Department of Defense creates their own Linux distro

http://www.computerworld.com/s/article/9218771/DoD_debuts_brand_new_security_focused_Linux_for_telecommuters?taxonomyId=142

The Department of Defense (DoD) has released a lightweight Linux distro aimed at telecommuters who need a secure VPN connection to their government websites.

The distro, called “Lightweight Portable Security”, boots directly from a CD or flash drive and requires no installation by the end user. While this is typical of most Linux distros, it also comes packaged with a modified Firefox browser that accepts Common Access Cards and other physical authentication mechanisms that other distros may not support out of the box.

This is a good alternative for employees to use instead of their own operating system. The DoD can ensure employees are all on the same page by running their own Linux operating system. Since storage is not persistent, a simple reboot would wipe any malware that managed to make its way onto the system. If this is available for public download I will definitely be looking into this.

Host-based Intrusion Detection System OSSEC

While on my co-op, I was tasked with deploying a HIDS on the servers in order to comply with the information security standard. The previous co-op student had started implementing OSSEC, which stands for Open Source Security. One of the major “selling points” was that it is free (released under the GNU General Public License, version 3). [1]

“OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.” [1]

The server was relatively easy to set up (I wasn’t that comfortable with Ubuntu when I first started) and the OSSEC agent was very easy to install. First, you set up the server and create agents, each with a hostname, an IP address, and an ID that you assign. Once the agents are registered on the server, you extract each agent’s key from the server and copy/paste it from PuTTY into the OSSEC Windows agent window. After that it’s as simple as starting the agent to begin protecting the server.

OSSEC saves daily log files in a compressed format on the server (.tar.gz if I remember correctly). These can get rather large, even when compressed, after a period of time. Luckily, our security standard only called for 3 months of record keeping.

The downside of this software is the huge number of false positives it generates. OSSEC rates threats by assigning each event a ‘level’ from 0 to 15. Generally level 7 and below are harmless, and levels 10 – 15 are what you want to be apprised of. Our standard, however, required us to log EVERYTHING. This meant thousands of redundant WINDOWS AUDIT FAILURE events saved to the logs. There is a way to manually edit the configuration file to ignore certain event codes (like Windows Audit Failure), but again, we were required to log every single event.

It is very time consuming to read through hundreds of pages of logs looking for threats, so I looked for log consolidation software that would organize them better and make them more readable, and I found Logwatch. Logwatch broke the logs up into sections and sent a daily email with its report. This was OK for a couple of days, but once I had all 8 servers reporting to the OSSEC server, the log sizes grew very large and the email server cut the attachment automatically.
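The triage problem described above, where every event must be kept but only a handful deserve a human’s attention, can be handled with a small script rather than a mail digest. The following Go program is an added example, not part of the original post or of OSSEC or Logwatch; it assumes an approximation of the alerts.log layout (a `** Alert` header, a timestamp/host line, and a `Rule: <id> (level <n>) -> '<description>'` line per record), and the sample log and rule ids in it are constructed for the example, with the ids placed in OSSEC’s local (100000+) range so they do not refer to any real rule.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Alert is one record from alerts.log: a "** Alert" header line, a
// timestamp/host line, a "Rule:" line, then the raw log that triggered it.
type Alert struct {
	Host   string
	RuleID int
	Level  int
	Desc   string
}

// Matches lines like: Rule: 100001 (level 4) -> 'Windows Logon Failure.'
var ruleLine = regexp.MustCompile(`^Rule: (\d+) \(level (\d+)\) -> '(.*)'$`)

// Matches lines like: 2011 Oct 06 08:00:00 (winsrv01) 192.0.2.10->WinEvtLog
var hostLine = regexp.MustCompile(`^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} \((\S+)\) `)

// ParseAlerts turns the text of an alerts.log into Alert records.
func ParseAlerts(text string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "** Alert") {
			alerts = append(alerts, Alert{})
			continue
		}
		if len(alerts) == 0 {
			continue // anything before the first header is ignored
		}
		cur := &alerts[len(alerts)-1]
		if m := hostLine.FindStringSubmatch(line); m != nil {
			cur.Host = m[1]
		} else if m := ruleLine.FindStringSubmatch(line); m != nil {
			cur.RuleID, _ = strconv.Atoi(m[1])
			cur.Level, _ = strconv.Atoi(m[2])
			cur.Desc = m[3]
		}
	}
	return alerts
}

// ReviewLevel is the threshold from the post: level 10 and up is what an
// analyst wants to see individually; everything below is kept but only counted.
const ReviewLevel = 10

// Summary keeps every alert in the totals (the standard says log everything)
// while listing only the ones that need a human.
type Summary struct {
	Total      int
	ByRule     map[int]int // alert count per rule id, to spot floods like audit failures
	NeedReview []Alert
}

func Triage(alerts []Alert) Summary {
	s := Summary{ByRule: map[int]int{}}
	for _, a := range alerts {
		s.Total++
		s.ByRule[a.RuleID]++
		if a.Level >= ReviewLevel {
			s.NeedReview = append(s.NeedReview, a)
		}
	}
	return s
}

// SampleLog is constructed for this example; the rule ids are not real OSSEC rules.
const SampleLog = `** Alert 1317888000.100: - windows,authentication_failed,
2011 Oct 06 08:00:00 (winsrv01) 192.0.2.10->WinEvtLog
Rule: 100001 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(529): user jdoe

** Alert 1317888001.200: - windows,authentication_failed,
2011 Oct 06 08:00:01 (winsrv01) 192.0.2.10->WinEvtLog
Rule: 100001 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(529): user jdoe

** Alert 1317888002.300: - windows,authentication_failed,
2011 Oct 06 08:00:02 (winsrv02) 192.0.2.11->WinEvtLog
Rule: 100001 (level 4) -> 'Windows Logon Failure.'
WinEvtLog: Security: AUDIT_FAILURE(529): user svc_backup

** Alert 1317888003.400: - windows,authentication_failures,
2011 Oct 06 08:00:03 (winsrv01) 192.0.2.10->WinEvtLog
Rule: 100002 (level 10) -> 'Multiple Windows Logon Failures.'
WinEvtLog: Security: AUDIT_FAILURE(529): user jdoe
`

func main() {
	s := Triage(ParseAlerts(SampleLog))
	fmt.Printf("%d alerts total\n", s.Total)
	ids := make([]int, 0, len(s.ByRule))
	for id := range s.ByRule {
		ids = append(ids, id)
	}
	sort.Ints(ids)
	for _, id := range ids {
		fmt.Printf("  rule %d: %d alerts\n", id, s.ByRule[id])
	}
	for _, a := range s.NeedReview {
		fmt.Printf("REVIEW %s level %d: %s\n", a.Host, a.Level, a.Desc)
	}
}
```

Run it against a real alerts.log by replacing `SampleLog` with the file contents; the per-rule counts show which noisy rule is filling the logs without dropping any record, and only the level 10+ alerts are printed for review.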

I talk about the drawbacks to OSSEC because you probably won’t read about it elsewhere. You can read about its accolades at http://www.ossec.net. It did seem to do its job well.

[1] http://www.ossec.net/main/about

Spoofing Locations

I found an article describing how a security researcher, Don Bailey, visited Boston, Afghanistan, Libya, and the White House. Or so his tracking device reported. He was using a Zoombak to report in from multiple places by intercepting SMS. The device is essentially a GSM module with a separate microcontroller. The service sends an SMS over GSM with A5/2 encryption, and the device then responds with its location over plain HTTP.

From the device, Bailey was able to find the T-Mobile sessions used by the service by checking the cellular network’s home location register. He then searched for numbers that were on but only allowed SMS and had incoming calls disabled. He could then send HTTP as that number and make it look like he was in different countries within a matter of minutes.

This research allows for spoofing of SMS responses from GSM-based traffic control systems and SCADA systems. So what it comes down to is that any remote device that uses SMS over a GSM module is completely vulnerable to this kind of attack. The article even said this would include GSM-based skimmers placed on ATMs, which would be a good thing if law enforcement knew how to intercept these devices. Below I’m pasting the title of the talk Bailey gave, which was all about his research on this subject.

“A Million Little Tracking Devices: Turning Embedded Devices into Weapons”

Why report a cyber crime?

Companies that become victims of cyber crimes sometimes question whether they should report it. They figure they will try to increase their security and keep law enforcement out of it. They do this for a number of reasons; for example, they question whether the information becoming publicly known will be bad for business. Some companies also worry that company secrets may be leaked by law enforcement, especially if a case goes to trial. But the truth is that the help of law enforcement might be worth the risk. Law enforcement has spent a good amount of time working with cybercrimes now; they understand the necessary secrecy inside the company and will try to work with companies to get the job done while being discreet. Nancy Gohring from IDG News Service reported on Network World:

Aravind Swaminathan, assistant U.S. attorney in the Western District of Washington, took pains to describe the lengths to which his office goes to be sensitive to the needs of companies that report crimes. He spoke during a cybercrime conference at the University of Washington School of Law on Friday.

“Everybody’s worried that their trade secret will end up on the front page of the paper,” he said. “Trade-secret cases are hard, but work with us. We aren’t obtuse. We know that’s the stock and trade of your business.”

Law enforcement will try their best not to cause problems for the company, and if the company doesn’t seek their help it could run into even more serious problems. If it emerges that a cyber crime happened and was not reported to the police, the company could end up being sued in the future. Also, if an attack is taking place, the company’s employees might not have the experience and knowledge to correctly fend it off. Law enforcement in the cyber crimes field will most likely have the knowledge to assist with this, recommend ways to tighten up security, and analyze what the most probable next target would be.

On a more personal computing note, it’s not only important for large organizations to report cyber crimes. Even simple home office cyber crimes should be reported. There’s no guarantee they will get the same attention from law enforcement as a corporate attack, and there may not be as much reason for you to report it. But the fact is a crime still took place and the police should be notified. If nobody reported cyber crimes, then hackers would have nothing to be afraid of, and internet security problems would increase. So do your part in keeping the internet safe.

Evilgrade: Exploiting Automatic Updating

Evilgrade is a framework created by infobytesec that you can download and use to exploit various programs that use online automatic updating insecurely. Essentially, when a program you’re attacking goes to look for an update, you intercept the request and send it your own update instead. This could obviously be used to send malicious updates; Evilgrade provides the framework for making your own updates for various programs.

There are over 60 different modules that you can play around with including:

- Safari
- iTunes
- Quicktime
- APT
- Java
- Mirc
- Adium
- Notepadplus
- Opera
- Bsplayer
- Winamp
- Trillian
- Teamviewer
- Virtualbox
- Vmware
- Winscp
- Winupdate

For each module, there is the proper framework needed to imitate an update from that program.

The reason this works is that many programs don’t bother to sign their updates with cryptographic keys so that only their own program will accept them. To prevent this, there needs to be proper authentication and validation within the update system. Because these programs don’t have that, they are prime targets for exploitation.

The best guidelines I found for creating a secure updater are from security researcher Dan Kaminsky. According to him, for an update to be accepted, the update package must be:

- Signed
- Signed by you
- Signed by you, using the right EKU (Extended Key Usage)
- Signed with an unrevoked signature
- The same product
- A new version

An updater following all of those guidelines would be much more secure. Unfortunately, today there are still many security gaps in the programs we use all the time. So next time your computer asks if you want to update a program, check whether your application’s updates require some authentication and verification. If they don’t, then be careful.
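To make the checklist concrete, here is an added example of an updater that refuses a package unless every check passes, in order. It is not code from Evilgrade, Infobyte, or Kaminsky; it assumes a JSON manifest as the update format, Ed25519 signatures in place of certificate-based code signing, a boolean standing in for the code-signing EKU on the publisher’s certificate, and a `Revoked` flag standing in for a CRL/OCSP lookup. All product names, key ids and versions are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the updater downloads; Signature covers every other field.
type Manifest struct {
	Product   string `json:"product"`
	Version   int    `json:"version"`
	KeyID     string `json:"key_id"`
	Signature []byte `json:"signature,omitempty"`
}

// SigningKey stands in for the publisher's certificate: public key, whether it
// carries the code-signing EKU, and whether it has been revoked (assumption:
// a real updater would consult the certificate and a CRL/OCSP responder).
type SigningKey struct {
	ID       string
	Public   ed25519.PublicKey
	CodeSign bool
	Revoked  bool
}

// Updater is the client: what product it is, what it runs, and whom it trusts.
type Updater struct {
	Product   string
	Installed int
	Trusted   map[string]SigningKey // "signed by you" means one of these keys
}

var (
	ErrUnsigned   = errors.New("package is not signed")
	ErrUnknownKey = errors.New("not signed by one of our keys")
	ErrWrongEKU   = errors.New("signing key lacks the code-signing EKU")
	ErrRevoked    = errors.New("signing key has been revoked")
	ErrBadSig     = errors.New("signature does not verify")
	ErrProduct    = errors.New("package is for a different product")
	ErrNotNewer   = errors.New("package is not newer than the installed version")
)

// signedBytes is the canonical form both the signer and the verifier use.
func signedBytes(m Manifest) []byte {
	m.Signature = nil
	b, _ := json.Marshal(m) // marshalling this plain struct cannot fail
	return b
}

// Sign is the publisher's side.
func Sign(m Manifest, priv ed25519.PrivateKey) Manifest {
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Accept walks the checklist and returns the first failing check. Product and
// version come last: until the signature verifies, nothing in the manifest
// can be trusted, so those fields must not influence any earlier decision.
func (u Updater) Accept(m Manifest) error {
	if len(m.Signature) == 0 {
		return ErrUnsigned
	}
	k, ok := u.Trusted[m.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !k.CodeSign {
		return ErrWrongEKU
	}
	if k.Revoked {
		return ErrRevoked
	}
	if !ed25519.Verify(k.Public, signedBytes(m), m.Signature) {
		return ErrBadSig
	}
	if m.Product != u.Product {
		return ErrProduct
	}
	if m.Version <= u.Installed {
		return ErrNotNewer
	}
	return nil
}

// RunScenarios exercises each check with freshly generated keys and returns
// the verdict per scenario; nil means the update would be applied.
func RunScenarios() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // an attacker's key
	u := Updater{Product: "ExampleApp", Installed: 4, Trusted: map[string]SigningKey{
		"release-2011": {ID: "release-2011", Public: pub, CodeSign: true},
		"tls-only":     {ID: "tls-only", Public: otherPub, CodeSign: false},
		"release-2010": {ID: "release-2010", Public: pub, CodeSign: true, Revoked: true},
	}}
	good := Manifest{Product: "ExampleApp", Version: 5, KeyID: "release-2011"}
	tampered := Sign(good, priv)
	tampered.Version = 6 // edited after signing, so the signature no longer matches
	return map[string]error{
		"valid":         u.Accept(Sign(good, priv)),
		"unsigned":      u.Accept(good),
		"unknown key":   u.Accept(Sign(Manifest{Product: "ExampleApp", Version: 5, KeyID: "mystery"}, priv)),
		"wrong eku":     u.Accept(Sign(Manifest{Product: "ExampleApp", Version: 5, KeyID: "tls-only"}, otherPriv)),
		"revoked":       u.Accept(Sign(Manifest{Product: "ExampleApp", Version: 5, KeyID: "release-2010"}, priv)),
		"forged":        u.Accept(Sign(good, otherPriv)), // claims our key id, signed by someone else
		"tampered":      u.Accept(tampered),
		"other product": u.Accept(Sign(Manifest{Product: "OtherApp", Version: 5, KeyID: "release-2011"}, priv)),
		"downgrade":     u.Accept(Sign(Manifest{Product: "ExampleApp", Version: 3, KeyID: "release-2011"}, priv)),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-14s -> %v\n", name, err)
	}
}
```

The ordering is the design point: the updater identifies the key, checks its usage and revocation status, verifies the signature, and only then reads the product and version out of the manifest. An updater that compared version numbers first would be letting unauthenticated data steer its behaviour, which is exactly the gap the interception attack exploits.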

A video showing exactly how Evilgrade works can be found here.

IPs and UFOs

What does an IP address have to do with UFOs?

Well, a 42-year-old self-taught British IT expert is facing 60 years in prison because his IP address was found after he supposedly carried out the ‘biggest military computer hack of all time’. Gary McKinnon, a UFO enthusiast, was arrested in 2002 for hacking into the US government’s computer systems. It was so easy to get into the systems that he ‘got sloppy’ and went into places directly rather than going through intermediate systems. This allowed NASA to trace his IP address, and so on…

McKinnon, a UFO enthusiast, was at the time searching for any information associated with extra-terrestrial findings and, to his surprise, came across many things. He got hold of top secret images and documents, and one document claimed that the agency has to airbrush UFOs out of satellite photos because ‘there are so many of them’. I found this very surprising because I thought UFO findings were rare.

The government’s security systems failed to protect its data and caused confidential data to be leaked to the public. But I always wonder why the US government would hide this type of information. Also, why does this UFO enthusiast have to go to prison for so long? If he had gained the information for money I would understand, but he just wanted to know more about UFO findings. McKinnon himself thinks he is facing 60 years because the government is scared of what he has seen. Since this was back in 2002, the US government should have made some improvements in computer security by now. But with the recent virus hitting the military’s Predator drones, it makes me wonder whether computer security is a top priority for the government.

To read more on the article, visit the link below.

Source: http://www.guardian.co.uk/world/2008/jul/27/internationalcrime.hacking

Social Computing Installations and the Security Risks

A friend of mine shared a link to this website, http://deaddrops.com/, which is a social computing installation experiment that is spreading across the world. In the creator’s own words, “Dead Drops is an anonymous, offline, peer to peer file-sharing network in public space.”

I started watching the video on how this experiment is supposed to work, and it’s basically people cementing a USB drive into a wall in a public space; others then come around with their computers, plug into these USB drives, and download and share the data. Right away, security risk red flags went up everywhere in my head.

This installation serves as a testament to how ignorant and misinformed most people are. Connecting your laptop to these mounted USB drives is like opening your house to thieves and inviting them in to sniff through your stuff. It’s crazy, and the sad thing is that ordinary people don’t even understand the nature of the risk.

Facebook scammers exploit death of Steve Jobs

Since we recently talked about social engineering in class, I think this post has a great deal to do with how people were socially engineered through Facebook and ignorance. PandaLabs, a popular internet security blog, recently found a Facebook page that was claiming to give away 50 free iPad 2s in honor of Steve Jobs’ death. The page gained five new fans every second and more than 90,000 fans since late yesterday.

As of approximately 8:00 AM PDT October 6th, the page has been disabled, but it’s unknown as to how many users’ PCs have become infected since more than 25,000 users clicked the link in less than eight hours.

Luis Corrons, technical director of PandaLabs, said, “Unfortunately, as soon as we learned of Steve Jobs’ death, we knew scammers would start to figure out how to exploit it. It is not unusual for cyber-crooks and fraudsters to take advantage of headline-grabbing events to spread their creations and affect the maximum number of victims possible in a short period of time.”

This security issue is primarily about how any type of internet user, whether a social media user or a general internet user, can be manipulated and persuaded easily. Social engineering is a process; it’s the art of manipulating people into performing actions or divulging confidential information. In this case, Facebook users were manipulated with the promise of free iPads, not knowing they were on their way to being spammed and taken to sites where they were prompted to fill out surveys for their “Free iPads.”

These scammers actually make a profit, as sick as that sounds.  They get money from the ads displayed every time someone follows the instructions.  The scammers profit when users click through those links, by earning commissions based on the amount of traffic they bring to the websites.  The formula is simple for profit:  more traffic = More income.

Social engineering is used by almost everyone for some purpose. Whether that purpose is malicious or helpful, it is scary to see that people can be manipulated because there’s a chance they might “Gain an iPad” or “Click here for a free iPhone 5.” The class discussion on social engineering could have included the Steve Jobs Facebook scam, because users were tricked into clicking on the false iPad advertisement. Unfortunately, these scammers can make a pretty penny from these kinds of manipulations, and it’s terrible.

These types of scams are not rare; on the contrary, they are seen all over the internet. Just this year, with the death of Amy Winehouse, these scammers were on the prowl for internet suckers when they broadcast a link to a shocking video of Amy Winehouse before she died. Eventually, this video traveled to e-mail form, and when a user tried to open the attachment of the so-called “shocking video” they were hit with malware.

http://nakedsecurity.sophos.com/2011/10/06/steve-jobs-death-facebook-scam/

http://www.thetechherald.com/article.php/201130/7446/Amy-Winehouse-scams-jump-from-Facebook-to-email

The White House orders new computer security rules

Due to the disclosure of hundreds of thousands of classified government documents to WikiLeaks last year, the White House is planning to issue an executive order to replace the flawed patchwork of computer security safeguards it had in place, whose weaknesses were exposed by the leak of classified information. The order follows a seven-month review by the President of the policies and procedures for handling classified information and documents, which produced recommendations on how to reduce the risk of breaches.

After the initial WikiLeaks disclosures last November, the military disabled 87 percent of its computers from downloading classified data onto memory sticks, CDs or DVDs. The Pentagon also developed procedures to monitor and detect suspicious behavior on classified computer systems. Some computer security analysts say these safeguards, as well as the new rules in the executive order, will bring greater consistency and accountability to information sharing and protection policies.

Currently, every Defense Department computer is blocked from downloading classified information onto memory sticks or CDs, except for a few explicitly authorized machines needed for mission-essential duties. The Pentagon has also issued cyber identity credentials to everyone using unclassified networks, so that supervisors can track what users are working on, and the military is accelerating the analysis of logs from computers on the classified networks to detect large transfers of data or the use of data that is unrelated to an individual’s job duties.

Monte Hawkins, the director for identity management and biometrics policy at the National Security Council, stated, “I don’t think we’ll ever be able to guarantee this won’t happen again, but this will greatly enhance our chances of preventing it or catching it in the process”. I believe this is true; it is very hard to prevent the hacking and leaking of information, because as we figure out how to block one way, hackers just figure out another. But if we put in place safeguards to try to stop it, or even catch it in the act, we can better keep classified information from getting out.

Predator Drone ‘Virus’ Could Be Military’s Own Monitoring

Earlier last week it was reported that the military’s Predator and Reaper UAV fleet was hit by a virus that logged the pilots’ keystrokes. After several attempts to remove it, the virus kept coming back to the systems.

Security researcher Miles Fidelman says, however, the virus may be an internal Department of Defense (DoD) security monitoring package. He noted there are “a couple of vendors” who sell such technology to the DoD, which are “essentially rootkits that do, among other things, key logging.” The comments were sent to the Dailydave security mailing list, which was posted through SecLists.org.

“I kind of wonder if the virus that folks are fighting is something that some other part of DoD deployed intentionally,” Fidelman adds.

It would be quite glaring if the Air Force’s techs are wasting their time fighting this virus when it was deployed by the DoD itself to keep its pilots accountable.

Source: http://techzwn.com/2011/10/predator-drone-virus-could-be-internal-monitoring-system-analyst/