Thursday, March 27, 2014

A traditional cybersecurity company

Picture of the loft, from Space Rogue.
This is the tradition.
In the prosecutors' response to the Weev appeal, they make the snarky claim about Goatse security:
It is not, to put it mildly, a traditional security research company. The firm’s name is a reference to a notoriously obscene internet shock site. ...  Goatse Security’s corporate motto is “gaping holes exposed.” 
They are wrong. This is traditional, at least for security research companies. We start out as hobbyists having fun, not taking what we do seriously. We start wearing t-shirts and hoodies. Only as we grow older do we realize that people will pay serious money for this, and it becomes our formal job, where we might show up to meetings wearing a suit.

Wednesday, March 26, 2014

We may have witnessed a NSA "Shotgiant" TAO-like action

Last Friday, the New York Times reported that the NSA has hacked/infiltrated Huawei, a big Chinese network hardware firm. We may have witnessed something related to this.

In 2012, during an incident, we watched in real time as somebody logged into an account reserved for Huawei tech support, from the Huawei IP address space in mainland China. We watched as they executed a very narrow SQL query targeting specific data. That person then encrypted the results, emailed them to a Hotmail account, removed the log files, and logged out. Had we not been connected live to the system and watched it in real-time, there would have been no trace of the act.

The compelling attribute of the information they grabbed is that it was useful only to American intelligence. The narrowness of the SQL query clearly identified why they wanted the data. It wasn't support information, something that a support engineer would want. It wasn't indiscriminate information, something a hacker might grab. It wasn't something that would interest other intelligence services -- except to pass it on to the Americans.

I point this out to demonstrate the incompleteness of the New York Times story. The story takes the leaked document with the phrase "Leverage Huawei presence to gain access to networks of interest" and assumes it's referring to the existing narratives of "hardware backdoors" or "finding 0days". In fact, these documents can mean so much more, such as "exploiting support contracts".

A backdoor or 0day for a Huawei router would be of limited use to the NSA, because the control ports are behind firewalls. Hacking behind firewalls would likely give full access to the target network anyway, making any backdoors/0days in routers superfluous.

But embedding themselves inside the support infrastructure would give the NSA nearly unlimited access to much of the world. Huawei claims that a third of the Internet is running their devices. Almost all of it is under support contract. These means a Huawei support engineer, or a spy, can at any time reach out through cyberspace and take control of a third of the Internet hardware, located in data centers behind firewalls. Most often, it's the Huawei device or management server the NSA would target. In other cases, the Huawei product is just one hop away from the desired system, without a firewall in between.

You want to know who the Pakistani president called in the hours after the raid on the Bin Laden compound? Easy, just use the Huawei support account to query all the telephone switches. You want the contents of Bashar al-Assad's emails? Easy, just log into the Huawei management servers that share accounts with the email servers.

This isn't a just Huawei issue, but a universal principle of hacking. An example of this was last Christmas's breach of the retailer Target, where 40 million credit cards were stolen by hackers. Apparently, hackers first breached the HVAC (air conditioning) company, then leveraged their VPN connection to the Target network to then hacking into servers.


By the way, I doubt this was actually the NSA. It's more likely the CIA, who has "assets" at Huawei (support engineers they've bribed), or the intelligence service for a friendly country. The intelligence community is so huge it'd be unreasonable to assume the NSA is lurking behind every rock. I'm just pointing out that there are other ways to interpret that NYTimes story.


Thursday, March 20, 2014

Witty Worm: no seed population involved

Today is the 10 year anniversary of the Witty Worm. The thing that’s best known about this worm is that it started from a “hit-list” or “seed” population. Even Wikipedia confirms that this is true. But it’s false, as I’ll demonstrate beyond doubt in this blog post.

Witty 10 Years Later

Today is the 10 year anniversary of the Witty worm. Remember that worms exploit vulnerabilities, or bugs. Some lazy/incompetent programmer somewhere is responsible for having written the lines of code containing those bugs. Virtually all those programmers have escaped blame, safely remaining anonymous. Unique to Witty, you know the programmer who was at fault: me. I didn’t actually write the specific line of code, but I was “pair programming” with the guy who did. I reviewed his code, so I deserve just as much blame as he.

Being that this is the decadal anniversary, I thought I’d write up something on the bug from the insider’s perspective.

Wednesday, March 19, 2014

Weev’s lawyers appear in court

Some observations from today’s appeal hearing of Weev  (the notorious case of someone convicted of accessing public info).

What was it?

Andrew "Weev" Auernheimer was convicted of conspiring to violate the CFAA, and was sentenced a year ago to 41 months in jail. His lawyers appealed, the prosecutors submitted a reply brief, his lawyers submitted a reply to the reply brief. Today they got in front of the three judges of the Third Circuit Court to fight it out. Each side got to talk for 15 minutes, and the judges peppered them with questions.

Monday, March 17, 2014

MH370 must've been cyber-hacked

From @puellavulnerata comes this CNN segment where the anchor seriously speculates that it was something "supernatural" that happened to the missing plane.


Of equal stupidity is this article from the UK Daily Express that cites a government expert to claim the plane may have been cyber hacked from a mobile phone.





Tuesday, March 11, 2014

Newsweek myth busted: "disk space is cheap"

What makes the Newsweek outing of "Satoshi Nakamoto" so egregious is that the story cites no evidence. Everything cited in the story is easily disproven. An example is the following "evidence" described by the "forensic analyst" involved in the story.

According to this article, one of the corroborating bits of evidence is the bit from the Bitcoin paper describing how to conserve "disk space". According to the analyst, disk space is cheap these days, and no young person would consider conserving it. Therefore, according to her reasoning, the creator of bitcoin must come from the pocket-calculator/slide-rule generation.

This is nonsense. The current blockchain is 17.3 gigabytes in size. It takes up a sizeable amount of my 256-gigabyte SSD boot drive, meaning that Bitcoin is already too big to fit easily on laptops. Moreover, Bitcoin is growing faster than Moore's Law, meaning the problem will only get worse. In another couple years, after which desktop drives will have doubled in size, Bitcoin will have double more times, and be too big to fit easily on those drives.

Here's the thing about Moore's Law: it exists because we are constantly bumping up against resource limits. Disk drive manufacturers spend billions of dollars every year in research finding ways to increase disk drive space because we still don't have enough. Only when Moore's Law stops will we have reached the point when these resources have become too cheap to be considered.

Every engineer who does real work is constantly hitting the limits of CPU speed, network bandwidth, and drive space. Whether 17 or 70, it's unreasonable to expect that the creator of Bitcoin would ignore these resource constraints when designing a system to handle billions of transactions.

The above story claims that the forensic analyst,  Sharon Sergeant (@AncestralManor), is a "systems engineer by training with experience in computing security, military protocol analysis, and artificial intelligence". This appears to be an exaggeration. Her profession is "genealogist", not a "systems engineer". For all we know, the sum of her experience is a single engineering class in college. She may actually be more qualified, but her incorrect claims that engineers ignore resource constraints indicates otherwise.


Saturday, March 08, 2014

Airgapping Tor

Tor has a "browser bundle", combining a web-browser and the Tor proxy together. This is too dangerous to use. It's too easy to launch other applications, such as PDF readers, that will bypass the Tor service and access the Internet directly, thus revealing your IP address.

A safer way to use Tor is to use two machines, one running the Proxy, and the other running the Browser. The Browser machine is configured such that it has no access to the network, other than through the proxy. This means if you make a mistake, network access will fail rather than reveal your true IP address (a principle known as "fail close").

The way I do this is with a virtual machine on my MacBook Air. My laptop is the Proxy machine, running Tor, and a virtual machine is the Browser machine, connecting to the Tor service via SOCKS.

Here are the configuration steps you need to make.

0. Before you start

Download the "Tor Browser Bundle" onto your laptop. We won't be using the browser in the bundle, but it's a nice simple way to get the Tor proxy installed on your laptop

Install virtual machine software for your laptop. Under MacOSX, I use "VMware Fusion". Under Windows, I use "VMware Player", which is free. (I also use "VMware Workstation" for my destop).

Create a virtual machine, and install the operating system. Or, just download a pre-built virtual machine running a Linux desktop, like Kali Linux.

1. torrc/SocksListenAddress [Proxy]


By default, Tor puts the SOCKS service on "127.0.0.1:9150", which means that only software on the local machine can use the proxy. You need to reconfigure this so that another machine can access Tor.

To do this you need to find the "torrc" file. On my laptop, this is in the directory "/Applications/TorBrowserBundle_en-US.app/Data/Tor".

Edit this file, and at the bottom, add a line like:

SocksListenAddress 0.0.0.0

This is sub-optimial, because it means anybody on your local network, including other users on the local Starbucks network, can access your proxy. You probably don't want to open this up to the entire world. Instead, you might want to restrict it just to the local virtual machine. I ran "ifconfig" on the command-line and found an adapter named "vmnet8" that has an IP address of "192.168.51.1", so I used that instead:

SocksListenAddress 192.168.51.1

When you do this, when you run the Tor bundle, you'll now get an error message saying that the bundled browser isn't working. That's find -- it's just that the bundled browser doesn't know about the address change, and can't find the address. You can fix this by reconfiguring which proxy the bundled browser uses, but you shouldn't bother -- because you don't want to be using that browser in the first place.

2. VM configuration [Proxy]


There are many ways the networking of a VM can be configured. What you want is a "host only" or "private to my Mac" configuration. This means that the VM can talk only to the local host, or to other VMs, but not to the network. Since the default is to do NAT ("Share with my Mac"), you need to change this.

Before doing this, however, you may want to make sure that your've got everything working inside your virtual machine. I had to go back and re-enable normal networking to install proxychains, then go back and disable it again. It was very irritating.

3. Proxychains [Browser]


I run Linux inside the VM, so therefore, I need command-line utilities. Unfortunately, most tools don't know about proxying, so you need a tool called "proxychains" to enforce this. If you are just going to use the web-browser, then you can skip this step.

To install this tool:

apt-get install proxychains

Now you need to edit /etc/proxychains.conf. Go to the bottom of the file. There may be a default configuration line using "socks4", delete this or comment it out. Now add a line like the following, where the IP address is that of the VMware virtual machine configured in step 1:

socks5   192.168.51.1   9150

Note that older Tor defaulted to port 9050 and socks4, and newer stuff uses 9150 and socks5.

Somewhere else in the file is the configuration setting "proxy_dns". You'll want this enabled -- this fixes the old concern where DNS lookups would leak your IP address. Note that if this configuration is wrong, then proxychains just won't work -- our "failed-close" configuration makes this happen.

To use proxy chains, just prefix it to any command, such as:

proxychains wget www.yahoo.com

Run this command, and you should see it work. The same technique works for running things like "proxychains apt-get ..." or "proxychains git clone ...".

4. Iceweasel [Browser]


The default browser for many Linux distros is "Iceweasel", which is a custom build of Firefox. You need to configure it to use proxy.

To begin with, you need to tell it to proxy DNS correct. Go to the web page "about:config" to access the advanced settings, search for "dns" settings, and configure the following parameter (by double-clicking on it):

network.proxy.socks_remote_dns    true

Next, go configure the normal proxy settings at [Edit] [Preferences] [Advanced] [Network] [Connection] [Settings] [Manual Proxy Configuration] [Socks Host], and configure the same IP address and port (192.168.51 9150).

A screen shot of this is below:




5. General Tor settings

At this point, you've got a nice private machine. As long as you've got the virtual machine configured to be "host only" ("Private to this Mac"), then you don't have to worry about things escaping your computer.

But you still need to learn a bit with Tor. For example, once you get all this working, you'll find that your Google searches no longer work, because Google blocks a lot of activity from Tor exit nodes. Therefore, you'll have to change your search engine to something like DuckDuckGo, which is Tor-friendly.

Also note that you can out yourself accidentally. Let's say you are a journalist working on a super-secret article on the NSA, and you accidentally search for something like "EGOTISTICALGIRAFFE" from your main computer rather than the Tor-protected computer. The NSA can (and probably will) subpoena the information from Google to see who searched for this term before it became public, discovering your identity. You have to religiously compartmentalize what you are working on for a story, and never let ideas creep out to appear as search attempts or browser history from your work computer, friend's computer, or you laptop.

6. Optionally encrypt the VM [Browser]

Since the VM has all your secrets, you probably want to encrypt it with a strong password. You probably don't need this step if you've already got full-disk-encryption, but if you don't, then you should probably do this.

VMware has this option built-in. You can select your virtual machine and tell VMware to encrypt it. It'll ask you for the password each time you reboot the VM.

If running Linux, you can also use LUKS. The Kali site has a good description of how not only to encrypt your VM, but also configure a password that will destroy the VM in the case that somebody tried to force you to divulge the password.

Note that without encryption, people can recover files from your drive. In other words, let's say you delete your VM. The actual bytes aren't deleted yet until the drive is wiped so forensic utilities on the drive may still recover files you think are gone. Encryption solves this, such that when you delete the VM, the only thing recoverable is garbage.




Update: By the way, there are more secure ways of airgapping Tor, such as using two physical machines. The above text is for an easy alternative to the Tor Browser Bundle running on a Mac OS X or Windows laptop when on the road -- i.e. the sort of thing that I do when in a hotel and don't want people eavesdropping on my traffic.

Friday, March 07, 2014

Newsweek: I'm not Satoshi, either

Today, Newsweek relaunched its magazine with a cover story outing a Dorian "Satoshi" Nakamoto as the creator of Bitcoin. The story is bogus. It cites zero evidence. It does cite many suspicious things that hint Dorian might be Satoshi -- but that level of evidence can apply to anybody, even me.

Of the list of people most likely to be Satoshi, I'm not even in the 10,000 most likely candidates. Yet, if you went looking, you'd find just as much evidence that I was the creator of Bitcoin. Pando Daily has a good list here enumerating all the pieces of evidence cited in the story. I thought I'd create a similar list outing me, to show how easily it can be done.

1. I've got unusual ties to Japan
My brother lives in Japan. I've been visiting Japan about once a year for the past 15 years. This would explain selecting a Japanese pseudonym. This is an unusually strong connection to Japanese names you wouldn't find with most nerds.

2. My work history syncs up
I quit my job and became an independent consultant slightly more than 2 years before Bitcoin was released -- almost exactly how long it would've taken to create Bitcoin. That's a suspiciously close match.

3. I've been a cybersecurity expert since the 1990s
I have a long history with the building blocks of Bitcoin, not only the crypto, but also things like writing code and network protocols.

4. I'm a rabid libertarian
It's vogue for geeks to call themselves "Libertarian", but that's more so out of dissatisfaction with the two main Parties than real enthusiasm for libertarian principles. I, on the other hand, am hard-core.

5. My family would say I'm capable
If Newsweek were to call up my family, they'd confirm that I'm capable of Bitcoin. What I do is magic to them, so they'd confirm pretty much anything. They would assume any claim Newsweek was making might be true.

6. My family would say I'm weird and private
My family would confirm that while intelligent, that I'm moody, weird, and obsessively private. For example, I paid the $500 deposit on my cellphone so that I wouldn't have to give them my social security number. My social security number isn't tied to anything (not my house, phone, car, cable, power, etc.) that isn't required by law. I'm a little annoyed that Obamacare now forces me to link my identity with health care.

7. Some other reasons
And there are a couple other reasons I don't want to discuss, because as noted above, I'm private. But if Newsweek came looking, they'd find them convincing evidence.


What I'm trying to show here is that the Newsweek article is just an example of "confirmation bias". Once they decided that Dorian was Satoshi, they went looking for pieces that would confirm this. You can apply the same method to me, and suddenly I start looking like Satoshi. That I have such a strong tie to Japan, for example, starts to loom important, but it's not. My business partner Dave is mostly American Indian, but is partially Japanese. If you Ancestry.com him, you might find he's got an ancestor named "Satoshi" and another named "Nakamoto". But that's meaningless, both are common Japanese names.

Journalists are supposed to know this. They are supposed to be trained in the difference between actual evidence and crap like this. Such details are good reasons to go hunting for a story, to go look for real evidence, but they doesn't justify a story on its own. Sure, it's enough for blog post maybe, but it's nowhere near what is required for the cover story of a major magazine.


It seems that journalistic standards have been falling for the past few years. It'll be interesting to see if the industry will hold Newsweek accountable for this story.





Tuesday, March 04, 2014

Game theory: cheating at bitcoin mining

My mining rig: 10-gigahash/sec, 0.001 BTC/day
I think I’ve come up with a way to cheat a little at Bitcoin mining.

Bitcoin “mining” is the process in which new transactions are officially entered into the running ledger. Every 10 minutes, the current outstanding transactions are combined together in a “block”, then a "miner" calculates the SHA256 hash for the block.

The wrinkle here is that Bitcoin is decentralized, so no one person is responsible for calculating the hash. Miners must compete to create a hash. Therefore, the hash must have certain properties, namely, the first 64 bits of the hash must be zero (the current difficulty level is 63.8 bits, it changes over time to accommodate more mining power). A little bit of random data is added to the block before hashing, and the miner keeps changing that random data until the resulting hash has the proper number of leading zeros. Currently, that requires 18 quintillion calculations, or 18 billion billion, or 18,446,744,073,709,551,616 – or in technical terms, a boatload.

RSAC Keynote: support your local sherif

RSA Security chairman Art Coviello opened his company's conference with a discussion of "BSAFE backdoor" controversy [video]. Rather than defending his company's mistakes in the affair, he seemed to justify them with a four-point plan calling for greater powers for law enforcement.