Friday, August 5, 2011

Black Hat Briefings 2011: Mudge of DARPA, the App as Ultimate Wingman, Why the Water Commissioner's Hair is on Fire, & Other Strange Tales

By Richard Power


Here are my notes from Black Hat Briefings (USA) 2011, held at Caesar's Palace in Las Vegas, Nevada.

Mudge of DARPA

"Mudge of DARPA" sounds like the name of a character out of World of Warcraft, or some other massively multiplayer online role-playing game (MMORPG). But no; and although, in the case of this analogy, truth is not stranger than fiction, it was indeed remarkable to see Peiter "Mudge" Zatko, legendary denizen of the L0pht, author of L0phtCrack, and founder of @Stake, truly one of the iconic figures of the cyber security counter culture, keynoting at Black Hat 2011 in his new role as Program Manager at the Defense Advanced Research Projects Agency (yes, DARPA).
In his talk, Mudge offered glimpses into two of his initiatives: Analytic Framework for Cyber Security and Cyber Fast Track.

Touching on the Analytic Framework for Cyber Security, Mudge remarked, "Think of the cold war, and spending, right now we're looking pretty much like Russia."

Using a few fascinating graphs and charts, Mudge illuminated some of the fundamental flaws in established approaches. For example, one of his charts, titled "We are Divergent with the Threat," compared average lines of code over a fifteen-year period from 1985 to 2010: security software (currently at ten million lines) versus average lines of code in malware (holding consistently at one hundred twenty-five lines of code).

The second of these two initiatives, the Cyber Security Fast Track (DARPA-RA-11-52), had just gone live.

According to Mudge, a single government cyber security project typically takes eighty-one months to reach completion.
"Six years. The threat landscape will be different by then. So rather than run one program for six years let's run hundreds with maker spaces and boutique security firms ... Small groups of motivated and like-minded researchers have repeatedly shown significant talent and capabilities."

He hopes to reach such entities with a streamlined funding application and approval process, vetted by four compatriots belonging to that same cyber security counter culture from which Mudge emerged.

"This relationship needs to be mutually beneficial. DARPA intends to cultivate relations and become a resource."

I do not know how the tale of Mudge of DARPA will end; but somehow it feels right to me that he's there, and I hope it leads to genuine breakthroughs. But I assure you, after twenty years in the wilderness that is cyber security, I could only be pleasantly surprised.


100% Out of Sync

In a panel discussion entitled "Trillions of Lines of Code and Counting - Securing Applications At Scale," Jeremiah Grossman, founder and CTO of WhiteHat Security, offered some insightful perspectives that echoed the kind of critical thinking Mudge had been advancing earlier in the day when talking about developing his Analytic Framework.

Grossman's views are worthy of attention. His street cred? WhiteHat performs weekly vulnerability assessments on four thousand high-profile sites (e.g., banks, insurance companies, healthcare providers, retailers); seven out of ten of those sites have serious vulnerabilities (i.e., the kind that would enable attackers to access customer information, hack users' accounts, or perform other headline-grabbing misdeeds).

"Whenever we discuss the software security problem, it is inevitably said that what we need to do is train developers to secure code, and it is difficult to argue against that position, especially in regard to people going through college and graduate school programs. But meanwhile there are seventeen million active developers, my guess is that less than one percent of them have formal software security training. How do you give remedial training to seventeen million developers? We don’t even have anywhere near the number of instructors that would be required. Computer-based training would be the only viable solution."

But according to Grossman, the loudly trumpeted issue of training developers hides a different problem that is just as systemic and at least as damning.

"If you look at IT budgets, businesses are investing in the network, host and application layers. Generally, organizations spend the least on routers and switches, and spend a little more on servers, desktops, commercial software, etc. But they spend the most on their own applications; they have legions of developers writing code. It is said that one of the major financial institutions has three developers for every banker. So that's where the business is investing. Now InfoSec likes to say it practices risk management aligned with business. And yet, where does InfoSec spend its money? It spends the most on firewalls and IDS, to protect what the business spends the least in building, followed by anti-virus and patch management to protect the host, but very little protecting the apps where the business is spending the most. The way we do InfoSec budgeting doesn't work. Congratulations, InfoSec, you are 100% out of sync!"


In the Age of Augmented Reality, the Ultimate "Wingman"

CyLab's Alessandro Acquisti broke some of the biggest news at Black Hat Briefings 2011; well, just prior to Black Hat 2011 actually, since The Economist (8-30-11) and the Wall Street Journal (8-1-11) ran exclusives leading up to his conference presentation.

In "Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be," Acquisti debuted the results of research conducted with two other Carnegie Mellon researchers, Ralph Gross and Fred Stutzman. This sensational work is a worthy follow-up to the blockbuster study on guessing Social Security numbers that Acquisti and Gross co-authored in 2009.


In the course of three experiments, Acquisti and his research colleagues investigated the "feasibility of combining publicly available online social network data with off-the-shelf face recognition technology for the purpose of large-scale, automated, peer-based ... individual re-identification, online and offline, and 'accretion' and linkage of online, potentially sensitive, data to someone’s face in the offline world."

What does this mean in practical terms? A lot. And in terms of individual privacy, much of it is disconcerting.

Imagine a smartphone app, with which a man in a bar could snap a photo of a woman he is talking to, and after a brief search have access to her dating site info; imagine at the same moment, she is accessing his credit score. Acquisti and a member of his team demonstrated how this would work with a little program amusingly named "Wingman."

The implications are staggering, as Acquisti articulates.

"Is the combination of technologies described [facial recognition and social media applications] going to provide these linkages [all your different, perhaps disguised on-line personas with your actual identity], where we are not simply giving a name to an anonymous face, but we actually blend together on-line and off-line data? ... [Guessing social security numbers] is just one example of what is going to happen, through this blending of on-line and off-line data, this convergence of personal and predictable information - in a way it is written on your face, even if you may not be aware of it. It may democratize surveillance, and I am not saying this in a good sense, I am saying it with concern. We are not talking just about constricted and restrained Web 2.0 applications that are limited to consenting, opt-in users, such as maybe Picasa or currently Facebook tagging. We are talking about a world in which anyone could, in fact, recognize your face and make these inferences, because the data is already out there, it is already publicly available. So what will our privacy mean in this kind of future of augmented reality? We have already created a de facto Real ID infrastructure ... Nationally, Americans are against Real IDs, but we have already created one for the marketplace."

For better and worse, it will change our world.

"In fact, augmented reality may also carry deep-reaching behavioral implications. Through natural evolution, human beings have evolved mechanisms to assign and manage trust in face-to-face interactions. Will we rely on our instincts, or on our devices, when mobile devices make their own predictions about hidden traits of a person we are looking at?"

For more insights on this important study, you can read my CSO Magazine interview with Acquisti, "Face recognition and social media meet in the shadows." On Acquisti's own site, you will find an excellent Frequently Asked Questions (FAQ) on the facial recognition study, as well as the draft slides for the Black Hat 2011 presentation.



Google This ...

In "Pulp Google Hacking: Next Generation Search Engine Hacking Arsenal," Fran Brown and Rob Ragan of Stach & Liu, LLC debuted a slew of sophisticated new tools to optimize the use of Google searches for open source intelligence, including:
  • GoogleCodeSearchDiggity, which identifies vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, etc. (loaded with 40 default searches that identify SQL injection, cross-site scripting, insecure remote and local file includes, hard-coded passwords, etc.)
  • DiggityDLP, which leverages Google and Bing to identify exposures of SSNs, credit card numbers and other sensitive information via common document formats such as .doc, .xls, and .pdf
  • FlashDiggity, which provides automated Google searching, downloading, decompiling and analysis of SWF files to identify Flash vulnerabilities and info disclosures
  • DroidDiggity, a smartphone app that delivers GoogleDiggity and BingDiggity to Android phones.
Here is just one of their numerous (and compelling) examples of such tools' powerful capabilities, and the implications thereof.

"Another interesting one that made the news last week or the week before ... I believe this was released by one of the members of Anonymous ... governmentsecuritybags.com ... this is a web site that sells bags with locks on them that you can use to carry around top secret or classified documents ... this has been removed now ... while they were good enough to remove it, thank you Google for caching it ... This made the news last week, I didn't even notice it until one of our searches with 'Blvd' and '75th.' So, basically, we are looking at the actual personal information, billing addresses, usernames and passwords that they registered with ... So if you want to go one-stop shopping for the e-mail addresses, passwords, billing addresses ... it even has a picture of the bag they purchased, so you know what to look for ... Here is a list of six hundred or so people you could go after, who are walking around with top secret bags on them."

If intelligence gathering is something required in your work (and at this point, if you are in cyber security and it isn't already your skill set, you are way behind the curve), or if you or your organization are the likely target of intelligence gathering, whether it be corporate, state-sanctioned or lone wolf (and at this point who or what wouldn't be from some vector or another), then you ignore the Google Hacking Project at your own risk.



Why is the Water Commissioner's Hair on Fire?

In the developed world, when people turn on the tap, they expect the water to flow; and while they might prefer to drink bottled water, they also expect the tap water to be relatively safe. Of course, although these expectations are based on a lifetime's experience, they are also based on ignorance. Water is one of the most pressing sustainability issues that confronts the human race in the 21st Century. Furthermore, the infrastructure that delivers the water to our populations is, in many (if not most) cases, old, deteriorating and vulnerable to both bad actors and bad luck.

Of course, that's not stopping the push toward smart water meter networks; and just as with the similar, albeit much more high-profile, push toward a smart power grid, this push will open new vulnerabilities and aggravate some existing ones.

John McNabb of South Shore PC Services (Boston, MA) has undertaken his own independent research into the potential risks and threats involved. For thirteen years, McNabb served as Water Commissioner for a small local water utility.

Speaking on "Vulnerabilities of Wireless Water Meter Networks" at Black Hat 2011, McNabb shared his insights.

There is a lot at stake and a lot at risk.

"Water is a $400 billion global industry ... Al Qaeda has repeatedly threatened to 'poison' U.S. drinking supplies ... the American Society of Civil Engineers gives the nation’s drinking water infrastructure a D- grade and estimates that an investment of $255 billion is needed to bring the system to needed standards."

Think of a water meter as a cash register, McNabb suggests.

"$40 billion, the annual income of US water utilities, comes mostly from meter information."

Thus, the threats and risks involve not only terrorists or some disgruntled ex-worker bent on sabotage, but also common criminality (yes, the kind of criminality that always rises in times of great economic hardship).

According to McNabb, theft through meter tampering is not only a big issue for energy suppliers ("electric utilities assume 10% loss each year from theft"), it is also an issue for water utilities ("Theft of water by tampering with or bypassing water meters costs BWSC [Boston] thousands of dollars a year & ... imposes costs on every paying customer").

There should be plenty of opportunity for everyone.

"The U.S. advanced metering infrastructure (AMI) market (electricity+gas+water) will grow from $2.54 billion in 2010 to $5.82 billion in 2015, an 18% compound annual growth rate." "Although most US water meters are still read manually (only 28% have AMR [Automatic Meter Reading] meters), the worldwide installed base of smart water meters is expected to increase from 5.2 million in 2009 to 31.8 million by 2016."

Today, McNabb continued, much of the data collection, even with smart meters, is done by walk-by and drive-by; but, of course, the fixed network is where it is all going.

"This takes the full capabilities of the wireless water meter and enables it to become a sensor network for the water utility that can allow almost continuous water usage readings (usually every 5-15 minutes). In the fixed network the signals from the single meter are transmitted and then collected in a central receiving station, if close enough, or to repeaters and then to the central receiving station. In most cases a star topology is used, but in some implementations a mesh topology is used so each meter can act as a repeater for any others within range."

McNabb cites numerous vulnerabilities in wireless water meters, ranging from design (e.g., low on-board memory) to lack of security awareness ("Badger gives out its default network username, password and wireless key on web site") to no encryption (even though "more of them are coming out with encryption now").

"Water meters are an integral component of the national drinking water infrastructure," McNabb concluded. "Tampering with water meters, either mechanically or electronically, costs money for local water systems. Wireless water meters need to be better secured to prevent potential financial loss to water suppliers and to reduce potential security vulnerability to the water system."

Hopefully, his quest will prove to be more than quixotic.

After all, there is the Maroochy incident, as McNabb reminded us in his presentation.

"The Maroochy incident in 2000, when a disgruntled former contractor used inside info to release 800,000 liters of sewage into the environment, using wireless network communications from his laptop, is an example of how insider threat could impact a wireless sensor network."
