Monday, January 29, 2018

Non-State Actors Practice Deterrence!

I know it's going to annoy the International Relations/Law people when I say this, but non-state actors have a more developed deterrence methodology in the cyber domain than state actors at the moment.

There's a whole slide about this in the Immunity T2/S4 keynotes:

Governments, including the USG, need to be aware of the levers of power projection various private entities have. "Access/Analysis/Remove/Offer" come from the Immunity cyber weapons categorization methodology as explained elsewhere.

To be fair, I think Microsoft and Google can do many things that will, completely legally, hamstring the USG in many ways.

For whatever reason, the thing that has awoken many in Government to this threat is the much more innocuous Strava Heat Map. I know that a month ago if you asked "How would I unmask every US drone base in Africa" the answer would not be an SQLi bug in a jogging data app.

But of course the fact that the international consortium of industry players working on the Meltdown bug were able and willing to keep it a secret from the USG is another interesting data point when it comes to the way private industry can hold its own interests above governments.

One thing I look at with a lot of this technology analysis is whether or not we have crossed the cell membrane that separates a world where the USG is a market driver from one where it is considered a niche market and the rivers all run in the opposite direction. For information security, it was true ten years ago that the USG was driving the latest technological trends. They were a huge market and had specialized needs that they were very clear about.

I don't think anyone believes that's the case anymore, and it has massive implications for important things like supply chain security, export control, and strategic issues around technological diffusion and power projection.

Friday, January 26, 2018

What is the merit of a merit-based immigration system?

Last week's Grey's Anatomy had a transsexual hack-back plot-line. It was realistic: The FBI looked after their own interests instead of the victim. And there are a ton of transsexuals in the hacking community. As you might imagine any discipline of iconoclasty has a tendency to fit in well.

This week's Grey's Anatomy had a plot point of a black 14 year old getting shot by cops as he broke into his own house. They don't show the aftermath, but you, if you're doing strategic analysis of the cyber domain, have to think: This is what you would target if you were our adversary. The natural fault line. The military "center of gravity" of the States is a fragile unity when you have Mattis telling his soldiers to "hold the line" and yet we can't stop racist memes from being on the signs in the Overwatch League video stream.

It's a normal thing to explain to some of our kids how to behave around cops so they don't get murdered by them. THIS IS EXACTLY THE SORT OF THING CYBERWAR WEAPONIZES INTO INSURGENCIES.

I have three kids, and one of them is brown enough I don't let him carry toy guns outside the yard.

The most surprising thing to a lot of us is that anyone is surprised at how many neo-Nazis there are in America. Like every time Susan Hennessy is like "Where did all this come from?!?" you have to laugh. A lot of Immunity employees in Miami sometimes fantasize about moving the HQ to a different city. But to me a lot of cities were always out of the running. Miami's justice system can be corrupt, but it's not compromised by a Confederacy.

I've felt it both ways: on one hand I'm chameleon enough because of my vocal intonations that sometimes I can pass - I had one person in a bar in Del Ray ask me if I could understand what it was even like growing up a "person of color" and I almost spit out my beer. On the other hand, in the Florida Keys, which are an hour south of Miami and fifty years behind, I'm my white friend's Hispanic helper to the locals. It's a thing. When girls in Miami flirt with me they often start with "Where are you from?" by which they mean "Why are you brown, exactly?"

I see immigration both ways too. I had a cousin who was a dreamer who had to go back to Peru without knowing more than third grade Spanish. She liked World of Warcraft and computer stuff and that's the shibboleth of being an American as far as I'm concerned. But do companies want a massive increase in H1Bs because it lowers salaries overall? Probably. And I don't think the Democratic proposals are coherent because that's their general policy in life.

A lot of countries use a "merit based" immigration system. They assign points to people based on how likely they are to be of benefit, like going for a job interview at a big company. I remember my job interviews at the NSA, which were for a sort of affirmative action ROTC-like program where they paid for college.

My grades in high school were terrible, and the only reason the NSA was talking to me was I was brown, and my SAT scores were decent, and I wanted to join, because although the NSA was more secret back then, it was still the geekiest thing I'd ever heard of.

Affirmative action is by definition odiously unfair. But on the other hand, I think the NSA did OK with that program. I think it needed a few people who would park their shitty Camry with the FREE KEVIN sticker in the director's spot without even thinking about it, and frankly who cares how they got them? That was a precipitous time and the NSA had a few people who were outside its box right when it needed them.

For a lot of people, the merit they are looking for in their immigration system is one that lets them bring their family to live with them in a place they've come to love. I don't think the NSA knew it was getting a needed skill-set when it hired me so many years ago. They didn't have a points system. I think they took a chance on an unknown who had enough drive to want to be a part of them. And you can't tell me some bureaucrat can think of a better merit than that.

In any case, Immunity is hiring again soon for information security consulting jobs, and you don't have to be brown, or even American.



Changing the Meta: Format String Bugs



New bugclasses often change the meta-game of cyber war, and a smart player will prepare for that eventuality. The one I think best represents this dates to 2000, when Scut of TESO did a talk at the 17th Chaos Communication Congress (17C3) and then released a paper on it. Who is this Scut guy and whatever happened to him, you might ask? I'm sure it's not important.

The specifics of what a format string bug is are a bit beyond a policy blog, but here are some things you learn from his paper:

  1. Format string vulnerabilities were everywhere
  2. Exploiting them taught the hacking community a lot about exploit primitives, for example how to convert a relative write-one-word primitive into an absolute write-many primitive, or into an information leak. In that sense it was a watershed.
  3. Having source code made it super easy to scan for format string vulnerabilities, including with automated analysis techniques. That's why today, like the dodo, they are rather rare.
To return to those glory days of free remotes in every public daemon you have to go into IoT auditing. But there were winners and losers when it came to the format string feeding frenzy of 2001. Having source code mattered for the offensive teams because it was a race, and because exploitation at this level involves a deeper understanding of an entire program than vulnerability finding does.

But that said, when it's not a race, binaries are just as good as source, and often better.

To take it back to a higher level: The meta changed, and if you were prepared for it and could adapt quickly enough, you were able to establish a beachhead of shells on boxes all around the world that could become a permanent power projection capability.

Adaptability is a hard thing to measure in your offensive team. Can your static analysis tools be quickly retooled to find a new bugclass? Can your implants be quickly ported to a new platform? Does your operator team have the ability to quickly absorb a new toolkit?

And yes: Having a lot of source matters to prepare for meta changes because grep is the cheapest and best security analysis tool ever invented. There's a reason every Government finds a way to get source code to everything. If it's not some sort of issue with your imports being certified, then it's because you want to export your code and it happens to link to a cryptographic library. In that sense, source code access is about new bugclasses, not new bugs.
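As an added illustration of the two points above (the bugclass itself, and the grep-style scan that made it rare), here is a small C example that is not from the original post or from the TESO paper. It shows a logging call that hands attacker text to printf() as the format beside the hardened form, and a deliberately simple scanner that flags printf-family calls whose format argument is not a string literal. The function names, the list of scanned functions and the sample source lines are all constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: attacker-controlled text reaches printf() as the format string.
 * "%x %x %x" walks the stack and leaks its words; "%n" stores the number of
 * bytes printed so far through a pointer printf() pulls off the stack, which
 * is the write primitive the TESO paper builds on. The call goes through a
 * function pointer only because some distribution builds of gcc enable
 * -Werror=format-security by default and refuse a direct printf(user); that
 * refusal is exactly the cheap automated check that made the bugclass rare
 * wherever source was available. */
void log_vuln(const char *user)
{
    int (*emit)(const char *, ...) = printf;
    emit(user);
}

/* Hardened: the user string is data, never the format. snprintf() returns
 * the length it wanted to write, so the caller can detect truncation. */
int format_safe(char *out, size_t outlen, const char *user)
{
    return snprintf(out, outlen, "%s", user);
}

/* Scratch buffer used by main() below. */
char g_log[64];

/* Grep-style triage: printf-family functions and the 0-based index of their
 * format argument. A real pass would also cover err(), warn(), the v* variants
 * and any project logging wrapper marked __attribute__((format)). */
static const struct { const char *name; int fmt_arg; } fmt_funcs[] = {
    {"printf", 0}, {"sprintf", 1}, {"fprintf", 1}, {"snprintf", 2},
    {"syslog", 1}, {"vprintf", 0}, {"vfprintf", 1},
};

static int is_ident_char(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Returns 1 if the line contains a printf-family call whose format argument
 * is not a string literal, 0 otherwise. One call per line is enough for a
 * first triage pass over a source tree. */
int flag_format_call(const char *line)
{
    for (size_t i = 0; i < sizeof fmt_funcs / sizeof fmt_funcs[0]; i++) {
        const char *p = line;
        while ((p = strstr(p, fmt_funcs[i].name)) != NULL) {
            const char *q = p + strlen(fmt_funcs[i].name);
            int bounded = (p == line || !is_ident_char(p[-1]));
            p = q;                      /* resume the search past this match */
            if (!bounded)
                continue;               /* e.g. my_printf_wrapper */
            while (*q == ' ' || *q == '\t')
                q++;
            if (*q != '(')
                continue;
            q++;
            /* Walk to the format argument, counting only top-level commas. */
            int depth = 0, in_str = 0, arg = 0;
            while (*q && arg < fmt_funcs[i].fmt_arg) {
                if (in_str) {
                    if (*q == '\\' && q[1]) q++;
                    else if (*q == '"') in_str = 0;
                } else if (*q == '"') in_str = 1;
                else if (*q == '(') depth++;
                else if (*q == ')') { if (depth == 0) break; depth--; }
                else if (*q == ',' && depth == 0) arg++;
                q++;
            }
            if (arg < fmt_funcs[i].fmt_arg)
                continue;               /* too few arguments to be a real call */
            while (*q == ' ' || *q == '\t')
                q++;
            return *q != '"';
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real daemon. */
    const char *lines[] = {
        "    printf(buf);",
        "    printf(\"%s\", buf);",
        "    syslog(LOG_INFO, msg);",
        "    fprintf(stderr, \"%d\\n\", x);",
        "    snprintf(out, sizeof out, fmt);",
        "    my_printf_wrapper(s);",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%s %s\n", flag_format_call(lines[i]) ? "FLAG" : "ok  ", lines[i]);

    format_safe(g_log, sizeof g_log, "%x %x %n");
    printf("safe output: %s\n", g_log);
    return 0;
}
```

The scanner is the binary-free half of the argument: it is a few dozen lines because it has the source, and it misses anything that reaches printf() through a pointer or a wrapper, which is the same blind spot the compiler warning has and the reason auditing stripped IoT firmware is still profitable.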






Wednesday, January 17, 2018

The role of the shotcaller

In Overwatch and many online games, one player is often decreed the "shotcaller" on your team. This person has a scope of the battlefield (i.e. is a backline player), and while they are not responsible for the overall strategy (i.e. team composition, initial setup positioning), they do make "Calls".

  • Use Ultimates/Don't use (we've already won/lost)
  • Fight (We have a chance to win!) or Run/Die on Purpose (We have lost, time to regroup) 
  • Status of enemy cooldowns, location of important enemies (such as snipers)
  • Target focus (Roadhog is alone!)/Healing focus (Our Reinhardt needs heals!) 

This has direct analogies to cyber operations. I know right now military people are nodding about the OODA loop, but people always focus on the "action" portion of the OODA loop, whereas in cyber you gain your advantage from speeding up the analysis portion.

To give you an example, let's say you ssh into a box with a stolen key, and then you notice the admin is on the box poking around. You have a set of choices. Do you immediately log out, and hope the admin doesn't notice the logs you have left by logging in? Do you root the box with an 0day, then clean up the logs, then leave immediately? Do you just continue on your mission as if they were not there, since you are probably in and out before they can figure out what's going on?

Ana's seated pose (she is usually the shotcaller) is from Carlos Norman Hathcock's pic...

A lot of people will say "This is what the operator does" but the decisions you make here affect your global scope. If you try your 0day on boxes where you are likely to get caught, that 0day can easily be burned. But if you log off immediately, your stolen key will likely be burned. If you root the box to clean up, but don't finish your mission, then they may patch or secure the box before you can get back in. A good shotcaller is NOT TOO PARANOID because the question of "Have we been found?" is a very hard one to get right and extremely high consequence.

In other words, the decisions of a shotcaller in a cyber operation (or a penetration test) are the same as in Overwatch. When to go in, when to get out, when to use which tools, where to be persistent and where to leave alone. This is different from your operational planner, which is going to be more tightly connected to your development arm and decide which tools to build and how to tie them together to get an operational capability.

Since this blog is for policy people I want to also point out the policy implications of the Persistence part of APT. Persistence induces many additional risks, especially when done in the face of an active attempt to remove you from a network. There are opsec risks, of course, but what I want to focus on are the risks to the target network.

In order to remove a persistent threat, the target is going to have to rip up large portions of their network, and an attacker who intends to stay is going to have to use techniques that have a chance of causing permanent damage to hardware or causing downtime. If, say, the Chinese QWERTY PANDA group's policy is to stay resident on the DNC's network even after being found, that introduces an escalatory problem first for the DNC, and then for the US.

Most governments have a default policy of "If you get caught, get out" for opsec reasons only. I would argue that it makes sense as a norm for other reasons.

Thursday, January 11, 2018

Rethinking Rethinking Security

It's worth reading Jim Lewis's paper from this week on the CSIS website. That said, I can also summarize it polemically by paraphrasing it as "Westphalian states remain the only players that really matter, and cyberwar won't change how they interact that much."

Needless to say, I think he's very very wrong in ways that are important enough to write a blog post about.

We haven't seen a cyber 9/11 only if you refuse to recognize a cyber 9/11 when it is the headline of every politico article for the past two years!


He thinks that if we define "attack" to be equivalent to "coercion against a state to achieve political effect" then it hasn't happened, when all any of us can do is look around and see it happening in real time! Likewise, his claim that states are robust organizations that shake cyber operations off is totally true, except that really Westphalian states are giant balloons made of reputation and shared mythos, and cyber seems like a bullet created to pop exactly that sort of thing!

My S4 talk, which is what I'm supposed to be working on right now, is the exact opposite of this position. But it's that way not because I feel like aggrandizing cyber operations, but because I have seen a different history and I honestly believe it is impossible to analyze the strategic impact of Mendez's little creation without having that whole picture. Jim says in his paper that the Internet is a creation of Millennial ideals, but the 90's hackers have had a massively larger impact on it. What does he think w00w00 is doing right now?

Where is Dug Song when you need him?

To me, not understanding click-scripts and why they are used and still doing strategic analysis is the same as not understanding the longbow but still trying to understand the battle of Agincourt. This, of course, is the kind of opinion that gets you not invited to write Lawfare pieces. :)

I'm not saying states are powerless, but if he had been hanging around inside the NSA while cyber started, and then watched it grow, he'd probably believe the river of talent and technology was mostly running the opposite way, and that non-nation-states may have capabilities that rival or eclipse EVEN THE MOST ADVANCED NATION STATES. To think otherwise is to continue to develop the same cyber policy that has led to us wandering the cyber desert for forty years, and I for one think it's time to hire a cartographer or two!



I mean if he thinks nation states are so resilient as an institution, then why exactly? Has he noticed that his barber and taxi driver are both pretty invested in bitcoin right now? Does he know a state with an unvarnished reputation for truthfulness that could withstand all forms of cyber coercion right now? Did he just watch the US govt come out with an attribution of WannaCry that was several months after Google's and backed up with basically the same stuff?

As far as I can tell the argument is this:

  • Cyber operations have had limited impact on states
  • What impact they HAVE had is beyond reach of non-state players
  • Conclusion: Don't Panic

I just think those things are so obviously false that to me the whole concept of the conclusion falls into wishful thinking. It's not just him, of course, I think there's a massive element of cognitive dissonance in a lot of people who do cyber policy. Partially because, unlike other areas of policy, a lot of people (NOT EVERYONE) just don't want to read the source material, which in this case, is often source code.

Coming back to S4, which is a conference mostly about ICS - you get the feeling from reading Jim's paper that he thinks non-nation-state hackers cannot really do the complicated modeling and physical-cyber coordination to cause physical effects. Look, the real reason is that they don't feel like it.

Yet.


Tuesday, January 2, 2018

What hasn't happened

When turning around a ship of this size, there's going to be a long moment where you make neither forward nor backward progress...


I wanted to provide a counter-tale to the Paul Rosenzweig piece in Lawfare last week. We can sum it up with this quote:
Trump’s efforts in cybersecurity have not been terribly impressive. He has made some modest policy improvements and begun putting together a good team—but not much more.
But in fact I think it is a mistake to say that doing nothing is not progress, and all the areas where I have been directly involved have seen massive improvements on that front. In particular:

The VEP process was a bad idea that was about to be codified into law. Instead, it has been shaped by a team that understands the real equities and supply chain issues involved, to try to make it work strategically as opposed to being driven by an unrealistic ideology. The message previously was "We don't understand why we even need this line of the modern SIGINT business." That leads to massive brain drain and strategic failure. Now: Exactly the opposite message, even though the policy has not changed a lot, as Paul mentions in his article.

A similar thing is true for the export control area. The idea that you have to cut two regulations to add any one regulation is a silly one. But it works. Previously there literally was no concept of reducing the regulatory burden from things like export control, one of the most tangled pieces of spaghetti code on our lawbooks, and one that applies equally to all American businesses, big and small. If we had a Democratic administration I have no doubt that we would have implemented the Wassenaar Arrangement's broken cyber-tools controls without even bothering to change them - or more importantly, without examining WHY they were broken in the first place.

Needless to say, the fact that the EU and the US are going in very different directions on cyber regulations is not something we can just paper over, but without some of the sillier rules in place, and a savvy and business friendly appointment at Commerce, we wouldn't have situational awareness of our policy gaps going into the near future (AI, Quantum, etc.).

To sum up: America's cyber policy overall has been moving towards something more data-based, and realistic as opposed to something purely aspirational. While yes, as Paul and many people have noted, we don't have a Universal Theory or a detailed national strategy for dealing with many of our currently known systemic threats, we are at least demonstrating that we can change our policy based on evidence, which is a good first step.

P.S. I also think the Kaspersky thing is a sign of progress, but hard to detangle that argument here. :)