Gabriel October 7, 2011 5:22 PM

Wasn’t there a chef who recently came up with a way to make Humboldt tender? Dinner?

Predator drone fleet command hit with a keylogger, on air-gapped classified networks. Sounds like bad practices; maybe they thought being air-gapped was good enough.

Researchers claim they created a secure VM, not monitorable by the hypervisor, using x86 System Management Mode:

Dom De Vitto October 7, 2011 5:25 PM

Yeah, this happens, but the question is why?

Humboldts are really smart, and it’s only massively changed currents or a major food-source migration that would make them do this, IMO.

If they’re around a foot long, they are only a few months old and very, very immature.

In case anyone cares, adult Humboldts eat people, given the chance.

Gabriel October 7, 2011 7:38 PM

@Rob D: Steganography by Printed Arrays of Microbes (SPAM)

Ok, stop right there. If they want their work taken seriously, they should not name their product after one of the greatest evils on the Internet (and according to one webcomic, in the 31st century it will be regarded equally with treason). Other than that, interesting idea.

Gabriel October 7, 2011 7:46 PM

Sorry to post again, but after getting over the terrible name… They want to do what! Make fluorescent E. coli that is resistant to antibiotics? Does that not fall under stupid idea of the century? That bacterium is ubiquitous and quite happy living inside us. The last thing you want to do is give any strain an advantage over us, since it is quite the opportunist. It’s also content to live on almost anything in our food supply. What is their end goal? I don’t mention it since we don’t need any bathroom humor here.

Nick P October 7, 2011 11:01 PM

@ Gabriel

As soon as I saw the name Zhang, I knew it would be a nice piece of work. I downloaded hundreds, if not thousands, of academic papers to skim over the past year or two. Certain names keep popping up on good work. Zhang is one of them. So, I finished the article. It’s nice research, maybe even useful. There’s a flaw though: one commenter aptly noted it relies on a “black box” for security.

SMM is a black box. Most OS designers & security guys don’t know as much about it as we want to. Many security professionals don’t even know about it (much less ICE mode) except a vague recollection of an SMM attack. It really shouldn’t even be there in a system designed for security or robustness. So, without knowing the inner workings or trustworthiness, the scheme totally trusts this mode & bases its assurance on it.

An additional problem concerns some of the target markets. Cloud computing, virtualized enterprises, etc. will have issues with this, more likely will ignore it outright. The reason is that you can’t migrate the functionality in the SMM VM if the hypervisor doesn’t see it. Live Migration, backups, etc. are built into major virtualization platforms & I doubt they will give it up. Even if some way to do it is implemented, it’s doubtful that it will be integrated quickly into standard VI management tools.

Hence, it’s a clever idea & might have its uses, but it can’t be trusted and won’t sell well. Fail. Note that I think this could be used on personal PCs or non-virtualized, individual servers. It would take a vulnerability in SMM or some other sophisticated attack to beat it, assuming it doesn’t break on its own due to SMM behavior obscurity. There are simply too many good alternative proposals (see SecureMe, SecureCore & Verisoft) to go for this. Not to mention, many specific use cases have commercial solutions from the likes of Green Hills, Argus, Trustifier, GD, Raytheon and others.

Nick P October 7, 2011 11:06 PM

@ Gabriel

“Ok stop right there. If they want their work seriously, they should not name their product after one of the greatest evils on the Internet. ”

I’m half-heartedly in agreement. Spam is a bad thing for most people, but academics often make jokes like this (esp. at Black Hat & Defcon conferences 😉). It did remind me of something: one stego technique of the past hid messages in fake spam. Spammimic auto-generates entire spam-looking messages for each true, hidden message. Really clever. Actually, one of my favorite stego approaches. An example is below. You can decode it on their web site.

Dear Friend , Thank-you for your interest in our publication
! We will comply with all removal requests . This mail
is being sent in compliance with Senate bill 1620 ;
Title 3 , Section 309 . This is not multi-level marketing
. Why work for somebody else when you can become rich
as few as 59 weeks . Have you ever noticed how long
the line-ups are at bank machines and most everyone
has a cellphone ! Well, now is your chance to capitalize
on this ! We will help you SELL MORE and SELL MORE
! You can begin at absolutely no cost to you ! But
don’t believe us ! Mr Anderson who resides in Colorado
tried us and says “My only problem now is where to
park all my cars” . This offer is 100% legal ! You
have no reason not to act now ! Sign up a friend and
you’ll get a discount of 60% ! Thank-you for your serious
consideration of our offer ! Dear Internet user ; This
letter was specially selected to be sent to you ! If
you no longer wish to receive our publications simply
reply with a Subject: of “REMOVE” and you will immediately
be removed from our mailing list ! This mail is being
sent in compliance with Senate bill 1621 ; Title 9
; Section 309 . This is NOT unsolicited bulk mail .
Why work for somebody else when you can become rich
within 31 DAYS ! Have you ever noticed most everyone
has a cellphone & nearly every commercial on television
has a .com on in it ! Well, now is your chance to capitalize
on this . We will help you decrease perceived waiting
time by 150% plus turn your business into an E-BUSINESS
. You can begin at absolutely no cost to you . But
don’t believe us ! Prof Ames of California tried us
and says “I’ve been poor and I’ve been rich – rich
is better” . We are licensed to operate in all states
. We BESEECH you – act now ! Sign up a friend and your
friend will be rich too ! Cheers ! Dear Salaryman ,
Thank-you for your interest in our letter ! This is
a one time mailing there is no need to request removal
if you won’t want any more . This mail is being sent
in compliance with Senate bill 1627 , Title 6 ; Section
for somebody else when you can become rich inside 55
days ! Have you ever noticed how long the line-ups
are at bank machines and how many people you know are
on the Internet ! Well, now is your chance to capitalize
on this . We will help you SELL MORE & process your
orders within seconds . The best thing about our system
is that it is absolutely risk free for you . But don’t
believe us . Mr Jones of New York tried us and says
“I was skeptical but it worked for me” . We assure
you that we operate within all applicable laws ! If
not for you then for your LOVED ONES – act now ! Sign
up a friend and you’ll get a discount of 80% ! Thank-you
for your serious consideration of our offer .
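
As an added illustration of the spammimic idea described above: this is example code written for this thread, not spammimic’s own implementation, and the phrase table is constructed for the example rather than taken from spammimic. The mechanism is a fixed template of slots, each offering 2^k alternative sentences, so the choice made in a slot carries k hidden bits; the decoder walks the same template and reads the bits back from whichever alternative appears. A two-byte length header marks where the payload ends, so trailing cover text is ignored and a truncated cover message is detected rather than silently mis-decoded.

```python
# Grammar-driven ("mimic") text steganography, constructed for this thread.
# Not spammimic's code; the phrase table below is made up for the example.
# Each slot lists 2**k alternatives; the chosen alternative encodes k bits.

SLOTS = [
    ["Dear Friend ,", "Dear Internet user ;", "Dear Salaryman ,", "Dear Colleague !"],
    ["Thank-you for your interest in our publication !",
     "Thank-you for your interest in our letter !",
     "We know you are busy , so we will be brief .",
     "This is not multi-level marketing !"],
    ["We will comply with all removal requests .",
     "This is a one time mailing , there is no need to request removal ."],
    ["Why work for somebody else when you can become rich in 31 DAYS !",
     "Why work for somebody else when you can become rich within 59 weeks !",
     "Have you ever noticed how long the line-ups are at bank machines ?",
     "Have you ever noticed that nearly every commercial on television has a .com in it ?"],
    ["We will help you SELL MORE !",
     "We will help you process your orders within seconds !",
     "We will help you turn your business into an E-BUSINESS !",
     "We will help you decrease perceived waiting time by 150% !",
     "You can begin at absolutely no cost to you !",
     "The best thing about our system is that it is absolutely risk free !",
     "This offer is 100% legal !",
     "We are licensed to operate in all states !"],
    ["But don't believe us !", "But don't take our word for it ."],
    ['Mr Anderson of Colorado says "My only problem now is where to park all my cars" .',
     'Prof Ames of California says "rich is better" .',
     'Mr Jones of New York says "I was skeptical but it worked for me" .',
     'Ms Smith of Texas says "It paid for itself in a week" .'],
    ["Act now !", "We BESEECH you - act now !",
     "If not for you then for your LOVED ONES - act now !",
     "You have no reason not to act now !"],
]


def _bits_per_slot(alts):
    """k such that the slot has exactly 2**k alternatives."""
    k = len(alts).bit_length() - 1
    if 1 << k != len(alts):
        raise ValueError("every slot needs a power-of-two number of alternatives")
    return k


def bits_per_cycle():
    """Hidden bits carried by one pass over the whole template."""
    return sum(_bits_per_slot(s) for s in SLOTS)


def _to_bits(data):
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _from_bits(bits):
    v = 0
    for b in bits:
        v = (v << 1) | b
    return v


def encode(payload):
    """Hide `payload` (bytes) in spam-looking text. A 2-byte length header
    tells the decoder where the payload ends; the last slot is zero-padded."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for the 16-bit length header")
    bits = _to_bits(len(payload).to_bytes(2, "big") + payload)
    sentences, pos, slot_i = [], 0, 0
    while pos < len(bits):
        alts = SLOTS[slot_i % len(SLOTS)]
        k = _bits_per_slot(alts)
        chunk = bits[pos:pos + k]
        chunk += [0] * (k - len(chunk))      # zero-pad the final slot
        sentences.append(alts[_from_bits(chunk)])
        pos += k
        slot_i += 1
    return " ".join(sentences)


def decode(text):
    """Walk the template over `text`, recover the bits from which alternative
    appears in each slot, and return the payload. Raises ValueError if the
    text does not follow the grammar or is truncated."""
    bits, idx, slot_i, needed = [], 0, 0, None
    while needed is None or len(bits) < needed:
        alts = SLOTS[slot_i % len(SLOTS)]
        k = _bits_per_slot(alts)
        # longest match wins, so one alternative may be a prefix of another
        match = None
        for j, alt in enumerate(alts):
            if text.startswith(alt, idx) and (match is None or len(alt) > len(alts[match])):
                match = j
        if match is None:
            raise ValueError("text does not follow the grammar at offset %d" % idx)
        bits.extend((match >> i) & 1 for i in range(k - 1, -1, -1))
        idx += len(alts[match]) + 1           # skip the separating space
        slot_i += 1
        if needed is None and len(bits) >= 16:
            needed = 16 + 8 * _from_bits(bits[:16])
    return bytes(_from_bits(bits[i:i + 8]) for i in range(16, needed, 8))


if __name__ == "__main__":
    cover = encode(b"meet at dawn")
    print(cover)
    print(decode(cover))
```

The template here carries 15 bits per pass, so a short message needs several repetitions, which is why real spammimic output rambles the way the sample above does; a larger grammar with more alternatives per slot raises the bits-per-sentence rate at the cost of a bigger table that both parties must share.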

Jimmy BLT October 8, 2011 11:41 AM

I may be breaching some informal rules here, but upon reading this article about the US drones and this keylogging virus, I immediately cruised down the Information Superhighway to see what Schneier, the Security Man, has to say about it.

Once again, I apologize if I’m overstepping the local rules with my barging in here. I know this is Squid Friday and “comment about this week’s comments” Day, so once again, sorry fellas; I’m just really eager.

Nick P October 8, 2011 12:33 PM

@ Jimmy BLT

No need to apologize or worry. The Friday Squid Blogging threads are open to off-topic security news, discussions, etc. Everything else must stay on topic.

The Predator story is no surprise. I’ve long rambled on how the government killed the high assurance market by buying low assurance products en masse & producing low assurance GOTS products labeled “high assurance.” That they are letting Windows PCs have significant control over one of these things isn’t a good idea.

A Solaris system with Argus Pitbull or one of the recent separation kernel approaches would have been better. They could have used Windows/Linux/whatever for untrusted networking, storage, etc. & run security critical portions right on the secure kernel. Any of these options has good performance, better security, good dev tools, POSIX compliance, & affordability. Instead, they used a vanilla Windows PC. No surprise there. None whatsoever.

Aside: This kind of behavior in the government & my policy of not doing INFOSEC work for Uncle Sam are totally a coincidence. I swear. 😉

Bell’s paper on rise & fall of govt high assurance

John October 8, 2011 3:47 PM

“Federal Trojan” of Germany found and disassembled.

“The analysis concludes, that the trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.”

Gabriel October 8, 2011 4:45 PM

@Nick P, Jimmy BLT: I agree on the need for High Assurance systems (hell, a properly configured BSD, Linux, or other Unix would go a long ways), but what shocks me is that their information systems management staff did not seem to be prepared to handle this. Even a medium sized enterprise IT staff would probably have a better policy in place. At the very least, make sure they have reliable and trusted backup images of all of their machines, so that they don’t suffer so much downtime. They need these systems to have high availability. Never mind their more controversial killing role, they are vital for intelligence and situational awareness of a battlefield.

Imagine if their networks were not air-gapped. They would have been “pwned” much worse than HB Gary. I have to wonder if their IS management staff got complacent, not protecting their machines with up-to-date antivirus, locking down USB and CD-ROM access, etc. Another problem is sometimes a culture of complacency develops where other users don’t challenge or report inappropriate behavior, like indiscriminately using media on classified systems. No file on any storage device should be accessed without first scanning the media for viruses. Lock down the configuration so that files are never autorun (looking at you, MSFT, for this most stupid of ideas). Restrict access to USB storage media to only certain users who require it. These are just a few examples.

Another problem, and this ties into the need for HA systems, is that many of these systems are still running legacy Windows XP, instead of newer and more secure versions of Windows. Many of these applications require a life of 10 – 20 years or more, which is not supported by most commodity operating systems. I bet most of their control software only runs on Windows XP, and is not yet ready for Vista or 7. Indeed, they will probably never be ported. Since these are the key and mission critical operations, running in a VM is probably too cumbersome, not to mention it will probably make their security procedures harder to manage/update. For example, it won’t be enough to erase and wipe out the VM; you will also have to wipe the underlying host OS. So they either need to adopt more agile lifecycles for their software, or use high assurance systems that would be supported by a vendor for the lifecycle they require. Green Hills and many other RTOS vendors certainly know how to support such systems.

Jimmy BLT October 8, 2011 4:51 PM

Thanks, fellas, for the good feedback.

Once again, the Internet’s market of knowledge is simply amazing.

Daniel October 8, 2011 4:58 PM

I must say that the article about the drone virus is strange. I’m not so shocked that they got infected. What surprises me is the Keystone Cops methods they have used to try and fix it. I find it difficult to believe that they really don’t know what the virus does, that the very first step they took was to ask the Russians for help, and then after wiping the hard drive and reinstalling the OS they hooked the clean machine back up to a network that they knew was still infected. Really???

I don’t know what advantage the US military thinks it gets from playing dumb on this issue but I frankly don’t believe it.

Clive Robinson October 8, 2011 4:59 PM

@ Jimmy BLT,

“I may be breaching some informal rules here, but upon reading this article about the US drones and this keylogging virus”

I was probably one of the first to breach the rules to give Bruce a heads up on stories that I thought might be of interest to him and others…

With regards to the story itself, I’m far from surprised.

If you have a look at the publicly available history of the drones and their systems and read between the lines, you will find that they were in effect a rush job and security was not at the time an overriding requirement; getting them up in the air over the target was.

The problem with this is that security needs to be built in from day zero if it is to work effectively; bolting it on at a later date is never a good idea as you always end up with holes you can’t immediately see (or sometimes at all).

Now we are ten or so years down the road and some of the holes in the design are beginning to show and the threads around them are beginning to unravel to make new holes.

Oh and as Bruce has noted on the odd occasion “Attacks always improve with time”.

Which brings me onto the subject of the comments of Anup Ghosh, quoted in the article. The article says he’s a former scientist with the Defense Advanced Research Projects Agency and currently chief scientist with security company Invincea.

If he has been quoted correctly,

“None of this should be surprising.” The system should be replaced or “re-imaged” with a virus-free, bit-for-bit copy of the data on the drive in order to get rid of the infection, he said…

Either he’s a little out of date in his thinking or the journo has stitched him up.

One problem is that the HD is not the only semi-mutable memory in these PC systems, thus it’s not just the HD you need to re-image. For instance it is known that the flash BIOS chips and other flash memory etc. in the PC motherboard and some IO cards can be used to hide malware away so that when the system is re-booted the system is re-infected no matter how many times you provide a clean HD & OS.

And yes, there are other places the malware can be covertly tucked away in a complex system; as one researcher showed not so long ago, even the microcontroller in a laptop (Apple) battery can be subverted…

Thus you really have to have intimate knowledge of the entire system to make it secure, and guess what, with “off the shelf components” you are not likely to have all the information required…

Especially if you are doing the design in a hurry to get it “field ready”…

Gabriel October 8, 2011 7:34 PM

@Jimmy BLT: Ahh, you have now heard from two of the smarter people on this blog, not counting Bruce. Keep reading and you can absorb a lot from these folks.

Gabriel October 8, 2011 8:44 PM

@Cliff: Regarding Malware tucking itself into the BIOS, isn’t the SMM mode of x86 the attack vector used for that? From reading up on it, apparently, it is impossible to disable the interrupt that enters this mode, and the interrupt vector is setup by the BIOS, hence the OS is not able to rewrite it. Bad ideas in x86 legacy that are biting us. If I recall correctly, BIOS used to be an EEPROM that took external tools to program. However, being a classified environment, no PC should be used unless they know how to clear every bit of programmable memory/storage on that system. Even monitors aren’t allowed in such an environment unless they have documentation for every memory on the device.

Clive Robinson October 9, 2011 4:11 AM

@ Gabriel,

There are a number of ways the flash memory in various parts of a PC can be changed and often it depends on where it is.

As some know, even CPU chips contain flash memory to correct “bugs” in the microcode etc., sometimes protected by code signing, sometimes not. And flash memory hides away in other even less obvious places, sometimes known only to the chip manufacturer and those who might have worked there at some point.

With regards,

“However, being a classified environment, no PC should be used unless they know how to clear every bit of programmable memory/storage on that system.”

That’s the ‘ideal’ but in practice there are too many unknowns, one of which is “second source” components.

We know there are counterfeit chips entering the supply lines; sometimes these are obvious in use and sometimes they are not. For instance a lower spec part having the package markings altered to make it look like a higher spec part, and in the past the chip for chip price difference was a couple of hundred USD, so well worth a little effort…

[How do they get away with this? Simple: as “overclockers” know, you can get away with quite a bit of abuse this way. One reason for this is that quite often the actual silicon inside the chip is of higher spec than the package markings indicate. This happens because the chip manufacturer tries to make all the chips to the higher spec to start off with and yield patterns dictate what actually makes the individual specs or not, but sales and marketing determines the quantities of what get sold at what spec.]

Some other chips are complete duds slipped in amongst real chips, thus usually getting by “goods inward test” that uses “10% sampling” not 100% test.

And some in the past were actually fakes at the silicon level that were made using stolen IP etc.

However there is a newish game in town based on the fact for various reasons even the chip designers don’t actually know what goes onto their chips.

This is because they don’t design from the “transistor up” any longer but use libraries of functional blocks often purchased in under licence from other companies.

Likewise most “chip designers” don’t actually manufacture the chips; they subcontract this out to just a handful of fab plants around the world.

If you have a look at past discussions between Nick P, RobertT and myself you will see that there is in effect no real security in the process.

So how do you tell if your chip design has been compromised and had extra malicious features added or not? The simple answer is you can’t…

So the manufacturers of PC motherboards and IO boards can’t tell either, thus nor can those buying the COTS into a project, secret or otherwise…

This might account for why the US Gov DoD is sponsoring research projects into changing this state of affairs.

However there is another problem COTS projects have and that is the speed of change in the market. Just the collection, collation and checking of the paperwork for a PC motherboard is longer than the likely manufacturing life of the motherboard.

Basically the cycle of continuous improvement in chip revisions, interchangeability of chip parts etc. etc. means that quite often many of the parts will actually change during the design and manufacturing cycle, which can be less than a year…

COTS might be seductively cheap, but the hidden price of “not knowing” can render any such price advantage nonexistent.

Finally, there is the issue of what is secret and what is not. Take a GPS receiver module: if it goes in a mobile phone it’s not secret, if it goes in a drone then it might be secret. But as we know, increasingly soldiers are taking mobile smart phones onto the battlefield as they work way way better than the kit they get issued with. Thus with an increasingly greater probability insecure comms equipment is going to end up on the battlefield in areas where the equipment should be classified to the higher levels. Such insecure equipment represents a real EmSec issue, especially when it comes within a certain range of secure equipment.

But COTS is also less reliable, thus has a higher turnover in component parts; this has a significant cost in “secure disposal” and with the likes of thumb drives and smart phones it is beyond control already.

COTS is a security nightmare but the lid of the Pandora box has been opened and we are going to have to live with the consequences…
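
On the “10% sampling” point in the comment above, an added worked calculation (written for this thread, not something from the original discussion) of how often a sampling-based goods-inward test passes a batch that contains a few duds or counterfeits. The batch sizes and dud counts are constructed inputs; the model is the exact hypergeometric one, i.e. a batch passes when every bad part happens to fall among the parts that were not tested.

```python
# Added example: how often does a sampled incoming-inspection test miss
# a batch that contains a few bad (dud or counterfeit) parts?
# Batch sizes and dud counts below are constructed, not from the thread.
from math import comb


def miss_probability(batch, duds, sampled):
    """Probability that a random sample of `sampled` parts drawn from a
    batch of `batch` parts containing `duds` bad ones contains no bad
    part at all, i.e. the batch passes inspection. Hypergeometric: all
    `duds` bad parts must sit among the `batch - sampled` untested parts."""
    if not 0 <= duds <= batch or not 0 <= sampled <= batch:
        raise ValueError("sizes out of range")
    return comb(batch - sampled, duds) / comb(batch, duds)


def min_sample_for_detection(batch, duds, confidence=0.95):
    """Smallest sample size whose chance of catching at least one of the
    `duds` bad parts is >= `confidence`."""
    if duds <= 0:
        raise ValueError("nothing to detect")
    for sampled in range(batch + 1):
        if 1.0 - miss_probability(batch, duds, sampled) >= confidence:
            return sampled
    raise AssertionError("unreachable: testing every part catches every dud")


def inspection_table(batch, sample_fraction, dud_counts):
    """(duds, P(batch passes)) pairs for a fixed sampling fraction."""
    sampled = int(batch * sample_fraction)
    return [(d, round(miss_probability(batch, d, sampled), 3)) for d in dud_counts]


if __name__ == "__main__":
    # constructed example: a reel of 1000 parts, 10% goods-inward sample
    for duds, p_pass in inspection_table(1000, 0.10, [1, 5, 10, 25, 50]):
        print("duds=%3d  P(batch passes 10%% sample)=%.3f" % (duds, p_pass))
    print("sample needed to catch 10 duds in 1000 with 95%% confidence: %d"
          % min_sample_for_detection(1000, 10))
```

With 1% duds in a batch of 1000, a 10% sample passes the batch roughly a third of the time, and a single substituted part gets through 90% of the time; reaching 95% confidence against ten bad parts takes a sample of about a quarter of the batch. That is the arithmetic behind the remark that duds “usually get by” a 10% goods-inward test, and why supply-chain assurance cannot rest on sampling alone.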

Gabriel October 9, 2011 11:33 AM

@Clive: First, my apologies, with my back hurting me, I must not have paid attention when I wrote Cliff.

Second, the folks at that base were certainly lucky in that they were only hit by a rubber bullet of malware, as opposed to something more pernicious, such as a Stuxnet-like worm designed to do more evil things (i.e., change the coordinates sent to a Reaper for missile targets, just ever so slightly). I certainly understand that design and manufacturing of products has become so complex. And it’s a hard problem to solve. Even if every electronics defense contractor were to develop parts and secure fabs in which to make them, it would be impossible to keep up with the rate of growth you see in COTS. This means COTS parts and devices will always be more desirable from the shiny and functional perspective, as opposed to some big, bulky, and ruggedized green box. I think, however, with regards to this instance, the greatest source of consternation appears that they were unprepared to clean up and handle the malware. I know malware can be rather hard to clean up, but they didn’t seem to be aware of a few basic things. My opinion is they were probably not as diligent, believing that being off the net, they wouldn’t be vulnerable.

Clive Robinson October 9, 2011 12:15 PM

@ Gabriel,

“First, my apologies, with my back hurting me, I must not have paid attention when I wrote Cliff”

No worries, I suffer from, amongst other things, chronic back pain, for which other medical conditions stop me taking normal NSAID painkillers, which leaves the CNSD type opiates and their analogues which unfortunately stop the old grey porridge working the way it should (and give mild hallucinations). Having recently hurt my back in a small accident (I was not looking…) I’ve been a bit out of (it) myself, and cannot concentrate for more than a few minutes, hence my lack of comments recently 8(

I agree that as described in the article those involved with sorting out this particular malware attack do not appear to have acquitted themselves that well. However I reserve judgment due to the way the journo has written the piece (and when it comes to malware reporting few journos appear to be able to grasp the details accurately or avoid sensationalism). Oh, and there is also the issue of “painting it big” which the APT mob are fond of doing.

What I will note is that crossing the air gap the way it did is one of a number of ways I worked out how to propagate “fire and forget” malware across “air gaps” to the likes of voting machines etc. Which leaves the questions of,

1, targeting.
2, phoning home.
3, in AV definition files

That is, was the keylogging software “targeted” at these specific systems or was it more general, aimed at anything .mil or just anything.

And importantly, did it contain a mechanism to get the logged key strokes back across the “air gap” and back to a specific destination.

Further, if it was “known malware” in a standard AV company’s definition files, that would tell us quite a bit more about it and why it was not picked up before crossing the air gap.

If the malware was more general I would have expected it to have been picked up long before it got close to these systems. The fact that it was not picked up gives us a number of potential clues,

A, If not specifically targeted, it was either clever malware or the general level of IS security on .mil is not good.

B, It is likely that these systems are at most one hop away from the Internet or other infection vector, or again the general level of IS security on .mil is not good.

C, If the malware is designed to cross air-gapped systems in both directions then it is more sophisticated than the majority of malware and the game has gone up another notch.

The problem is we don’t know quite enough to say more definitely, which also makes me wonder if the whole incident has been less than objectively reported for some reason.

As ever in these things we need more details to eliminate hypotheses (but I guess they are not going to get reported)

Steve October 9, 2011 7:18 PM

In re beached squid, yes, it happens periodically. I’ve seen hundreds of the critters down here in San Diego on the beach. The gulls have a great feast.

BF Skinner October 9, 2011 9:12 PM

They’re just trying to evolve before the touch screen makes the keyboard obsolete and their obvious competitive advantage is rendered moot.

Tom October 10, 2011 7:17 PM

Bruce, you might wanna have a look at this:

The CCC investigated a trojan the German government is using without permission, i.e. without being backed by law. On the contrary, the German constitution explicitly has forbidden usage of software which can alter the content of the hard disk. Plus it is not very well programmed and creates lots of security breaches (commands are transferred unencrypted, traffic is routed through a US server, the self-destruct mechanism moves the files to the recycle bin, etc.)

Information also here:,1518,790944,00.html

And lots of (probably only German) links can be found on the blog.

As of now, several German states have admitted to using this or similar software. Which, again, is explicitly forbidden by the German constitution and the Federal Constitutional Court.
