Cyberwar Reality: It’s All About the Payload…

Twenty years or so ago, malware (then known only as “viruses”) were generally bits of code that inserted themselves into applications, and when run, replicated themselves to other applications, and were destructive to the systems they operated on. Your applications would become infected to the point of not functioning, and/or your entire hard drive could simply be wiped out.

Eventually, some genius of malware authoring figured out that it was a pointless endeavour to simply vandalize a victim’s computer – why not start secretly acquiring data from those computers for profit? Malware evolved into keyloggers and screen scrapers (to collect password data), and data miners (for acquiring credit card numbers and banking information). This methodology has grown to the point where these malware applications have been reclassified with specific labels such as “ransomware” (malware that holds your computer hostage until you “pay up”), “vandalware”, “creepware”, or simply just “crimeware.”

I receive calls every other day from people who want me to heal (clean) their infected computers. Recent statistics have indicated that 431 million web users worldwide in the past year were hit with some variety of malware (http://www.symantec.com/content/en/us/home_homeoffice/html/cybercrimereport/). The report also revealed that more than a million people are victimized by cybercrime every day, averaging 14 new victims every second. Mobile device attacks are also on the rise. The report suggests that US losses to cybercrime in the past year are estimated at $32 billion. While many of these malware attacks could have been easily preventable with basic security software, a lack of preparedness on the part of users to have updated patches and security software installed (and updated) is mostly to blame.

The problem is even worse in the corporate world, where enterprise servers and employee desktops can be out-of-date on patching by as much as 6 months to a year.

In the near future, authors of malware (or some organization delivering malware) are going to unleash a seriously malicious payload that will start destroying data on machines and corrupting the operating capability of personal and corporate computers. The frivolity towards security by users and corporations will leave us completely vulnerable to such attacks.

In 2004 and 2005, I was a guest on several radio shows discussing computer security, or the lack thereof, and the inevitable fact that at some point in the near future, sophisticated malware will become destructive once again rather than just gathering and ransoming your data. Feedback from these shows was less than receptive – or simply ignored – and is largely ignored today.

In the future the tools that crimeware creators and malware authors have produced and used to mine your personal data will be easily modified to destroy your data. Ransomware is just the first step (I recently witnessed the destruction of data, and corruption of the operating system on a computer infected with ransomware – just by the action of cleaning the malware from the system). The fact that so many (431 million) personal computers have been compromised in the last year alone – and could very simply be wiped out by malware if it were configured to do such – will be an inevitable modulation of malware technology – and the near mythical term “Cyberwar” will have become reality. The daily discovery of zero-day exploits, and the overabundance of vulnerable unpatched Windows PCs has created a wide-open playing field for those who wish to control you. The recent and successful attacks on corporations and the specific targeting of defense contractors presents and even scarier scenario – were the payloads more destructive.

We really don’t know when this reversion to destruction will start to appear, but it will be the logical next step in the progression of malware design. The sophistication in the design of malware such as evidenced in Aurora, Stuxnet, and Shady Rat will only become even more villainous in its raison d’etre when certain organizations decide to use malware as a tool of war.

People and organizations know what needs to be done in order to prevent this from happening, but rarely do anything proactive to ensure their safety. Unfortunately, it will take a few tragedies involving these destructive payloads to deliver a wake-up call.

Cheers……

Advertisements

Media Sanitization – Easier, Faster, and Good Enough for Most of Us

Often, we’re told that if we are looking to secure data on hard drives or removable media, that we must encrypt that data. This will ensure that if our laptops or thumb drives get lost or stolen, or even when we are travelling abroad, that our data will be secured from prying eyes.

Well, if that is truly the case, then why are we expected to jump through so many hoops when it comes to media sanitization? Are we just looking to wipe the data from a drive, and then repurpose it to another user for further use? What is the value of the data (classification)? If we’re just looking to turn over the drive for re-use, then why are basic media sanitization standards so complex?

Government restrictions aside, the most accepted method of “wiping” a hard drive for re-use includes first writing all zeros to the drive and then writing random or pseudorandom data to the drive.

This is just too damn slow.

And, today’s media sanitization documentation reads like a conspiracy theorist’s manifesto:

See: http://forums.anandtech.com/showthread.php?t=2040453 – FOR PARANOIA

So, what if we just encrypt the entire hard drive with a randomly generated key that never gets stored anywhere? Isn’t total drive encryption an already accepted method to secure our sensitive data from thieves and spies?

Of course, this is not an original idea:

As Bruce Schneier (noted security blogger and author of “Applied Cryptography”) states, “…. either a fully encrypted computer is secure — or it’s not. If it’s not good enough to consider the data gone – (if you encrypt the drive and destroy the key) – why depend on it to keep your data secure while it’s on your desk or wherever?”

—————————————–

There are several applications dedicated to the function of media sanitization. The most popular of these, and an accepted standard in the security community is a freeware program called, “Derek’s Boot and Nuke” (DBAN). While DBAN offers many methods to wipe a hard drive, it can take hours, and even days (depending on the size of the drive) to complete even the most basic hard drive wiping functions.

But, if we simply just encrypt the drive – a single pass encryption with a random key (or even a pseudorandom key) using a cryptographically secure algorithm – our data will be as secure as though it were wiped with a fancy multi-pass application.

Here’s a solution to the speed issue: Boot a linux kernel and run OpenSSL.

OpenSSL is native to the linux 2.6 kernel, so all one needs to do is a run linux live-boot from CD or USB drive, and then run OpenSSL from a command prompt.

The OpenSSL command-line binary that ships with the OpenSSL libraries can perform a wide range of cryptographic operations.

First, let’s look at some algorithm benchmarking in this arena. OpenSSL developers have created and included a benchmarking suite directly into the OpenSSL binary. It’s accessible via the “speed” option. It tests how many operations it can perform in a given time, rather than how long it takes to perform a given number of operations.

From the command prompt, run: openssl speed

There are two sets of results. The first reports how many bytes per second can be processed for each algorithm, the second the times needed for sign/verify cycles. Here are the results on an 2.16GHz Intel Core 2.

The ‘numbers’ are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md2               1736.10k     3726.08k     5165.04k     5692.28k     5917.35k
mdc2                 0.00         0.00         0.00         0.00         0.00
md4              18799.87k    65848.23k   187776.43k   352258.73k   474622.63k
md5              16807.01k    58256.45k   160439.13k   287183.53k   375220.91k
hmac(md5)        23601.24k    74405.08k   189993.05k   309777.75k   379431.59k
sha1             16774.59k    55500.39k   142628.69k   233247.74k   288382.98k
rmd160           13854.71k    40271.23k    87613.95k   124333.06k   141781.67k
rc4             227935.60k   253366.06k   261236.94k   259858.09k   194928.50k
des cbc          48478.10k    49616.16k    49765.21k    50106.71k    50034.01k
des ede3         18387.39k    18631.02k    18699.26k    18738.18k    18718.72k
idea cbc             0.00         0.00         0.00         0.00         0.00
rc2 cbc          19247.24k    19838.12k    19904.51k    19925.33k    19834.98k
rc5-32/12 cbc        0.00         0.00         0.00         0.00         0.00
blowfish cbc     79577.50k    83067.03k    84676.78k    84850.01k    85063.00k
cast cbc         45362.14k    48343.34k    49007.36k    49202.52k    49225.73k
aes-128 cbc      58751.94k    94443.86k   111424.09k   116704.26k   117997.57k
aes-192 cbc      53451.79k    82076.22k    94609.83k    98496.85k    99150.51k
aes-256 cbc      49225.21k    72779.84k    82266.88k    85054.81k    85762.05k
sha256            9359.24k    22510.83k    40963.75k    51710.29k    56014.17k
sha512            7026.78k    28121.32k    54330.79k    86190.76k   104270.51k
sign    verify    sign/s verify/s
rsa  512 bits 0.000522s 0.000042s   1915.8  23969.9
rsa 1024 bits 0.002321s 0.000109s    430.8   9191.1
rsa 2048 bits 0.012883s 0.000329s     77.6   3039.6
rsa 4096 bits 0.079055s 0.001074s     12.6    931.3
sign    verify    sign/s verify/s
dsa  512 bits 0.000380s 0.000472s   2629.3   2117.9
dsa 1024 bits 0.001031s 0.001240s    969.6    806.2
dsa 2048 bits 0.003175s 0.003744s    314.9    267.1

You can run any of the algorithm-specific subtests directly:

For instance, to test rc4 speeds:

openssl speed rc4

————————————

For the purposes of wiping data from a hard drive that would be unrecoverable from the average computer user, nearly any of these algorithms would be sufficient. But, if you are slightly paranoid (but not bound to government restrictions), RC4 should be sufficient (and benchmarks the fastest). Remember, we’re talking about sanitizing a personal or a corporate hard drive for the possibility of repurposing it – not hiding confidential secrets from potential “Enemies of the State.” The DoD standard of grinding a physical drive into metallic crumbs, and then heating up the fragmented bits into a molten lava is still the most secure method of hard drive sanitization where top secret data is concerned. The reasoning behind this is that rendering the drive into base metal slag will thwart most attempts to recover data through forensic analysis – even utilising an advanced technique to recover magnetic data on the drive called, “Magnetic Force Microscopy”.

But, to date, no one has proven that data that has been wiped with a randomized single pass can be recovered by Magnetic Force Microscopy, or any advanced methodology (this doesn’t rule out that certain advanced *and expensive* technologies to recover data really exist).

So, here’s how to wipe (or rather randomly encrypt) your data storage device:

————————————

Wiping the entire hard drive with an OpenSSL encryption routine:

After booting with a live linux distro, run from the command prompt:

#!/bin/bash

dd if=/dev/random bs=1k count=1 | openssl enc -kfile /dev/fd/0 -in /dev/zero -rc4 -out filename

This will create a file and just keep filling it with data until the partition or drive is full.

You can simply delete the file after the operation is complete:

rm -f filename

If you feel the need to use another algorithm, replace “rc4” with your algorithm of choice.

You might also use a linux kernel module random number generator known as “frandom”: https://wiki.archlinux.org/index.php/Frandom (there are some good benchmarking comparisons to other methods of drive wiping at this site).

Simple tests using this method of sanitization vs. the accepted standard drive-wiping applications show it to be (in some cases) 60 times faster.

Remember, the point of this is that if full drive encryption is considered “secure” for travel, loss, and theft, then it should be considered just as secure for media sanitization.

Book Review: “Program or Be Programmed” by Douglas Rushkoff

Book Review:
Program or Be Programmed – Ten Commands for a Digital Age
by Douglas Rushkoff

Every once in a while, a visionary comes along who sees the big picture. And, even rarer still – that visionary is able to offer real-world solutions to tough problems. Douglas Rushkoff is just such a visionary. In, Program or Be Programmed – Ten Commands for a Digital Age, Rushkoff dissects our reliance on the digital age in which we live with philosophical clarity. In this small treatise, Rushkoff covers topics ranging from how social media has transformed social norms, to the metamorphosis of old advertising supplying in-your-face-with-no-choices TV commercials, and how today we can actually filter and accept only that advertising we choose to view.

The actual and underlying premise of the book is that we need to understand programming – or we are simply being programmed ourselves. That most computer users understand little of the “how” behind how an application works, presents a problem of age-old significance. We certainly don’t have to understand how an internal combustion engine works in order to drive a car, but when that engine breaks down, we would be far better off knowing a little bit of how it functions when talking to the repairman. Rushkoff isn’t saying we all have to become programmers – but that we understand a modest quantity about the engine under the hood of our digital machines.

I’ll refrain from spoiling the fruits of this book – there are gems of wisdom throughout. Like another reviewer wrote, “Rushkoff writes a book with only sentences that have meaning.”  The book is a very forward look into the future of social interaction, knowledge acquisition, and how the digital age heralds a re-wiring of our biological thought processes.

Anyone who is trying to figure out what the hell is happening with our newly-embraced digital society, today and in the future, should read this book.