At last – the benefits of AI

In response to a conversation on Facebook, I tried googling “David Harley’s net worth” and discovered a web site that reckons that my net worth is $519 million. Since it includes some information drawn from a Wikipedia page about me – yes, of course there’s one 🙂 – it’s clearly me that all that money belongs to. There’s another AI-driven site that reckons I’m only worth $2m, but I’m going to stick with the other one, since it also says I’m 33, which I much prefer to being in my 70s. I feel younger already.

As soon as I find out where all my money is, I’m going to buy a very expensive guitar indeed.

Antisocial Media and Critical National Infrastructure

There was never much chance of my opening an account on Tik Tok (so you’ll have to look for my twerking videos elsewhere), so I don’t have strong personal feelings about it. That doesn’t mean I don’t have concerns about its data-gathering practices and its hotly-denied links with the Chinese government, of course. Are those concerns more profound than my concerns about Western social media? Not necessarily, but I’m not engaged enough with these matters nowadays to make comparisons between those concerns. In fact, if it were up to me, I’d advise anyone holding office in the government, security services, armed forces etc. to consider carefully the wisdom of engaging with any social media platform, though for most of us that genie escaped the bottle long ago. Clearly, there are risks in terms of personal data leakage, misinformation, social engineering and manipulation everywhere you look on the Internet, and many of those issues relate directly to groups in Russia and China, some with state sponsorship.

However, there have been other security concerns that date back to long before the launch of Douyin and Tik Tok. In 2011, I wrote on the ESET blog about issues relating to the buying-in of components ultimately sourced from China. Specifically, BT’s intention to buy network components from Huawei, and the US Navy’s purchase of 59,000 fake microchips ‘for use in systems “from missiles to transponders” ultimately sourced from China.’ Even further back, in 2009, I wrote:

I don’t have enough data to assess the seriousness of … an attack [on national systems via foreign-sourced components] in practical terms, but it seems unfortunate that “government departments, the intelligence services and the military” are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.

I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled “made in China”. Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?

I still don’t know the answer to the question in that second paragraph, and none of my former contacts (such as they were – my paygrade wasn’t particularly high) along the Corridors of Power are likely to have that exact information, let alone share it with me. The CNI is a wider network than you might think, incorporating not only obviously relevant sectors such as government and defence, but less obvious sectors such as health (hence my interest as a former NHS security professional), finance, food and even space. More information on the CNI Hub here.

Even worse, the Long March of technology (see what I did there?) means that components of components of components may fall under suspicion: tracking the provenance of every component on every potentially vulnerable site makes the sort of scanning for vulnerabilities some of us enjoyed at the turn of the millennium look about as daunting as going to the front door to check that it’s locked.

In October 2022, the UK government sent a designated vendor direction to 35 telecom providers requiring them, effectively, to remove Huawei technology from UK 5G public networks by the end of 2027. The requirement to ‘remove Huawei equipment from sites significant to national security by 28 January 2023’, given that communications are also a CNI sector, tells us that Huawei did indeed have a presence in CNI technology until less than two months ago. Call me cynical (many people have…) but I don’t think that delivery of that direction means that we’re all now safe from whatever the National Cyber Security Centre has been predicting. Nearer to home, the NCSC has published a basic explanation of the thinking behind their predictions and what it means for home and business users not directly engaged with the CNI.

Information in this post is made available by the UK government under version three of the Open Government Licence for public sector information.

And if you’re wondering what happened to the normal Dataholics dollop of cheap sarcasm, all that I can say is that sometimes political reality outdoes satire. Hopefully, normal service will be resumed shortly. On the blog, that is: I’m making no promises about political reality.

David Harley

The Fake Conference Season Opens

Even the fake conference crowd are trying to drag me back into testing (again). Yes, ‘Making sense of comparative anti-malware testing’ sounds like a perfect fit for the World Gene Convention. Not. I’d have been more impressed if they’d picked up on my long-gone and rather peripheral connection with the Human Genome Project.

At least the repeated invitations to a dodgy forensics conference have some theoretical relevance to what I do now.

But it seems that the Gene Genie has just picked up an article I wrote for Elsevier in 2009. Or, more probably, just the abstract.

F minus for effort. F double minus for ‘would you please respond to our earlier spam?’

David Harley

Next-gen Ethical Hacking

This morning I was amused to find comment spam advertising the services of a hacker for hire for ‘ethical hacks, school upgrade, money transfer, blank a.t.m’s, clear your credit score’. Well, that’s an unexpected view of what constitutes ethical hacking. (If you’re not sure what I’m getting at, read the above as ‘falsify your grades’, ‘be tricked into buying an ATM card that’s supposed to allow you to fraudulently draw unlimited funds’, and so on.)

No, it wasn’t on this blog, but I bet if I put the word ‘hacker’ or ‘hacking’ into the title of this article, something similar will turn up. Of course, if it does, you’ll have to take my word for it, since I’m not going to approve it.

David Harley

Symmetry and Virus Writing

Back in 2003, the University of Calgary started to offer courses in virus writing, much to the annoyance of the security industry. Well, the anti-malware industry: people outside that sector like Bruce Schneier tend to take a contrary view of the hands-on approach to understanding security threats. However, what we still called at that time the AV industry was pretty unanimous:

  • Sophos commented
  • Fridrik Skulason commented
  • Vesselin Bontchev took the idea to pieces in an AVAR paper (and made some sound suggestions about alternative ways of teaching the next generation of anti-malware researchers what they need to know).

Professor John Aycock braved a hail of criticism and has attended a number of security conferences subsequently. I’ve never been able to accept the view that you have to write malware in order to understand how to detect/defeat it, but he is an intelligent and likeable man who has contributed to our understanding of the malware scene, for instance in the (now virtual) pages of Virus Bulletin.

I don’t suppose that the current vicious spate of ransomware owes much to the teaching practices of the University of Calgary. In fact, malware technology has changed so much in the meantime it’s hard to see how it could. And certainly I’ve no particular reason to suppose that any of the students who took that class lacked honesty and integrity any more than the rest of the population.

Still, there’s a certain uncomfortable symmetry in the fact that the University of Calgary has apparently just paid $20,000 CAN to a ransomware gang for decryption keys… I won’t say ‘what goes around comes around’ but I suspect there are those who will.

David Harley

Pity the poor BIOS hacker

Darren Pauli for The Register:

Millions of flawed BIOSes can be infected using simple two-minute attacks that don’t require technical skills and require only access to a PC to execute.

I don’t often feel sympathy with people who attack other people’s data and systems, but I feel deeply sorry for those poor unfortunates condemned like a modern Flying Dutchman to wander the earth, breaking into millions of homes and offices so that they can get physical access to PCs and infect the BIOS.

By my reckoning, that’s around 3.8 man years per million PCs, not including travel time between sites, sleep, eating, and visiting the bathroom.

The article refers to a presentation at CanSecWest by Xeno Kovah and Corey Kallenberg, but a presentation covering somewhat similar ground for ShmooCon seems to include the crucially different assertion that ‘Attacker does not need physical presence to attack BIOS.’ Well, that’s sometimes true. But clearly not explicitly stated in the CanSecWest abstract. I shall await further clarification with bated breath.

David Harley

21 Rules for Computer Users

I came across this collection of ‘rules’ by accident today: I’d forgotten all about it, but I get a mention there because educationalist Terry Freedman and I were exchanging email for a while in the wake of a writing project he initiated. (Jude and I contributed some content which we actually expanded on in the AVIEN Guide to Malware. Just as well, as Terry’s project seemed to have disappeared, and when I refound it, it hadn’t been updated to include our content…)

I should immediately point out that while I drew Richards’ Laws to Terry’s attention, my friend and one time co-author (on Viruses Revealed) Robert Slade drew them to my attention.

Anyway, you might find these 21 laws, rules and principles amusing.

David Harley

Bank of the Internet

This is, perhaps, a little heavy on the geek side. I think there may already be a bit part reserved for me on The Big Bang Theory, along with an XXL-sized Star Trek uniform (preferably not a security redshirt uniform).

However, if you’re actually reading this, I guess there’s a reasonable chance that you’re among the elite (very) few who don’t altogether hate my cheesy little cartoons. One of the most valued members of that elite band is Aryeh Goretsky who used this one in his ESET 2014 Mid-Year Threat Report broadcast.

The webinar itself has been and gone, but you can catch a recording on the ESET Internet Security Threats Channel. There’s a list of the topics covered and a link to the recording in Aryeh’s blog article.

(No, this blog is emphatically not part of the ESET empire, but I kind of like the cartoon.)


David Harley
Small Blue-Green World


Division by Zero Day

Yes, it’s a vaguely IT-related post, just for a change.

A few days ago, there was a flurry of interest in the LinkedIn issue raised by Zimperium with potential Man In The Middle attacks (somehow, this always makes me think of Rob Brydon) using SSL-stripping.

I must admit, I was somewhat irritated by the very trivial issue of the misuse of the term zero-day vulnerability. If Zimperium has notified LinkedIn six times about the issue, I don’t think it can be described as a zero-day vulnerability, since it’s known to the provider. Unless the notifications have been disappearing into a black hole somewhere, but Zimperium’s blog indicates that LinkedIn acknowledged to them last year that the issue existed. And in fact, SSL-stripping has been a known attack for quite a few years. As far as I can see, it isn’t a vulnerability at all in terms of the SSL trust model: it’s an implementation issue.

HTTPS is essentially HTTP carried over a layer of SSL/TLS. While Zimperium’s blog doesn’t describe a specific vulnerability, what it refers to as SSL-stripping involves a man-in-the-middle intercepting the victim’s plain-HTTP traffic (the first request to a site is usually plain HTTP, because a URL typed without a scheme defaults to http://), making the HTTPS connection to the real server itself, and rewriting the https:// links and redirects it gets back into http:// before passing the page on to the victim. Because it is the attacker, not the victim, who is talking TLS to the server, serving the whole site over HTTPS doesn’t defeat the attack on its own: the victim never sees a certificate to check, let alone a ‘connection refused’. Attacks on the certificates themselves and the underlying trust model are a separate matter and need other tools. HSTS (HTTP Strict Transport Security) helps by telling the browser that only HTTPS connections are allowed to that host, but the browser only honours the header when it arrives over HTTPS, so a victim whose first visit is already being stripped never receives it; the browsers’ HSTS preload lists exist to close that gap.
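To make the mechanism concrete, here is a small Python model of the three parties involved: a toy origin server that redirects plain HTTP to HTTPS and sends an HSTS header, an SSL-stripping proxy, and a browser with an HSTS cache. This is example code written for this page, not code from the post, from Zimperium or from LinkedIn; the host www.example.com, the page body and the header values are constructed for the example, and the proxy is a deliberately minimal stand-in for real stripping tools.

```python
"""Toy model of SSL stripping and the HSTS defence (added example, not from the post)."""
import re
from urllib.parse import urlsplit

# Constructed sample site: a single page whose login link is HTTPS.
HOST = "www.example.com"          # hypothetical host, standing in for linkedin.com
LOGIN_PAGE = '<a href="https://www.example.com/login">Sign in</a>'
HSTS_HEADER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def origin_server(url):
    """Origin that only serves content over TLS: plain HTTP gets a redirect, HTTPS gets the page."""
    if urlsplit(url).scheme == "http":
        return 301, {"Location": "https://" + url[len("http://"):]}, ""
    return 200, dict(HSTS_HEADER), LOGIN_PAGE


def fetch_direct(url):
    """Follow redirects to the origin and return (final_url, headers, body)."""
    for _ in range(5):
        status, headers, body = origin_server(url)
        if status == 301:
            url = headers["Location"]
            continue
        return url, headers, body
    raise RuntimeError("redirect loop")


def sslstrip_proxy(url):
    """What a man-in-the-middle does with a plaintext request it has intercepted:
    talk HTTPS to the real server, then hand the victim an HTTP-only view of it."""
    _, headers, body = fetch_direct(url)                   # attacker follows the redirect over TLS
    headers = {k: v for k, v in headers.items()
               if k.lower() != "strict-transport-security"}  # dropped; it would be ignored over HTTP anyway
    body = re.sub(r"https://", "http://", body)            # downgrade every link on the page
    return url, headers, body                              # victim gets 200 OK over plain HTTP


class Browser:
    """Minimal client with an HSTS cache; `preload` mimics the browser's built-in list."""

    def __init__(self, preload=()):
        self.hsts_hosts = set(preload)

    def resolve(self, url):
        """Upgrade http:// to https:// for hosts with a known HSTS policy."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.hsts_hosts:
            return "https://" + url[len("http://"):]
        return url

    def record_hsts(self, url, headers):
        """RFC 6797: the header only counts when it was received over a TLS connection."""
        if urlsplit(url).scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(urlsplit(url).hostname)

    def load(self, typed_url, attacker_on_path=False):
        """Load a page; return the href of the login link the user would click next."""
        url = self.resolve(typed_url)
        if attacker_on_path and urlsplit(url).scheme == "http":
            final_url, headers, body = sslstrip_proxy(url)   # plaintext, so interceptable
        else:
            final_url, headers, body = fetch_direct(url)     # TLS end to end, attacker sees nothing useful
        self.record_hsts(final_url, headers)
        return re.search(r'href="([^"]+)"', body).group(1)


if __name__ == "__main__":
    victim = Browser()
    print(victim.load("http://www.example.com", attacker_on_path=True))   # stripped: http://.../login
    clean = Browser()
    print(clean.load("http://www.example.com"))                           # https://.../login, HSTS learned
    print(clean.load("http://www.example.com", attacker_on_path=True))    # upgraded before leaving the browser
    print(Browser(preload=[HOST]).load("http://www.example.com", attacker_on_path=True))
```

The model shows the two points that matter: an HTTPS-only server does not save a user whose first visit is plain HTTP, because the attacker makes the TLS connection and the user is handed a downgraded copy; and HSTS only protects once the browser has completed one clean HTTPS visit (or has the host preloaded), which is why always typing https://www.linkedin.com, as Zimperium suggests, is sound advice rather than pedantry.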

There are a couple of measures (as described by Zimperium) that the consumer can take right now: turn on HTTPS for all LinkedIn transactions in Account/Security Settings, and always log in to https://www.linkedin.com, not http://www.linkedin.com.

Of course, there may be other issues that Zimperium’s blog doesn’t mention, and I’m not familiar with their pen-test toolkit, so can’t comment on the details of their findings.

David Harley
Small Blue-Green World