Sunday, July 16, 2006

Scientifically Predicting Software Vulnerabilities

I recently came across research on "Modeling the Vulnerability Discovery Process", whose abstract reads:

"A few models for the vulnerability discovery process have just been published recently. Such models will allow effective resource allocation for patch development and are also needed for evaluating the risk of vulnerability exploitation. Here we examine these models for the vulnerability discovery process. The models are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems. The applicability of the proposed models and significance of the parameters involved are discussed. The limitations of the proposed models are examined and major research challenges are identified."

A handy summary of the report emphasises how:

"The Alhazmi-Malaiya Logistic model has already seen success in its predictions:

-- In 2005, it predicted the number of vulnerabilities discovered in Windows XP would grow rapidly. It has indeed grown from 88 in January 2005 to 173 by the latest count, making the vulnerability density of XP comparable to that of earlier versions of Windows.

-- The model predicted that very few new vulnerabilities will be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117.

-- It predicted that the number of vulnerabilities of Windows 2000 will eventually range from 294 to 410. At that time of the prediction, the number was 172; it now is 250, and vulnerabilities are still being found."
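As an added illustration (not code from the blog post or from the paper's authors), the following Python sketch implements the Alhazmi-Malaiya Logistic model in its published form, Omega(t) = B/(BCe^(-ABt) + 1), and shows how an eventual-total figure such as the "294 to 410" for Windows 2000 is obtained by estimating B from a cumulative discovery history. The monthly counts are constructed, and the parameter values and the B-scanning fit routine are my own assumptions, not the paper's estimation method.

```python
"""Alhazmi-Malaiya Logistic (AML) vulnerability discovery model.
Added example, not code from the cited paper or the blog post.
Published form:  Omega(t) = B / (B*C*exp(-A*B*t) + 1), where Omega(t)
is the cumulative number found by month t, B the total that will
eventually be found, and A, C shape parameters.  Counts below are
constructed from known parameters, not real vulnerability data.
"""
import math


def aml(t, A, B, C):
    """Cumulative vulnerabilities the model predicts at month t."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)


def peak_discovery_month(A, B, C):
    """Month of the highest discovery rate (where Omega = B/2)."""
    return math.log(B * C) / (A * B)


def _line_fit(xs, ys):
    """Ordinary least-squares slope m and intercept k for y = m*x + k."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx, my - (sxy / sxx) * mx


def fit_aml(months, counts, b_max=None):
    """Estimate (A, B, C, sse) from observed cumulative counts.
    ln(B/Omega - 1) = ln(B*C) - A*B*t is linear in t for the true B, so
    scan integer B above the largest count, fit a line for each B, and
    keep the B whose back-transformed curve has the lowest squared error.
    """
    b_max = b_max or 5 * max(counts)
    best = None
    for B in range(max(counts) + 1, b_max + 1):
        ys = [math.log(B / c - 1.0) for c in counts]  # needs 0 < c < B
        m, k = _line_fit(months, ys)
        A, C = -m / B, math.exp(k) / B
        sse = sum((aml(t, A, B, C) - c) ** 2 for t, c in zip(months, counts))
        if best is None or sse < best[3]:
            best = (A, B, C, sse)
    return best


# Constructed 36-month history generated from A=0.0005, B=300, C=0.05
MONTHS = list(range(37))
COUNTS = [round(aml(t, 0.0005, 300, 0.05)) for t in MONTHS]
```

Calling fit_aml(MONTHS, COUNTS) on the constructed history recovers an eventual total close to 300 and a peak-discovery month near 18; on a product whose count has flattened (the Red Hat 6.2 case above) the estimated B sits just above the observed count, while a still-growing history pushes it well above it.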

Remember the U.S. DHS's $1.24M bug hunt funding, which turned up a single X11 vulnerability? Money well spent for sure.

HD Moore, who's obviously getting efficient, the potential of contests, futures market models, and my speculation that "every day there's a new 0day in the wild" all ruin the effect of any such model. Assuming no external factors influence the process and the rest remain static -- which they rarely do -- it's a great initiative, but still more of a scientific shot in the dark, given the great deal of uncertainties and the decentralized model of discovering, reporting, using and abusing vulnerabilities. If historical performance matters and can act as a key indicator for predicting the future, I wonder whether the Mac's lack of vulnerabilities would continue to generate hype; it's more of a "lack of incentives to find some" type of issue. Today's vibrant vulnerability research intrigue is indeed capable of ruining any model.

I also came across a great point:

"After the first week of flaws were released, one online miscreant from Russia shot off an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.
"The black hats don't like the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing."

From my point of view, the existence and usefulness of Metasploit is precisely the same type of dilemma as whether citizens should be allowed to carry guns for self-protection or blindly rely on 500 police officers for 500,000 people. Hopefully, with initiatives like the Month of the Browser Bugs, we would inevitably break through the "yet another 0day, where's my patch dude?" type of security issues we have to deal with. At the bottom line, that's a single, efficient security researcher who's definitely working on building more awareness of what the corporate trolls are ignoring for the sake of their product portfolio diversification.

It's also interesting to mention the emerging underground 0bay model for selling 0day vulnerabilities:

"Cyber crooks are not hesitant to make such open declarations of illicit intent because of the anonymity offered by the Internet. Some have had the gall to try and peddle their information on popular online auction sites such as eBay. Last December eBay pulled an ad that was selling vulnerability information about Microsoft's spreadsheet program Excel. That was a bold, if foolhardy, move on the part of the seller, because eBay is hardly blackmarket at all, said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research Ltd. in London, Ont."

and its corporate form, which Sergio Hernando was kind enough to point me to. The VulnDisco Pack Professional:

- contains more than 80 exploits
- each month about 5-10 new exploits are made available in the form of updates
- VulnDisco Pack Professional licenses are not limited to a number of seats

and you can actually see an OpenLDAP 0day exploit in action for yourself.

Metasploit image courtesy of Metasploit's blog.

Related resources and posts:
Vulnerabilities
0day
Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Where's my 0day, please?
Delaying Yesterday's "0day" Security Vulnerability
Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
Getting paid for getting hacked

North Korea's Cyber Warfare Unit 121

In a previous post, "Who's Who in Cyber Warfare", I commented on a very informative piece of research on the topic and pointed out that:

"Technology as the next Revolution in Military Affairs (RMA) was an inevitable development; what's important to keep in mind is knowing who's up to what, what the foundations of their military thinking are, as well as who's copying attitude from whom. Having the capacity to wage offensive and defensive cyber warfare is getting more important; still, military thinkers of certain countries find network centric warfare or total renovation of C4I communications as the panacea when dealing with their about-to-be-scrapped conventional weaponry systems. Convergence represents countless opportunities for waging Cyber Warfare, offensive as well, as I doubt there isn't a country working on defensive projects."

Recently there's been some movement from North Korea's Cyber Warfare Unit 121, one that:

"North Korea set up about eight years ago with some 1,000 personnel, said the intelligence official, who declined to be named because it was the agency's policy to remain anonymous. The North's operation, called unit 121, "has hacked into the South Korean and U.S. Defense Department" and has caused much damage in the South, the official said without elaborating."

According to numerous articles on recent "anomalies" at unclassified U.S. State Department systems, these might actually have to do with the unit's own actions -- quite a momentum to take advantage of, isn't it? Any country's interest in establishing cyber war forces shouldn't come as a surprise to anyone. But while North Korea is trying to balance its military power through asymmetric and cyber warfare approaches, given its outdated conventional weaponry, I feel the real beast to worry about is China, which is sneakily hiding behind its currently strategic economic position. As the latest report, "Military Power of the People's Republic of China 2006", points out:

"The People’s Liberation Army (PLA) has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks."

Taiwan is reasonably taking note of China's historical cyber warfare actions and has recently held its first cyber war game simulating an attack from China:

"The drill, part of the island's annual major war game Hankuang No. 22, was held Wednesday and Thursday to intercept, block and counter a possible Chinese cyber attack of Taiwan's major computer network to paralyze the island's intranet operation, the Central News Agency quoted an unnamed defence source as saying."

Let's not forget the use and abuse of island-hopping points, fueling further tensions in key regions and abusing the momentum itself; physically locating a network device in the future IPv6 address space is of key interest to all parties.

War room courtesy of Northrop Grumman.

Related resources:
Information Warfare
Cyber Warfare

Friday, July 14, 2006

Spreading Psychological Imagination Streams

Wish I could reference all the copywriting materials I've ever written and got commissioned for, but I'd rather we play a "words creativity" game. There's no better personal benchmark for keeping yourself in good shape, and most importantly, for indirectly summarizing what's going on in my head at a particular moment, than coming up with random, instant sentences out of key words I come across while reading an article. Enjoy, and remember: a key word is worth a thousand sentences!

Wordlist:
- Breed
- Cupidity
- Intermediaries
- Powerhouse
- Quadrupled
- Commodities
- Proliferation
- Liquidity
- Licensing
- The arms race
- Competitiveness

Outcome:
- The boom of the Web, and the now experienced dotcom industry, has generated a whole new breed of wannabe entrepreneurs

- From some people's point of view, cupidity is just profit-maximization

- Among Dell's most important strategic objectives were to cut out the intermediaries, thereby lowering the final price of a PC and stealing market share. Trouble is, hardware has turned into a commodity these days

- AOL, the Internet's powerhouse from the early days of the Web itself, got the necessary attention from both Microsoft and Google due to the highly competitive atmosphere the rivals created. Eyeballs converted into revenue sources

- Since the standardization of advertising creative, online ad revenues have quadrupled

- Commodity markets are the true nirvana when it comes to betting and the potential to gain enormous returns in a short period of time

- The proliferation of false statements by the Senator has resulted in a decline in our sales due to privacy concerns

- Achieving liquidity should be issue number one for a less capital goods intensive organization

- Licensing not only cuts R&D costs, it also provides a company with the ability to gain competitive advantage and improve its value-added proposition relative to its rivals'

- The arms race in patent and brand registration across the world has resulted in a great deal of still unused, beta-stage technologies and names

- The competitiveness in the Business Services market segment that IBM was seeking is among the main reasons for the sale of the company's entire PC division -- today's Lenovo

An analysis of hard cover security ads from the most popular business magazines will follow at the beginning of the week. Actual shots, the messages themselves and detailed recommendations are to be included as well. Information security and business always tend to intersect; excluding one is like ignoring the other.

Monday, July 10, 2006

India's Espionage Leaks

You may find this brief overview of past leak cases in Indian security informative:

- "Defence Research and Development Organisation (DRDO) hard drive theft. The hard drives were stolen from the offices of the Scientific Analyses Group (SAG) and the Institute for System Studies and Analyses (ISSA) inside the DRDO complex. The SAG is responsible for cryptography. In other words, all codes and cyphers to ensure communication security for the defence forces have an SAG stamp. The ISSA, on the other hand, analyses competing weapons systems for induction into the armed forces."

- "Rabinder Singh. It is said there was a question mark over his reliability since the early 1990s when he began an operation for the collection of intelligence about US government activities in South Asia through a sister of his, who was employed in a sensitive US agency with links to the CIA."

- "Rattan Sehgal. The IB's counter-intelligence division reportedly found that a woman CIA officer posted in the US embassy was in contact with government servants and others on a mobile telephone, allegedly registered in the name of their boss, the suspect IB officer."

- "KV Unnikrishnan. During those jaunts in Singapore, compromising photographs of the stewardess and her lover were taken. These photographs and other documents were recovered by mid ’86 and it was learnt that Unnikrishnan was working for the CIA."

- "Larkins Brothers. The Larkins’ interrogations led to the arrest of Singh and it was found that Jockey and Bud were CIA operatives."

- "Samba Spy Case. By 1974, he began working for its army's Field Intelligence Unit at Sialkot on a regular basis. In the June of 1975, Dass was arrested on suspicion of espionage but by then he had persuaded some of his colleagues (including a certain Aya Singh) to become accomplices."

Understanding the past means predicting, or at least constructively speculating on, the future. Insider leaks due to HUMINT recruitment activities may seem to have vanished given the increasing number of IT-dependent infrastructures and the insecurities their connectivity brings -- SIGINT taking over from HUMINT espionage. While modern spy gadgets remain trendy, this very same connectivity has resulted in various hacktivism tensions in the past, namely the India vs Pakistan cyberwar and, of course, MilW0rm's infamous speculation on breaching India's Bhabha Atomic Research Center through the use of U.S. military servers as island-hopping points.

Office surveillance graph courtesy of BugSweeps.