Mandiant: has the leopard changed its spots in its first major report since being acquired by FireEye

April 10, 2014 Leave a comment

The Mandiant M-Trends 2014 Threat Report: Beyond the Breach, published today, is Mandiant’s first report since its acquisition by FireEye. Mandiant is a technically competent company (it was one of the original four companies chosen by GCHQ to take part in the pilot incident response scheme); but for me it is also a politically suspect company. The latter stems from its famous or infamous APT1 report from just over a year ago. That report very clearly accused the Chinese government of being involved with the APT1 hacking group, which it said was part of the People’s Liberation Army Unit 61398. This was at a time when it was politically expedient for the US government to hype the cyber terrorism threat, and to particularly challenge China. No other security expert or company that I have spoken to has ever suggested that it is possible to be so certain about the precise source of a cyber attack.

So I consider that there are two aspects to this new report worthy of consideration: firstly its content because of Mandiant’s expertise; and secondly, any political over- or undertones following the takeover by the more circumspect and therefore believable FireEye.

Jason Steer, director of technology strategy, FireEye

Jason Steer, director of technology strategy, FireEye

There are five sections to this report. Jason Steer, director of technology strategy (from the FireEye pedigree) guided me through them: some general statistics; a closer look at Syrian Electronic Army activities followed by an evaluation of ‘suspected’ Iranian activities; a look at financial attacks with particular focus on the retail industry; and then what amounts to a defence of the APT1 report.

The statistics come from Mandiant customers, but Jason pointed out that doesn’t mean only large companies. “Some of our customers have as few as 200 users,” he told me. It’s not the size of the company that would warrant FireEye/Mandiant involvement, but the value of the data to be protected. He mentioned small companies that might have a highly valuable Trading Floor algorithm to protect, or a patent on the transmission of power via laser.

Those statistics appear to show a very slight improvement in the state of security. Compromises are being detected up to two weeks faster than they were in 2012; but against this the number of breaches detected by the breached company is down from 37% to 33%. 67% of victims were warned of the breach by an outside source, sometimes a bank or financial institution, but “Law enforcement is one of the primary sources,” Jason told me. Agents watch and monitor the underground chat rooms, pick up hints and warn the victim. (Of course, if the victim is particularly unlucky, discovery may come via Brian Krebs and Hold Security and be exposed to the world via KrebsOnSecurity.)

spacer

mandiantstats

spacer

One conclusion from the statistics could be that criminals and malware are getting better at hiding themselves on the network; but that law enforcement has become even better at infiltrating underground chat rooms.

The section on the Syrian Electronic Army provides additional lesser known facts about SEA’s methods. It is often suggested that SEA is unsophisticated and technically inferior to other groups. We don’t actually know this because it has been very successful in what it does and what it seeks: compromise sites and accounts for propaganda purposes. It needs little more than successful phishing, and its phishing has been very successful.

SEA“Since its inception in 2011,” reports Mandiant, “the SEA has successfully infiltrated more than 40 organizations, primarily targeting the websites and social media accounts of major Western news agencies.” But the effort used to do this is revealing. In one particular incident, Mandiant says, “All told, the SEA sent thousands of phishing emails to a large number of employees over the span of three hours. Despite having a success rate of only 0.04%, the phishing emails still allowed the SEA to harvest the credentials necessary to access the targeted resources. Within two hours of the first phishing email, the SEA obtained credentials for the news agency’s main website.”

The next section, Iran-based Activity, is particularly interesting since it gives clues on whether the Mandiant leopard has changed its spots. Mandiant had been called in to investigate a suspected breach at a state government office. Its investigation led it to believe that the attackers were probably Iran-based and not particularly competent.

Mandiant’s observations of suspected Iranian actors have not provided any indication that they possess the range of tools or capabilities that are hallmarks of a capable, full-scope cyber actor. They rely on publicly available tools and capitalize solely on Web-based vulnerabilities — constraints that suggest these cyber actors have relatively limited capabilities.

I put it to Jason that this is exactly how I would behave if I were a third-party agency, perhaps beginning with N or G, who for political purposes wished firstly to be discovered, and secondly to implicate Iran. “Absolutely,” he replied. “That’s why we have said ‘suspected’ Iranian involvement.” When you read this section you get the overwhelming feeling that Mandiant is accusing Iran – but when you examine the content you find the word ‘suspected’ repeated eight times (out of a total of nine throughout the whole document) at strategic points. It is, one might almost say, a suspected semantic insertion after the event.

If this sounds like a paranoid conspiracy theory, I would briefly refer you back to the very first page of the report. It says, “With no diplomatic solution in sight, the ability to detect and respond to attacks has never been more important.” You cannot have a diplomatic solution to criminal activity. I suspect, then, that this report was always, or at least originally, intended to highlight the type of state-sponsored activity that could be swayed by diplomacy. If this is the case, a primary purpose of the report was to accuse Iran of state-sponsored cyberwar – and the leopard has not yet changed its spots.

This conclusion is possibly confirmed by the final section of the report which is an analysis of the period since Mandiant’s APT1 report last year. It starts with that ninth use of the word ‘suspected’: “January 2013 marked the first large-scale public disclosure that an advanced persistent threat (APT) group with suspected ties to the People’s Republic of China (PRC) had compromised a key U.S. media company: The New York Times.” The rest of the section, however, amounts to a renewal of the original accusations and a robust defence of Mandiant’s of conclusions.

Despite the recent accusations and subsequent international attention, APT1 and APT12’s reactions indicate a PRC interest in both obscuring and continuing its data theft. This suggests the PRC believes the benefits of its cyber espionage campaigns outweigh the potential costs of an international backlash.

My reading of this report is that Mandiant still wishes to name and shame political opponents to the United States; but that it is being reined in somewhat by FireEye proof readers. If this is the case, I wish FireEye all success in doing so. Mandiant’s technical expertise is overshadowed by doubts over its political desires – and that is a huge shame. The information that Mandiant is otherwise able to give security defenders is too valuable and useful to be lost to such concerns. That missing fourth section, for example, includes the warning that average criminals are mass compromising systems, and then selling on the cherries to more advanced and organized gangs who take over the initial entry point with more sophisticated and stealthy malware intent on long-term compromise and data exfiltration. Such insights will only serve to improve industry’s overall security stance by helping to formulate and guide more effective defensive policies.

Categories: All, Politics, Security Issues

The Heartbleed bug and SSL implementations

April 9, 2014 1 comment

heartbleedlogoLike the tree falling in the forest, we simply do not know if the Heartbleed bug was ever exploited. The problem is that exploiting it makes no sound.

The Heartbleed bug is a fault in the implementation of the Heartbeat extension to OpenSSL. The effect is to expose up to 64kb of supposedly encrypted traffic in plaintext. That plaintext would likely include the encryption keys, user credentials (ID and password) and message content. But exploiting the bug leaves no trace in the logs, so in theory it could have been used by hackers at any time or ever since the flaw was introduced several years ago.

This potential problem is huge. “Just one application that uses OpenSSL, Apache, is used to run 346 million public websites or about 47 percent of the Internet today” explains Kevin Bocek, Vice President, Security Strategy & Threat Intelligence at Venafi. “And the problem is even larger since this doesn’t include the tens of millions of behind-the-firewall applications, devices and appliances that run Apache and use OpenSSL.”

An update to OpenSSL has been released, and hopefully the faulty implementations are being fixed. The encryption keys are being changed and all should be well soon. But will it?

Once the SSL keys are known, then all previous messages could be decrypted. So if any attacker has been sniffing and storing messages, and has at any time obtained those keys, then those stored messages could be decrypted (unless forward secrecy – which provides new keys for each message – was being used). Forward secrecy is only now becoming more popular for precisely such a concern.

The elephant, of course, is the NSA and GCHQ (and to a lesser extent probably every other national intelligence agency in the world). On the plus side, there is no indication in the Snowden files released so far to suggest that the NSA knew about or used this bug. The downside is that unless they wrote about it, we would probably never know.

Meanwhile, researchers have been trying to discover which services use vulnerable versions of OpenSSL and have put their users at risk. Filippo Valsorda produced a test site to check whether particular sites are vulnerable. “Very quickly, it became clear that popular sites like Google, Facebook, Twitter, Dropbox, were not affected, but other sites (for instance, dating site OKCupid, Imgur, Flickr, Stackoverflow and Eventbrite) were at risk,” commented Graham Cluley this morning.

More worrying, however, is that Yahoo was affected (although it has been fixed now). The problem with Yahoo is that we know that GCHQ had been intercepting and storing Yahoo traffic.

Qualys has also added Heartbleed detection to its SSL test site. The advantage of this site is that it provides a detailed analysis of a website’s overall SSL implementation. The two graphics show summary the results from Yahoo (after fixing Heartbleed: A) and a site operated by a major security company (which should really do better: F).

spacer

YahooSSL

spacer

otherSSL

spacer

Although Yahoo has now fixed the Heartbleed bug, Yahoo users should all consider changing their passwords – just in case.

Categories: All, Security Issues

The Federal Financial Institutions Examination Council mandates DDoS preparedness

April 8, 2014 Leave a comment

The Federal Financial Institutions Examination Council (FFIEC) made it clear last week that US financial institutions are now expected “to address DDoS readiness as part of ongoing information security and incident response plans.” There are six specific requirements:

  1. maintain ongoing assessment of the risk
  2. monitor traffic to detect attacks
  3. activate an incident response plan if an attack is suspected
  4. ensure adequate staffing for the duration of an attack and consider hiring third-party services
  5. consider sharing information with organizations such as the Financial Services Information Sharing and Analysis Center and law enforcement
  6. evaluate any gaps in the response following an attack and adjust risk management accordingly

This is good advice that should be followed by all companies. The danger is that it is a response to the Izz ad-Din Al Qassam Cyber Fighters who attacked US banks over a year ago over the offensive Innocence of Muslims video film – the advice is for financial institutions following attacks on financial institutions; and other companies could believe the threat is only towards financial institutions. This is far from reality – all companies, including SMBs – must now prepare their defences against DDoS attacks.

The second weakness is that the advice is primarily about recognizing attacks and learning from attacks. There is nothing about coping with or mitigating attacks that are in progress. This is despite the very clear warning from the FFIEC on the effects of DDoS:

These attacks caused slow website response times, intermittently prevented customers from accessing institutions’ public websites, and adversely affected back-office operations. In other cases, DDoS attacks served as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.
Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources

The Izz ad-Din Al Qassam attacks were pure hacktivism. They attacked the banks to punish the West for insulting Islam. They even had a formula that worked out bank downtime costs in relation to video views. But other DDoS attacks on other companies can have purely criminal motivations, including extortion and attacks by competitors – and all internet companies need to be ready to defend themselves.

Nevertheless, while these requirements don’t offer or advise any specific DDoS mitigation approach, they could lead the institutions towards one. “We believe that mandated controls, like those proposed by the Federal Financial Institutions Examination Council (FFIEC) will drive organizations to take proactive steps to regaining control of their online presence,” explained Ashley Stephenson, CEO of Corero Network Security (a DDoS mitigation company). “These mandates, at a minimum offer guidance for Financial Institutions for appropriate DDoS activity monitoring and adequate incident response planning, this will ultimately lead to the deployment of more effective DDoS defence solutions.”

The DDoS threat has now grown to such an extent that DDoS mitigation should be seen as one of the must-do’s of security – along with staples like anti-virus and data loss prevention – and this is a good starting point.

Categories: All, Security Issues

United States Trade Representative threatens the EU

April 7, 2014 Leave a comment

UsvsEUThe United States is accustomed to getting its way internationally through trade threats. One method is the Special 301 Report Watch List, which is an annual list of countries which the US believes are failing in their duties towards copyright protection (specifically, US copyright protection). Once included in the Priority Watch List, a foreign country is liable for legal and/or trade sanctions. The Special 301 Report is compiled by the Office of the United States Trade Representative (USTR), and is seen as a method of bullying recalcitrant nations into conformity with US preferences.

This is not the only annual report from the USTR. It also produces the Section 1377 Review which examines international compliance with telecommunications trade agreements. This too, perhaps because it has become entrenched in the USTR way of doing business, can take a bullying tone. The latest report was released on Friday – but I would suggest that it thinks again if it believes it can bully the European Union at this stage of EU/US relations.

Background
Following the Snowden revelations on NSA/GCHQ spying, the now former head of Deutsche Telekom, René Obermann, proposed in November 2013 that Europe should establish a Schengen-routing and Schengen-cloud. The idea was that any communication from one point in Europe to another point in Europe should never leave Europe; and that personal European data should remain within Europe. This latter would effectively remove the existing safe harbour agreement with the US.

‘Schengen’ was chosen specifically as a mechanism for excluding the UK. The Schengen Area comprises 26 European countries that have abolished border control for Europeans between common borders – the UK has always remained outside of this agreement. As Die Welt described in March, the ‘Schengen-routing’ is intended to be “a defensive measure against the encroachments of the Anglo-Saxon intelligence on European internet users.”

Germany’s Angela Merkel and France’s François Hollande (that is, the central axis of the European Union) have declared support for the idea.

USTR’s Section 1377 Review
At the end of last week the USTR released its 2014 Section 1377 Review. On cross-border data flows it has two concerns: Turkey and the EU.

In Turkey, in the run-up to the recent local elections (‘won’ by Prime Minister Erdogan’s AKP party) and ahead of the presidential elections in August, the government has been tightening its grip on and control over the internet. USTR is concerned over restrictions on data flows and will seek “to ensure that data flows supporting legitimate trade can expand unimpeded.”

In Europe, the report notes that

DTAG [Deutsche Telekom AG] has called for statutory requirements that all data generated within the EU not be unnecessarily routed outside of the EU; and has called for revocation of the U.S.-EU “Safe Harbor” Framework, which has provided a practical mechanism for both U.S companies and their business partners in Europe to export data to the United States, while adhering to EU privacy requirements.

Well, obviously, this is a false statement. The safe harbour agreement requires that US companies holding European data do not pass that data to any third-party – but clearly they do pass it to the NSA and law enforcement. The report continues,

The United States and the EU share common interests in protecting their citizens’ privacy, but the draconian approach proposed by DTAG and others appears to be a means of providing protectionist advantage to EU-based ICT suppliers. Given the breath [sic] of legitimate services that rely on geographically-dispersed data processing and storage, a requirement to route all traffic involving EU consumers within Europe, would decrease efficiency and stifle innovation. For example, a supplier may transmit, store, and process its data outside the EU more efficiently, depending on the location of its data centers. An innovative supplier from outside of Europe may refrain from offering its services in the EU because it may find EU-based storage and processing requirements infeasible for nascent services launched from outside of Europe.

This is riddled with emotive language and inaccuracies. Draconian? Protectionist advantage? (Now I freely accept that DTAG will be looking for commercial opportunities, and that it is not a company I personally wish to use. From personal experience, I will never have dealings with T-Mobile again. But it is interesting that it seems to be willing to trade the US market for the European market.)

And the inaccuracies… Europeans would suggest that the US has shown scant regard for anyone’s privacy, while it is the US that delivers protectionist advantage (sometimes via economic espionage) to its own companies. Secondly, it completely misrepresents the proposals. European point-to-point communications should stay within Europe (that’s the ‘routing’); while personal data should not leave Europe (that’s the ‘cloud’). But the USTR is lumping the two together into some form of balkanised European intranet completely cut off from the rest of the internet. In reality, it should have little effect on legitimate trade between the EU and US.

It is not, for example, nearly as draconian as the US exclusion of Huawei from the US markets without any proof of actual threat (other than economic).

Then comes the USTR threat:

Furthermore, any mandatory intra-EU routing may raise questions with respect to compliance with the EU’s trade obligations with respect to Internet-enabled services. Accordingly, USTR will be carefully monitoring the development of any such proposals.

In reality we should not take this too seriously. It’s a form of lobbying – perhaps the first of much more to come – and we already know that USTR is not averse to lobbying on behalf of US industry. But it does show that the US is beginning to take the Schengen threat seriously. The UK should too. In the meantime, it should be said that US industry is not without its European allies. Neelie Kroes, the European Commissioner in charge of the European Digital Agenda, has said: “It’s not realistic that we can keep data in the EU, and the trial could jeopardize the open Internet.” Neelie Kroes is the commissioner who recently tried to redefine ‘net neutrality’ to suit big telecoms companies, only to have her definition rejected by the European Parliament.

Categories: All, Politics, Security Issues
Follow

Get every new post delivered to your Inbox.

Join 127 other followers