SE Labs

Posts filed under 'nsa'

Anatomy of a Phishing Attack

phishing_magnifying_glass_fi-3673555Who attacked a couple of Internet pressure groups earlier this year? Jon Thompson examines the evidence.

For those on those of us engaged in constructing carefully-crafted tests against client email filtering services, the public details of an unusually high-quality spear-phishing attack against a low value target make for interesting reading.

In this case, there were two targets: Free Press, and Fight for the Future. The attack, dubbed “Phish for the Future” in a brief analysis by the Electronic Frontier Foundation, is curious for several reasons.

Free Press is a pressure group campaigning for an open internet, fighting media consolidation by large corporations, and defending press freedom. Fight for the Future works to protect people’s basic online freedoms. Objectively, they’re working for a better online future, which makes the whole affair stand out like a pork buffet at a bar mitzvah.

The first thing that struck me was that the emails were apparently all sent during office hours. The time zones place the senders anywhere between Finland and India, but apparently resolve to office hours when normalised to a single zone.

Another interesting aspect is that even though the emails were sent on 23 active days, the attackers didn’t work weekends. This immediately marks them out as unusual. Anyone who’s run an email honeypot knows that commodity spam flows 24 hours a day.

The attackers first tried generic phishing expeditions, but quickly cranked up their targeting and psychological manipulation. This begs an interesting question: If you’re an experienced, professional, disciplined crew, why jeopardise the operation by beginning with less convincing samples that may alert the target to be on the lookout? Why didn’t they simply start with the good stuff, get the job done, and move on?

One possible explanation is that the attackers were trainees on a course, authorised to undertake a carefully controlled “live fire” exercise. Psychologically manipulative techniques such as pretending to be a target’s husband sending family photos, or a fan checking a URL to someone’s music, imply a level of confident duplicity normally associated with spying scandals.

The level of sophistication and persistence on display forms a shibboleth. It looks and smells somehow “wrong”. The published report reveals an attention to detail and target reconnaissance usually reserved for high value commercial targets. Either the attackers learn at a tremendous rate
through sheer interest alone, or they’re methodically being taught increasingly sophisticated techniques to a timetable. If it was part of a course, then maybe the times the emails were sent show a break for morning coffee, lunch and afternoon tea, or fall into patterns of tuition followed by practical exercises.

phishing2b-6448783The timing of the complete attack also stands out. It began on 7th July, ended on 8th August, and straddled the Net Neutrality Day of Action (12th July). With a lot happening at both targets during that time, and one assumes a lot of email flying about, perhaps the attackers believed they stood a better chance when the staff were busiest.

So, to recap, it looks like highly motivated yet disciplined attackers were operating with uncommonly sophisticated confidence against two small online freedom groups. Neither target has the business acumen of a large corporation, which rules out criminal gain, and yet an awful lot of effort was ranged against them.

The product of phishing is access, either to abuse directly or to be sold to others. Who would want secret access to organisations campaigning for online freedom? Both targets exist to change minds and therefore policy, which makes them political. They’re interesting not only to governments, but also to media companies seeking to control the internet.

I’m speculating wildly, of course. The whole thing could very easily have been perpetrated by an under-worked individual at a large company, using their office computer and keeping regular hours to avoid suspicion. The rest is down to ingenuity and personal motivation.

We’ll never know the truth, but the supporting infrastructure detailed in the EFF report certainly points to some considerable effort over a long period of time. If it was an individual, he’s out there, he’ll strike again, and he learns fast. In many ways, I’d prefer it to have been a security service training new recruits.

Quantum Inside?

c0096943-quantum_computer_core-800x533-1387070

Is this the dawn of the quantum computer age? Jon Thompson investigates.

Scientists are creating quantum computers capable of cracking the most fiendish encryption in the blink of an eye. Potentially hostile foreign powers are building a secure quantum internet that automatically defeats all eavesdropping attempts.

Single computers far exceeding the power of a hundred supercomputers are within humanity’s grasp. 

Are these stories true, as headlines regularly claim? The answer is increasingly yes, and it’s to China we must look for much current progress.

The Quantum Internet
Let’s begin with the uncrackable “quantum internet”. Sending messages using the properties of the subatomic world has been possible for years; it’s considered the “gold standard” of secure communications. Chinese scientists recently set a new distance record for sending information using quantum techniques when they transmitted data 1,200Km to a special satellite. What’s more, China is implementing a quantum networking infrastructure.

QuantumCTek recently announced it is to deploy a network for government and military employees in the Chinese city of Jinan, secured using quantum key distribution. Users will send messages encrypted by traditional means, with a second “quantum” channel distributing the associated decryption keys. Reading the keys destroys the delicate state of the photons that carry them, so it can only be done once by the recipient, otherwise the message cannot be decrypted and the presence of an eavesdropper is instantly apparent.

The geopolitical implications of networks no foreign power can secretly tap are potentially immense. What’s scarier is quantum computers cracking current encryption in seconds. What’s the truth here?

Encryption Under threat
Popular asymmetric encryption schemes, such as RSA, elliptic curve and SSL, are under threat from quantum computing. In fact, after mandating elliptic curve encryption for many years, the NSA recently declared it potentially obsolete due to the coming quantum computing revolution.

Asymmetric encryption algorithms use prime factors of massive numbers as the basis for their security. It takes a supercomputer far too long to find the right factors to be useful, but it’s thought to be easy for a quantum algorithm called Shor’s Algorithm.

For today’s strong symmetric encryption, such as AES and Blowfish, which use the same key to encrypt and decrypt, the news is currently a little better. It’s thought that initially, quantum computers will have a harder time cracking these, only really halving the time required by conventional hardware. So, if you’re using AES with a 256-bit key, in future it’ll be as secure as a 128-bit key.

A Quantum Leap

2000q2bsystems2bin2blab2bfor2bwebsite-9704561

How far are we from quantum computers making the leap from flaky lab experiments to full production? The answer depends on the problem you want to solve, because not all quantum computers are the same. In fact, according to IBM, they fall into three classes.

The least powerful are quantum annealers. These are available now in the form of machines from Canada’s D-Wave. They have roughly the same power as a traditional computer but are especially good at solving optimisation problems in exquisite detail.  Airbus is already using this ability to increase the efficiency of wing aerodynamics.

More powerful are analogue quantum computers. These are much more difficult to build, and IBM thinks they’re about five years away. They will be the first class of quantum computers to exceed the power of conventional machines. Again, they won’t run programs as we think of them, but instead will simulate incredibly complex interactions, such as those found in life sciences, chemistry and materials science.

The most powerful machines to come are universal quantum computers, which is what most people think of when discussing quantum computers. These could be a decade or more away, but they’re coming, and will be exponentially more powerful than today’s fastest supercomputers. They will run programs as we understand them, including Shor’s Algorithm, and will be capable of cracking encryption with ease. While they’re being developed, so are the programs they’ll run. The current list stands at about 50 specialised but immensely powerful algorithms. Luckily, there are extremely complex engineering problems to overcome before this class of hardware becomes a reality.

Meanwhile, quantum computer announcements are coming thick and fast.

IBM has announced the existence of a very simple device it claims is the first step on the path to a universal quantum computer. Called IBM Q, there’s a web portal for anyone to access and program it, though learning how and what you can do with such a device could take years.

Google is pursuing the quantum annealing approach. The company says it plans to demonstrate a reliable quantum chip before the end of 2017, and in doing so will assert something called “quantum supremacy“, meaning that it can reliably complete specialised tasks faster than a conventional computer. Microsoft is also in on the action. Its approach is called StationQ, and the company been quietly researching quantum technologies for over a decade.

Our Universal Future

types-quantum-computers-7915887

While there’s still a long way to go, the presence of industry giants means there’s no doubt that quantum computers are entering the mainstream, but it’ll probably be the fruits of their computational power that we see first in everyday life rather than the hardware itself. So, solutions to currently difficult problems and improvements in the efficiency of everything from data transmission to batteries for electric cars could start appearing.

Life will really change when universal quantum computers finally become a reality. Be in no doubt that conventional encryption will one day be a thing of the past. Luckily, researchers are already working on so-called post-quantum encryption algorithms that these machines will find difficult to crack.

As well as understandable fears over privacy, and even the rise of quantum artificial intelligence, the future also holds miracles in medicine and other areas that are currently far from humanity’s grasp. The tasks to which we put these strange machines remains entirely our own choice. Let’s hope we choose wisely.

Inside the CIA…

cia-ioc-9786148

Who is behind the CIA’s hacking tools? Surprisingly ordinary geeks, it seems.

At the start of March came the first part of yet another Wikileaks document dump, this time detailing the CIA’s hacking capabilities. The world suddenly feared spooks watching them through their TVs and smartphones. It all made for great headlines.

The Agency has developed scores of interesting projects, not to mention a stash of hitherto unknown zero day vulnerabilities. The dump also gives notes on how to create well-behaved, professional malware that stands the least chance of detection, analysis and attribution to Langley. We’ve also learned some useful techniques for defeating antivirus software, which the Agency calls Personal Security Products (PSPs).

There’s also a deeper tale to tell. It’s about the personalities behind the redacted names working on these tools and techniques. They don’t seem so different from anyone else working in infosec.

User #524297 says he is a “Coffee addict, Connoisseur of International Barbecues, and Varied Malt Beverage Enthusiast.” Thanks to his comments, we know an ex-boss (nicknamed “Panty-Raider”) was considered “really odd”. Another had a large, carved wooden desk that went with him from job to job.

User #524297 also maintains a page dedicated to some interesting ideas. One is to use the OpenDNS DNSCrypt service to hide DNS requests emanating from a compromised host.

Another fun-loving User is #71473. He has a page called “List of ideas for fun and interesting ways to kill/crash a process“, which enumerates a dozen homebrew techniques and variations. Most are still at the concept stage, but under the list of uses to which they may be put, he includes “Knockover (sic) PSPs” and “Troll people”.

He also describes several proof-of-concept tools for his process crashing techniques. One is called DisorderlyShutdown, which waits a programmable amount of time (plus a random offset to make things seem natural) to select a random process to crash in the hope of leading to “data loss and gnashing of teeth”. Another is WarheadsToForeheads, which attempts to crash processes. About this tool, he says: “Considering making this an infinite enumeration to squash all user processes and make the user experience especially horrific.”

Revealingly, User #71473 also likes to hack the home pages of other Users: ” Its 11:30… time to deface people’s unprotected user pages…”

User #11628962 was deeply impressed by Subramaniam and Hunt’s “Practices of an Agile Developer”, and went to great lengths to enumerate the principles behind the work for others in his group. 

Meanwhile, we learn that User # 71475 loves to listen to music online and lists several streaming services and YouTube channels. He’s also an avid collector of ASCII-based emoticons. Everyone needs a hobby, right? ¯_(ツ)_/¯

Amusingly, User #20873595 is keen for people understand that his last name does not begin with C, implying that it is in fact Hunt. There was also some debate about what User #72907’s office nickname should be. “Monster Lite” was the apparent front runner.

hearthstone_screenshot-1364834

We also learned from the dump that some of the Users are heavily into the online card game Hearthstone, which unfriendly foreign state actors are likely now feverishly trying to hack.

The public at large has moved on, and the first of the vulnerabilities highlighted in the dump has been patched, but the industrious CIA hackers who originally found them are still beavering away, creating new tools to replace the old ones, finding new zero-days, thinking up new nicknames, trolling each other, and of course playing Hearthstone.

Trump’s Cybersecurity Policy

trump-3170923What does a Trump presidency mean for global cybersecurity?

Washington is nervous. No one knows if President Trump understands cybersecurity, or whether he’ll listen to those who do.

Some pundits are already suggesting that his first 100 days in office will include a cyber emergency.

How he responds is crucial, but his comments so far have instilled little confidence.

“Cyber is becoming so big today, it’s becoming something that a number of years ago, a short number of years ago wasn’t even a word.”

“We have to get very, very tough on cyber and cyber warfare. It is — it is a huge problem. I have a son. He’s 10 years old. He has computers. He is so good with these computers, it’s unbelievable. The security aspect of cyber is very, very tough. And maybe it’s hardly doable.”

To be fair, Trump’s campaign site does say that he’ll order a review of “all U.S. cyber defences and vulnerabilities” by a specially assembled Cyber Review Team formed from “the military, law enforcement and the private sector”.

But Washington needs to know if he will implement or even believe the Cyber Review Team’s recommendations. After all, this is the man who, when experts discovered Russian-backed groups attacking the Democratic National Committee, said:

“I don’t think anybody knows it was Russia that broke into the DNC. She’s saying Russia, Russia, Russia, but I don’t — maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, OK?”

According to The Washington Post, a sense of dread is descending on the US intelligence community. Former CIA director Michael Hayden summed up the mood:

“I cannot remember another president-elect who has been so dismissive of intelligence received during a campaign or so suspicious of the quality and honesty of the intelligence he was about to receive.”

Trump’s policy also places an onus on deterring attacks by state and non-state actors, and he has a has a particular thing about China’s hackers. He seems openly irritated by the country’s refusal to observe intellectual property law. His plan here is to:

“Enforce stronger protections against Chinese hackers … and our responses to Chinese theft will be swift, robust, and unequivocal.”

By this logic, it’s apparently difficult to attribute an attack when it’s Russia, but not when it’s China. This kind of thinking will need to change or it could damage superpower relationships at a uniquely dangerous point in world history.

Part of the danger is that a sufficiently irked President could order a pre-emptive cyber-strike against China to show everyone who’s boss. How will he pick the right target if he doesn’t listen to his advisors? China’s a very big place, and what looks like state-sponsored hacking to some might in fact turn out to be private enterprise. Such actions could be taken as an act of war, and even a limited cyberwar could leave swathes of the internet useless until rebuilt.

Trump also famously likes to abandon the script and simply ad lib during speeches, but national security depends on secrecy. Will he blurt out something in a speech that gives an enemy state a clue about America’s capabilities or, even worse, her vulnerabilities?

gchq-9563617Trump’s view that “torture works” could also irreparably damage the relationship between GCHQ and the NSA. Torture is a no-no for the UK. The Cheltenham Doughnut is expressly forbidden from sharing intelligence with countries that openly engage in torture.

A change in policy by the US would further compromise the flow of intelligence already put at risk by Brexit. The Open Rights Group also believes that Trump will exert a great deal of influence over the UK’s intelligence community.

Retaining skilled infosec talent from abroad is also about to become more of a problem for US companies, because Trump plans a crackdown on H-1B work visas. Taking up the slack means boosting cybersecurity degree courses, but any increase in trained manpower will take time to trickle through. In the meantime, who will fill the skills gap?

Ultimately, Trump is going to have to stop threatening and promising things he can’t deliver, and start listening to his advisors. To do so, he must leave his preconceptions at the door to the Oval Office and think calmly and clearly before acting. Whether that will happen is anyone’s guess, but it’s not hyperbole to suggest that a huge amount depends on it.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press