Wednesday, September 28, 2011

Chinese Espionage in Five Minutes

This evening I watched last week's episode of This Week in Defense News with Vago Muradian. Vago's last guest was David Wise, author of Tiger Trap. If you want to learn as much as possible about Chinese espionage in a five-minute interview, I recommend watching History of China spying on U.S. I hope this book encourages attention at the highest levels of the US government and industry.

Sunday, September 25, 2011

Review of Robust Control System Networks Posted

Just posted my five-star review of Robust Control System Networks by Ralph Langner. From the review:

I am not an industrial control systems expert, but I have plenty of experience with IT security. I read Robust Control System Networks (RCSN) to learn how an ICS expert like Ralph Langner thinks about security in his arena. I was not disappointed, and you won't be if you keep an open mind and remember IT security folks aren't the target audience. After reading RCSN I have a greater appreciation for the problems affecting the ICS world and how that community should address the fragility of its environment.

Impressions: The Art of Software Security Testing

I'll be honest -- on the same trip on which I took The Art of Software Security Assessment, I took The Art of Software Security Testing (TAOSST) by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede Dustin. After working with TAOSSA, I'm afraid TAOSST didn't have much of a chance.

TAOSST is a much shorter book, with more screen captures and less content. My impression of TAOSST is that it is a good introduction to "identifying software security flaws" (as indicated by the subtitle), but if you want to truly learn how to accomplish that task you should read TAOSSA.

Impressions: The Art of Software Security Assessment

I recently took The Art of Software Security Assessment (TAOSSA) with me on a flight across the US and part of the Pacific. This massive book by Mark Dowd, John McDonald, and Justin Schuh is unlike anything I've read before. If I had read the whole book I would have written a five star review. However, since I only read certain parts of interest to me, I'm sharing these impressions of the book.

One of my favorite aspects of TAOSSA is the demonstration of software vulnerabilities by showing snippets of actual software familiar to many readers. These examples are sort of like behind-the-scenes looks at individual CVEs, where the authors show what's really happening and why it matters.

In some cases these examples show the development of code over time, and the flaws that developers introduce when trying to fix old vulnerabilities. For example, pages 250-3 show the progression of problems with the Antisniff tool. We read about trouble with versions 1.0, 1.1, 1.1.1, and 1.1.2, each trying to fix a bug caused by the previous change.

Another amazing aspect of TAOSSA is its coverage of subtle differences between different Unix-like systems, e.g. FreeBSD, NetBSD, OpenBSD, Solaris, and Linux. I really appreciated such careful attention to detail.

Probably the strongest aspect of TAOSSA was the overall methodology, which I define as 1) show how the technology works; 2) show vulnerabilities in code; 3) show how to fix the code (usually all with real examples).

My only criticism is more philosophical, because the authors recycle the flawed Microsoft "threat modeling" paradigm. This approach results in weird sentences like "threat identification is the process of determining an application's security exposure based on your knowledge of the system" (p 59). Fortunately the authors use the proper term "attack trees" rather than "threat trees," presumably because they recognize that Bruce Schneier was right when he promoted the "attack tree" approach!

Overall, the book is very well written, with great consistency despite three authors and hundreds of pages. If you can find a software developer who honestly read the entire TAOSSA and integrated its wisdom into his or her coding, hire that person!

Sunday, September 18, 2011

Impressions: Tiger Trap

I just finished reading Tiger Trap by David Wise. I read the whole book (so my "impressions" label isn't really accurate, because I use that for books I didn't fully read). I don't feel like writing an entire review but I wanted to capture a few thoughts.

First, if you know nothing about Chinese espionage against the United States, read Tiger Trap. I didn't think Tiger Trap was the easiest book to read about the subject, but I haven't seen any other source cover so much history in one volume.

Second, it seems the Chinese prefer to use human resources to steal classified information, mainly because accessing classified networks is tougher than accessing unclassified networks. Still, there are plenty of cases where humans physically stole unclassified but sensitive information. Most of these predate the Web however.

Third, the Chinese like to "get good people to do bad things," as I tweeted last week (citing page 16). In other words, China appeals to its overseas ethnic community to steal information because China "is a poor country," and it "needs to develop." (Oddly enough I have read these exact words in articles by various people who brush off reports of espionage.) While some spies act out of greed or revenge or a need to feel important, it seems plenty of other spies think they are really doing the right thing, leveling the playing field, or even helping both sides!

If anyone can provide the names of other resources describing Chinese espionage, I would appreciate the comment.

Friday, September 16, 2011

Bejtlich Cited in Chinese Article on APT

I found it ironic to see the names Richard Bejtlich and MANDIANT appearing in the article How to reduce the losses caused by APT attack? The reason this is funny is that the article is a Chinese-language story, published by a site operating in Beijing!

You can read the Google Translation if you can't read the original.

According to Tianji Media Group:

Established in January 1997, ChinaByte was the first IT news website in China.

So, welcome to the APT coverage!

Tuesday, September 13, 2011

Classic Chinese Defensive Propaganda

Thanks to the sharp eye of a colleague from a mailing list, I learned of the article Is China Really Cyberdragon? in the English-language China Daily newspaper. The article is by Tang Lan, deputy director of the Institute of Information and Social Development Studies, China Institutes of Contemporary International Relations (a state-directed research institute). His writing displays all of the classic elements of what I call Chinese defensive propaganda, in this case specifically addressing APT intrusions.

I'll cite a few examples so you know what I mean.

Hacking poses a threat to both China and Western countries and politicizing the problem will be detrimental to all.

The beginning of the article introduces the reader to the concept that China is just as much a victim of hacking as the West. This is the first invocation of "the victim card," which is a constant aspect of Chinese self-identity and international relations.

Tang Lan then dismisses accusations that the Chinese hack Western organizations, naming a few companies specifically. Then we read:

This is not the first time China has been the victim of such accusations. In fact, it was also accused of having instigated several previous systemic long-term intrusions, namely Operation Titan Rain, Night Dragon and Operation Aurora.

Again we see the victim card, using the actual word "victim." I think this section is counter-productive, because it reminds the reader that the Chinese have been publicly active against Western targets since 2003 (i.e., the mention of Titan Rain).

Western governments and media would have people believe that China has become a "cyberdragon", able to infiltrate the computer systems of countries and companies seemingly at will.

It may be tough for the author to appreciate this statement, but it's fairly true.

Besides, it is simply untrue to say that China is not a victim of cyber attacks. China was hit by nearly 493,000 cyber attacks last year, about half of which originated from foreign countries, including 14.7 percent from the US and 8 percent from India, according to a report issued on Tuesday by the Computer Network Emergency Response Technical Team / Coordination Center of China (CNCERT/CC), the country's primary computer security monitoring network.

Notice the third use of the victim card. More interestingly, who said "China is not a victim of cyber attacks?" Tang Lan introduces a red herring (pun intended) to divert our attention, and then uses statistics from CNCERT to show an argument (made by no one) is false.

Hacking poses a great threat to both China and Western countries and should be considered a common enemy. It is irresponsible to accuse any other country without ample evidence, and politicizing the problem will only prove detrimental to the interests of all.

As a responsible country, China has long held the principle of strengthening supervision of the Internet, and encourages all countries to cooperate for the common good.

We also hope other countries can hear China's voice, and understand China's efforts in defending the security of all.

In this amusing conclusion to the article, there are three points. First, we have a fourth invocation of the victim card. Second, we read of "irresponsible" and "responsible" countries. The US is "irresponsible" because its private, non-state-owned security firms are pointing the finger at China. China is "responsible" because it promotes "supervision of the Internet" (obviously via the Great Firewall of China). Third, China is supposedly encouraging "all countries to cooperate for the common good" and "defending the security of all." How is that happening, exactly?

I thought it was telling that someone in the Party decided to commission a response via an institutional speaker. The doublespeak in the article shows China craves being seen as "responsible," which gives the West a strategy for diplomatic pressure against APT intrusions. I also expect to see the victim strategy used by China as a constant justification for whatever activity it pursues.

On a slightly humorous note, one of the responses to this article that I read on a mailing list asked the following question:

Given that the Chinese PLA assaults Chinese Web sites from compromised IP addresses in the United States (reported in Slip-Up in Chinese Military TV Show Reveals More Than Intended), what would the statistics look like if they removed all their self-inflicted attacks?

Monday, September 05, 2011

Government Takeover of Compromised Digital Infrastructure Provider

The latest twist in the compromise of DigiNotar's certificate operations is amazing. The Associated Press reports:

DigiNotar acknowledged it had been hacked in July, though it didn't disclose it at the time. It insisted as late as Tuesday that its certificates for government sites had not been compromised.

But Donner said a review by an external security company had found DigiNotar's government certificates were in fact compromised, and the government is now taking control of the company's operations. The government also is trying to shift over to other companies that act as digital notaries, he said.

Two points in that report stand out.

Regarding the first, it took external analysis of the event to determine the true facts of the case. For me this is a step closer to requiring third party review of security posture, and by that I don't mean "are you vulnerable?" I mean instead "are you compromised?"

Regarding the second, I can't remember a time when a government assumed control of a private company in order to implement digital security measures. (Can anyone recall a similar event?) This could be a wake-up call to governments that one of the foundations of digital security is a commercial arrangement in which the compromise of any one of 600 or more certificate authorities puts the entire system in danger, because every trusted root can vouch for every name.
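To make that last point concrete, here is an added example in Go (my code for this page, not anything from the AP report, DigiNotar, or the Dutch government). It builds two hypothetical self-signed roots, has the unrelated one issue a server certificate for a hypothetical government hostname, and shows that ordinary path validation accepts the certificate as long as the issuing root sits in the trust store, whatever that root has to do with the site. It then adds an issuer pin, a mitigation the post does not discuss, that rejects any chain not ending at the root the operator expects. The CA names, the hostname, and the function names are all illustrative assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustCert parses freshly created DER, panicking on any error (demo code).
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// mustKey generates a P-256 key pair.
func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newRoot creates a self-signed CA. The CA names used in Demo are hypothetical.
func newRoot(cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueLeaf has ca sign a TLS server certificate for host.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(100),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// Verify performs ordinary path validation, in which any root in the pool may vouch
// for any hostname. A non-nil pinnedRoot additionally requires the chain to end there.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string, pinnedRoot *x509.Certificate) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil || pinnedRoot == nil {
		return err
	}
	for _, chain := range chains {
		if chain[len(chain)-1].Equal(pinnedRoot) {
			return nil
		}
	}
	return errors.New("chain ends at a trusted root, but not the pinned one")
}

// Demo builds two unrelated roots, lets the wrong one issue a certificate for
// a host, and reports whether each check accepts it.
func Demo() (plainAccepts, pinnedAccepts bool) {
	rootA, _ := newRoot("Hypothetical Government Root CA", 1)
	rootB, keyB := newRoot("Hypothetical Unrelated Root CA", 2)
	host := "portal.example.gov"          // hypothetical hostname
	rogue := issueLeaf(rootB, keyB, host) // rootB should never vouch for this host
	pool := x509.NewCertPool()            // stands in for a browser or OS trust store
	pool.AddCert(rootA)
	pool.AddCert(rootB)
	plainAccepts = Verify(rogue, pool, host, nil) == nil
	pinnedAccepts = Verify(rogue, pool, host, rootA) == nil
	return plainAccepts, pinnedAccepts
}

func main() {
	plain, pinned := Demo()
	fmt.Println("plain validation accepts rogue certificate: ", plain)  // true
	fmt.Println("pinned validation accepts rogue certificate:", pinned) // false
}
```

The first result is the systemic problem: the trust store has no notion of which root is supposed to speak for which site, so a single compromised CA anywhere in the list can mint a certificate the client will accept for any name. The pin narrows that to one expected root, at the cost of having to manage the pin when the site legitimately changes issuers.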

Saturday, September 03, 2011

Watch National Geographic Channel's The Liquid Bomb Plot

Over the last week I've been watching a new National Geographic Channel documentary titled The Liquid Bomb Plot. It explains how British intelligence detected and thwarted an AQ operation to destroy at least seven aircraft flying from the UK to the US in August 2006. The show is excellent and features first-hand accounts, including key US personnel like Secretary Chertoff and General Hayden.

I recommend watching this show because it demonstrates the tensions between the law enforcement and intelligence communities. The content also touches on the question of whether counter-AQ operations are legal affairs or military affairs.

After the show you will be less likely to doubt the value of US and UK intelligence operations (and those of our allies), even after the demise of UBL.

Furthermore, you can probably imagine how this sort of intel-centric operation is similar to the new sorts of wars we're fighting elsewhere -- i.e., in the digital domain.