Monthly Archives: July 2017

A Letter to President Donald Trump regarding Global and Cyber Security

Dear President Trump,

Hello. As President of Paramount Defenses, I pen this letter most respectfully to you, the President of our Great United States.

First off, I should mention that I write neither as a Republican, nor as a Democrat, but as a fellow patriotic American citizen and a cyber security specialist, because I care, and that my desire to do so publicly is inspired by how much you Sir share publicly, and that this most respectful letter is in light of your tweet about discussing the creation of a Cyber Security Unit with Russia.

I'll do my best to keep this VERY simple.



Top-5 Global Security Risks

As President of the United States, you're likely aware of the Top-5 risks to not just America, but to the entire world today -


1. The Risk of the Use of a WMD / Nuclear War
2. The Risk of Earth's Demise, posed by Climate Change
3. The Risk of Terrorism, posed by Terror Groups Worldwide
4. The Risk of the Decline of American Leadership in the World
5. The Risk of Swift and Colossal Damage, posed by Cyber Threats

I am by no means an expert on global security, but common sense suggest that risks 1 and 2 above would be catastrophic to all of mankind, risk 3 could pose a serious threat to life and property, and that risk 4 could increase the likelihood of risks 1, 2 & 3.

As for risk 5, I do happen to know one vital area of cyber security decently well, so I'll share just a few thoughts about it, but first, I did want to take a moment to talk about risk 4 because it potentially impacts the lives of 7,000,000,000+ people worldwide.




The Importance of American Leadership

Mr. Trump, as President of the United States, you are the most powerful and influential person in the world, and most people would take such GREAT responsibility VERY seriously, since their actions and decisions could save or destroy the world.


Sir, the elections are over. You won. You are the President of the United States, and it is time to let the talking be, and start working to make America great again. This isn't reality TV, this is real life, and its a billion times more significant and serious.

If I were the President of the United States, and I deeply cared about making America great again, I likely wouldn't have a moment to watch TV, Tweet or Golf. I'd be working harder than the hardest American to make America greater and safer.

(If I may momentarily digress. speaking of making America great again, while there likely may certainly be much to be done to restore its greatness, we owe it to our future generations to do so without polluting or endangering our precious environment.)

Today more than ever, we live in a precarious, highly-connected and inter-dependent world, and the world needs strong, mature and steady American leadership to amicably address so many important and complicated issues, such as those listed above.

Speaking of which, I'd like to share a few thoughts on risk 5, the risk of swift and colossal damage posed by Cyber Threats, but before I do so, again, I'd request you to please take a few moments to comprehend the profound importance, seriousness and significance of both, the position bestowed upon you by the American people, as well as (of) the challenges that you, Sir, today have the unique privilege and responsibility of addressing for both America and the world that America is inextricably a part of.

[ Hopefully you see that the reality is that since America is inextricably a part of the world, what happens out in the world could impact us substantially, so to make America great(er and safer) again, we must maintain American leadership in the world. ]





The Cyber Risk

Mr. President, to put it most simply, Cyber Security is the Achilles' Heel of developed nations today, because over the last few decades, our reliance on computer systems and networks has increased substantially (exponentially), and sadly within them exist many systemic and component specific deficiencies (vulnerabilities) which can be exploited to inflict colossal harm.


(This risk is actually addressable, and what the world needs is a White Knight so we have a trustworthy foundation to operate on, but and until we get there i.e. until the world has such a defensive shield in place to rely on, we all have reality to deal with.)

Consequently, today from our governments to our energy grids, from our defense systems to our transportation systems, and from our banks to our industries (i.e. a nation's business organizations), literally everything is exposed to varying levels of risk.

It is thus hardly surprising that today cyber security is one of the most important challenges the world faces, an assertion best evidenced by the fact that Russia's purported cyber interference in the 2016 American elections, remains a contentious issue.


Speaking of which, while the U.S and in fact all countries and, ideally all business organizations, should certainly bolster their cyber defenses, establishing a Cyber Security Unit with the Russians might NOT be such a good idea, as also voiced by 1, 23.

By the way, those who truly understand cyber security know that there is no such thing as an "impenetrable cyber security unit".

A quick digression. Yes, indeed the Russians are very good at cyber security and likely at hacking, and they're persistent, but they're not the only ones out there trying to hack our agencies and companies, and they don't always succeed. But, I digress.


Mr. President, you may likely already have some of the world's best inputs and advice when it comes to cyber security, so I'd just like to share paramount cyber security insight with you - Trillion-Dollar Cyber Security Insight for President Donald Trump.


Mr. President, as I put my pen down, I'll only add that of the risks listed above, in the near-term, the Cyber Risk may be 2nd only to the Nuclear Risk, because its realistic probability of occurrence is substantially higher, and its potential for damage, colossal.


Mr. Trump, you have a historic opportunity to SERVE the American People, and define your legacy - its yours to embrace or squander.

Respectfully,
Sanjay.

Introducing Linux Support for FakeNet-NG: FLARE’s Next Generation Dynamic Network Analysis Tool

Introduction

In 2016, FLARE introduced FakeNet-NG, an open-source network analysis tool written in Python. FakeNet-NG allows security analysts to observe and interact with network applications using standard or custom protocols on a single Windows host, which is especially useful for malware analysis and reverse engineering. Since FakeNet-NG’s release, FLARE has added support for additional protocols. FakeNet-NG now has out-of-the-box support for DNS, HTTP (including BITS), FTP, TFTP, IRC, SMTP, POP, TCP, and UDP as well as SSL.

Building on this work, FLARE has now brought FakeNet-NG to Linux. This allows analysts to perform basic dynamic analysis either on a single Linux host or using a separate, dedicated machine in the same way as INetSim. INetSim has made amazing contributions to the productivity of the security community and is still the tool of choice for many analysts. Now, FakeNet-NG gives analysts a cross-platform tool for malware analysis that can directly integrate with all the great Python-based infosec tools that continually emerge in the field.

Getting and Installing FakeNet-NG on Linux

If you are running REMnux, then good news: REMnux now comes with FakeNet-NG installed, and existing users can get it by running the update-remnux command.

For other Linux distributions, setting up and using FakeNet-NG will require the Python pip package manager, the net-tools package, and the development files for OpenSSL, libffi, and libnetfilterqueue. Here is how to quickly obtain the appropriate prerequisites for a few common Linux distributions:

  • Debian and Ubuntu: sudo apt-get install python-pip python-dev libssl-dev libffi-dev libnetfilter-queue-dev net-tools
  • Fedora 25 and CentOS 7: 
    • yum -y update;
    • yum -y install epel-release; # <-- If CentOS
    • yum -y install redhat-rpm-config; # <-- If Fedora
    • yum -y groupinstall 'Development Tools'; yum -y install python-pip python-devel openssl-devel libffi-devel libnetfilter_queue-devel net-tools

Once you have the prerequisites, you can download the latest version of FakeNet-NG and install it using setup.py install.

A Tale of Two Modes

On Linux, FakeNet-NG can be deployed in MultiHost mode on a separate host dedicated to network simulation, or in the experimental SingleHost mode for analyzing software locally. Windows only supports SingleHost mode. FakeNet-NG is configured by default to run in NetworkMode: Auto, which will automatically select SingleHost mode on Windows or MultiHost mode on Linux. Table 1 lists the currently supported NetworkMode settings by operating system.

 

SingleHost

MultiHost

Windows

Default (Auto)

Unsupported

Linux

Experimental

Default (Auto)

Table 1: FakeNet-NG NetworkMode support per platform

FakeNet-NG’s support for SingleHost mode on Linux currently has limitations.

First, FakeNet-NG does not yet support conditional redirection of specific processes, hosts, or ports on Linux. This means that settings like ProcessWhiteList will not work as expected. We plan to add support for these settings in a later release. In the meantime, SingleHost mode supports redirecting all Internet-bound traffic to local listeners, which is the main use case for malware analysts.

Second, the python-netfilterqueue library is hard-coded to handle datagrams of no more than 4,012 octets in length. Loopback interfaces are commonly configured with high maximum transmittal unit (MTU) settings that allow certain applications to exceed this hard-coded limit, resulting in unanticipated network behavior. An example of a network application that may exhibit issues due to this would be a large file transfer via FTP. A workaround is to recompile python-netfilterqueue with a larger buffer size or to decrease the MTU for the loopback interface (i.e. lo) to 4,012 or less.

Configuring FakeNet-NG on Linux

In addition to the new NetworkMode setting, Linux support for FakeNet-NG introduces the following Linux-specific configuration items:

  • LinuxRedirectNonlocal: For MultiHost mode, this setting specifies a comma-delimited list of network interfaces for which to redirect all traffic to the local host so that FakeNet-NG can reply to it. The setting in FakeNet-NG’s default configuration is *, which configures FakeNet-NG to redirect on all interfaces.
  • LinuxFlushIptables: Deletes all iptables rules before adding rules for FakeNet-NG. The original rules are restored as part of FakeNet-NG’s shutdown sequence which is triggered when you hit Ctrl+C. This reduces the likelihood of conflicting, erroneous, or duplicate rules in the event of unexpected termination, and is enabled in FakeNet-NG’s default configuration.
  • LinuxFlushDnsCommand: Specifies the command to flush the DNS resolver cache. When using FakeNet-NG in SingleHost mode on Linux, this ensures that name resolution requests are forwarded to a DNS service such as the FakeNet-NG DNS listener instead of using cached answers. The setting is not applicable on all distributions of Linux, but is populated by default with the correct command for Ubuntu Linux. Refer to your distribution’s documentation for the proper command for this behavior.

Starting FakeNet-NG on Linux

Before using FakeNet-NG, also be sure to disable any services that may bind to ports corresponding to the FakeNet-NG listeners you plan to use. An example is Ubuntu’s use of a local dnsmasq service. You can use netstat to find such services and should refer to your Linux distribution’s documentation to determine how to disable them.

You can start FakeNet-NG by invoking fakenet with root privileges, as shown in Figure 1.


Figure 1: Starting FakeNet-NG on Linux

You can alter FakeNet-NG’s configuration by either directly editing the file displayed in the first line of FakeNet-NG’s output, or by creating a copy and specifying its location with the -c command-line option.

Conclusion

FakeNet-NG now brings the convenience of a modern, Python-based, malware-oriented network simulation tool to Linux, supporting the full complement of listeners that are available on FakeNet-NG for Windows. Users of REMnux can make use of FakeNet-NG already, while users of other Linux distributions can download and install it using standard package management tools.