Security Art Work

In previous posts we saw a practical approach to the concept of auditing in general (currently only in Spanish) and then we discussed internal audits or first-party audits (currently only in Spanish). Let’s take now a leap, leaving the second-party audits for the next post and go directly to the third-party, external or certification audits.

Third party audits are carried out by certification authorities at the request of an organization. Its main purpose is to certify compliance with the requirements of a specific standard with the purpose to include the audited organization in a register or list of certified organizations. They are performed on a annual basis and, with some exceptions established by law, every organization, public or private, is free to choose to go through a certification process or not.

External audits are more centered in checking the efficacy in the way stated by the standard without getting into, usually, in issues related to efficiency and resource management. As we saw in the first-party or internal audits, the objectives are very different; in theory in an external audit it could be approved the use of cannons to kill flies.

As seen in the first post (currently only in Spanish) of the serie, for an audit to be carried out there are three essential ingredients:

• High degree of preparation and training in auditing techniques along with good technical knowledge of the activities to be audited (aptitude).
• Enough time, both a) prior to field work to prepare the site audit as well to b) carry it out in its entirety and then to document the results in a complete audit report appropriate to the objectives of the audit.
• Professional pride (attitude).

These three ingredients are necessary but not sufficient by themselves and this applies to internal audits, second and third party audits. With missing only one of them the result of the audit may have limited value or even be useless.

From the point of view of the degree of training and experience of auditors, the processes and criteria used by certification bodies for qualifying auditors are often too lax in my opinion, since no previous great experience is required usually to audit a specific activity. Unfortunately, you may find auditors that are not experts in the activity they must assess, or that they have excessive bias towards those standards they know further. At the other extreme, it is noteworthy that there are auditors with extensive experience and knowledge that make audits a process that can be very profitable for the audited organization.

On the other hand, as we have already said in this blog, certification bodies face the target in a way contradictory to get new customers and keep the ones they have, while having to maintain a certain rigor in audits, what can make them to lose customers. Moreover, the current crisis has in many cases led to price discounts (and consequently to the number of days necessary established by the national accreditation bodies) that give auditors less time than the necessary to carry out their work.

On bad sized audits (I dare to say that almost always auditors would like to have more time than they usually have) and auditors that do not audit we discussed in this blog a few months ago so we will not extend.

To finish this post, indicate that one of the benefits that are attributed at the time to certification audits is precisely to provide confidence to lay the foundation of a solid business relationship and mutually beneficial relationship with certified suppliers. This would save both customers and suppliers dedications and costs associated with the second party audits, since it was assumed that a certified company had gone necessarily through an external audit. Objective not accomplished. I know of no single organization that was previously doing audits of its suppliers and that stopped to do so simply because the provider had achieved some sort of certification. That is: in practice, third party audits have failed to reduce the number of second party audits, just as expected.

Long life for the second party audits. Moreover, while this powerful technique of selection and performance monitoring of strategic suppliers is not well known nor is so widespread (excepting large corporations), the second party audit is of great interest, as it is shown it can provide high benefits in terms of improvement of the standards of quality and safety (and therefore costs).

The next post will be dedicated to that interesting and powerful management tool that are second party audits.

In the previous post we considered the theoretical cost and feasibility of scanning all Internet IP addresses and it resulted to be very low. Therefore, we decided to conduct a little experiment: see if it was possible to scan the entire Internet, of course without doing anything harmful.

While the action may not be completely harmless (some may have IDS complaning), we have tried to do the experiment as innocuous as possible. In this sense, the safest action we thought was to launch a ping (ICMP echo) to each and every one of the Internet IP addresses. Although we have sent just a single packet per IP, we messed the scans to prevent a network receiving a high number of consecutive packets.

To do so we prepared two threads, in which work I have had the invaluable help of Nacho López, an experienced C programmer. The source code of ping could have been a good source of inspiration also:

Envia_echo-icmp ()
Recibe_echo_icmp ()

The process works in stateless mode: one thread sends the packets blindly, and the second one simply writes down the response packets received, so the connections do not consume any amount of memory.

The increased complexity came from the disk storage resources; it was necessary to adjust well and program the threads considering the disk performance, so the results received were not lost. After 10 hours, we got the following results:

Ping overall results answered: 284,401,158 IP addresses responded to the ping, i.e. 7% of systems. Graphically:

If we group the results in /8 networks we see the following percentages:

Grafically:

We need to keep in mind that we have scanned the entire address space without deleting reserved private addresses or networks. Obviously we see that the reserved addresses do not answer, which fits with what IANA says about the reserved networks.

We have also grouped the number of pongs that each /24 (class C) network has answered, so we can see the density level of IP addresses in these networks: From many C class networks did we receive 20 pongs?

Grafically:

We can see that many networks do not answer anything, mainly because they are reserved networks. Also, there are blocks with many IPs answering.

We have also performed the analysis on the least significant byte of the IP address, taking into account that we have treated them as if they were all normal IP addresses. It is clear that IP addresses finishing in .0 and .255 reply to the ping to a lesser amount. On the other hand we can also see that the IP ending in .1 is the one most answering the pings, because it usually corresponds to the router, and from there to inside the traffic is usually filtered. This can be seen by comparing the X% with the average. We see also some stripes corresponding to networks /25, /26, /27, etc.

Grafically:

Obviously from the number of answers it is not possible to draw conclusions about the density of IP population, as they may be conveniently filtered.

The % of IP addresses answering to ping seems reasonable, given that it is logical that the external equipment answers to this protocol to aid troubleshooting. It is also normal that many others do not answer, but in any case IPv4 does not appear to be so saturated as usually it is said.

This experiment is a proof of concept of how easy it is to make a global action against all Internet, with almost no cost, short time and basic knowledge. We can see that it would be possible to scan a TCP port, or even do some intrusion attack globally (always stateless), for which any UDP attack could be very effective (as it did with slammer). In any case these actions are and would be considered as attacks, so as expected we will not go further and evolve this project.

Probed that IPv4 is really small, we have another argument to answer the usual question: Why would somebody want to attack me? With IPv6, the attack vector is many orders of magnitude higher, preventing scans “so brute”.

Curiously, we did not have any counter response, or received hostile activity in response. However, we were receiving traffic from a server that sent us the pong for hours continuously and repeatedly (DUP!), we think that due to a IP error that we could not determine.

Although the experiment has been the most innocuous and harmless we could thought about, during the experiment we have received some complaints from organizations related to the the scan. However, taking into account the number of “attacked” sites, the complaints have been few and the hosting provider that received the pings acted in any case time communicating the complaint after the end of the experiment, which shows that such a global attack would be really unstoppable.

With the extracted data more interesting analysis can be done, that we leave for next entries, such as the issue with network and broadcast addresses (.0 and .255). I hope you liked the experiment, and in any case I apologize if I annoyed you with my ping.

After reading @chemaalonso‘s post about DHCP Ack Inyector, I remembered my college years back in 2005 when you just needed to go to the library, plug-in your laptop to the network and voilà, just “listening” network traffic you saw all those vulnerable or misconfigured protocols such as STP, HSRP, DTP, etc..

Not only that. There wasn’t any type of control over the information the users could send, and using tools such as Gobbler, dsniff, ettercap, yersinia, etc., you could perform any man-in-the-middle attack. The most interesting part was that the networking devices used for traffic management were almost entirely Cisco. I.e. devices fully able to control and mitigate virtually most of these attacks, but that were configured to perform basic networking functions: routing, VLANS, ACL, QoS, etc. Either because of ignorance or carelessness, they were not being taken the performance that actually justified his acquisition.

Over time I have realized that this situation is quite common: it is really hard to find a company with strict configuration policies to secure the local network environment. I personally think that many organizations are unaware of the damage that a disgruntled employee could do in a network “poorly controlled”. Without using any sophisticated tools like Loki or Yersinia, it is possible to bring down an entire network with just a couple of packets. Using Scapy, you can perform MitM using ARP / DHCP / VRRP / HSRP or without much effort even more entertaining things like getting a pool of shells with Metasploit browser_autopwn and etterfilters.

[Read more…]

(Check the result of this experiment in the second part of this post: The result of pinging all the Internet IP addresses)

Internet, the World Wide Web. All modern organizations in the world are connected to the Internet. A large number of people have Internet access, at work, in the homes and on the mobile device.

This can make us think we’re talking about a vast range of addresses within which attackers can focus their attacks in a given organization. For now we will take the entire Internet address space of IPv4. When deployed IPv6, this will change and there will be an added level of complexity.

Let’s suposse we want to carry action against all the Internet addresses? Would it be viable? How much would it cost? Technical resources? Physical resources? Time? Money? Let’s do some maths and maybe then do a little experiment. To begin, we assume the following scenario:

• We want to do a ping (ICMP ECHO) to each and every one of the Internet IP addresses.
• We store the result of whether they have responded to ping or not (if they have made pong).

Here are some calculations:

How many IP addresses are there?

256^4 = 4,294,967,296, i.e. approx. 4 billion addresses.

How much bandwidth is consumed by a ping?

• In our case we will consider as 58 bytes per ping.
• Let the bandwidth necessary to ping all the Internet: 256^4 * 58 bytes = 232 GB.

If we store the response with only one bit per address it would take 512 MB. If for processing convenience we store one byte per response it would take 4GB.

Considering a bandwidth of 50 Mbit/sec we would finish the scan in approx. 10 hours.

Technical skills required: We need a program with two threads: one that continuously send packets blindly, and another that receives responses in a stateless manner (there is similar software for TCP scans called scanrand).

Technical capacity: Any person with some knowledge of sockets in C, looking at ping.c, could do this program.

Power required: With an average PC is more than enough. In our experiments we have done it without problems with a Dual-Core 2.66Ghz 4GB of RAM and a 100Mbits internet connection.

Cost of equipment and connection: In any known hoster it can cost 30 EUR per month. In server usage percentage it would be 0.42€.

So anyone with knowledge in C programming and 30 Euros can make a massive, global action to all Internet addresses in less than 10 hours. Another example that just by being connected to the Internet you can receive an attack (spanish link). In the history of Internet there have been many worms that have indiscriminately attacked all the Internet addresses. The networks of today and the power equipment can turn local problems into global incidents within minutes. A famous example of this was the SQL Slammer worm that in just under 10 minutes got Internet crashed, taking advantage of a vulnerability attacked with a single UDP packet of 376 bytes.

So, it is clear that the Internet is a very, very small place, and you have to be really well protected. As seen, just being on the Internet makes you an indirect target of global and automated attacks. And not being on the Internet is no longer an option.

In the next post we will see the result of implementing this theoretical exercise. To do so, we decided to make a simple and benign ping against all Internet IP addresses. While it is true that a ping can be the first step to a more sophisticated attack, this is not (obviously) the intention of this experiment. Furthermore, that ping can show us the filtering level or the population level of Internet IP ranges what may have some academic interest.

Do not miss the next post where we will describe the results of the experiment. What technical problems we encountered ? How many pongs we received? And complaints? Any counterattack? What networks do answer more?

Trying to raise awareness of cybersecurity issues among my fellow process & control engineers is a challenging task. We’ve talked about it before, making it clear how the lack of the basic notions on ICT environments and procedures turn the risks and mechanisms of attack almost inconceivable for these engineers. I mean ‘inconceivable’ sensu stricto: not something with a very low assigned probability, but something you cannot even think about because you lack the cultural background and experience to do so.

The most common response is denial, built on several fallacies that often explain this sense of security. One is the confidence in the mechanisms laid to provide physical protection of equipment: i.e. safety interlocks by mechanical or electrical devices that operate autonomously without processing or communication capabilities and, therefore, are regarded as cyberattack-proof. Somehow, in a control engineer state of mind (myself included), these systems are regarded as the last line of defense, absolutely isolated and independent of processor-based systems malfunction (even when those processors are human) and are laid to avoid damage to physical equipment caused by improper process operation.

In my own experience, design of control systems has always relied on a two-fold strategy:

• Deployment of a higher control level based on electronic instrumentation and processing algorithms which, by their very nature, allow for a finer tuning and higher efficiency. This is a processor-based level.
• Deployment of a lower level based on relays and electrical and mechanical actuators that enable system operation in case of control system crash-down or severe malfunction. This level is not processor-based and, as has been stated above, prevents the physical system operation under improper conditions. It relies on built-in and hard-wired electromechanical equipment.

This second level supports the claims for the virtual impossibility of physical equipment suffering severe damage, even if a malicious individual or organization takes control of the system. However, there are two facts that undermine this security paradigm:

• I have noticed that in many brand new control systems safety interlocks are implemented through digital instrumentation readings, communication networks and control network PLCs. The aim is twofold: first, lower costs in wiring and devices regarded as redundant and, secondly, a will to leverage the greater accuracy and adaptability of digital systems. I know of some epic fail cases which rank in the tens to hundreds of thousand Euros because of this practice.
• Interlocks and protection systems are designed to prevent damage if the process runs beyond the allowable operating conditions. But since physical systems are not explained on a 1 and 0 basis (there is a continuum of intermediate states) one should always allow a regulation deadband to prevent annoying tripping of protection devices and to account for normal measurement variability. This is achieved by setting deadband controls, hysteresis loops, tripping delays, etc…

In the first case physical protection devices are seriously compromised by their being software and network dependant. But even in the latter case it is possible, in principle, to conduct an attack planned to take advantage of this design logic and aimed to force working conditions that result in damage to physical systems. Too complicated? Vain speculation? Not really. There is at least one documented case in which this strategy was used with spectacular results: The so called Aurora vulnerability.

This is an experiment conducted at the INL (Idaho National Laboratory) in 2007 and, as far as I can see, has fallen into that limbo that lies between professionals involved in control systems and those who are engaged in information and communication technologies security: after all, to get a full understanding of the attack one must have, so to speak, a foot in each half of the field. This could be the reason that explains why news of the experiment went almost unnoticed (beyond a video broadcast by CNN that, possibly because of its spectacular nature, triggered the typical reaction of denial in those who may be directly concerned). Even the veracity of the facts shown has been intensely questioned, suggesting that pyrotechnic devices were used to enhance the visual effect!

What is Aurora all about? To put it simply: Aurora is an attack designed specifically to cause damage to an electric power generator. The thing goes like this: all generator units are (or should be) protected to avoid out-of-synchronism connection to a power grid. This is achieved by checking the waveform being generated to asses that it matches that of the power grid (within certain limits). To do that voltage, frequency and phase are monitored. Why? Because connecting to a power grid in out-of-synchronism condition will cause the generator to synchronize almost instantaneously, resulting in an extraordinary mechanical torque at the shaft of the generator, stress this device is not designed to bear. Repetition of this anomalous operating condition will cause the equipment to fail. Let’s imagine someone willing to jump onboard a moving train: We can see him running along the tracks trying to match the train’ speed and then jumping inside. If he’s lucky enough he will get a soft landing on the wagon’s floor. An alternative but no advisable method is to stand beside the tracks and grab the ladder handrail as it passes right in front of you. It is easy to see that the resulting pull is something you don’t want to experience.

However, the protective relays allow for a certain delay between the out-of-syncronism condition recognition and the protection devices action, delay set to avoid annoyance tripping. This offers a window of opportunity to force undesirable mechanical stress in the generator without power grid disconnection. You can find a detailed technical analysis of the attack and possible mitigating measures.

True, for an attack of this kind to be successful a number of pre-conditions must be met: physical system knowledge, remote access to a series of devices, certain operating conditions of the electrical system, knowledge of existing protections and their settings … These are the arguments that will arise in the denial phase. But that’s not the point.

The point is: given the degree of exposure of industrial control systems to cyber attacks (owing to several reasons: historical, cultural, organizational and technical issues), the only thing needed to wreak havoc upon them is knowledge of physical systems and their control devices. Aurora Vulnerability is a very specific case. But it should be enough to show that confidence in physical protection of equipment has its limits, limits waiting to be discovered. Regarding them as our only line of defense is a risk that no one can afford.

Can we?

By the way, the original Aurora vulnerability video can be seen below:

Usually, when we have to do network segmentation using VLANs, we create the necessary networks either manually or automatically using protocols like Cisco VTP (VLAN Trunking Protocol). After that, we assign each one of the network devices to the different VLANs defined. This means that if I move tomorrow and change my laptop of network connection point, I will have to change the new network connection point so it belongs to the original VLAN I had.

One solution to this problem is the use of the VTP protocol together with the Cisco VMPS (VLAN Management Policy Server) service, which provides a first approximation to a solution of network access control such as the ones offered by manufacturers today. Among other features, VMPS allows to dynamically associate devices to VLANs based on MAC address (with the security issues this involves). This way, I can connect my laptop to any network point of the office and it will always belong to the same correct VLAN.

Any midrange Cisco switch supports VMPS as client. However, only the upper range (higher than 4000) support the server mode. Despite this, it is not necessary to have one of these devices to implement this solution because there are many tools, both free (some outdated) and commercial, that provide the VMPS server functionality we need. Among all them, we have selected vmpsd (http://sourceforge.net/projects/vmps/), a little daemon for GNU/Linux that provides a VMPS server without installing too much software, as a management system database. To configure VMPS on our switch (the Cisco 2960 is the chosen device), we have to perform the following steps:

1) Configure VTP

Switch(config)#vtp  mode  server 
Switch(config)#vtp  domain s2

Switch#show  vtp  status 
          : running VTP2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 14
VTP Operating Mode              : Server
VTP Domain Name                 : s2
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC4 0xE8 0xDB 0x1A 0xF2 0x6B 0xC2 0x79 

2) Configure the switch device as a VMPS client

To perform this configuration, we use the IP address of the main VPMS server (we can have several).

Switch(config)# vmps retry 3
Switch(config)# vmps reconfirm 1
Switch(config)# vmps server 172.18.0.150 primary
Switch#show  vmps 
VQP Client Status:
--------------------
VMPS VQP Version:   1
Reconfirm Interval: 1 min
Server Retry Count: 3
VMPS domain server: 172.18.0.150 (primary, current)
Reconfirmation status
---------------------
VMPS Action:         No Dynamic Port

3) Create the VLANs

Switch(config)#vlan 21
Switch(config-vlan)#name MANAGMT
Switch(config)#vlan 22
Switch(config-vlan)#name USUARIOS
Switch(config)#vlan 23
Switch(config-vlan)#name GUESTS
Switch#show  vlan 
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    
22   USUARIOS                         active    
23   GUESTS                           active   

4) Mark the interfaces that use VMPS

Switch(config)#interface  range  fastEthernet 0/10-20 
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan dynamic

Switch#show  interface fastEthernet 0/10 switchport 
Name: Fa0/10
Switchport: Enabled
Administrative Mode: dynamic access  ******
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: unassigned  *******
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

5) Configure the VMPS server (vlan.db)

vmps domain s2
vmps mode open
vmps fallback GUESTS
vmps no-domain-req deny

vmps-mac-addrs
address 0023.8bd7.c2b3 vlan-name MANAGMT

In the configuration must take into account the following:

• The domain must coincide with the one configured in VTP.
• The “GUESTS” VLAN is used to redirect the MACs that are not authorized by the policy because we have configured the open mode. If we use the secure mode, the interface would be disabled.
• We assign the MAC address of my laptop to the VLAN “MANAGMT”.

Once here, we start the daemon and launch a test query (we use the IP address, the VTP domain and MAC address)

perl vqpcli.pl  -s 172.18.0.150 -v s2  -m 0023.8bd7.c2b3
Vlan: MANAGMT
MAC Address: 00238bd7c2b3 
Status: ALLOW

As we can see, the MAC address is authorized and it gets the VLAN “MANAGMT”. Reached this point, we just have to connect to the switch (we set the debug mode on with the command debug vqpc all) to do several tests:

Connect the laptop to one of the network connection points defined to use VMPS (fa0/13).

*Mar  1 02:23:09.070: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 02:23:11.075: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 02:23:12.081: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed 
                      state to up
*Mar  1 02:23:13.986: VQPC LEARN: 
*Mar  1 02:23:13.986: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.986: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 02:23:13.986: VQPC: allocating transID 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: xmt transaction ID = 0x00000471
*Mar  1 02:23:13.986: VQPC PAK: sending query to VMPS
*Mar  1 02:23:13.986: VQPC PAK:  
*Mar  1 02:23:13.986: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:23:13.994: VQPC PAK: transaction ID = 0x00000471
*Mar  1 02:23:13.994: VQPC: rcvd response, transID = 0x00000471
*Mar  1 02:23:13.994: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:23:13.994: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:23:13.994: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:23:13.994: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:23:13.994: VQPC EVENT: changing Fa0/13 to vlan 21
*Mar  1 02:23:13.994: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13, type = 0x0001
*Mar  1 02:23:13.994: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/13
*Mar  1 02:23:13.994: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/13 to FORWARDING

As we can see, it assigns to the MAC address the VLAN 21 (“MANAGMT”):

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13
22   USUARIOS                         active   
23   GUESTS                           active    

Switch#show  interface fastEthernet  0/13 switchport 
Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic access
Operational Mode: dynamic access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 21 (MANAGMT)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled

Now we disconnect it and connect it to other switch port (fa0/17):

*Mar  1 02:24:42.938: VQPC EVENT: -pm_port_vqp_start: port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: 
*Mar  1 02:24:44.650: VQPC LEARN: -learning mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.650: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17, type = 0x0021
*Mar  1 02:24:44.650: VQPC: allocating transID 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: xmt transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: sending query to VMPS
*Mar  1 02:24:44.650: VQPC PAK:  
*Mar  1 02:24:44.650: VQPC PAK: rcvd packet from VMPS
*Mar  1 02:24:44.650: VQPC PAK: transaction ID = 0x00000491
*Mar  1 02:24:44.650: VQPC: rcvd response, transID = 0x00000491
*Mar  1 02:24:44.650: VQPC PAK: VLAN name TLV, vlanName = MANAGMT
*Mar  1 02:24:44.650: VQPC PAK: Cookie TLV, cookie = 0023.8bd7.c2b3, length = 6
*Mar  1 02:24:44.650: VQPC EVENT: -set_hwidb_vlanid: port Fa0/17 to vlan 21, mac: 0023.8bd7.c2b3
*Mar  1 02:24:44.650: VQPC EVENT: saving 0023.8bd7.c2b3 from old vlan 0
*Mar  1 02:24:44.650: VQPC EVENT: changing Fa0/17 to vlan 21
*Mar  1 02:24:44.658: VQPC LEARN: adding mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17, type = 0x0001
*Mar  1 02:24:44.658: VQPC LEARN: deleting mac 0023.8bd7.c2b3 on vlan 0, port Fa0/17
*Mar  1 02:24:44.658: VQPC LEARN: changing mac 0023.8bd7.c2b3 on vlan 21, port Fa0/17 to FORWARDING
*Mar  1 02:24:44.943: %LINK-3-UPDOWN: Interface FastEthernet0/17, changed state to up
*Mar  1 02:24:45.950: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/17, 
                      changed state to up

Switch#sh mac-address-table | inc DYNAMIC
  21    0023.8bd7.c2b3    DYNAMIC     Fa0/17

Switch#show  vlan                                    

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/13, Fa0/17
22   USUARIOS                         active   
23   GUESTS                           active    

We see that the Fa0/13 interface is still assigned to the VLAN “MANAGMT”, so we connect other computer to that port:

*Mar  1 00:03:35.016: VQPC EVENT: -pm_port_vqp_start: port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: 
*Mar  1 00:03:36.887: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.887: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:03:36.887: VQPC: allocating transID 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: xmt transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: sending query to VMPS
*Mar  1 00:03:36.887: VQPC PAK:  
*Mar  1 00:03:36.887: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:03:36.887: VQPC PAK: transaction ID = 0x00000061
*Mar  1 00:03:36.887: VQPC: rcvd response, transID = 0x00000061
*Mar  1 00:03:36.887: VQPC PAK: VLAN name TLV, vlanName = GUESTS
*Mar  1 00:03:36.887: VQPC PAK: Cookie TLV, cookie = 0005.1b00.3f81, length = 6
*Mar  1 00:03:36.887: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 23, mac: 0005.1b00.3f81
*Mar  1 00:03:36.887: VQPC EVENT: saving 0005.1b00.3f81 from old vlan 0
*Mar  1 00:03:36.887: VQPC EVENT: changing Fa0/13 to vlan 23
*Mar  1 00:03:36.895: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 23, port Fa0/13, type = 0x0001
*Mar  1 00:03:36.895: VQPC LEARN: deleting mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:03:36.895: VQPC LEARN: changing mac 0005.1b00.3f81 on vlan 23, port Fa0/13 to FORWARDING
*Mar  1 00:03:37.021: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 00:03:38.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to up

As the MAC address is not authorized by the defined policy, it assigns dinamically the VLAN “GUESTS”.

Switch#show  vlan 

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
21   MANAGMT                          active    Fa0/17
22   USUARIOS                         active    Fa0/24
23   GUESTS                           active    Fa0/13

If we now change the policy to the secure mode and without a fallback VLAN we connect the same PC:

*Mar  1 00:12:57.019: VQPC LEARN: 
*Mar  1 00:12:57.019: VQPC LEARN: -learning mac 0005.1b00.3f81 on vlan 0, port Fa0/13
*Mar  1 00:12:57.019: VQPC LEARN: adding mac 0005.1b00.3f81 on vlan 0, port Fa0/13, type = 0x0021
*Mar  1 00:12:57.019: VQPC: allocating transID 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: xmt transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC PAK: sending query to VMPS
*Mar  1 00:12:57.019: VQPC PAK:  
*Mar  1 00:12:57.019: VQPC PAK: rcvd packet from VMPS
*Mar  1 00:12:57.019: VQPC PAK: transaction ID = 0x00000151
*Mar  1 00:12:57.019: VQPC: rcvd response, transID = 0x00000151
*Mar  1 00:12:57.019: %VQPCLIENT-2-SHUTDOWN: Interface Fa0/13 shutdown by VMPS
*Mar  1 00:12:57.019: %PM-4-ERR_DISABLE: vmps error detected on Fa0/13, putting Fa0/13 in 
                      err-disable state
*Mar  1 00:12:57.019: VQPC EVENT: -pm_port_vqp_stop: port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: port Fa0/13, REMOVE dynamic access config
*Mar  1 00:12:57.019: VQPC EVENT: deleting all addresses on vlan 0,t Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: Deleted TCAM catch-all for port Fa0/13
*Mar  1 00:12:57.019: VQPC EVENT: -set_hwidb_vlanid: port Fa0/13 to vlan 0, mac: NULL
*Mar  1 00:12:57.019: VQPC EVENT: changing Fa0/13 to vlan 0
*Mar  1 00:12:58.026: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, 
                      changed state to down
*Mar  1 00:12:59.024: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down

Switch#show interfaces fas 0/13 status 

Port      Name     Status       Vlan        Duplex  Speed Type
Fa0/13             err-disabled unassigned  auto    auto 10/100BaseTX

We can see as it has disconnected the interface from the switch and so it shows in the VPMS protocol stats:

Switch#show  vmps statistics
VMPS Client Statistics
----------------------
VQP  Queries:               53
VQP  Responses:             20
VMPS Changes:               0
VQP  Shutdowns:             5
VQP  Denied:                0
VQP  Wrong Domain:          0
VQP  Wrong Version:         0
VQP  Insufficient Resource: 0

As shown, this solution provides more security than the usual solution, improving the mobility in our network. However, it has other security problems we will see in future posts.

Last week, playing with a forensics challenge left by Jack Crook (@jackcr) in the GCIH LinkedIn group, I upgraded Volatility to version 2.3_alpha. In this challenge, the author had included the RAM dump and the disk timeline of each one of the affected computers, and a capture file of the network traffic. However, reviewing the novelties included in this Alpha version I saw a couple of them quite interesting: mbrparser and mftparser.

Mftparser, as indicated in the Volatility webpage, scans and analyzes entries in the Master File Table (MFT). The plugin scans the memory dump for possible MFT entries and prints out information for certain attributes. For more information see OMFW 2012: Reconstructing the MBR and MFT from Memory.

Despite having the timeline, I decided to try the new plugin and compare the output with the one we had been provided. The output can be displayed in a tabular format or, and here is where it gets powerful, in the body format of Sleuthkit (with option –output=body).

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin mftparser –output=body
Volatile Systems Volatility Framework 2.3_alpha

Scanning for MFT entries and building directory, this can take a while
(FN) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
  1353971273|1353971273
(SI) 0x12d588|WINDOWS\Prefetch\NETEXE~1.PF|11727|---a-------I---|0|0|424|1353971273|1353971273|
  1353971273|1353971273
(FN) 0x12d588|WINDOWS\Prefetch\NET.EXE-01A53C2F.pf|11727|---a-------I---|0|0|424|1353971273|
  1353971273|1353971273|1353971273
(FN) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
  1353971306|1353971306
(SI) 0x2bbee0|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|432|1353971306|1353971306|
  1353971306|1353971306
(FN) 0x2bbee0|(Null)|11728|---------------|0|0|432|0|0|0|0
(FN) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353971306|1353971306|
  1353971306|1353971306
(SI) 0x311000|WINDOWS\Prefetch\NET1EX~1.PF|11728|---a-------I---|0|0|480|1353980005|1353980005|
  1353980005|1353971306
(FN) 0x311000|WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf|11728|---a-------I---|0|0|480|1353971306|13
  53971306|1353971306|1353971306
(FN) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971435|1353971435|
  1353971435|1353971435
(SI) 0x311400|WINDOWS\Prefetch\SLEXE-~1.PF|11729|---a-------I---|0|0|472|1353971493|1353971493|
  1353971493|1353971435
[...]

Then you just have to run mactime (included on Sleuthkit) on this file and you get a system timeline from the RAM dump.

mbelda@audit:~/Forensics/jackcr-challenge$ mactime -b  ENG-USTXHOU-148/body.txt >  
  ENG-USTXHOU-148/body_mactime.txt

I find this especially useful when, for reasons of size or availability, we can not have a disk image to get the information about the creation or access times of certain files.

Here’s an example. Thanks to searching for strings (strings command with the IP showed with the command connscan) directly on the RAM dump, we find a mail received by the user is that contains a link to a suspicious executable file:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin connscan

Volatile Systems Volatility Framework 2.3_alpha
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f60850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x01ffa850 172.16.150.20:1291        58.64.132.141:80          1024
0x0201f850 172.16.150.20:1292        172.16.150.10:445         4
0x02084e68 172.16.150.20:1281        172.16.150.10:389         628
0x020f8988 172.16.150.20:2862        172.16.150.10:135         696
0x02201008 172.16.150.20:1280        172.16.150.10:389         628
0x18615850 172.16.150.20:1292        172.16.150.10:445         4
0x189e8850 172.16.150.20:1291        58.64.132.141:80          1024
0x18a97008 172.16.150.20:1280        172.16.150.10:389         628
0x18b8e850 0.0.0.0:0                 1.0.0.0:0                 36569092
0x18dce988 172.16.150.20:2862        172.16.150.10:135         696

mbelda@audit:~/Forensics/jackcr-challenge$ strings ENG-USTXHOU-148/memdump.bin > 
  ENG-USTXHOU-148/strings.txt
mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/strings.txt

[…]

Received: from d0793h (d0793h.petro-markets.info [58.64.132.141])
        by ubuntu-router (8.14.3/8.14.3/Debian-9.2ubuntu1) with SMTP id qAQK06Co005842;
        Mon, 26 Nov 2012 15:00:07 -0500
Message-ID: <FCE1C36C7BBC46AFB7C2A251EA868B8B@d0793h>
From: "Security Department" <isd@petro-markets.info>
To: <amirs@petro-market.org>, <callb@petro-market.org>,
        <wrightd@petro-market.org>
Subject: Immediate Action
Date: Mon, 26 Nov 2012 14:59:38 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0015_01CDCBE6.A7B92DE0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512
Return-Path: isd@petro-markets.info
X-OriginalArrivalTime: 26 Nov 2012 20:00:08.0432 (UTC) FILETIME=[A2ABBF00:01CDCC10]
This is a multi-part message in MIME format.
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Attn: Immediate Action is Required!!
The IS department is requiring that all associates update to the new =
version of anti-virus.  This is critical and must be done ASAP!  Failure =
to update anti-virus may result in negative actions.
Please download the new anti-virus and follow the instructions.  Failure =
to install this anti-virus may result in loosing your job!
Please donwload at http://58.64.132.8/download/Symantec-1.43-1.exe
Regards,
The IS Department
------=_NextPart_000_0015_01CDCBE6.A7B92DE0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META name=3DGENERATOR content=3D"MSHTML 8.00.6001.18702">
[…]

Running the iehistory plugin (also new in this version 2.3 of Volatility) we could confirm that the user clicked the link:

mbelda@audit:~/Forensics/jackcr-challenge$ python ~/volatility/vol.py --profile=WinXPSP3x86 -f 
  ENG-USTXHOU-148/memdump.bin iehistory

Volatile Systems Volatility Framework 2.3_alpha
**************************************************
Process: 284 explorer.exe
Cache type "URL " at 0x2895000
Record length: 0x100
Location: Visited: callb@http://58.64.132.8/download/Symantec-1.43-1.exe
Last modified: 2012-11-26 23:01:53 
Last accessed: 2012-11-26 23:01:53 
File Offset: 0x100, Data Offset: 0x0, Data Length: 0xa8

But it would be thanks to the timeline created by the plugin mftparser that we could confirm he did not only clicked the link but also that the file was downloaded and executed, and thus the system compromised.

mbelda@audit:~/Forensics/jackcr-challenge$ cat ENG-USTXHOU-148/body_mactime.txt
[…]
Mon Nov 26 2012 23:01:54      472 mac. --------------- 0  0  10117    Documents and Settings\
                                                                       callb\Local Settings\Temp
                              352 macb ---a-------I--- 0  0  11721    System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26\
                                                                       A0008032.sys
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\
                                                                       SYMANTEC-1.43-1[2].
                                                                       EXE-3793B625.pf
                              504 macb ---a-------I--- 0  0  11722    WINDOWS\Prefetch\SYMANT~1.PF
                              584 mac. --------------- 0  0  3420     WINDOWS\system32\CatRoot2
                              824 .a.. --------------- 0  0  3432     WINDOWS\system32\CatRoot2\
                                                                       {F750E~1
                              344 mac. ---a----------- 0  0  6996     WINDOWS\system32\CatRoot2\
                                                                       tmp.edb
                              352 .a.. ---a----------- 0  0  8499     WINDOWS\system32\CatRoot2\
                                                                       edb00095.log
                              344 .ac. -h------------- 0  0  8610     WINDOWS\system32\6to4ex.dll
                              336 mac. ---a----------- 0  0  8611     WINDOWS\system32\CatRoot2\
                                                                       edb.log
                              472 mac. -----------I--- 0  0  8823     System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26
Mon Nov 26 2012 23:01:55      352 m.c. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                                                                       beep.sys
                              344 mac. ---a----------- 0  0  206      WINDOWS\system32\drivers\
                                                                       beep.sys
                              416 .a.. ---a----------- 0  0  3438     WINDOWS\system32\CatRoot2\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\TIMEST~1
                              416 .a.. ---a----------- 0  0  3439     WINDOWS\system32\CatRoot\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\TIMEST~1
                              576 .a.. -h------------- 0  0  45       WINDOWS\inf
                              344 mac. ---a----------- 0  0  7161     WINDOWS\system32\wbem\Logs\
                                                                       wbemess.log
                              352 .a.. ---a----------- 0  0  8071     WINDOWS\inf\syssetup.inf
                              568 ..c. -hs--------I--- 0  0  8835     Documents and Settings\callb\
                                                                       IETLDC~1
                              344 m.c. -hsa-------I--- 0  0  8836     Documents and Settings\callb\
                                                                       IETldCache\index.dat
                              344 .a.. --s------------ 0  0  9481     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\My\
                                                                       CTLs
                              344 .a.. --s------------ 0  0  9482     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\My\
                                                                       CRLs
                              472 .a.. --s------------ 0  0  9483     WINDOWS\system32\config\
                                                                       systemprofile\Application Data\
                                                                       Microsoft\SystemCertificates\
                                                                       My\CERTIF~1
Mon Nov 26 2012 23:01:56      352 macb ---a-------I--- 0  0  10216    System Volume Information\
                                                                       _restore{68B1E438-DDF2-48EE-
                                                                       BFAF-9C59BEF8C439}\RP26\
                                                                       A0008033.PNF
                              360 mac. ---a----------- 0  0  3355     WINDOWS\inf\syssetup.PNF
Mon Nov 26 2012 23:01:59      352 .ac. ---a-----c----- 0  0  10219    WINDOWS\system32\dllcache\
                                                                       beep.sys
                              352 macb ---a-------I--- 0  0  11705    System Volume Information\
                                                                       _restore{68B1E438-DDF2-
                                                                       48EE-BFAF-9C59BEF8C439}\
                                                                       RP26\A0008034.sys
                              936 mac. rhs------c----- 0  0  71       WINDOWS\system32\dllcache
Mon Nov 26 2012 23:02:07      352 .a.. ---a----------- 0  0  23813    WINDOWS\system32\racpldlg.dll
Mon Nov 26 2012 23:03:10      472 macb --------------- 0  0  7556     WINDOWS\webui
Mon Nov 26 2012 23:03:21      488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\
                                                                       IPCONFIG.EXE-2395F30B.pf
                              488 macb ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 .a.. ---a----------- 0  0  24145    WINDOWS\system32\ipconfig.exe
Mon Nov 26 2012 23:03:55      376 mac. ---a----------- 0  0  3436     WINDOWS\system32\CatRoot2\
                                                                       {F750E6C3-38EE-11D1-85E5-
                                                                       00C04FC295EE}\catdb
Mon Nov 26 2012 23:04:14      352 .a.. ---a----------- 0  0  23351    WINDOWS\system32\drivers\
                                                                       fastfat.sys
Mon Nov 26 2012 23:04:24      336 mac. ---a----------- 0  0  9790     WINDOWS\system32\CatRoot2\
                                                                       edb.chk
Mon Nov 26 2012 23:06:34      504 macb ---a----------- 0  0  11710    WINDOWS\ps.exe
                              472 m.c. --------------- 0  0  28       WINDOWS
Mon Nov 26 2012 23:06:35      504 m.c. ---a----------- 0  0  11710    WINDOWS\ps.exe
Mon Nov 26 2012 23:06:47      416 macb ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:48      416 mac. ---a----------- 0  0  11719    WINDOWS\webui\gs.exe
Mon Nov 26 2012 23:06:52      440 macb ---a----------- 0  0  11723    WINDOWS\webui\ra.exe
Mon Nov 26 2012 23:06:56      344 macb ---a----------- 0  0  11724    WINDOWS\webui\sl.exe
Mon Nov 26 2012 23:06:59      368 macb ---a----------- 0  0  11725    WINDOWS\webui\wc.exe
                              288 m... ---a----------- 0  0  11739    WINDOWS\system32\wc.exe
Mon Nov 26 2012 23:07:31      352 .a.. --------------- 0  0  11470    WINDOWS\system32\iertutil.dll
                              344 .a.. ---a----------- 0  0  11498    WINDOWS\system32\urlmon.dll
                              344 .a.. ---a----------- 0  0  11502    WINDOWS\system32\wininet.dll
                              488 mac. ---a-------I--- 0  0  11706    WINDOWS\Prefetch\IPCONF~1.PF
                              352 macb ---a----------- 0  0  11726    WINDOWS\webui\netuse.dll
[...]

The other highlighted files are those that Dropper creates when executed in order to compromise the PC. If anyone wants to see the final report of the challenge, follow the link below provided by Bryan Nolen (@BryanNolen) at Volatility page.

@Jackcr Forensics Challenge.

A month ago took place in Madrid a new edition of the seminar “Recent developments in Payment Systems“. A seminar organized by “Athena Interactive”, where were discussed some of the most important aspects of payment systems currently in operation.

One of the issues that was raised more comments was the complexity to obtain the lists of companies audited by the organization PCI DSS, and this saw interesting enough to write an entry about the function of this organization and its most relevant characteristics.

According to his own website, “PCI Security Standards Council is an open global forum established in 2006“, whose mission is to increase the security of the card industry payment, protect the user and reduce credit card fraud .

[Read more…]

Anyone who carefully reads the report A7-0167/2012 of 05.16.2012 on the protection of critical information infrastructure of the European Commission will notice that the authors of the report, members of the Committee on Industry, Research and Energy, are very worried. We can also analyze the opinion of the Committee on Civil Liberties, Justice and Home Affairs of the EU with this report and see —you don’t need to read between the lines— that not only those with direct relation with the issue are concerned, but also commissions that aren’t apparently directly affected by issues related to cyber security of critical infrastructures.

If you also have the patience to study the recent report on cybersecurity and cyberdefense 2012/2096 (INI) of the Committee on Foreign Affairs, dated October 17th, 2012, you will realize that the concerns sometimes turn into “fear”, urging everyone to put to work enumerating countless reasons why we should do it (the “considerations” are impressive…).

The outlook is bleak because the “considerations” show many points that we should be working on and even though there is work done, they are not functional for many reasons, all of them logical. The fact is that everything that has to do with cyberthreats is moving very fast, too fast, and the European institutions very slow, too slow. As a society we should be prepared to take control of the situation but, unfortunately, this is one of those cases where I get the impression that the regulator is ahead of civil society because society is not aware of the magnitude of the threat.

This report on cybersecurity and cyberdefense literally says, “the danger posed by cyber-threats and cyber-attacks against government, administrative, military and international agencies is growing rapidly, both in the EU and in the world, and there are important concerns that state and non-state actors, especially terrorists and criminal organizations, can attack critical infrastructures of information and communication institutions and members of the EU, with the chance of causing significant damages including kinetic effects“, taking into account that most cyber incidents, as stated in the report, both in the public and private sector go unreported, urging the authorities to assess the possibility that a EU member state may suffer a cyberattack and talking about the possibility of implementation of the mutual defense clause (Article 42, paragraph 7 of the EU Treaty) without prejudice to the principle of proportionality. In this sense, could be a cyberattack considered a state-backed casus belli?

We leave the question open but in the case that the answer to the above question is yes, there are still other troubling statements in that report: It “notes that recent cyberattacks against European information networks and state information systems have caused extensive damage from the viewpoints of economic and security whose scope has not been adequately evaluated“.

Clearly cyber defense should be part of the common security and defense policy (CSDP) to, among others, to protect and preserve the lives of people, digital freedoms and respect for human rights online. However until June 2012, only 10 Member States have adopted a cybersecurity strategy, the first step to get to work. In Spain is under development.

In any case, both reports urge to develop strategies for cybersecurity and emergency plans for their own systems, asking explicitly to all institutions and agencies to address in their risk analysis the consequences of cyber crisis and emphasizing the importance of awareness. The members are encouraged to increase their investment in R&D in defense to 2% to make it one of the principal support of cybersecurity and cyberdefense.

This is alright, but they are nothing more than petitions done by the EU commission to the European Parliament through its reports and draft reports but… what happens in the meantime in the real world? Are we really doing our duties in this matter? Are we aware of the danger as a society? Are politicians who run our country aware of these risks? Yes? To what degree?

I have my own pinion. We see it in the work we do every day. And we will have to do an enormous effort to awareness society that this is a very important problem for all of us…

(1) Casus belli refers to the fact that is considered a cause or pretext for military action. The term appears in the context of international law of the late nineteenth century as a result of the ius in bello political doctrine. The casus belli, as part of the ius in bello or “law of war”, seeks to regulate the military actions of different countries, so a priori it prohibits the use of armed force to resolve conflicts, but allows the military power against another country under the principle of ultima ratio, ie as a last resort.

(2) In 2010 only a European member had reached 2% in research and development in defense, and thar year five countries had invested nothing.

(Today we have an interesting collaboration of Pedro Lopez, who describes Buster Sandbox Analyzer tool for those who do not already know it and invites anyone interested to collaborate with its development)

Buster Sandbox Analyzer is a tool designed to analyze the suspicious behavior of applications, ie those actions carried out typically by malware. Some examples of typical actions performed by malware are making a copy of itself elsewhere on the hard drive, modifying registry keys or adding files in the Windows installation directory among others.

However, when identifying an action as “dangerous”, the question is that some of the actions considered as suspicious are also usually performed by legitimate applications. It is thus very important to consider the overall context of the analyzed application: is it reasonable that the application we tested perform these actions?

[Read more…]