Saturday, June 30, 2012

China's High-Tech Military Threat and Air Sea Battle

Two months ago Bill Gertz published an excellent article titled China's High-Tech Military Threat. I wanted to share a few excerpts that resonated with me.

[I]n November 2011, the Pentagon conducted an unusual rollout of a new military unit called the Air Sea Battle Office...

The concept calls for the Air Force, Navy, and Marine Corps to integrate forces and other capabilities to defeat what the Pentagon has labeled “anti-access and area denial weapons” — high-technology arms that can prevent or deter the United States military from operating in certain areas...

When pressed on the question of whom the initiative was targeting, one official responded, “The concept isn’t about a specific actor; it’s about countering anti-access, area-denial capabilities...”

[T]he Air Sea Battle Concept is the culmination of a strategy fight that began nearly two decades ago inside the Pentagon and U.S. government at large over how to deal with a single actor: the People’s Republic of China...

The reluctance to publicly identify Chinese belligerence as the impetus for the concept is merely a ruse to mollify adherents of a “Benign China” school of foreign policy — the losing side of the long internal policy fight.

The ideological godfather of the benign-China school is Harvard professor and former Clinton administration defense policymaker Joseph S. Nye. In 1995, Nye put forth the notion that if the United States treated China as a threat, it would become a threat.

Nye, who is also one of the progenitors of the soft-power school of policymaking now adopted by Secretary of State Hillary Clinton, has called the notion of a threatening China a self-fulfilling prophecy only warmongers and defense contractors would or could celebrate.

The Gertz article continues by describing the battle for leadership between the "Benign China" and "realist" China schools of thought.

For more information on this issue, please consider reading another Gertz article: Panda War.

Photo credit: ChineseDefence.com

Friday, June 29, 2012

Bejtlich's Thoughts on "Why Our Best Officers Are Leaving"

Twenty-two years ago today I flew to Colorado Springs, CO and reported for Basic Cadet Training with the class of 1994 at the United States Air Force Academy. I took the oath of office pictured at left the following day. I left the service in 2001 because I could no longer fit my military intelligence and computer network defense career interests within the archaic, central planning commission-like personnel system that ruled Air Force assignments.

Today I read an article by Tim Kane, USAFA class of 1990, titled Why Our Best Officers Are Leaving. This article resonated so strongly with me I got a little emotional reading it. The following are some relevant excerpts.

Why are so many of the most talented officers now abandoning military life for the private sector? An exclusive survey of West Point graduates shows that it’s not just money. Increasingly, the military is creating a command structure that rewards conformism and ignores merit. As a result, it’s losing its vaunted ability to cultivate entrepreneurs in uniform...

The military’s problem is a deeply anti-entrepreneurial personnel structure. From officer evaluations to promotions to job assignments, all branches of the military operate more like a government bureaucracy with a unionized workforce than like a cutting-edge meritocracy...

In a recent survey I conducted of 250 West Point graduates (sent to the classes of 1989, 1991, 1995, 2000, 2001, and 2004), an astonishing 93 percent believed that half or more of “the best officers leave the military early rather than serving a full career.”

Why is the military so bad at retaining these people? It’s convenient to believe that top officers simply have more-lucrative opportunities in the private sector, and that their departures are inevitable. But the reason overwhelmingly cited by veterans and active-duty officers alike is that the military personnel system—every aspect of it—is nearly blind to merit. Performance evaluations emphasize a zero-defect mentality, meaning that risk-avoidance trickles down the chain of command.

Promotions can be anticipated almost to the day—regardless of an officer’s competence—so that there is essentially no difference in rank among officers the same age, even after 15 years of service.

Job assignments are managed by a faceless, centralized bureaucracy that keeps everyone guessing where they might be shipped next...

When I asked veterans for the reasons they left the military, the top response was “frustration with military bureaucracy”—cited by 82 percent of respondents (with 50 percent agreeing strongly)...

In a 2007 essay in the Armed Forces Journal, Lieutenant Colonel Paul Yingling offered a compelling explanation for this risk-averse tendency. A veteran of three tours in Iraq, Yingling articulated a common frustration among the troops: that a failure of generalship was losing the war. His critique focused not on failures of strategy but on the failures of the general-officer corps making the strategy, and of the anti-entrepreneurial career ladder that produced them:

“It is unreasonable to expect that an officer who spends 25 years conforming to institutional expectations will emerge as an innovator in his late forties.”

[A]n internal job market might be the key to revolutionizing military personnel. In today’s military, individuals are given “orders” to report to a new assignment every two to four years. When an Army unit in Korea rotates out its executive officer, the commander of that unit is assigned a new executive officer. Even if the commander wants to hire Captain Smart, and Captain Smart wants to work in Korea, the decision is out of their hands—and another captain, who would have preferred a job in Europe, might be assigned there instead.

The Air Force conducts three assignment episodes each year, coordinated entirely by the Air Force Personnel Center at Randolph Air Force Base, in Texas. Across the globe, officers send in their job requests. Units with open slots send their requirements for officers. The hundreds of officers assigned full-time to the personnel center strive to match open requirements with available officers (each within strictly defined career fields, like infantry, intelligence, or personnel itself), balancing individual requests with the needs of the service, while also trying to develop careers and project future trends, all with constantly changing technological tools. It’s an impossible job, but the alternative is chaos.

In fact, a better alternative is chaos. Chaos, to economists, is known as the free market, where the invisible hand matches supply with demand...

Here is how a market alternative would work. Each commander would have sole hiring authority over the people in his unit. Officers would be free to apply for any job opening. If a major applied for an opening above his pay grade, the commander at that unit could hire him (and bear the consequences). Coordination could be done through existing online tools such as monster.com or careerbuilder.com (presumably those companies would be interested in offering rebranded versions for the military). If an officer chose to stay in a job longer than “normal” (“I just want to fly fighter jets, sir”), that would be solely between him and his commander...

I surveyed ex-military officers at Citi, Dell, Amazon, Procter & Gamble, TMobile, Amgen, Intuit, and countless venture-capital firms. At every company, the veterans were shocked to look back at how “archaic and arbitrary” talent management was in the armed forces. Unlike industrial-era firms, and unlike the military, successful companies in the knowledge economy understand that nearly all value is embedded in their human capital.

I completely agree with this article, especially the concepts of an "internal market" for hiring and retaining talent. I hope someone with the power to implement change reads Mr Kane's article and fights the bureaucracy to improve all the military services by nurturing their most important resource: people.

Tuesday, June 26, 2012

More Disclosure of Vulnerabilities in Attacker Tools

Two years ago I wrote Full Disclosure for Attacker Tools, where I wrote in part:

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's vulnerability research into Bifrost and other remote access trojans.

What's a little more interesting now is seeing Laurent Oudot releasing 13 security advisories for attacker tools. Laurent writes:

For example, we gave (some of) our 0days against known tools like Sniper Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit Pack, Neon Exploit Pack, Yes Exploit Pack...

In the post I addressed some of the issues involved, but a recent development involving the popular Poison Ivy (PI) remote administration tool (RAT) brought the debate back to life.

Today I became aware of Gal Badishi's Monday post Own And You Shall Be Owned. In the post he writes:

We will now present a fully working exploit for all Windows platforms (i.e., bypassing DEP and ASLR), allowing a computer infected by Poison Ivy (or any computer, for that matter) to assume control of PI’s C&C server...

In light of this analysis, a Metasploit module without encryption is being prepared.

"C&C server" means "Command and Control server," or the system operated by an intruder to control the multitude of victim systems on which he installed PI.

On the surface it may seem cool that "good guys" can now attack "bad guy" infrastructure thanks to this research. However, I think it's important to weigh the pros and cons of this disclosure of vulnerabilities in attacker tools.

Reasons One Should Disclose Vulnerabilities in Attacker Tools

  1. Intruders already know about the vulnerabilities anyway.
  2. Good guys already know about the vulnerabilities anyway.
  3. Publicizing, and especially weaponizing (via Metasploit), this vulnerability gives good guys a way to strike back at bad guy infrastructure.
  4. "Information wants to be free." Trying to protect the info from disclosure is a losing game.
  5. If good guys didn't know about the vulnerabilities, they now can put them to work attacking intruder infrastructure for "active defense" and "research" purposes.
  6. There's no place to disclose vulnerabilities in attacker tools "responsibly" anyway.

Reasons One Should Not Disclose Vulnerabilities in Attacker Tools

  1. Not all intruders know about the vulnerabilities, or perhaps none do.
  2. By publicizing the vulnerabilities, it tips the intruders to defend their infrastructure by patching.
  3. Good guys who previously had access to the infrastructure lose access once the intruders upgrade their vulnerable software.
  4. A researcher just saved intruders time and resources by providing free software security and quality assurance services.
  5. Information doesn't have to leak. Many organizations keep secrets, even without the infrastructure of classified systems.
  6. There are several private, vetted mailing lists that do a reasonably good job keeping information confidential, while providing benefit to defenders.

I tend to think it's a bad idea to publicize vulnerabilities in intruder tools for the reasons I listed, but I see the other side as well. My biggest concern is that researchers don't weigh these issues, or give them enough thought, prior to publishing their findings. What do you think?

Thursday, June 21, 2012

Charting Procmon network output with .NET 4.0 and Powershell


Lots to work out in this post. Powershell v 3.0 CTP2 or Beta.  Procmon is Mark Russinovich's flagship tool for diagnosing Windows activity. It normally runs from the (admin) command prompt:

procmon /noconnect /nofilter /minimized /quiet

From a PowerShell admin prompt you can run it thus:

start-process .\procmon.exe -ArgumentList '/LoadConfig JustNetwork.pmc','/quiet' -Verb RunAs -WindowStyle Hidden

whereupon a hidden Procmon runs in the background capturing network traffic, provided that you have exported the configuration 'JustNetwork.pmc' to your path. You can create this filter and export the configuration from the File menu:

There is no command line interface to Procmon; however, the launch switches can be listed with 'procmon /?'. So we can create some PowerShell functions:

function p {start-process .\procmon.exe -ArgumentList '/LoadConfig JustNetwork.pmc','/quiet' -Verb RunAs -WindowStyle Minimized}   # start a minimized capture with the network filter
function q {start-process .\procmon.exe -ArgumentList '/Terminate' -Verb RunAs}   # stop the running Procmon instance

  1. Start the Procmon capture (e.g. function 'p').
  2. Export the data from the Procmon interface to CSV format only (e.g. 'JustNetwork.csv').
  3. Terminate Procmon, or stop the capture from the interface or from PowerShell (e.g. function 'q').
  4. Import the data into an array: [array]$n=import-csv .\JustNetwork.CSV

So that $n[0] is:

Time of Day  : 8:40:40.7263831 PM
Process Name : svchost.exe
PID          : 484
Operation    : UDP Receive
Path         : ff02::1:2:dhcpv6-server -> rmfvpc:dhcpv6-client
Result       : SUCCESS
Detail       : Length: 72, seqnum: 0, connid: 0


$n[0..2]."Time of Day"
8:40:40.7263831 PM
8:40:40.8708796 PM
8:40:40.8709720 PM


$n[0..2].PID
484
4
4

Now choose two numerical fields to chart, making sure the X data is unique (the hashtable keys) and preferably sequential; Procmon's seven-digit fractional seconds work great! Then create a hashtable suitable for Microsoft Charting in PowerShell, using MS Charting either as a download or as it comes with the .NET 4.0 Framework. Use PowerShell's new ordered hashtable feature, the [ordered] attribute, to do this:

[ordered]@{XKey=YValue}

foreach ($i in (0..($n.count - 1))) {$hashdata+=[ordered]@{$n[$i]."Time of Day"=$n[$i].PID}}


Your data looks like this:
($hashdata | more)[0..20]



Name                           Value
----                           -----
5:44:48.6806780 AM             1896
5:44:48.7189591 AM             4
5:44:48.7190397 AM             4
5:44:48.8205623 AM             1896
5:44:49.0389037 AM             1896
5:44:49.2649718 AM             1896
5:44:49.2650074 AM             1896
5:44:49.4831550 AM             4
5:44:49.4832392 AM             4
5:44:49.5346115 AM             1896
5:44:50.7088010 AM             1896
5:44:50.7088479 AM             1896
5:44:50.7890861 AM             1896
5:44:50.7891464 AM             1896
5:44:50.9011721 AM             1896
5:44:50.9012164 AM             1896
5:44:51.3591575 AM             944
5:44:51.3633674 AM             944



Source the function :  '. .\Chart-hashdata.ps1'
Now chart the hashtable
chart-hashdata point 500 500 "Process IDs" TIME PID



Object array data is important and faster to process, but I cannot get it to chart:

$ArrayData=foreach ($i in (0..($n.count - 1))) {[ordered]@{$n[$i]."Time of Day"=$n[$i].Path.split('>')[1]}}

$ArrayData.gettype()


IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array


$ArrayData


Name                           Value
----                           -----
8:40:40.7263831 PM              rmfvpc:dhcpv6-client
8:40:40.8708796 PM              192.168.0.255:netbios-ns
8:40:40.8709720 PM              rmfvpc.rmfdevelopment.com:netbios-ns
8:40:41.6257380 PM              192.168.0.255:netbios-ns
8:40:41.6257937 PM              rmfvpc.rmfdevelopment.com:netbios-ns
8:40:42.3757645 PM              192.168.0.255:netbios-ns
8:40:42.3758202 PM              rmfvpc.rmfdevelopment.com:netbios-ns
8:40:44.0271291 PM              192.168.0.1:domain
8:40:44.0642094 PM              192.168.0.1:domain


$a=$ArrayData.Values | group | Sort -desc count | ft -auto Count,Name
$a


Count Name
----- ----
  144  RMFHOPE:microsoft-ds
   30  RMFHOPE:1029
   27  sea09s01-in-f21.1e100.net:https
   22  192.168.0.1:ssdp
   14  ec2-107-22-87-71.compute-1.amazonaws.com:ms-wbt-server
    6  RMFHOPE:epmap
    5  rmfvpc:dhcpv6-client
    3  rmfvpc.rmfdevelopment.com:netbios-ns
    3  224.0.0.252:netbios-ns
    3  239.255.255.250:netbios-ns
    3  192.168.0.255:netbios-ns
    3  192.168.0.1:netbios-ns
    3  224.0.0.252:llmnr
    2  sjc-not4.sjc.dropbox.com:http
    2  RMFHOPE:netbios-ns
    2  192.168.0.1:domain
    1  rmfvpc:65428
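The Path column is easier to summarise if it is parsed rather than split on '>'. The following is an added example, not code from the original post: it splits each Path on the ' -> ' arrow, splits endpoints on their last colon so IPv6 hosts such as ff02::1:2 survive, and treats the source as the remote side for Receive operations before counting remote endpoints per process. The CSV rows are constructed to mirror the export layout shown above, and the function names are my own.

```powershell
# Added example, not from the original post. Sample rows are constructed to match
# the column layout of Procmon's CSV export with the JustNetwork filter applied.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:40:40.7263831 PM","svchost.exe","484","UDP Receive","ff02::1:2:dhcpv6-server -> rmfvpc:dhcpv6-client","SUCCESS","Length: 72"
"8:40:44.0271291 PM","svchost.exe","1896","UDP Send","rmfvpc:52611 -> 192.168.0.1:domain","SUCCESS","Length: 40"
"8:40:44.0642094 PM","svchost.exe","1896","UDP Send","rmfvpc:52611 -> 192.168.0.1:domain","SUCCESS","Length: 40"
"8:40:45.1100000 PM","System","4","TCP Connect","rmfvpc:49203 -> RMFHOPE:microsoft-ds","SUCCESS","Length: 0"
"8:40:46.2200000 PM","mstsc.exe","3120","TCP Connect","rmfvpc:49210 -> ec2-107-22-87-71.compute-1.amazonaws.com:ms-wbt-server","SUCCESS","Length: 0"
'@

function Split-Endpoint {
    # Procmon writes endpoints as host:port (the port may be a service name).
    # IPv6 hosts contain colons, so split on the LAST colon only.
    param([string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    if ($i -lt 0) { return [pscustomobject]@{ Host = $Endpoint; Port = '' } }
    [pscustomobject]@{ Host = $Endpoint.Substring(0, $i); Port = $Endpoint.Substring($i + 1) }
}

function ConvertFrom-ProcmonNetworkRow {
    # Turn one imported CSV row into a flow record with the remote side resolved.
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        $ends = $Row.Path -split ' -> ', 2        # split on the arrow, not on '>'
        if ($ends.Count -ne 2) { return }          # skip rows without a "src -> dst" path
        $src = Split-Endpoint $ends[0].Trim()
        $dst = Split-Endpoint $ends[1].Trim()
        # For Receive/Accept operations the remote host is the SOURCE of the path.
        $remote = if ($Row.Operation -match 'Receive|Accept') { $src } else { $dst }
        [pscustomobject]@{
            Time      = $Row.'Time of Day'
            Process   = $Row.'Process Name'
            PID       = [int]$Row.PID
            Operation = $Row.Operation
            Remote    = '{0}:{1}' -f $remote.Host, $remote.Port
        }
    }
}

function Get-RemoteSummary {
    # Count flows per (process, remote endpoint), most frequent first.
    param([Parameter(ValueFromPipeline)]$Flow)
    begin { $flows = @() }
    process { $flows += $Flow }
    end {
        $flows | Group-Object Process, Remote | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{ Count = $_.Count; Process = $_.Group[0].Process; Remote = $_.Group[0].Remote }
        }
    }
}

$flows = $sampleCsv | ConvertFrom-Csv | ConvertFrom-ProcmonNetworkRow
$flows | Get-RemoteSummary | Format-Table -AutoSize
```

Keying the counts by process rather than by destination alone is what lets a remote-desktop (ms-wbt-server) or SMB (microsoft-ds) flow from an unexpected process stand out; to chart it, the Remote column can feed the same [ordered] hashtable construction used above, keeping in mind that [ordered]@{} rejects duplicate keys.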


Tuesday, June 19, 2012

What Gets Measured, Matters

I received the latest issue of my alumni magazine, Checkpoints, today. It's graduation season, so the content included statistics about the latest graduating class as shown at right.

This relates to a recent post, Whither United States Air Force Academy?, where I said the skill most needed to help grow the nation is digital defense.

The statistics the Checkpoints editors chose to print, however, reminded me of the Academy's current focus. Notice that between the demographic information and the "fun facts" we see details on so-called "rated officers," reprinted below:

  • 529 total rated graduates
  • 490 pilots
  • 8 combat systems operators
  • 2 air battle managers
  • 29 unmanned aerial system pilots

To me, these statistics reflect the idea that "what gets measured, matters." Clearly the bias at USAFA continues to be towards flying. I get the "Fly, Fight, Win" message. I repeat it often at inappropriate times thanks to effective brainwashing techniques.

Imagine what the list might look like if a different paradigm operated:

  • 529 total cyber operators
  • 107 computer network defenders (generic category)
  • 102 incident responders
  • 101 developers (secure coding focus)
  • 98 reverse engineers
  • 84 forensic investigators
  • 37 offensive specialists

...or something like that. Don't dwell on the categories or counts: focus on the message. Could you imagine a military academy producing young people with skills like that? Imagine the impact they could have inside and outside the military. Think of the growth in civil aviation after World War II thanks to the influx of former military pilots.

Seeing statistics like I created will be a signal that we have a chance of winning the ongoing cyberwar.

Saturday, June 16, 2012

Flame Hypocrisy

I liked Kurt Wismer's post Flame's Impact on Trust. He says:

if you haven't watched it yet, i encourage you to check out the video of chris soghoian's talk at personal democracy forum 2012. the TL;DR version is that, because it compromised the microsoft update channel, the flame worm damaged our trust in automatic updates and that's a bad thing because automatic updates have done so much good for consumer security.

mikko hypponen is even reported to be planning to write a letter to barack obama to ask him to stop the US government from doing this sort of thing again.

Kurt links to this story US Government Behind Flame Virus According to Expert with choice quotes like this:

Hypponen believes that making Microsoft digital certificates untrustworthy in the eyes of some of the 900 million Windows users around the globe is a very serious and worrying move...

Hypponen told IBTimes UK that he was planning on writing an open letter to Barack Obama this week to say: "Stop taking away the trust from the most important system we have, which is Microsoft Windows Updates."

To be blunt, this is one of the dumbest arguments I've ever heard. I don't think this is the right approach. The reason is simple:

If a "security researcher" discovered and weaponized the vulnerability, the argument would be totally different.

The security research community would be pointing at Microsoft for being at fault for developing such vulnerable software and processes. The "security researcher" would present his or her findings at a major security conference and receive rock star treatment. Those promoting "full disclosure" would push back on any attempts to contain information about the attack. And so on...

The bottom line is that a "security researcher" discovered and weaponized the vulnerability. Critics should start with that fact and let their normal security instincts take over.

Update: I struck the inflammatory language because I didn't intend for this post to be interpreted as a personal attack. To be honest I was feeling ornery after my early morning flight was cancelled, and an eight hour wait at the airport wasn't doing my mood any favors. Sorry Mikko and Chris!

Saturday, June 09, 2012

Whither United States Air Force Academy?

Thomas Ricks' post Does the Air Force Academy have ‘the least educated faculty’ in the country? inspired me to write this post. Mr. Ricks cited a story by Jeff Dyche, a former USAFA professor who cited a litany of concerns with the USAFA experience. I graduated from the Air Force Academy in 1994, ranked third in my class of 1024 cadets, and proceeded to complete a master's degree at Harvard in 1996. In my experience, at least in the early 1990s, USAFA faculty were as good, or better, than Harvard faculty. I considered the nature and volume of my graduate courses to be simple compared to my USAFA classes. When several fellow graduate students broke into tears after learning what the Harvard faculty expected of them, I couldn't believe how much easier the classes were going to be!

Rather than address points made by Ricks and Dyche, I prefer to focus on a theme that appears every few years: "why does the nation need service academies?" To provide one answer to this question, I'm going to draw on some lessons from a biography I'm reading called Grant by Jean Edward Smith. As you probably know, US Grant was a West Point graduate. According to Smith, during Grant's time as a cadet, West Point was one of only two schools in the nation that trained graduates as civil engineers. According to West Point in the Making of America:

Following the example of the famous French engineering and artillery schools that the army had sent him to study, [Superintendent] Thayer made West Point America's national engineering school. West Point combined officer training with a highly technical undergraduate education...

Engineering itself became the army’s elite branch of service, the first choice by those who ranked highest in a graduating class. Lower-ranking cadets went to the cavalry, infantry, and other branches. West Point also became the nation's major source of civil engineers and of engineering educators. In the three decades before the Civil War, West Pointers as teachers, writers, and practitioners fostered science and engineering at Cornell, Harvard, Yale, and other colleges.

So, beyond just producing professional military officers, West Point met the country's exploding demand for civil engineers. As Smith says:

[A]s the nation moved westward, the demand for engineers grew steadily. For that reason, few of the young men who went to West Point did so with the intention of making the Army a career. It was no disgrace to resign from the service to take a better civilian position, and of the 1058 cadets who graduated from the academy between its inception in 1802 and 1839, only 395 remained on active duty.

I believe West Point's experience in the early 1800s could serve as an example for USAFA in this century. Few would advocate closing USAFA if it produced graduates with skills seldom found elsewhere, meeting another exploding demand. It seems to me that the skill most needed to help grow the nation is digital defense. This requirement takes many forms, including secure coding, infrastructure design/construction/operation, incident detection and response, forensics, threat intelligence and adversary characterization, malware analysis and reverse engineering, counter-threat operations, and related fields. With the proper leadership, faculty, and determination, USAFA could differentiate itself as the nation's premier "cyber school," with an integrated curriculum focusing on securing cyberspace -- both in the military and government or private sectors.

This change doesn't require shifting all Academy resources to the cyber mission, but I would admit far greater numbers of cyber-affiliated candidates and radically beef up the Academy's cyber program. There is a precedent: in 1990 when I was admitted, I was one of the approximately 150 freshmen (out of about 1,500 total freshmen) who lacked 20/20 vision. 90% of my class was "pilot qualified" because the demand for pilot training was projected to be high by 1994.

If USAFA became known as "the" school for cyber, accepting that not all graduates intend to serve a twenty year Air Force career, I doubt the school would suffer so many questions of relevance and cost.

Charting ordered Hash Data from the Security Event Log

# RMF Network Security Friday, June 08, 2012  PS CTP3V2
# See http://thinking-about-network-security.blogspot.com/2012/03/evtsys-actually-auditpol-and-auditusr.html
# for the auditpol configuration that accumulates the (Security) kernel counters.
# do.txt holds the findstr search strings, one per line:
#   New Process Name:
#   Destination Address
# See the MS Charting derived function 'Chart-hashdata'

# Clear any leftovers from a previous run.
Remove-Variable HashData, ArrayData -ErrorAction SilentlyContinue
# Pull the last 1000 Security events, keep process creation (4688) and Windows
# Filtering Platform permit/block (5156/5157) events, and grep each message for
# the lines listed in do.txt.
[array]$ArrayData = Get-WinEvent -LogName Security -MaxEvents 1000 |
    Where-Object { $_.Id -eq 4688 -or $_.Id -eq 5156 -or $_.Id -eq 5157 } |
    Select-Object TimeCreated, RecordId, Id,
        @{Name = 'MessageString'; Expression = { ($_.Message | findstr /G:do.txt) }}
# Ordered hashtable keyed by record number (unique and sequential) with the event ID as value.
foreach ($i in $ArrayData) { $HashData += [ordered]@{ $i.RecordId = $i.Id } }
Chart-hashdata line 500 500 "Security Log Audits: New Process and Destination Address Events" Events "EventIDs 4688 or 5156 or 5157"

PS C:\ps1\CTPv3> $Arraydata[0..10] | ft -auto

TimeCreated          RecordId   Id MessageString
-----------          --------   -- -------------
5/30/2012 2:11:35 PM 44766425 4688     New Process Name:    C:\Windows\SysWOW64\auditpol.exe
5/30/2012 2:11:35 PM 44766424 4688     New Process Name:    C:\cygwin\bin\bash.exe
5/30/2012 2:11:26 PM 44766423 5156     Destination Address:    127.0.0.1
5/30/2012 2:11:26 PM 44766422 4688     New Process Name:    C:\Windows\SysWOW64\auditpol.exe
5/30/2012 2:11:26 PM 44766421 4688     New Process Name:    C:\cygwin\bin\bash.exe
5/30/2012 2:11:25 PM 44766420 5156     Destination Address:    ff02::1:2
5/30/2012 2:11:19 PM 44766418 5156     Destination Address:    192.168.0.1
5/30/2012 2:11:19 PM 44766417 5156     Destination Address:    192.168.0.1
5/30/2012 2:11:19 PM 44766416 5156     Destination Address:    192.168.0.1

PS C:\ps1\CTPv3> $ArrayData.ID | group | Sort -desc -property Count

Count Name                      Group
----- ----                      -----
  824 5156                      {5156, 5156, 5156, 5156...}
   23 4688                      {4688, 4688, 4688, 4688...}
    7 5157                      {5157, 5157, 5157, 5157...}

PS C:\ps1\CTPv3> ($Hashdata | more)[0..10]

Name                           Value
----                           -----
44766425                       4688
44766424                       4688
44766423                       5156
44766422                       4688
44766421                       4688
44766420                       5156
44766418                       5156

foreach ($i in $ArrayData){$i | export-csv -notype -append ArrayData.csv}

PS C:\ps1\CTPv3> more ArrayData.csv
"TimeCreated","RecordId","Id","MessageString"
"5/30/2012 2:11:35 PM","44766425","4688","      New Process Name:       C:\Windows\SysWOW64\auditpol.exe"
"5/30/2012 2:11:35 PM","44766424","4688","      New Process Name:       C:\cygwin\bin\bash.exe"
"5/30/2012 2:11:26 PM","44766423","5156","      Destination Address:    127.0.0.1"
"5/30/2012 2:11:26 PM","44766422","4688","      New Process Name:       C:\Windows\SysWOW64\auditpol.exe"
"5/30/2012 2:11:26 PM","44766421","4688","      New Process Name:       C:\cygwin\bin\bash.exe"
"5/30/2012 2:11:25 PM","44766420","5156","      Destination Address:    ff02::1:2"