone patched to the latest Android security update.


List of samples

1st stage



Newer version 


Standalone 2nd stage



FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed!

UPDATE (April 26, 2018): The web installer method to deploy FLARE VM is now deprecated. Please refer to the README on the FLARE VM GitHub for the most up-to-date installation instructions.

As a reverse engineer on the FLARE Team I rely on a customized Virtual Machine (VM) to perform malware analysis. The Virtual Machine is a Windows installation with numerous tweaks and tools to aid my analysis. Unfortunately trying to maintain a custom VM like this is very laborious: tools frequently get out of date and it is hard to change or add new things. There is also a constant fear that if the VM gets corrupted it would be super tedious to replicate all of the settings and tools that I’ve built up over the years. To address this and many related challenges, I have developed a standardized (but easily customizable) Windows-based security distribution called FLARE VM.

FLARE VM is a freely available and open sourced Windows-based security distribution designed for reverse engineers, malware analysts, incident responders, forensicators, and penetration testers. Inspired by open-source Linux-based security distributions like Kali Linux, REMnux and others, FLARE VM delivers a fully configured platform with a comprehensive collection of Windows security tools such as debuggers, disassemblers, decompilers, static and dynamic analysis utilities, network analysis and manipulation, web assessment, exploitation, vulnerability assessment applications, and many others.

The distribution also includes the FLARE team’s public malware analysis tools such as FLOSS and FakeNet-NG.

How To Get It

You are expected to have an existing installation of Windows 7 or above. This allows you to choose the exact Windows version, patch level, architecture and virtualization environment yourself.

Once you have that available, you can quickly deploy the FLARE VM environment by visiting the following URL in Internet Explorer (other browsers are not going to work):

http://boxstarter.org/package/url? https://raw.githubusercontent.com/fireeye/flare-vm/master/flarevm_malware.ps1

After you navigate to the above URL in the Internet Explorer, you will be presented with a Boxstarter WebLauncher dialog. Select Run to continue the installation as illustrated in Figure 1.


Figure 1: FLARE VM Installation

Following successful installation of Boxstarter WebLauncher, you will be presented with a console window and one more prompt to enter your Windows password as shown in Figure 2. Your Windows password is necessary to restart the machine several times during the installation without prompting you to login every time.


Figure 2: Boxstarter Password Prompt

The rest of the process is fully automated, so prepare yourself a cup of coffee or tea. Depending on your connection speed, the initial installation takes about 30-40 minutes. Your machine will also reboot several times due to the numerous software installation’s requirements. During the deployment process, you will see installation logs of a number of packages.

Once the installation is complete, it is highly recommended to switch the Virtual Machine networking settings to Host-Only mode so that malware samples would not accidentally connect to the Internet or local network. Also, take a fresh virtual machine snapshot so this clean state is saved! The final FLARE VM installation should look like Figure 3.


Figure 3: FLARE VM installation

NOTE: If you encounter a large number of error messages, try to simply restart the installation. All of the existing packages will be preserved and new packages will be installed.

Getting Started

The VM configuration and the included tools were either developed or carefully selected by the members of the FLARE team who have been reverse engineering malware, analyzing exploits and vulnerabilities, and teaching malware analysis classes for over a decade. All of the tools are organized in the directory structure shown in Figure 4.

Figure 4: FLARE VM Tools

While we attempt to make the tools available as a shortcut in the FLARE folder, there are several available from command-line only. Please see the online documentation at http://flarevm.info for the most up to date list.

Sample Analysis

In order to best illustrate how FLARE VM can assist in malware analysis tasks let’s perform a basic analysis on one of the samples we use in our Malware Analysis Crash Course.

First, let’s obtain some basic indicators by looking at the strings in the binary. For this exercise, we are going to run FLARE’s own FLOSS tool, which is a strings utility on steroids. Visit http://flosseveryday.info for additional information about the tool. You can launch it by clicking on the FLOSS icon in the taskbar and running it against the sample as illustrated in Figure 5.


Figure 5: Running FLOSS

Unfortunately, looking over the resulting strings in Figure 6 only one string really stands out and it is not clear how it is used.


Figure 6: Strings Analysis

Let’s dig a bit more into the binary by opening up CFF Explorer in order to analyze sample’s imports, resources, and PE header structure. CFF Explorer and a number of other utilities are available in the FLARE folder that can be accessed from the Desktop or the Start menu as illustrated in Figure 7.


Figure 7: Opening Utilities

While analyzing the PE header, there were several indicators that the binary contains a resource object with an additional payload. For example, the Import Address Table contained relevant Windows API calls such as LoadResource, FindResource and finally WinExec. Unfortunately, as you can see in Figure 8 the embedded payload “BIN” contains junk so it is likely encrypted.


Figure 8: PE Resource

At this point, we could continue the static analysis or we could “cheat” a bit by switching over to basic dynamic analysis techniques. Let’s attempt to quickly gather basic indicators by using another FLARE tool called FakeNet-NG. FakeNet-NG is a dynamic network emulation tool which tricks malware into revealing its network functionality by presenting it with fake services such as DNS, HTTP, FTP, IRC and many others. Please visit http://fakenet.info for additional information about the tool.

Also, let’s launch Procmon from Sysinternals Suite in order to monitor all of the File, Registry and Windows API activity as well. You can find both of these frequently used tools in the taskbar illustrated in Figure 9.


Figure 9: Dynamic Analysis

After executing the sample with Administrator privileges, we quickly find excellent network- and host–based indicators. Figure 10 shows FakeNet-NG responding to malware’s attempt to communicate with evil.mandiant.com using HTTP protocol. Here we capture useful indicators such as a complete HTTP header, URL and a potentially unique User-Agent string. Also, notice that FakeNet-NG is capable of identifying the exact process communicating which is level1_payload.exe. This process name corresponds to the unique string that we have identified in the static analysis, but couldn’t understand how it was used.

Figure 10: FakeNet-NG

Comparing our findings with the output of Procmon in Figure 11, we can confirm that the malware is indeed responsible for creating level1_payload.exe executable in the system32 folder.


Figure 11: Procmon

As part of the malware analysis process, we could continue digging deeper by loading the sample in a disassembler and performing further analysis inside a debugger. However, I would not want to spoil this fun for our Malware Analysis Crash Course students by sharing all the answers here. That said all of the relevant tools to perform such analysis are already included in the distribution such as IDA Pro and Binary Ninja disassemblers, a nice collection of debuggers and several plugins, and many others to make your reverse engineering tasks as convenient as possible.

Have It Your Way

FLARE VM is a constantly growing and changing project. While we try to cover as many use-case scenarios as possible it is simply impossible due to the nature of the project. Luckily, FLARE VM is extremely easy to customize because it was built on top of the Chocolatey project. Chocolatey is a Windows-based package management system with thousands of packages. You can find the list here: https://chocolatey.org/packages. In addition to the public Chocolatey repository, FLARE VM uses our own FLARE repository which constantly growing and currently contains about 40 packages.

What all this means is that if you want to quickly add some package, let’s say Firefox, you no longer have to navigate to the software developer’s website. Simply open up a console and type in the command in Figure 12 to automatically download and install any package:


Figure 12: Installing packages

In a few short moments, Firefox icon is going to appear on your Desktop with no user interaction necessary.

Staying up to date

As I’ve mentioned in the beginning, one of the hardest challenges of unmanaged Virtual Machine is trying to keep all the tools up to date. FLARE VM solves this problem. You can completely update the entire system by simply running the command in Figure 13.


Figure 13: Staying up to date

If any of the installed packages have newer versions, they will be automatically downloaded and installed.

NOTE: Don’t forget to take another clean snapshot of an updated system and set networking back to Host-Only.

Conclusion

I hope you enjoy this new free tool and will adopt it as another trusted resource to perform reverse engineering and malware analysis tasks. Next time you need to set up a new malware analysis environment, try out FLARE VM!

In these few pages, we could only scratch the surface of everything that FLARE VM is capable of; however, feel free to leave your comments, tool requests, and bugs on our Github issues page here: https://github.com/fireeye/flare-vm or http://flarevm.info/.

STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD


The potential for fake news to turn viral using social media is quite real. There have been several instances where rumors have incited mob violence between rival communities. The consequence got out of hand when illiterate tribals in a remote Indian district received a Whatsapp message which claimed that children could be kidnapped by a gang and their body parts sold. The message went viral in these villages and mobs of upto 500 people pounced on strangers who they suspected to the child kidnappers, in all there were two incidents where 7 people were lynched.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

 As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely-crafted fake/distorted news introduced over periods of time by vested interests can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods

·         Individuals concoct their own stories

·         Marketers release competitive advertisements based on unproven data

·         Groups with vested interests manipulate the volume and narrative of news.

·         Photographs are morphed

·         Old photographs are used to depict recent events

·         Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other type of content that results in incitement or defamation attract stronger penalties and jail terms. Police are more aware and vigilant.
Most cybercitizens unwitting help fake news go viral by recirculating it. It creates a sense of belief that it must be true because the other person must have validated the news before sending it.

Pause before forwarding, Evaluate veracity and then Forward. Do not be that link in the chain responsible for the circulation of Fake News
Cybercitizens, do take care when crafting messages on social media – a little mischief may provide you a few years in government paid accommodation – Jail. Advise your children to be responsible and do cross check news received over social media before recirculating or believing in it.

Red team versus blue team: How to run an effective simulation

The military does it. The Government Accountability Office does it. So does the National Security Agency. The concept has made its way into the corporate world, too: war-gaming the security infrastructure.

Red team-blue team exercises take their name from their military antecedents. The idea is simple: One group of security pros — a red team — attacks something, and an opposing group — the blue team — defends it. Originally, the exercises were used by the military to test force-readiness. They have also been used to test physical security of sensitive sites like nuclear facilities and the Department of Energy's National Laboratories and Technology Centers. In the '90s, experts began using red team-blue team exercises to test information security systems.

To read this article in full, please click here

Hacking the Universe with Quantum Encraption

Ladies and Gentlemen of the Quantum Physics Community:

  I want you to make a Pseudorandom Number Generator!

  And why not!  I’m just a crypto nerd working on computers, I only get a few discrete bits and a handful of mathematical operations.  You have such an enormous bag of tricks to work with!  You’ve got a continuous domain, trigonometry, complex numbers, eigenvectors…you could make a PRNG for the universe!  Can you imagine it?  Your code could be locally hidden in every electron, proton, fermion, boson in creation.

  Don’t screw it up, though.  I can’t possibly guess what chaos would (or would fail to) erupt, if multiple instances of a PRNG shared a particular seed, and emitted identical randomness in different places far, far away.  Who knows what paradoxes might form, what trouble you might find yourself entangled with, what weak interactions might expose your weak non-linearity.  Might be worth simulating all this, just to be sure.

  After all, we wouldn’t want anyone saying, “Not even God can get crypto right”.

—–

  Cryptographically Secure Pseudorandom Number Generators are interesting.  Given a relatively small amount of data (just 128 bits is fine) they generate an effectively unlimited stream of bits completely indistinguishable from the ephemeral quantum noise of the Universe.  The output is as deterministic as the digits of pi, but no degree of scientific analysis, no amount of sample data will ever allow a model to form for what bits will come next.

  In a way, CSPRNGs represent the most practical demonstration of Godel’s First Incompleteness Theorem, which states that for a sufficiently complex system, there can be things that are true about it that can never be proven within the rules of that system.  Science is literally the art of compressing vast amounts of experimentally derived output on the nature of things, to a beautiful series of rules that explains it.  But as much as we can model things from their output with math, math can create things we can never model.  There can be a thing that is true — there are hidden variables in every CSPRNG — but we would never know.

  And so an interesting question emerges.  If a CSPRNG is indistinguishable from the quantum noise of the Universe, how would we know if the quantum noise of the universe was not itself a CSPRNG?  There’s an infinite number of ways to construct a Random Number Generator, what if Nature tried its luck and made one more?  Would we know?

  Would it be any good?

   I have no idea.  I’m just a crypto nerd.  So I thought I’d look into what my “nerds from another herd”, Quantum Physicists, had discovered.

—–

  Like most outsiders diving into this particular realm of science, I immediately proceeded to misunderstand what Quantum Physics had to say.  I thought Bell’s Theorem ruled out anything with secret patterns:

“No physical theory of local hidden variables can ever reproduce all the predictions of quantum mechanics.”  

  I thought that was pretty strange.  Cryptography is the industrial use of chaotic systems with hidden variables.  I had read this to mean, if there were ever local hidden variables in the random data that quantum mechanics consumed, the predictions would be detectably different from experimental evidence.

  Quantum Physics is cool, it’s not that cool.  I have a giant set of toys for encrypting hidden variables in a completely opaque datastream, what, I just take my bits, put them into a Quantum Physics simulation, and see results that differ from experimental evidence?  The non-existence of a detection algorithm distinguishing encrypted datastreams from pure quantum entropy, generic across all formulations and levels of complexity, might very well be the safest conjecture in the history of mathematics.  If such a thing existed, it wouldn’t be one million rounds of AES we’d doubt, it’d be the universe.

  Besides, there’s plenty of quantum mechanical simulations on the Internet, using JavaScript’s Math.Random.  That’s not exactly a Geiger counter sitting next to a lump of Plutonium.  This math needs uniform distributions, it does not at all require unpredictable ones.

  But of course I completely misunderstood Bell.  He based his theorem on what are now called Bell Inequalities.  They describe systems that are in this very weird state known as entanglement, where two particles both have random states relative to the universe, but opposite states relative to eachother.  It’s something of a bit repeat; an attacker who knows a certain “random” value is 1 knows that another “random” value is 0.  But it’s not quite so simple.  The classical interpretation of entanglement often demonstrated in relation to the loss of a shoe (something I’m familiar with, long story).  You lose one shoe, the other one is generally identical.

  But Bell inequalities, extravagantly demonstrated for decades, demonstrate that’s just not how things work down there because the Universe likes to be weird.  Systems at that scale don’t have a ground truth, as much as a range of possible truths.  Those two particles that have been entangled, it’s not their truth that is opposite, it’s their ranges.  Normal cryptanalysis isn’t really set up to understand that — we work in binaries, 1’s and 0’s.  We certainly don’t have detectors that can be smoothly rotated from “detects 1’s” to “detects 0’s”, and if we did we would assume as they rotated there would be a linear drop in 1’s detected matching a linear increase in 0’s.

  When we actually do the work, though, we never see linear relationships.  We always see curves, cos^2 in nature, demonstrating that the classical interpretation is wrong.  There are always two probability distributions intersecting.

—–

  Here’s the thing, and I could be wrong, but maybe I’ll inspire something right.  Bell Inequalities prove a central thesis of quantum mechanics — that reality is probabilistic — but Bell’s Theorem speaks about all of quantum mechanics.  There’s a lot of weird stuff in there!  Intersecting probability distributions is required, the explanations that have been made for them are not necessarily necessary.

  More to the point, I sort of wonder if people think it’s “local hidden variables” XOR “quantum mechanics” — if you have one, you can’t have the other.  Is that true, though?  You can certainly explain at least Bell Inequalities trivially, if the crystal that is emitting entangled particles emits equal and opposite polarizations, on average.  In other words, there’s a probability distribution for each photon’s polarization, and it’s locally probed at the location of the crystal, twice.

  I know, it would seem to violate conservation of angular momentum.  But, c’mon.  There’s lots of spare energy around.  It’s a crystal, they’re weird, they can get a tiny bit colder.  And “Nuh-uh-uh, Isaac Newton!  For every action, there is an equal and opposite probability distribution of a reaction!” is really high up on the index of Shit Quantum Physicists Say.

Perhaps more likely, of course, is that there’s enough hidden state to bias the probability distribution of a reaction, or is able to fully describe the set of allowable output behaviors for any remote unknown input.  Quantum Physics biases random variables.  It can bias them more.  What happens to any system with a dependency on random variables that suddenly aren’t?  Possibly the same thing that happens to everything else.

  Look.  No question quantum mechanics is accurate, it’s predictive of large chunks of the underlying technology the Information Age is built on.  The experiment is always right, you’re just not always sure what it’s right about.  But to explain the demonstrable truths of probability distribution intersection, Quantum Physicists have had to go to some pretty astonishing lengths.  They’ve had to bend on the absolute speed limit of the universe, because related reactions were clearly happening in multiple places in a manner that would require superluminal (non-)communication.

  I guess I just want to ask, what would happen if there’s just a terrible RNG down there — non-linear to all normal analysis, but repeat its seed in multiple particles and all hell breaks loose?  No really, what would happen?

   Because that is the common bug in all PRNGs, cryptographically secure and otherwise.  Quantum mechanics describes how the fundamental unstructured randomness of the universe is shaped and structured into probability distributions.  PRNGs do the opposite — they take structure, any structure, even fully random bits limited only by their finite number — and make them an effectively unbound stream indistinguishable from what the Universe has to offer.

  The common PRNG bug is that if the internal state is repeated, if the exact bits show up in the same places and the emission counter (like the digit of pi requested) is identical, you get repeated output.

  I’m not saying quantum entanglement demonstrates bad crypto.  I wouldn’t know.  Would you?

  Because here’s the thing.  I like quantum physics.  I also like relativity.  The two fields are both strongly supported by the evidence, but they don’t exactly agree with one another.  Relativity requires nothing to happen faster than the speed of light; Quantum Physics kind of needs its math to work instantaneously throughout the universe.  A sort of detente has been established between the two successful domains, called the No Communication theorem.  As long as only the underlying infrastructure of quantum mechanics needs to go faster than light, and no information from higher layers can be transmitted, it’s OK.

   It’s a decent hack, not dissimilar to how security policies never seem to apply to security systems.  But how could that even work?  Do particles (or waves, or whatever) have IP addresses?  Do they broadcast messages throughout the universe, and check all received messages for their identifier?  Are there routers to reduce noise?  Do they maintain some sort of line of sight at least?  At minimum, there’s some local hidden variable even in any non-local theory, because the system has to decide who to non-locally communicate with.  Why not encode a LUT (Look Up Table) or a function that generates the required probability distributions for all possible future interactions, thus saving the horrifying complexity of all particles with network connections to all other particles?

  Look, one can simulate weak random number generators in each quantum element, and please do, but I think non-locality must depend on some entirely alien substrate, simulating our universe with a speed of light but choosing only to use that capacity for its own uses.  The speed of light itself is a giant amount of complexity if instantaneous communication is available too.

  Spooky action at a distance, time travel, many worlds theories, simulators from an alien dimension…these all make for rousing episodes of Star Trek, but cryptography is a thing we actually see in the world on a regular basis.  Bad cryptography, even more so.

—-

  I mentioned earlier, at the limit, math may model the universe, but our ability to extract that math ultimately depends on our ability to comprehend the patterns in the universe’s output.  Math is under no constraint to grant us analyzable output.

  Is the universe under any constraint to give us the amount of computation necessary to construct cryptographic functions?  That, I think, is a great question.

  At the extreme, the RSA asymmetric cipher can be interpreted symmetrically as F(p,q)==n, with p and q being large prime numbers and F being nothing more than multiply.  But that would require the universe to support math on numbers hundreds of digits long.  There’s a lot of room at the bottom but even I’m not sure there’s that much.  There’s obviously some mathematical capacity, though, or else there’d be nothing (and no one) to model.

  It actually doesn’t take that much to create a bounded function that resists (if not perfectly) even the most highly informed degree of relinearizing statistical work, cryptanalysis.  This is XTEA:

/* take 64 bits of data in v[0] and v[1] and 128 bits of key[0] - key[3] */

void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4]) {
    unsigned int i;
    uint32_t v0=v[0], v1=v[1], sum=0, delta=0x9E3779B9;
    for (i=0; i < num_rounds; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum>>11) & 3]);
    }
    v[0]=v0; v[1]=v1;
}

  (One construction for PRNGs, not the best, is to simply encrypt 1,2,3… with a secret key.  The output bits are your digits, and like all PRNGs, if the counter and key repeat, so does the output.)

  The operations we see here are:

  1. The use of a constant.  There are certainly constants of the universe available at 32 bits of detail.
  2. Addition.  No problem.
  3. Bit shifts.  So that’s two things — multiplication or division by a power of two, and quantization loss of some amount of data.  I think you’ve got that, it is called quantum mechanics after all.
  4. XOR and AND.  This is tricky.  Not because you don’t have exclusion available — it’s not called Pauli’s Let’s Have A Party principle — but because these operations depend on a sequence of comparisons across power of two measurement agents, and then combining the result.  Really easy on a chip, do you have that kind of magic in your bag of tricks?  I don’t know, but I don’t think so.

  There is a fifth operation that is implicit, because this is happening in code.  All of this is happening within a bitvector 32 bits wide, or GF(2^32), or % 2**32, depending on which community you call home.  Basically, all summation will loop around.  It’s OK, given the proper key material there’s absolutely an inverse function that will loop backwards over all these transformations and restore the original state (hint, hint).

  Modular arithmetic is the math of clocks, so of course you’d expect it to exist somewhere in a world filled with things that orbit and spin.  But, in practical terms, it does have a giant discontinuity as we approach 1 and reset to 0.  I’m sure that does happen — you either do have escape velocity and fly off into the sunset, or you don’t, crash back to earth, and *ahem* substantially increase your entropy — but modular arithmetic seems to mostly express at the quantum scale trigonometrically.  Sine waves can possibly be thought of as a “smoothed” mod, that exchanges sharp edges for nice, easy curves.

  Would trig be an improvement to cryptography?  Probably not! It would probably become way easier to break!  While the universe is under no constraint to give you analyzable results, it’s also under no constraint not to.  Crypto is hard even if you’re trying to get it right; randomly throwing junk together will (for once) not actually give you random results.

  And not having XOR or AND is something notable (a problem if you’re trying to hide the grand secrets of the universe, a wonderful thing if you’re trying to expose them).  We have lots of functions made out of multiply, add, and mod.  They are beloved by developers for the speed at which they execute.  Hackers like ‘em too, they can be predicted and exploited for remote denial of service attacks.  A really simple function comes from the legendary Dan Bernstein:

unsigned djb_hash(void *key, int len)
{
    unsigned char *p = key;
    unsigned h = 0;
    int i;

    for (i = 0; i < len; i++)
    {
        h = 33 * h + p[i];
    }

    return h;
}

  You can see the evolution of these functions at http://www.eternallyconfuzzled.com/tuts//jsw_tut_hashing.aspx , what should be clear is that there are many ways to compress a wide distribution into a small one, with various degrees of uniformity and predictability.

  Of course, Quantum Physicists actually know what tools they have to model the Universe at this scale, and their toolkit is vast and weird.  A very simple compression function though might be called Roulette — take the sine of a value with a large normal or Poisson distribution, and emit the result.  The output will be mostly (but not quite actually) uniform.

  Now, such a terrible RNG would be vulnerable to all sorts of “chosen plaintext” or “related key” attacks.  And while humans have learned to keep the function static and only have dynamic keys if we want consistent behavior, wouldn’t it be tragic if two RNGs shipped with identical inputs, one with a RNG configured for sine waves, the other configured for cosine?  And then the results were measured against one another?  Can you imagine the unintuitive inequalities that might form?

  Truly, it would be the original sin.

—–

  I admit it.  I’m having fun with this (clearly).  Hopefully I’m not being too annoying.  Really, finally diving into the crazy quantum realm has been incredibly entertaining.  Have you ever heard of Young’s experiment?  It was something like 1801, and he took a pinhole of sunlight coming through a wall and split the light coming out of it with a note card.  Boom!  Interference pattern!  Proved the existence of some sort of wave nature for light, with paper, a hole, and the helpful cooperation of a nearby stellar object.  You don’t always need a particle accelerator to learn something about the Universe..

  You might wonder why I thought it’d be interesting to look at all this stuff.  I blame Nadia Heninger.  She and her friends discovered that about (actually, at least) one in two hundred private cryptographic keys were actually shared between systems on the Internet, and were thus easily computed.  Random number generation had been shown to have not much more than two nines of reliability in a critical situation.  A lot of architectures for better RNG had been rejected, because people were holding out for hardware.  Now, of course, we actually do have decent fast RNG in hardware, based on actual quantum noise.  Sometimes people are even willing to trust it.

  Remember, you can’t differentiate the universe from hidden variable math, just on output alone.

  So I was curious what the de minimus quantum RNG might look like.  Originally I wanted to exploit the fact that LEDs don’t just emit light, they generate electricity when illuminated.  That shouldn’t be too surprising, they’re literally photodiodes.  Not very good ones, but that’s kind of the charm here.  I haven’t gotten that working yet, but what has worked is:

  1. An arduino
  2. A capacitor
  3. There is no 3

  It’s a 1 Farad, 5V capacitor.  It takes entire seconds to charge up.  I basically give it power until 1.1V, and let it drain to 1.0V.  Then I measure, with my nifty 10 bit ADC, just how much voltage there is per small number of microseconds.

  Most, maybe all TRNGs, come down to measuring a slow clock with a fast clock.  Humans are pretty good at keeping rhythm at the scale of tens of milliseconds.  Measure us to the nanosecond, and that’s just not what our meat circuits can do consistently.

   How much measurement is enough?  10 bits of resolution to model the behavior of trillions of electrons doesn’t seem like much.  There’s structure in the data of course, but I only need to think I have about 128 bits before I can do what you do, and seed a CSPRNG with the quantum bits.  It’ll prevent any analysis of the output that might be, you know, correlated with temperature or power line conditions or whatnot.

  And that’s the thing with so-called True RNGs, or TRNGs.  Quantum Physics shapes the fundamental entropy of the universe, whether you like it or not, and acts as sort of a gateway filter to the data you are most confident lacks any predictable structure, and adds predictable structure.  So whenever we build a TRNG, we always overcollect, and very rarely directly expose.  The great thing about TRNGs is — who knows what junk is in there?  The terrifying thing about TRNGs is, not you either.

  In researching this post, I found the most entertaining paper:  Precise Monte Carlo Simulation of Single Photon Detectors (https://arxiv.org/pdf/1411.3663.pdf).  It had this quote:

Using a simple but very demanding example of random number generation via detection of Poissonian photons exiting a beam splitter, we present a Monte Carlo simulation that faithfully reproduces the serial autocorrelation of random bits as a function of detection frequency over four orders of magnitude of the incident photon flux.

  See, here is where quantum nerds and crypto nerds diverge.

  Quantum nerds:  “Yeah, detectors suck sometimes, universe is fuzzy whatcha gonna do”

  Crypto nerds:  “SERIAL AUTOCORRELATION?!  THAT MEANS YOUR RANDOM BITS ARE NOT RANDOM”

  Both are wrong, both are right, damn superposition.  It might be interesting to investigate further.

—–

  You may have noticed throughout this post that I use the phrase randomness, instead of entropy.  That is because entropy is a term that cryptographers borrowed from physicists.  For us, entropy is just an abstract measure of how much we’d have to work if we threw up our hands on the whole cryptanalysis enterprise and just tried every possibility.  For experimental physicists, entropy is something of a thing, a condition, that you can remove from a system like coal on a cart powered by a laser beam.

  Maybe we should do that.  Let me explain.  There is a pattern, when we’re attacking things, that the closer you get to the metal the more degrees of freedom you have to mess with its normal operations.  One really brutal trick involves bypassing a cryptographic check, by letting it proceed as expected in hardware, and then just not providing enough electrons to the processor at the very moment it needs to report the failure.  You control the power, you control the universe.

   Experimental physicists control a lot of this particular universe.  You know what sort of cryptographic attack we very rarely get to do?  A chosen key attack.

  Maybe we should strip as much entropy from a quantum system as physically possible, and see just how random things are inside the probability distributions that erupt upon stimulation.  I don’t think we’ll see any distributional deviations from quantum mechanics, but we might see motifs (to borrow a phrase from bioinformatics) — sequences of precise results that we’ve seen before.  Course grain identity, fine grain repeats.

  Worth taking a look.  Obviously, I don’t need to tell physicists how to remove entropy from their system.  But it might be worth mentioning, if you make things whose size isn’t specified to matter, a multiple of prime integer relationships to a size that is known to be available to the system, you might see unexpected peaks as integer relationships in unknown equations expose as sharing factors with your experimental setup.  I’m not quite sure you’ll find anything, and you’ll have to introduce some slop (and compensate for things like signals propagating at different speeds as photons in free space or electronic vibrations within objects) maybe, if this isn’t already common exploratory experimental process, you’ll find something cool.

   I know, I’m using the standard hacker attack patterns where they kind of don’t belong.  Quantum Physics has been making some inroads into crypto though, and the results have been interesting.  If you think input validation is hard now, imagine if packet inspection was made illegal by the laws of the Universe.  There was actually this great presentation at CCC a few years ago that achieved 100% key recovery on common quantum cryptographic systems — check it out.

   So maybe there’s some links between our two worlds, and you’ll grant me some leeway to speculate wildly (if you’ve read this far, I’m hoping you already have).  Let’s imagine for a moment, that in the organization I’ll someday run with a small army dedicated to fixing the Internet, I’ve got a couple of punk experimentalist grad students who know their way around an optics table and still have two eyes.  What would I suggest they do?

  I see lots of experiments providing positive confirmation of quantum mechanics, which is to be expected because the math works.  But you know, I’d try something else.  A lot of the cooler results from Quantum Physics show up in the two slit experiment, where coherent light is shined through two slits and interferes as waves on its way to a detector.  It’s amazing, particularly since it shows up even when there’s only one photon, or one electron, going through the slits.  There’s nothing else to interfere with!  Very cool.

  There’s a lot of work going on in showing interference patterns in larger and larger things.  We don’t quite know why the behaviors correctly predicted by Quantum Physics don’t show up in, like, baseballs.  The line has to be somewhere, we don’t know why or where.  That’s interesting work!  I might do something else, though.

  There exists an implemented behavior:  An interference pattern.  It is fragile, it only shows up in particular conditions.  I would see what breaks that fragile behavior, that shouldn’t.  The truth about hacking is that as creative as it is, it is the easy part.  There is no human being on the planet that can assemble a can of Coca-Cola, top to bottom.  Almost any person can destroy a can though, along with most of the animal kingdom and several natural processes.

  So yes.  I’m suggesting fuzzing quantum physics.  For those who don’t know, a lot of systems will break if you just throw enough crap at the wall.  Eventually you’ll hit some gap between the model a developer had in his mind for what his software did, and what behaviors he actually shipped.

  Fuzzing can be completely random, and find lots of problems.  But one of the things we’ve discovered over the years is that understanding what signals a system is used to processing, and composing them in ways a system is not used to processing, exposes all sorts of failure conditions.  For example, I once fuzzed a particular web browser.  Those things are huge!  All sorts of weird parsers, that can be connected in almost but not quite arbitrary ways.  I would create these complex trees of random objects, would move elements from one branch to another, would delete a parent while working on a child, and all the while, I’d stress the memory manager to make sure the moment something was apparently unneeded, it would be destroyed.

  I tell you, I’d come to work the next day and it’d be like Christmas.  I wonder what broke today!  Just because it can compose harmlessly, does not at all mean it will.  Shared substrates like the universe of gunk lashing a web browser together never entirely implement their specifications perfectly.  The map is not the territory, and models are always incomplete.

  Here’s the thing.  We had full debuggers set up for our fuzzers.  We would always know exactly what caused a particular crash.  We don’t have debuggers for reality at the quantum scale, though wow, I wish we did.  Time travel debugging would be awesome.  

  I want to be cautious here, but I think this is important to say.  Without a debugger, many crashes look identical.  You would not believe the number of completely different things that can cause a web browser to give up the ghost.  Same crash experience every time, though.  Waves, even interference waves, are actually a really generic failure mode.  The same slits that will pass photons, will also pass air molecules, will also pass water molecules.  Stick enough people in a stadium and give them enough beer and you can even make waves out of people.

  They’re not the same waves, they don’t have the same properties, that’s part of the charm of Quantum Physics.  Systems at different scales do behave differently.  The macro can be identical, the micro can be way, way different.

  Interference is fairly intuitive for multi-particle systems.  Alright, photons spin through space, have constructive and destructive modes when interacting in bulk, sure.  It happens in single photon and electron systems too, though.  And as much as I dislike non-locality, the experiment is always right.  These systems behave as if they know all the paths they could take, and choose one.

  This does not necessarily need to be happening for the same reasons in single photon systems, as it is in long streams of related particles.  It might be!  But, it’s important to realize, there won’t just be waves from light, air, and water.  Those waves will have similarities, because while the mechanisms are completely different, the ratios that drive them remain identical (to the accuracy of each regime).

  Bug collisions are extremely annoying.

  I know I’m speaking a bit out of turn.  It’s OK.  I’m OK with being wrong, I just generally try to not be, you know.  Not even wrong.  What’s so impressive about superposition is that the particle behaves in a manner that belies knowledge it should not have.  No cryptographic interpretation of the results of Quantum Physics can explain that; you cannot operate on data you do not have.  Pilot wave theory is a deterministic conception of quantum physics, not incompatible at all with this cryptographic conjecture, but it too has given up on locality.  You need to have an input, to account for it in your output.

  But the knowledge of the second slit is not necessarily absent from the universe as perceived by the single photon.  Single photon systems aren’t.  It’s not like they’re flying through an infinitely dark vacuum.  There’s black body radiation everywhere, bouncing off the assembly, interfering through the slits, making a mess of things.  I know photons aren’t supposed to feel the force of others at different wavelengths, but we’re talking about the impact on just one.  Last I heard, there’s a tensor field of forces everything has to go through, maybe it’s got a shadow.  And the information required is some factor of the ratio between slits, nothing else.  It’s not nothing but it’s a single value.

  The single particle also needs to pass through the slits.  You know, there are vibratory modes.  Every laser assembly I see isolates the laser from the world.  But you can’t stop the two slits from buzzing, especially when they’re being hit by all those photons that don’t miss the assembly.  Matter is held together by electromagnetic attraction; a single photon versus a giant hunk of mass has more of an energy differential than myself and Earth.  There doesn’t need to be much signal transfer there, to create waves.  There just needs to be transfer of the slit distance.

Might be interesting to smoothly scale your photon count from single photon in the entire assembly (not just reaching the photodetector), through blindingly bright, and look for discontinuities.  Especially if you’re using weak interactions to be trajectory aware.

  In general, change things that shouldn’t matter.  There are many other things that have knowledge of the second photon path.  Reduce the signal so that there’s nothing to work on, or introduce large amounts of noise so it doesn’t matter that the data is there.  Make things hot, or cold.  Introduce asymmetric geometries, make a photon entering the left slit see a different (irrelevant) reality than the photon entering the right.  As in, there are three slits, nothing will even reach the middle slit because it’s going to be blocked by a mirror routing it to the right slit, but the vibratory mode between left and middle is different than that for middle and right.  Or at least use different shapes between the slits, so that the vibratory paths are longer than crow flies distance.  Add notch filters and optical diodes where they shouldn’t do anything.  Mirrors and retroreflectors too.  Use weird materials — ferromagnetic, maybe, or anti-ferromagnetic.  Bismuth needs its day in the sun.  Alter density, I’m sure somebody’s got some depleted uranium around, gravity’s curvature of space might not be so irrelevant.  Slits are great, they’re actually not made out of anything!  You know what might be a great thing to make two slits out of?  Three photodetectors!  Actually, cell phones have gotten chip sensors to be more sensitive than the human eye, which in the right conditions is itself a single photon detector.  I wonder just what a Sony ISX-017 (“Starvis”) can do.

You know what’s not necessarily taking nanoseconds to happen?  Magnetization!  It can occur in femtoseconds and block an electron from the right slit while the left slit is truly none the wiser.  Remember, you need to try each mechanism separately, because the failure mode of anything is an interference pattern.

   Just mess with it!  Professors, tell your undergrads, screw things up.  Don’t set anything on fire.  You might not even have to tell them that.

  And then you go set something on fire, and route your lasers through it.  Bonus points if they’re flaming hoops.  You’ve earned it.

  I’ll be perfectly honest.  If any of this works, nobody would be more surprised than me.  But who knows, maybe this will be like that time somebody suggested we just send an atomic clock into space to unambiguously detect time dilation from relativity.  A hacker can dream!  I don’t want to pretend to be telling anyone how the universe works, because how the heck would I know.  But maybe I can ask a few questions.  Perhaps, strictly speaking, this is a disproof of Bell’s Theorem that is not superdeterminism.  Technically a theory does not need to be correct to violate his particular formulation.  It might actually be the case that this… Quantum Encraption is a local hidden variable theory that explains all the results of quantum mechanics.

–Dan

P.S. This approach absolutely does not predict a deterministic universe.  Laser beams eventually decohere, just not immediately.  Systems can absolutely have a mix of entropy sources, some good, some not.  It takes very, very little actual universal entropy to create completely unpredictable chaos, and that’s kind of the point.  The math still works just as predictably even with no actual randomness at all.  Only if all entropy sources were deterministic at all scales could the universe be as well.  And even then, the interaction of even extremely weak cryptosystems is itself strongly unpredictable over the scale of, I don’t know, billions of state exchanges.  MD5 is weak, a billion rounds of MD5 is not.  So there would be no way to predict or influence the state of the universe even given perfect determinism without just outright running the system.

[edit]P.P.S. “There is no outcome in quantum mechanics that cannot be handled by encraption, because if there was, you could communicate with it.”  I’m not sure that’s correct but you know what passes the no communication theory really easily?  No communication.  Also, please, feel free to mail me privately at dan@doxpara.com or comment below.

CRASHOVERRIDE Malware

CRASHOVERRIDE, aka, Industroyer, is the fourth family of malware publically identified as targeting industrial control systems (ICS). It uses a modular design, with payloads that target several industrial communication protocols and are capable of directly controlling switches and circuit breakers. Additional modules include a data-wiping component and a module capable of causing a denial of service (DoS) to Siemens SIPROTEC devices.

The big secret behind Google Play Protect on Android

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession
Cross Border Personal information
Requirements.
Personal information must be processed and stored  in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.




Looking for love on Matrimonial Sites! Watch out for the Fraudsters

On Oct 2014, I wrote a blog titled “Conmen use fake matrimonial profiles to scam prospective grooms seeking arranged marriages” warning cyber citizens on matrimonial scams. Unfortunately, since then it appears that these scams have become common and lucrative.

These scams earned between 4 lakhs to 1.2 crore rupees (6000 – 200000 USD). Victims were women in their 30’s who had posted their profiles on matrimonial portals. They were emotionally blinded and trusted the online relationship.

The scams used in reported cases in The Times of India, July 20, 2017, were custom harassment, gift clearance or urgent need of money due to a financial or medical emergency.

 31 year old nurse
Conned to accept a parcel that apparently was to contain 15000 GBP ( approx. 12 lakhs)
Paid Rs 4.2 Lakhs ( 6000 USD) to a fake courier company
40 year woman
Conned to bail her suitor out of a sticky payment at the  customs
Paid 74 lakhs (11000 USD) into several accounts
Young Woman
Conned to bail out her UK based suitor as custom officials had caught him carrying a lot of pounds
Paid Rs 4.8 Lakhs (7000 USD)
35 year old woman
Conned into supporting an allegedly US based suitor out of his financial difficulties
Paid Rs 1.2 Crore  (184000 USD)
40 year old woman
Conned into bailing out her UK suitor due to a sticky payment at customs
Paid Rs 4.65 Lakhs (7000 USD)

There will be a large number of unreported scams as they involve threats of defamation using explicit photos or video’s shared during the relationship.

I would again remind cybercitizens, that conmen actively target you, use social engineering techniques to gain your trust, and know how to hide themselves on the Internet. These conmen are often difficult to trace or it is simply too expensive to do so.


My recommendation is to use common sense when in an untrusted and unverified relationship. Any request for money should sound a loud buzzer in your brain. Do not also share content of sexual nature which could later be used against you.

Final removal of trust in WoSign and StartCom Certificates



As previously announced, Chrome has been in the process of removing trust from certificates issued by the CA WoSign and its subsidiary StartCom, as a result of several incidents not in keeping with the high standards expected of CAs.

We started the phase out in Chrome 56 by only trusting certificates issued prior to October 21st 2016, and subsequently restricted trust to a set of whitelisted hostnames based on the Alexa Top 1M. We have been reducing the size of the whitelist over the course of several Chrome releases.

Beginning with Chrome 61, the whitelist will be removed, resulting in full distrust of the existing WoSign and StartCom root certificates and all certificates they have issued.

Based on the Chromium Development Calendar, this change is visible in the Chrome Dev channel now, the Chrome Beta channel around late July 2017, and will be released to Stable around mid September 2017.

Sites still using StartCom or WoSign-issued certificates should consider replacing these certificates as a matter of urgency to minimize disruption for Chrome users.

Disgruntled Driver asks Share Ride Cab Company OLA to Pay Ransom for Kidnapped Passenger

A doctor called a shared ride cab to drive him to the private hospital where he worked. The shared ride arrived on time, but instead of taking the doctor to his destination, the driver threatened the doctor and kidnapped him.  The OLA cab driver, in turn posted a ransom request of Rs 5 Crore (750,000 USD) to the shared ride company, even calling up the hospital were the doctor worked to pressurize the company into paying. The Delhi police, were successful after a 13 day chase to free the doctor unharmed and nab the kidnapper.

The motive for the kidnapping was to teach the shared ride company a lesson as they were miffed due to alleged nonpayment of incentives.

The incident simply highlights the damage disgruntled employees can cause, many a times due to uncontrolled emotions. While the kidnapping seems to be one of a kind, incidents caused by employees in the workplace is quite common. In the early days, it used to be sabotage of plan and machinery, but in a digital world it is the theft of IP, data or even online defamation of the company and its personnel.

Necurs oddity II: avto111222@bigmir.net

Yesterday I saw a series spam emails from Necurs apparently attempting to collect replies to super.testtesttest2018@yahoo.com. Although that campaign is continuing today, a new spam run with similar characteristics has started this morning. For example: From:    jKX Soto [ingmanz@redacted]Reply-To:    jKX Soto [avto111222@bigmir.net]Date:    19 July 2017 at 06:43Subject:    CQJPhDYNOXTC

Cisco Unified Communications Manager 11.5(1.12000.1) Cross Site Scripting Bypass a restriction or similar Vulnerability

A cross-site scripting (XSS) filter bypass vulnerability in the web-based management interface of Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to mount XSS attacks against a user of an affected device. More Information: CSCvb97237. Known Affected Releases: 11.0(1.10000.10) 11.5(1.10000.6). Known Fixed Releases: 11.5(1.12029.1) 11.5(1.12900.11) 12.0(0.98000.369) 12.0(0.98000.370) 12.0(0.98000.398) 12.0(0.98000.457).

Unix: How random is random?

On Unix systems, random numbers are generated in a number of ways and random data can serve many purposes. From simple commands to fairly complex processes, the question “How random is random?” is worth asking.

EZ random numbers

If all you need is a casual list of random numbers, the RANDOM variable is an easy choice. Type "echo $RANDOM" and you'll get a number between 0 and 32,767 (the largest number that two bytes can hold).

$ echo $RANDOM
29366

Of course, this process is actually providing a "pseudo-random" number. As anyone who thinks about random numbers very often might tell you, numbers generated by a program have a limitation. Programs follow carefully crafted steps, and those steps aren’t even close to being truly random. You can increase the randomness of RANDOM's value by seeding it (i.e., setting the variable to some initial value). Some just use the current process ID (via $$) for that. Note that for any particular starting point, the subsequent values that $RANDOM provides are quite predictable.

To read this article in full, please click here

Twelve Commandments that will never fail to Keep You Cyber Safe Online

As the digital world explodes with a variety of new online services, cyber threats have become more ingenuous, dangerous, and spawned multiple variants and types. As each new threat makes the headline, the accompanying set of threat specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that do not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1)    Thou shalt not use a device with pirated software
Pirated software is not patched as it is unlicensed. Unpatched software have security vulnerabilities which can be easily exploited to steal data and credentials

2)    Thou shalt not use a device which is not set for automatic updates of Operating System patches
Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them

3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective to catch the latest malware variants, it has to be automatically updated with the latest updates.

4)    Thou shall not download pirated movies, games and other such material
Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications

5)    Thou shall not use a site without trying to verify its authenticity
Authenticity of a site can be verified by the Lock Icon and accompanying digital certificate. While not fool proof, it reduces the possibility of spoofed lookalike sites designed to steal your credentials

6)    Thou shall not ignore inappropriate content on social networks, always report or dislike it
Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7)    Thou shalt not indulge or encourage cyber bullying online
A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied

8)    Thou shalt not use passwords that can be easily guessed and promise to  keep the password a secret
Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords

9)    Thou shalt not fall be tempted by fraudulent emails promising financial windfalls or miracle cures or cheap medicines
Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shall not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available, requires that you can be reached for instant advice on problems they encounter

11) Thou shalt never trust a stranger blindly online
Always be suspicious when dealing with online strangers. At any point during the relationship never let down your guard. The identity of an online person cannot be easily verified. It can however be easily manipulated. Online friends sometimes have the vilest of intention which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked
A stolen phone with an easy to guess password or if unlocked, is a sure invitation into all your signed in accounts and personal data. A large number of phones are left unattended or lost each year.



Podcast Notes – Six Point List for Dealing with Today’s Cyber Attacks

I was recently on a podcast (to be released in the next couple of weeks) discussing current events, especially recent reports related to Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say. Towards the end of the podcast, I was asked for some closing thoughts, which I organized into a six-point list:

  1. Attacks are happening. Accept this as fact!
  2. Look internally at your People, Processes, and Technology (PPT), and assess how resilient your PPTs are against the types of attacks that are happening.
  3. Start taking steps -- or more likely, improve your current steps -- to prevent, but also to detect and respond (as prevention will only get you so far).
  4. Patch, patch, patch.
  5. Test, test, test.
  6. Finally, because it's only a matter of time, the last item is: drill baby, drill.

IDG Contributor Network: Global cyber reconnaissance against the energy sector

Media panic du jour

National media has caused quite a self-generated sensation by splashing headlines that the U.S. Nuclear Power subsector has been hacked.  Without context or understanding the media has created another “the sky is falling” cyber event.  There’s a great difference between nuclear operational networks being compromised and somebody clicking a phishing email and infecting the front office, so let’s immediately set the record straight.  It was the front office.

To read this article in full, please click here

Identifying Intrusive Mobile Apps Using Peer Group Analysis


Mobile apps entertain and assist us, make it easy to communicate with friends and family, and provide tools ranging from maps to electronic wallets. But these apps could also seek more device information than they need to do their job, such as personal data and sensor data from components, like cameras and GPS trackers.

To protect our users and help developers navigate this complex environment, Google analyzes privacy and security signals for each app in Google Play. We then compare that app to other apps with similar features, known as functional peers. Creating peer groups allows us to calibrate our estimates of users’ expectations and set adequate boundaries of behaviors that may be considered unsafe or intrusive. This process helps detect apps that collect or send sensitive data without a clear need, and makes it easier for users to find apps that provide the right functionality and respect their privacy. For example, most coloring book apps don’t need to know a user’s precise location to function and this can be established by analyzing other coloring book apps. By contrast, mapping and navigation apps need to know a user’s location, and often require GPS sensor access.

One way to create app peer groups is to create a fixed set of categories and then assign each app into one or more categories, such as tools, productivity, and games. However, fixed categories are too coarse and inflexible to capture and track the many distinctions in the rapidly changing set of mobile apps. Manual curation and maintenance of such categories is also a tedious and error-prone task.

To address this, Google developed a machine-learning algorithm for clustering mobile apps with similar capabilities. Our approach uses deep learning of vector embeddings to identify peer groups of apps with similar functionality, using app metadata, such as text descriptions, and user metrics, such as installs. Then peer groups are used to identify anomalous, potentially harmful signals related to privacy and security, from each app’s requested permissions and its observed behaviors. The correlation between different peer groups and their security signals helps different teams at Google decide which apps to promote and determine which apps deserve a more careful look by our security and privacy experts. We also use the result to help app developers improve the privacy and security of their apps.
[UNSET] (27).png
Apps are split into groups of similar functionality, and in each cluster of similar apps the established baseline is used to find anomalous privacy and security signals.

These techniques build upon earlier ideas, such as using peer groups to analyze privacy-related signals, deep learning for language models to make those peer groups better, and automated data analysis to draw conclusions.

Many teams across Google collaborated to create this algorithm and the surrounding process. Thanks to several, essential team members including Andrew Ahn, Vikas Arora, Hongji Bao, Jun Hong, Nwokedi Idika, Iulia Ion, Suman Jana, Daehwan Kim, Kenny Lim, Jiahui Liu, Sai Teja Peddinti, Sebastian Porst, Gowdy Rajappan, Aaron Rothman, Monir Sharif, Sooel Son, Michael Vrable, and Qiang Yan.

For more information on Google’s efforts to detect and fight potentially harmful apps (PHAs) on Android, see Google Android Security Team’s Classifications for Potentially Harmful Applications.
References

S. Jana, Ú. Erlingsson, I. Ion (2015). Apples and Oranges: Detecting Least-Privilege Violators with Peer Group Analysis. arXiv:1510.07308 [cs.CR].

T. Mikolov, I. Sutskever, K. Chen, G. S. Corrado, J. Dean (2013). Distributed Representations of Words and Phrases and their Compositionality. Advances in Neural Information Processing Systems 26 (NIPS 2013).

Ú. Erlingsson (2016). Data-driven software security: Models and methods. Proceedings of the 29th IEEE Computer Security Foundations Symposium (CSF'16), Lisboa, Portugal.

MS16-111 – Important: Security Update for Windows Kernel (3186973) – Version: 2.0

Severity Rating: Important
Revision Note: V2.0 (July 11, 2017): Revised Windows Affected Software and Vulnerability Severity Ratings table to include Windows 10 Version 1703 for 32-bit Systems and Windows 10 Version 1703 for x64-based Systems because they are affected by CVE-2016-3305. Microsoft recommends that customers running Windows 10 Version 1703 should install update 4025342 to be protected from this vulnerability.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application on a target system.

Cyber Lessons from the 2017 Harvey Nash / KMPG CIO Survey Report

In May this year, Harvey Nash and KPMG released their 2017 CIO Survey report. The report looks at some of the key issues on CIOs’ radar, including how CIOs are handling changing times, the need for stable IT, the strategic influence of CIOs, issues leading to costly and failed IT projects, job satisfaction, and of course, the issue of cybersecurity.

We’ll cover the highlights of the report, and take a deeper dive on how the issue of cybersecurity which features prominently in the report, and share lessons on how CIOs can improve their organization’s posture.

Top (and Bottom) Priorities for CIOs

The top four priorities listed for CIOs are
  1. The need to deliver stable IT service to the business (63%, up 21% from 2016)
  2. Increasing operational efficiencies (62%, up 7% from 2016)
  3. Improving business processes (59%, up 3% from 2016)
  4. Saving costs (54%, up 8% from 2016)
In contrast, the bottom three priorities are:
  1. Reputation management via social media (5%).
  2. Achieving sustainable/green IT (6%).
  3. Investing in social media platforms (7%).

CIO Good News

Among the list of positive news for CIOs was their self-reported increase in their strategic influence: when asked if their influence was growing, 71% of CIOs responded yes, up from 67% in 2016. Not surprisingly, 62% of CIOs now sit on the executive board, up from 57% in 2016, a number that was below the 50% mark for the decade ending in 2010. This increased visibility is also confirmed with 68% of CIOs reporting having attended a board meeting in the last quarter, a figure that goes up to 85% when considered over a 12-month window. However this picture is skewed towards the smaller organizations, where it appears that CIOs have an easier time getting access to the board (72%, versus 65% for mid-size, and only 45% for large organizations). Similarly, CIOs at smaller organizations are more likely to report directly to the CEO at 45%, versus 27% for mid-size, and 17% for large organizations.

Where a CIO sits in the organizational chart makes a difference in their perception of job satisfaction: 44% of CIOs on the executive committee reported their roles as very fulfilling, compared to 42% of CIOs reporting to CEOs, and only 38% of CIOs reporting to CFOs. On the salary front, CIOs reporting to the CEO or the board reported larger salary increases (36% for CIOs under CEOs, and 35% for CIOs on executive committee) than those under the CFO (32%).

Managing Change

Managing change comes with the territory for CIOs. When asked about how they had adapted their technology plans to deal with uncertainty, CIOs reported creating a more nimble technology platform (52%), finding a way to work with restricted budgets (49% average, but more pronounced in small organizations at 51%), and investing more in cybersecurity (45% average, but much more pronounced in mid-size and large organizations at 55% and 53% respectively) as their top three.

The Cybersecurity Issue

While cybersecurity figures in 3rd place in the aggregate picture, it is the #2 issue for both mid-size and large organizations, just behind the need for nimble IT. For mid-size organizations, nimble IT ranks in the top spot at 56% while security is just below at 55%, with a similarly close picture for large organizations with 54% for nimble IT and 53% for security. Not surprisingly, cybersecurity was a regular topic in the top five categories of topics discussed when CIOs interacted with boards, along with IT strategy, IT investments, and digital transformation.

The report introduces the cybersecurity issue thusly: “Everyone is talking about cyber security. Organizational leaders are fretting while hackers seem to be able to ghost their way effortlessly into their systems to steal emails and secrets.”
Top concerns for CIOs include organized cybercrime (71%), amateur criminals (52%), insider threats (48%), but also spammers (39%), foreign powers (28%), and competitors (19%). More worrisome, when CIOs were asked about if they were “well prepared” for detecting and responding to cyber-attacks, only 21% responded yes in 2017, compared to 22% in 2016, 23% in 2015, and 29% in 2014.

As can be expected, large organizations are more likely to report having suffered a major attack in the past two years (53%) compared to mid-size (41%) or small organizations (30%). However, the lower numbers for the smaller organizations may also be a reflection of their less mature detection and investigative capabilities.

Many CIOs are left wondering if their organizations are truly secure, or whether a false sense of security has been allowed to take hold, with potentially disastrous consequences. Bob Kalka, Vice President IBM Security Business Unit, wrote a three part series on Questions Every CIO Should Ask the Cybersecurity Leader: part 1, part 2, and part 3.

Much More in the Report

The report also points to an increasing trend where a larger share of the IT budget is controlled or managed outside of IT, 40% in 2017, up from 38% in 2016, and 34% in 2015. This trend puts increased pressure on CIOs’ ability to effectively manage the relationship with the rest of the C-suite and the board to exert influence on how that share of the budget is being spent.


Overall, the 56-page report provides a snapshot of where a CIO sits compared to their peers, as well as highlights important trends to be aware of and key areas they should be focusing on.

This post was brought to you by IBM Global Technology Services. For more content like this, visit ITBizAdvisor.com

Toolsmith #126: Adversary hunting with SOF-ELK

As we celebrate Independence Day, I'm reminded that we honor what was, of course, an armed conflict. Today's realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray.
We live in a world of asymmetrical battles, often conflicts that aren't always obvious in purpose and intent, and likely fought on multiple fronts. For one of the best reads on the topic, take the well spent time to read TJ O'Connor's The Jester Dynamic: A Lesson in Asymmetric Unmanaged Cyber Warfare. If you're reading this post, it's highly likely that your front is that of 1s and 0s, either as a blue team defender, or as a red team attacker. I live in this world every day of my life as a blue teamer at Microsoft, and as a joint forces cyber network operator. We are faced, each day, with overwhelming, excessive amounts of data, of varying quality, where the answers to questions are likely hidden, but available to those who can dig deeply enough.
New platforms continue to emerge to help us in this cause. At Microsoft we have a variety of platforms that make the process easier for us, but no less arduous, to dig through the data, and the commercial sector continues to expand its offerings. For those with limited budgets and resources, but a strong drive for discovery, that have been outstanding offerings as well. Security Onion has been forefront for years, and is under constant development and improvement in the care of Doug Burks.
Another emerging platform, to be discussed here, is SOF-ELK, part of the SANS Forensics community, created by SANS FOR572, Advanced Network Forensics and Analysis author and instructor Phil Hagen. Count SOF-ELK in the NFAT family for sure, a strong player in the Network Forensic Analysis Tool category.
SOF-ELK has a great README, don't be that person, read it. It's everything you need to get started, in one place. What!? :-)
Better yet, you can download a fully realized VM with almost no configuration requirements, so you can hit the ground running. I ran my SOF-ELK instance with VMWare Workstation 12 Pro and no issues other than needing to temporarily disable Device Guard and Credential Guard on Windows 10.
SOF-ELK offers some good test data to get you started with right out of the gate, in /home/elk_user/exercise_source_logs, including Syslog from a firewall, router, converted Windows events, a Squid proxy, and a server named muse. You can drop these on your SOF-ELK server in the /logstash/syslog/ ingestion point for syslog-formatted data. Additionally, utilize /logstash/nfarch/ for archived NetFlow output, /logstash/httpd/ for Apache logs, /logstash/passivedns/ for logs from the passivedns utility, /logstash/plaso/ for log2timeline, and  /logstash/bro/ for, yeah, you guessed it.
I mixed things up a bit and added my own Apache logs for the month of May to /logstash/httpd/. The muse log set in the exercise offering also included a DNS log (named_log), for grins I threw that in the /logstash/syslog/ as well just to see how it would play.
Run down a few data rabbit holes with me, I swear I can linger for hours on end once I latch on to something to chase. We'll begin with a couple of highlights from my Apache logs. The SOF-ELK VM comes with three pre-configured dashboards including Syslog, NetFlow, and HTTPD. You can learn more in the start page for the SOF-ELK UI, my instance is http://192.168.50.110:5601/app/kibana. There are three panels, or blocks, for each dashboard's details, at the bottom of the UI. I drilled through to the HTTPD Log Dashboard for this experiment, and immediately reset the time period for analysis (click the time marker in the upper right hand part of the UI). It defaults to the last 15 minutes, if you're reviewing older data it won't show until you adjust to match your time stamps. My data is from the month of May so I selected an absolute window from the beginning of May to its end. You can also select quick or relative time options, it's great to get comfortable here quickly and early. The resulting opening visualizations for me made me very happy, as seen in Figure 1.
Figure 1: HTTPD Log Dashboard
Nice! An event count summary, source ASNs by count (you can immediately see where I scanned myself from work), a fantastic Access Source map, a records graph by HTTP verbs, and one by response codes.
The beauty of these SOF-ELK dashboards is that they're immediately interactive and allow you to drill right in to interesting data points. The holisticinfosec.org website is intentionally flat and includes no active PHP or dynamic content. As a result, my favorite response code as a web application security tester, the 500 error, is notably missing. But, in both the timeline graphs we note a big traffic spike on 8 MAY 2017, which correlates nicely with my above mention scan from work, as noted in the ASN hit count, and seen here in Figure 2.

Figure 2: Traffic spike from scan
This visualizes well but isn't really all that interesting or uncommon, particularly given that I know I personally ran the scan, and scans from the Intarwebs are dime a dozen. What did jump out for me though, as seen back in Figure 1, was the presence of four PUT requests. That's usually a "bad thing" where some @$$h@t is trying to drop something on my server. Let's drill in a bit, shall we? After clicking the graph line with the four PUT requests, I quickly learned that two requests came from 204.12.194.234 AS32097: WholeSale Internet in Kansas City, MO and two came from 119.23.233.9 AS37963: Hangzhou Alibaba Advertising in Hangzhou, China. This is well represented in the HTTPD Access Source panel map (Figure 3).

Figure 3: Access Source
The PUT request from each included a txt file attempt, specifically dbhvf99151.txt and htjfx99555.txt, both were rejected, redirected (302), and sent to my landing page (200).
Research on the IPs found that 119.23.233.9 was on the "real time suspected malware list as detected by InterServer's intrusion systems" as seen 22 MAY, and 204.12.194.234 was found twice in the AbuseIPDB, flagged on 18 MAY 2017 for Cknife Webshell Detected. Now we're talking. It's common to attempt a remote file include attack or a PUT, with what is a web shell. I opened up SOF-ELK on that IP address and found eight total hits in my logs, all looking for common PHP opportunities with the likes of GET and POST for /plus/mytag_js.php, noted in PHP injection attack attempts.
SOF-ELK made it incredibly easy to hunt down these details, as seen in Figure 4 from the HTTPD Discovery panel.
Figure 4: Discovery
That's a groovy little hunting trip through HTTPD logs, but how about a bit of Syslog? I spotted I likely oddity that could be correlated across a number of the exercise logs, we'll see if the correlation is real. You'll notice tabs at the top of your SOF-ELK UI, we'll use Discover for this experiment. I started from the Syslog Dashboard with my time range set broadly on the last two months. 7606 records presented themselves, sliced neatly by hosts and programs, as seen in Figure 5.

Figure 5: Syslog Dashboard
Squid proxy logs showed the predominance of host entries (6778 or 57.95% of 11,696 to be specific), so I started there. Don' laugh, but I'll often do keyword queries just to see what comes up, sometimes you land a pointer to a good rabbit hole. Within the body of 6778 proxy events, I searched malware. Two hits came back for GET request via a JS redirector to bleepingcomputer.com for your basic how-to based on "random websites opening in Chrome". Ruh-roh.
Figure 6: Malware keyword
More importantly, we have an IP address to pivot on: 10.3.59.53. A search of that IP across the same 6778 Squid logs yielded 3896 entries specific to this IP, and lots to be curious about:
  • datingukrainewomen.com 
  • anastasiadate.com
  • YouTube videos for hair loss
  • crowdscience.com for "random pop-ups driving me nuts"
Do I need to build this user profile out for you, or are you with me? Proxy logs tell us so much, and are deeply worthy of your blue team efforts to collect and review.
I jumped over to the named_log from the muse host to see what else might reveal itself. Here's where I jumped to Discover, the Splunk-like query functionality inherent to SOF-ELK (and ELK implemetations). I did reductive query to see what other oddities might surface: 10.3.59.53 AND dns_query: (*.co.uk OR *.de OR *.eu OR *.info OR *.cc OR *.online OR *.website). I used these TLDs based on the premise that bots using Domain Generation Algorithms (DGA) will often use the TLDs. See The DGA of PadCrypt to learn more, as well as ISC Diary handler John Bambanek's OSINT logic. The query results were quite satisfying, 29 hits, including a number of clearly randomly generated domains. Those that were most interesting all included the .cc TLD, so I zoomed in further. Down to five hits with 10.3.59.53 AND dns_query: *.cc, as seen in Figure 7.
Figure 7:. CC TLD hits
Oh man, not good. I had a hunch now, and went back to the proxy logs with 10.3.59.53 AND squid_request:*.exe. And there you have it, ladies and gentlemen, hunch rewarded (Figure 8).

Figure 8: taxdocs.exe
It taxdocs.exe isn't malware, I'm a monkey's uncle. Unfortunately, I could find no online references to these .cc domains or the .exe sample or URL, but you get the point. Given that it's exercise data, Phil may have generated it to entice to dig deeper.
When we think about the IOC patterns for Petya, a hunt like this is pretty revealing. Petya's "initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc". This is not Petya (as far as I know) specifically but we see pattern similarities for sure, one can learn a great deal about the sheep and the wolves. Be the sheepdog!
Few tools better in the free and open source arsenal to help you train and enhance your inner digital sheepdog than SOF-ELK. "I'm a sheepdog. I live to protect the flock and confront the wolf." ~ LTC Dave Grossman, from On Combat.

Believe it or not, there's a ton more you can do with SOF-ELK, consider this a primer and a motivator.
I LOVE SOF-ELK. Phil, well done, thank you. Readers rejoice, this is really one of my favorites for toolsmith, hands down, out of the now 126 unique tools discussed over more than ten years. Download the VM, and get to work herding. :-)
Cheers...until next time.

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 2: The Land of the Cyber Startups

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is the second of three articles that I wrote following that experience;  the first article, explored the question of  “Why Israel?

[T]he prominence of Israel in the technological field and in the cyber field have made Israeli companies very, very attractive. So because we have a lot of speed chess players, because we have hundreds of startups, because we have demonstrable success in providing solutions in this rapidly changing sphere, Israel has become an attractive target for cyber security investment, and I think if I tally it roughly as we can see, in 2016 we have about 20% of the global private cyber security investment around the world.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

In a previous article, we explored some of the factors that have contributed to positioning Israel as a potential leader in the cybersecurity innovation domain. However, potential isn’t always realized, but in the case of Israel, there is strong evidence that the formula for leveraging their special mix of circumstances into cyber startups and investments is working.

Growing Alliances

One cannot hear the Prime Minister and deny that Israel is a country deliberately focused on cyber. There is a palpable deliberate effort by government sector, financial sector, industry sector, and academia to come together and collaborate. This effort is having an impact on the way the rest of the world sees Israel, as evidenced by Indian Prime Minister, Narendra Modi, who visited Israel in early July, the first visit by an Indian PM. In part thanks to its cybersecurity expertise, Israel is being courted by many countries according to its PM.

At CyberWeek, representatives from the US government were also in attendance, marking a new level of collaboration. Thomas Bossert, Assistant to the President for Homeland Security and Counterterrorism announced the creation of a bilateral cyber working group to “stop adversaries before they can get into our networks and hold bad actors accountable.” According to Reuters, the working group will focus “range of cyber issues — critical infrastructure, advanced R&D, international cooperation, and workforce.” Bossert went on to explain one of the reason for working together: "[t]he agility Israel has in developing solutions will innovate cyber defenses that we can test here and bring back to America.”

From Alliances to Startups and Vice Versa

The two high profile announcements about collaboration will likely be a boom for Israel’s continued ability to produce hundreds of cybersecurity startups. How many startups are we talking about exactly? Reuters quoted a figure of 400, while other sources put that figure closer to about 350 startups. Regardless of the exact number — as by their very nature startups come and go, sometimes in a matter of weeks or months — Israel is at the forefront of the global race to innovate in the cybersecurity space. Several (former) cybersecurity startups have now reached global name recognition; here are just a few, whose name you might recognize: IAI, Check Point, Verint, CyberArk, ECI, ByNET, CyberX, BGProtect, Clearsky, Safebreach.

The vibrant amount of activity in Israel hasn’t gone unnoticed by the global investment community and the US. A recently introduced piece of legislation, Senate bill S.719, entitled “United States-Israel Cybersecurity Cooperation Enhancement Act of 2017” introduced in March 2017 might help the US adapt Israel’s recipe for success to further energize US activity in this key sector. The bill “requires the Department of Homeland Security (DHS) to establish a grant program to support cybersecurity research and development, and the demonstration and commercialization of cybersecurity technology.” Grant eligibility requires that “a project must be a joint venture between: (1) for-profit, nonprofit, or academic entities (including U.S. national laboratories) in the United States and Israel; or (2) the governments of the United States and Israel.”

Most companies in the cybersecurity domain are enjoying great levels of attention and success. For example, Israel Aerospace Industries Ltd. (IAI), which is the country’s largest aerospace and defense company (and government-owned), recently announced that it ended 2016 with over $100 million worth of contracts in “cyber-intelligence, cyber-forensics and analysis, and cyberdefense centers.” Its President and CEO, Joseph Weiss, recently said: “[w]e consider cyber to be a strategic field of activity and a growth engine at IAI, and expect it to continue to expand significantly in the coming years” adding that “[w]e will continue to invest in cyber companies and research and development centers in order to continue to expand in this field.”

Fuel for Startups

While the Middle East is known for its fuel reserves, startups require a different kind of fuel — financial fuel. From a global cybersecurity investment perspective, PM Netanyahu during his CyberWeek address mentioned that Israel had garnered double-digits worth of private cyber security investment from around the world in 2016. Added to the generous incentives provided by the government, such as a 4% tax rate for cybersecurity startups (compared to 25% tax rate for regular businesses), as well as seed money that need only be repaid if the startup is successful, the environment is highly conducive to having academics and former military elites join with business leaders in rapidly creating startups.

Globally, investors have proven eager to invest billions of dollars into this domain. From 2012-2016, VCs reportedly invested $12.5 billion worth of seed money (in over 1,200 startups), from $1.32 billion in 2012 to $3.67 billion in 2015 (global figures). From an Israeli perspective, the country saw the creation of 65 new startups in 2016 — putting the total number of companies active in cybersecurity at 365 — and “maintained its leading position as a global center of cybersecurity innovation” according to a data by the nonprofit Start-Up Nation Central. The amount of investment flowing to Israeli startups was second only to the US, but managed to grab 15% of the global venture capital flows. The amount of capital raised by cybersecurity startups in 2016 was reported to be $581 million, up 9% from 2015.

The figures below, about the number of active Israeli cybersecurity companies and the exit deals, are produced by Start-Up Nation Finder™, a free online platform providing data and opportunities for collaboration with Israeli high-tech companies and start-ups. The tool was also used to analyze the data as part of a report by Start-up Nation Central on Israel's Cybersecurity Industry in 2016 (SNC report).


Figure 1 — Active Cybersecurity Companies in Israel (src: SNC report, used with permission)


Figure 2 — Exit Deals for Israeli Startups, 2014-2016 (src: SNC report, used with permission)

Human Capital and Academic Expertise

Although financial incentives and easy access to seed money makes for a frantic level of startup activity, it is the ability for these budding companies to tap into a well trained workforce and expertise from academia that helps buds turn into full-bloom flowers. We’ll focus on academia next, since our first article in the series already covered many aspects of Israel’s workforce.

While many countries have reasonably close ties between academia, few countries display the level of collaboration, cooperation, and freedom of movement between industry, the military, and academia as Israel. The country’s leading academic institutions, such as Tel Aviv University (TAU) and Ben-Gurion University of the Negev (BGU) are not only home to cybersecurity research centers, but figure also prominently at the center of a hive of activity around startups, applied research, and technology transfer.

One such center of activity, Beersheba (also spelled “Beer Sheva”), is located 70 miles South of Tel Aviv. Beersheba has been called the Silicon Valley of Israel, and being home to BGU, it also showcases this tight collaboration between VCs, academia, and the military as the Israeli Defense Forces move a large portion of their activities to Beersheba. A key center in Beersheba is CyberSpark, an Israeli Cyber Innovation Arena. CyberSpark describes itself as “a joint venture of the Israeli National Cyber Bureau in the Prime Minister’s Office, Beer Sheva Municipality, Ben Gurion University of the Negev and leading companies in the cybersecurity industry.” Beersheba is now home to R&D centers for many global technology firms including EMC/RSA and Lockheed-Martin (LM), and the close proximity to BGU further fuels exchanges between students, industry, and academia, as exemplified by its close work with Deutsche Telecom.

Closing Thoughts

A fellow journalist described Israel’s approach to nurturing cybersecurity startups as “a potent mix of tight government oversight and large-scale public investment in education, talent identification and development and R&D.” Other countries seem to agree, and so do international investors.

Reflecting upon my first visit to Israel just last week, I have found the country to be both an innovator and an incubator. Israeli companies seem to be able to move fast, innovate, and when things don’t go well, learn their lessons and adapt. With a strong ability to leverage expertise found in academic and military sectors, combined with a strategic directive from the government to invest in cyber — both as a matter of self-defense as well as to tap into this new burgeoning market — Israel has quickly risen to be a key player in the global cybersecurity market, and is likely to continue its leading role for decades to come.

Adobe Acrobat heap Execute Code Overflow Vulnerability

Adobe Acrobat is prone to a local code-execution vulnerability.This allows a local attacker to exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts may result in a denial-of-service condition.

How to Deploy Your Own Algo VPN Server in the DigitalOcean Cloud

When analyzing malware or performing other security research, it’s often useful to tunnel connections through a VPN in a public cloud. This approach helps conceal the analyst’s origin, contributing to OPSEC when interacting with malicious infrastructure. Moreover, by using VPN exit nodes in different cities and even countries, the researcher can explore the target from multiple geographic vantage points, which sometimes yields additional findings.

One way to accomplish this is to set up your own VPN server in a public cloud, as an alternative to relying on a commercial VPN service. The following tutorial explains how to deploy the Algo VPN software bundle on DigitalOcean (the link includes my referral code). I like using DigitalOcean for this purpose because it offers virtual private server instances for as little as $5 per month; also, I find it easier to use than AWS.

Algo VPN Overview

Algo is an open source software bundle designed for self-hosted IPSec VPN services. It was designed by the folks at Trail of Bits to be easy to deploy, rely only on modern protocols and ciphers and provide reasonable security defaults. Also, it doesn’t require dedicated VPN client software for connecting from most systems and devices, because of native IPSec support.

To understand why its creators believe Algo is a better alternative to commercial VPNs, the Streisand VPN bundle and OpenVPN, read the blog post that announced Algo’s initial release.  As outlined in the post, Algo is meant “to be easy to set up. That way, you start it when you need it, and tear it down before anyone can figure out the service you’re routing your traffic through.”

Creating a DigitalOcean Virtual Private Server

To obtain an Internet-accessible system where you’ll install Algo VPN server software, you can create a “droplet” on DigitalOcean running Ubuntu 16.04 with a few clicks.

Accepting default options for the droplet should be OK in most cases. If you’re not planning to tunnel a lot of traffic through the system, selecting the least expensive size will probably suffice. Select the geographic region where the Virtual Private Server will run based on your requirements. Assign a hostname that appeals to you.

Once the new host is active, make a note of the public IP address that DigitalOccean assigns to it and log into it using SSH. Then run the following commands inside the new virtual private server to update its OS and install Algo VPN core prerequisites:

apt-add-repository -y ppa:ansible/ansible
apt-get update -y
apt-get upgrade -y
apt-get install -y build-essential \
  libssl-dev \
  libffi-dev \
  python-dev \
  python-pip \
  python-setuptools \
  python-virtualenv

At this point you could harden the configuration of the virtual private server, but these steps are outside the scope of this guide.

Installing Algo VPN Server Software

Next, obtain the latest Algo VPN server software on the newly-setup droplet and prepare for the installation by executing the following commands:

git clone https://github.com/trailofbits/algo
cd algo
python -m virtualenv env
source env/bin/activate
python -m pip install -U pip
python -m pip install -r requirements.txt

Set up the username for the people who will be using the VPN. To accomplish this, use your favorite text editor, such as Nano or Vim to edit the config.cfg file in the ~/algo directory:

vim config.cfg

Remove the lines that represent the default users “dan” and “jack” and add your own (e.g., “john”), so that the corresponding section of the file looks like this:

users:
 - john

After saving the file and exiting the text editor, execute the following command in the ~/algo directory to install Algo software:

./algo

When prompted by the installer, select the option to install “to existing Ubuntu 16.04 server”.

When proceeding with the installer, you should be OK  in most cases by accepting default answers with a few exceptions:

  • When asked about the public IP address of the server, enter the IP address assigned to the virtual private server by DigitalOcean when you created the droplet.
  • If planning to VPN from Windows 10 or Linux desktop client systems, answer “Y” to the corresponding question.

After providing the answers, give the installer a few minutes to complete its tasks. (Be patient.) Once it finishes, you’ll see the “Congratulations!” message, stating that your Algo server is running.

Be sure to capture the “p12 and SSH keys password for new users” that the installer will display at the end as part of the congratulatory message, because you might need to use it later.

Configuring VPN Clients

Once you’ve set up the Alog VPN service, follow the instructions on the Algo website to configure your VPN client. The steps are different for each OS. Fortunately, the Algo setup process generates files that allow you to accomplish this with relative ease. It stores the files in under ~/algo/configs in a subdirectory whose name matches your server’s IP address.

For instance, to configure your iOS device, transfer your user’s Apple Profile file that has the .mobileconfig extension (e.g., john.mobileconfig) to the device, then open the file to install it. Once this is done, you can go to Settings > VPN on your iOS device to enable the VPN when you wish to use it. If at some point you wish to delete this VPN profile, go to General > Profile.

If setting up the VPN client on Windows 10, retrieve from the Algo server your user’s file with the .ps1 extension (e.g., windows_john.ps1). Then, open the Administrator shell on the Windows system and execute the following command from the folder where you’ve placed these files, adjusting the file name to match your name:

powershell -ExecutionPolicy ByPass -File windows_john.ps1 -Add

When prompted, supply the  p12 password that the Algo installer displayed at the end of the installation. This will import the appropriate certificate information and create the VPN connection entry. To connect to the VPN server, go to Settings > Network & Internet > VPN. If you wish to remove the VPN entry, use the PowerShell command above, replacing “-Add” with “-Remove”.

Additional Considerations for Algo VPN

Before relying on VPN to safeguard your interactions with malicious infrastructure, be sure to confirm that it’s concealing the necessary aspects of your origin. If it’s working properly, the remote host should see the IP address of your VPN servers, instead of the IP address of your VPN client. Similarly, your DNS traffic should be getting directed through the VPN tunnel, concealing your client’s locally-configured DNS server. One way to validate this is to use whoer.net, comparing what information the site reveals before and after you activate your VPN connection. Also, confirm that you’re not leaking your origin over IPv6; one way to do that is by connecting to ipv6leak.com.

You can turn off the virtual private server when you don’t need it. When you boot it up again, Algo VPN software will automatically launch in the background. If running the server for longer periods of time, you should implement security measures necessary appropriate for Internet-connected infrastructure.

As you use your Algo VPN server, adversaries might begin tracking the server’s IP address and eventually blacklist it. Therefore, it’s a good idea to periodically destroy this DigitalOcean droplet and create a new one from scratch. This will not only change the server’s IP address, but also ensure that you’re running the latest version of VPN software and its dependencies. Unfortunately, after you do this, you’ll need to reimport VPN client profiles to match the new server’s IP address and certificate details.

Why Your Next Cybersecurity Tool/Service Might Just Come from Israel — PART 1: Why Israel?

Note: in June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. This article is one of three that I wrote following that experience.

A few years ago I decided to establish Israel as one of the five leading cyber powers in the world and I think by all accounts, we're there. But, the jury in cyber security is always out. And it's a constant challenge.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

How does a small country — with about the same population count as Switzerland — position itself to compete in the fast-pace cybersecurity global marketplace? In this article, we’ll explore the factors that have enabled Israel to position itself as a key future player in cybersecurity. In a follow-up article, we’ll look at how Israel has leveraged that potential into action, creating a marketplace for venture capital and innovation, resulting in hundreds of security startups.

Demographics

What is immediately noticeable when arriving in Israel is the number of young people around you. Unlike many of the largest countries and economies, Israel has a young, vibrant population, with over 43% of people aged 24 or under (CIA World Factbook). The median age is 29.7, compared to 37.9 for the US, 42 for Canada, and 42.7 for the entire European Union.

Population Chart for Israel, 2016 (src: CIA World Factbook)

Having a young population not only gives it a current and future stable workforce supply, it also means that a larger percentage of the population is going to be tech-savvy, having grown up in a world in which the Internet always existed, and being very comfortable with using and understanding technology, and the Web of Trust (WoT) that binds us all.

However, by itself, having a young population doesn’t mean that a country is poised to be a global player on the cybersecurity stage. So next, we’ll explore the role the government has played in shaping this nation to be a key player in cybersecurity.

Cyber — A Government Focus & Priority

While a growing number of governments around the world are proclaiming their desire to boost their cybersecurity workforce, nowhere is it more evident than in Israel. Attend any cybersecurity conference in Israel and you’ll inevitably run into dozens of key government leaders, from multiple sectors including the economy, import/export, the military, but also education and academia. Don’t be surprised if the head of the country pops in to make a short speech about the importance of the cyber domain to Israel’s future, as Prime Minister Netanyahu did on June 26th at the start of the CyberWeek conference at Tel Aviv University:

Cyber security is serious business. It's serious business for two reasons: the first reason is that it's a serious and growing threat. And it's a growing threat everywhere because everything, every single thing is being digitized. And the distinction between hi-tech and low-tech is rapidly disappearing. And as that happens in one country after another, in one industry after another, in one critical infrastructure after another, and as we enter the world of the internet of things the need for cyber security is growing exponentially.
[...]
Our decision in this case was to create a national cyber defense authority and we are organizing them around the cyber net so that everybody has secure information between the government and the various organizations and the business organizations. We can communicate in a secure way and the parties inside the net can communicate with each other. Not only to respond to attacks but to prevent them, to prevent them by early warning, to prevent them also by guidance, by teaching a systemic doctrine to the extent that you can be systemic in this business.
PM Netanyahu at the CyberWeek conference (June 26, 2017)

A Military Affair

The government’s role in leading the effort to position Israel as a leader in this space is undeniable. However, growing a cybersecurity workforce comes much easier to Israel than to the rest of the world, due to Israel’s need to protect itself from what they call “not so friendly neighbors.”

In many developed countries, the workforce supply in the cybersecurity domain is stretched thin, often with minimal or negative unemployment rates in the field, leading to many companies poaching the best security folks from their competitors, and leaving the government sector with a near-empty pool of applicants as government salaries are much lower, often on the order of 20%, 30%, even 40% lower, and the barriers to entry much higher (i.e. advanced degrees, clean record, drug tests, etc). A 2016 Indeed article compared the salary, adjusted for cost of living differences, of an information security specialist with three years of experience in Minneapolis ($127,757) with that of someone in Arlington VA ($74,254). The numbers speak for themselves.

In Israel the cyber workforce situation is much different; the Israel Defense Forces (IDF) provide the country with a fresh, auto-renewing supply of talented youths that have often signed up for extra tours of duty in some of the elite units of the IDF (e.g. the famous unit 8200, where many of today’s cybersecurity entrepreneurs once served). According to Wikipedia, the number of people reaching military age annually (estimates for 2016) is 60,000 males and another 60,000 females. While that number is by no means large, the experience instills in the conscripts many key values that lasts for decades after they’ve left their defense units and integrated the workplace.

One of the most privileged spots in the IDF is unit 8200 which is often referred to as Israel’s equivalent to the NSA. Unit 8200 is an intelligence unit, responsible for collecting signal intelligence (SIGINT) and code decryption. Unit 8200 is just one of several sought after units in the Israeli Intelligence Corps, which is “responsible for collecting, disseminating, and publishing intelligence information for the General Staff and the political branch” and also to engage “in counter-intelligence and information security work, and presents general assessments.” Several alumni of unit 8200 “have gone on to found leading Israeli IT companies, among them CheckPoint, Imperva, Incapsula, CloudEndure, Cybereason, ICQ, LightCyber, NSO Group, Palo Alto Networks, indeni, NICE, AudioCodes, Gilat, Leadspace, EZchip, Onavo, Singular and CyberArk.”

However, unit 8200 is just one of the many valuable units where young men and women can serve, and in the process gain valuable training and experience that can be of use in the business world.

Other Factors

Of course, there are other factors at play that have helped Israel position itself as a leader in this domain, beyond the young population, beyond the deliberate focus and support of the Israeli government, and beyond the fairly unique military apparatus which provides valuable training and experience.

These other factors include cultural aspects of resilience and innovation, access to academia for subject matter expertise, economic support for investments and growth in this space, and a startup mentality highly tolerant of failures — and more importantly lessons learned — to name a few.

In Israel, all of the factors mentioned above have contributed to creating a capacity for innovation and excellence in the cybersecurity domain. Just as importantly, the political and military leadership of the country are fully cognizant of that capacity and have decided to make it a national priority. As Dr. Eviatar Matania, Head of the Israel National Cyber Directorate, put it, “cyber is like the industrial revolution… We are just at the beginning of the cyber revolution… But we are going to be a cyber nation… as cybersecurity is a necessity to prosper.”

And as they say, the rest is history.

Our second article, “The Land of the Cyber Startups,” delves into the determined ways that Israel has been encouraging the growth of its cybersecurity sector.

VirusTotal += Cylance

We welcome Cylance scanner to VirusTotal. In the words of the company:

“Cylance is the first company to apply artificial intelligence, algorithmic science and machine learning to cybersecurity to prevent the most advanced security threats in the world. Using a breakthrough predictive analysis process, CylancePROTECT® quickly and accurately identifies what is benign and what is a threat, and prevents malicious code from ever executing on a targeted system. By coupling advanced machine learning and artificial intelligence with a unique understanding of an attacker’s mentality, Cylance provides technology and services that are truly predictive and preventive against the most advanced threats.”

Cylance has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by NSS Labs, an AMTSO-member tester.

The ancient Microsoft networking protocol at the core of the latest global malware attack

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

To read this article in full, please click here

Former Head of Shin Bet on Current State of Cybersecurity

This article explores what the former head of Shin-Bet, Israel's internal security service (equivalent to Britain’s MI5 or the FBI in the US), thinks of the current state of cybersecurity in the world today, and what can we learn from his warnings?

In June 2017, I was invited by the Israeli Ministry of Foreign Affairs to attend the CyberWeek conference in Tel Aviv, as part of a delegation of journalists from around the globe. Among the key people we met and interviewed was Yuval Diskin, who headed Shin Bet (aka Shabak) from 2005 to 2011. Yuval is currently the Chairman of CyMotive, a company focusing on cybersecurity in the automotive industry. CyMotive was born out of a partnership with Volkswagen, which issued a press release in September 2016, touting the important role this new company would play for Volkswagen and the automotive industry:
The age of the connected car enables customers to use a variety of features inside modern vehicles. However, with increasing connectivity comes an increasing risk. Aspects such as intelligent and autonomous driving increase the number of interfaces in the vehicle and thus the risk of malicious attack.

Mr. Diskin quickly set the tone when it comes to the state of cybersecurity today, stating “attackers are very dynamic; defenders are very static, passive.” He went on to say that “interconnectivity is one of the biggest challenges” and that to prevent or detect attacks, you must extend your scope beyond the perimeter. The current approach deals with layers of defenses and incident response preparations, but both of those approaches require the organization to wait until an attacker has successfully compromised systems in order to react.

His approach? Leverage behavioral science to identify attackers, even before they’ve found you and successfully penetrated your defenses. “Behind every cyber attack, there is a human being…” he said, then explaining that the goal is to connect the dots to identify the humans behind the attacks. He coins his approach as “intelligence driven offensive defense” and warns that many organizations and leaders prefer “naive” solutions to their cybersecurity problems, alluding to the patchwork of controls that many organizations have deployed today, with 36% of banks reportedly using between 51 and 100 security tools.

“There is a real reason to be frightened by the potential of a cyber attack” he said, alluding that current activity is equivalent to child’s play (i.e. how a child explores his ability to impact the world around him, and test boundaries). So what are organizations to do? Instead of looking for new (cybersecurity) solutions he said, organizations should ensure that their cyber processes are consistent and maturing, and that the controls are effective.

So what are you waiting for? Go test your controls, before someone else does.

VirusTotal += MAX

We welcome MAX scanner to VirusTotal. This scanner was developed by Saint Security Inc, headquartered in Seoul, South Korea. In the words of the company:

“MAX is a machine learning and cloud-based next-generation antivirus engine that identifies malware with AI. MAX, as a part of the malwares.com Project launched by Saint Security in 2014, is designed to detect malware by using intelligence data from malwares.com. It identifies various malware by nature, maximizes detection rate and minimizes false-positives with multi-layer and whitelist learning. In addition, MAX detects various types of files such as Windows binary files (32bit, 64bit), Linux elf files, mobile APK files, etc.”

Saint Security has expressed its commitment to follow the recommendations of AMTSO and, in compliance with our policy, facilitates this review by SE Labs, an AMTSO-member tester.