Richard J. Bocchinfuso

"Be yourself; everyone else is already taken." – Oscar Wilde

FIT – MGT5156 – Week 8

Essay Assignment

You are the CISO of a large company. Using your own machine as an example, tell me how you would harden your own machine and how you would harden machines across the company, using ideas garnered from this class.

 

Final Exam

FIT – MGT5156 – Week 7

Discussion Post

Desktop Virtualization
Discuss whether desktop virtualization is a panacea.

No, virtualization (desktop or server) is not a panacea. While complex, attackers can exploit hypervisor technology by virtualizing an operating system and running the malware at a level below the virtualized workloads, at the hypervisor layer. This approach makes the malware very hard to detect and operating system agnostic. (Ford, 2018) This type of malware has become know as a virtual-machine based rootkit (VMBR). A VMBR installs a virtual-machine monitor (VMM) underneath an existing operating system (guest os or virtual machine) and hoists the original operating system into a virtual machine. (King & Chen, 2006)

Virtualization can be very helpful for malware analysis. Virtualization can provide isolation, it can create a trusted monitor so the hypervisor can watch how the system works preventing the hypervisor from being tampered with, and it can allow for rollback or disposable computing which can be very useful for malware testing. (Ford, 2018) While countless benefits are derived from virtualization, the hypervisor is just software, and like any other software, it can have vulnerabilities. If the hypervisor were to be exploited, it could provide an attacker with low-level system access which could have serious, widespread implications. Successful exploitation of the hypervisor would give the attacker full control over everything in the hypervisor environment, all virtual machines, data, etc. (Obasuyi & Sari, 2015)

The “cloud” makes extensive use of virtualization technologies. (Ford, 2018) For example, Amazon Web Services (AWS), is built on the Xen hypervisor. Given the security concerns mentioned above and associated with the hypervisor, you can see the concern given the scale and multi-tenancy of cloud providers. (Vaughan-Nichols, 2015) Let’s face it the cloud is one giant honeypot; it’s hard to say “if” and more likey “when” will a low-level exploit happen in the cloud. Only time will tell.

To bring it back to desktop virtualization I might argue that the security concerns with desktop virtualization exceed the security concerns with server virtualization, for one reason, linked clones. The use of linked clones is quite common in desktop virtualization, but with all virtual desktops sharing common executables and libraries, malware can metastasize with each virtual desktop instantiation, and this would not require a compromised hypervisor, but rather a compromised master image. The other thing which we need to consider is transparent page sharing and the potential manipulation of EXEs and DLLs in memory at the hypervisor level and the impact it could have.

References

Ford, R. (2018, June 11). Virtualization. Retrieved June 11, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTYvQ1lCNTI4ME0xMFYxL0RhdGEvbW9kdWxlLnhtbA

King, S. T., & Chen, P. M. (2006). SubVirt: Implementing malware with virtual machines. Paper presented at the , 2006 14 pp.-327. doi:10.1109/SP.2006.38

Obasuyi, G. C., & Sari, A. (2015). Security Challenges of Virtualization Hypervisors in Virtualized Hardware Environment. International Journal of Communications, Network and System Sciences, 08(07), 260-273. doi:10.4236/ijcns.2015.87026

Vaughan-Nichols, S. J. (2015, December 04). Hypervisors: The cloud’s potential security Achilles heel. Retrieved June 13, 2018, from https://www.zdnet.com/article/hypervisors-the-clouds-potential-security-achilles-heel/

 

Discussion Response 1

I enjoyed your post, would like to offer up some food for thought.

There are lot’s of good reasons for Desktop Virtualization, the catalysts that I see typically revolve around centralized command and control, with the desire for centralized command and control often being aided by regulatory and/or compliance requirements. Five or so years ago we were seeing a huge push towards desktop and application virtualization on platforms like Citrix Xen Desktop, Citrix Xen AppA, and VMware View but this trend seems to have slowed, it’s not hard to understand why.

Let’s look at a few of the challenges with desktop virtualization. From a security perspective, you now have the east-west traffic to be concerned, this is the traffic taking place on the same physical hardware, not ingressing or egressing the physical hardware (north-south traffic) so network security protocols don’t really work. This was a general hypervisor problem which has been addressed, but a concern nonetheless. Next, we have the unpredictable performance profile of end-user usage, one user performing an I/O intensive process has the ability to impact all other users on that physical system. Then there is the con of centralization, the risk, a shared component outage has a much larger blast radius. All of these contributing factors make desktop virtualization fairly costly.

New technologies like SasS and browser-based apps, the rich user experience of HTML5, the ease of cross-platform development, the BYOD push, etc… seem to have slowed the desktop virtualization craze. Desktop virtualization is still happening, but it seems to have slowed. I use virtual desktops all the time for remote access or to run thick apps, but the virtual desktop is used more like an application rather than as a day-to-day shell from which I work. IMO as long as there is Java and the umpteen versions of Java, compatibility issues between apps and Java version, etc… we will have a need to use the virtual desktop to solve these issues. VDI also allows us to take think client applications and quickly centralize them, although I know many people who have done this who wish they just did an app rewrite rather than spending the time build VDI.

I agree with the VirtualizedGeek, that DaaS is a better solution than VDI for those of us need a cloud-based Windows desktop. (VirtualizedGeek, 2014) The article is a bit dated and today many of us use AWS Workspaces or another DaaS solution for this very reason. I also agree with Ben Kepes that “Desktop as a Service is last year’s solution to last decade’s problem.” (Kepes, 2014) The bottom line is the move toward mobile and web apps will continue so while VDI may not be dying I don’t expect it to flourish.

References

Kepes, B. (2013, November 06). Death To VDI. Or DaaS. Or Whatever It’s Called This Week. Retrieved June 17, 2018, from https://www.forbes.com/sites/benkepes/2013/11/06/death-to-vdi-or-daas-or-whatever-its-called-this-week/#3e4c3295096a

Rouse, M. (2018, June 17). What is east-west traffic? – Definition from WhatIs.com. Retrieved June 17, 2018, from https://searchsdn.techtarget.com/definition/east-west-traffic

VirtualizedGeek. (2014, February 18). VDI is dying so what now? Retrieved June 17, 2018, from http://www.virtualizedgeek.com/2014/02/vdi-token-ring/

 

Discussion Response 2

Enjoyed the post, great read as usual, always like the emotion in your writing.

I have one rule about technology, it is to never make a technology decision based on “saving money”. When the primary value proposition is “you’ll save money” it almost always tells the story that there is no other value proposition that is meaningful enough to be a motivator. I have yet to meet someone who made the decision to implement VDI for cost savings that are happy they made the decision. I have met those who had to do it for regulatory and compliance purposes who likely spent and continue to spend more on their virtual desktop infrastructure than they would have spent deploying desktops, these folks still may not be happy but they are committed to the technology to solve a business problem that they have yet to find another solution to.

Desktop virtualization has been around for a long time, Citrix the undisputed leader in the space started in 1989 with the development of their protocol called ICA (Independent Computing Architecture). In the late 1990s Citrix release MetaFrame 1.0 to match the release of Microsoft Terminal Server. Citrix capitalized on the weakness of Microsoft RDP protocol and MetaFrame and the ICA protocol became the defacto standard for multi-tenancy at scale. The mainframe and mini-computer world was used to multi-tenancy but Citrix had brought multi-tenancy to the micro-computer and Wintel platform. This market pivot actually has close parallels to the cloud pivot we are seeing in enterprise computing today. In the 90s and early 2000s consumers listened to vendors, today consumers listen to the community, the biggest voices are those consuming the platform at scale, fortunately for Citrix this wasn’t the case as they rose to market prominence. There is no doubt that today Netflix holds as much weight on a new user using AWS as AWS itself, Netflix is the 900-pound consumer gorilla and their lessons learned are consumer lessons, not the lessons of AWS who want you on the platform. The Netflix lessons are extremely relevant to the cloud, but they are also relevant to a move to multi-tenancy in any way, VDI being one example. I think we are quickly moving past the days where “a guy with a huge handlebar mustachio with a cape on the back of a wagon” can espouse a cure-all. And for those willing to buy, well, in today’s day and age it feels more like natural selection than someone being bamboozled.

Here are some of the publically available Netflix lessons with some personal commentary. I love these lessons learned and I use them in different contexts all the time. (Netflix Technology Blog, 2010) (Townsend, 2016)

  1. Dorothy, you’re not in Kansas anymore. It’s going to be different, new challenges, new methods and a need to unlearn much of what you are used to doing.
  2. It’s not about cost savings. Focus on agility and elasticity.
  3. Co-tenancy is hard. Architecture and process matter more than ever.
  4. The best way to avoid failure is to fail constantly. This is one that many enterprises are unwilling to accept. Trading the expectation of uptime for the expectation of failure and architecting to tolerate failure.
  5. Learn with real scale, not toy models. Buying a marketecture is not advisable, you need to test with your workloads, at scale.
  6. Commit yourself. The cost motivator is not enough, the motivator has to me more.
  7. Talent. The complexity and blast radius of what you are embarking on is significant, you need the right talent to execute.

The consumption and effective use of ever-changing and complex services require us to think differently. Netflix consumes services on AWS and because they don’t have to build hardware, install operating systems, build object storage platforms, write APIs to abstract and orchestrate the infrastructure, etc… they can focus on making their application more resilient by building platforms like the Simian Army (Netflix Technology Blog, 2011) and other tools like Hystrix (Netflix Technology Blog, 2012) and Visceral (Netflix Technology Blog, 2016). The biggest problem with technologies that seemingly make things simpler is that the mass-market consumer looks for cost saving, they look for things to become easier, to lessen the hard dollar spend, to lessen the spend on talent, etc… and they don’t redirect time or dollars to the new challenges created by new technologies, this is a recipe for disaster.

References

InfoQ. (2017, February 22). Mastering Chaos – A Netflix Guide to Microservices. Retrieved June 17, 2018, from https://youtu.be/CZ3wIuvmHeM

Netflix Technology Blog. (2010, December 16). 5 Lessons We’ve Learned Using AWS – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/5-lessons-weve-learned-using-aws-1f2a28588e4c

Netflix Technology Blog. (2011, July 19). The Netflix Simian Army – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/the-netflix-simian-army-16e57fbab116

Netflix Technology Blog. (2012, November 26). Introducing Hystrix for Resilience Engineering – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/introducing-hystrix-for-resilience-engineering-13531c1ab362

Netflix Technology Blog. (2016, August 03). Vizceral Open Source – Netflix TechBlog – Medium. Retrieved June 17, 2018, from https://medium.com/netflix-techblog/vizceral-open-source-acc0c32113fe

Townsend, K. (2016, February 17). 5 lessons IT learned from the Netflix cloud journey. Retrieved June 17, 2018, from https://www.techrepublic.com/article/5-lessons-it-learned-from-the-netflix-cloud-journey/

 

Essay Assignment

In an essay form, develop an example of an XSS vulnerability and an exploit which displays it. You will be expected to include a snippet of code which illustrates an XSS vulnerability and also provides some general discussion of XSS vulnerabilities.

 

Web Vulnerabilities Module Assignment

FIT – MGT5156 – Week 6

Discussion Post

Discuss how testing of ani-malware should be conducted.

The only absolute rule seems to be, don’t conduct anti-malware testing on your production systems. Testing of anti-malware should be performed in an isolated malware testing environment, and care should be taken to ensure that the system is completely isolated. For example, if you construct a malware test lab using a hypervisor and virtual machines, but keep the virtual machines on your production network, well, let’s say that’s not isolated. If correctly set up and configured hypervisors and virtual machines can be a testers best friend.

The Anti-Malware Testing Standards Organization (AMTSO) had developed and documented all sorts of testing guidance from Principles of Testing to Facilitating Testing. The key here is that the testing method must be safe and it must use methods which are generally accepted (consistent, unbiased, transparent, empirical, etc.) (AMTSO, 2018)

The use of generally accepted tools and toolkits for malware research, testing and analysis can easily overcome certain testing obstacles, allowing the analyst to focus on the testing methodology rather than the acceptance of a specific testing tool or platform. Safely conducting testing and ensuring that you are not endangering yourself and others is the burden of the analyst; the complexity of the technologies being used to construct isolated environments and the malware itself can make this complicated, so there is plenty of room for error.

My two favorite toolkits for malware testing are:

  • Flare VM (Kacherginsky, 2017) is essentially a PowerShell script that used BoxStarter and Chocolatey to turn a >= Windows 7 machine into a malware analysis distribution by quickly loading all the tools you need to do malware analysis.
  • REMnux is a Linux distribution for malware analysis and reverse-engineering. Like Flare VM, REMnux contains a set of tools to perform malware analysis and reverse engineering. Because REMnux is built on Linux (an open source operating system), it can be deployed using an install script like Flare VM or via a virtual machine (VM) image which packages the OS and tools making it easy to download, deploy and use.

There are a plethora of security-focused Linux distributions like Kali LinuxBackbox Linux, and the distribution which I use, Parrot Linux. All of these Linux based security-focused distributions offer some of the tools required for malware analysis, but none are focused on malware analysis like REMnux.

Anti-malware is a requirement; it is the last line of defense. Simple malware scanners, heuristics, activity/anomaly-based detection, is not enough. Next generation anti-malware and real-time scanning and discovery is a necessity. Malware can be identified using real-time detection technologies by monitoring activities like:

  • Attempts to alter restricted locations such as registry or startup files.
  • Attempts to modify executables.
  • Opening, deleting or editing files.
  • Attempts to write to or modify the boot sector.
  • Creating, accessing or adding macros to documents.

Not all anti-virus and anti-malware is created equal. avtest.org conducts independent analysis on the efficacy of anti-virus and anti-malware solutions, services like this can be an excellent resource for those looking to make the right decision when selecting anti-virus and anti-malware solutions.

I love this quote: “People have to understand that anti-virus is more like a seatbelt than an armored car: It might help you in an accident, but it might not,” Huger said. “There are some things you can do to make sure you don’t get into an accident in the first place, and those are the places to focus because things get dicey real quick when today’s malware gets past the outside defenses and onto the desktop.” (Kerbs, 2010)

References

Adams, J. (2016, June 8). Building a Vulnerability/Malware Test Lab. Retrieved June 6, 2018, from https://westoahu.hawaii.edu/cyber/building-a-vulnerability-malware-test-lab/

AMTSO. (2018, June 6). Welcome to the Anti-Malware Testing Standards Organization. Retrieved June 6, 2018, from https://www.amtso.org/

Kacherginsky, P. (2017, July 26). FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed! « FLARE VM: The Windows Malware Analysis Distribution You’ve Always Needed! Retrieved June 6, 2018, from https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

Kerbs, B. (2010, June 25). Krebs on Security. Retrieved June 6, 2018, from https://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

REMnux. (2018, June 6). REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware. Retrieved June 6, 2018, from https://remnux.org/

Williams, G. (2018, June 6). Detecting and Mitigating Cyber Threats and Attacks. Retrieved June 6, 2018, from https://www.coursera.org/learn/detecting-cyber-attacks/lecture/xE8ns/snort

 

Discussion Response 1

Good post. IMO it’s essential when discussing anti-malware to consider attack vectors. While anti-malware heuristics are getting better, aided by deep learning, the primary attack vector remains the user, and it seems unlikely that a change in trajectory is on the near-term horizon. Attackers use numerous attack vectors, and when I think about the needle used to inject the virus I think about examples such as:

  • Spam: Where email or social media are the delivery mechanism for malware.
  • Phishing, Spear Phishing, Spoofing, Pharming: Where attackers impersonate legitimate sources or destinations to trick unsuspecting victims to sites that capture personal information, exploit them, etc.

I use the examples above as a way to convey that exploitation often begins with the exploitation of an individual, this happens before the malware infects their system. A lack of knowledge, skill, vigilance, a sense of trust, etc. are all too often the root cause of an issue.

I just recently started taking a Coursera course called “Usable Security” and one area they focus on is HCI (Human-Computer Interaction). They stress how important it is for the designer to make the safeguards understandable and usable, not by the minority of experts but by the majority of casual users. They use two specific examples, at least so far. The first example is a medial cart with a proximity sensor. On paper, the proximity sensor seems like a great idea, but it turns out the doctors didn’t like it, so they covered the proximity sensors with styrofoam cups making the system less effective than the prior system which required the doctor to lock the computer after their session and a reasonable login timeout. The second is the SSL warning system in Firefox, the warning you get about an expired or unsigned certificate, sighting that most people don’t know what this means and add an exception without much thought.

Over the years I have observed the situations like the above with anti-malware software. The software slows the system down, do the tech user disables it or the anti-malware software reports so many false positives that the tech user disables it. The bottom line is there no replacement for human vigilance. I wonder if we can get to a place where the software can protect the user from himself or herself. Whatever the solution, I believe it will need to be frictionless, we aren’t there yet, but maybe someday.

References

Golbeck, J. (2018, June 10). Usable Security. Retrieved June 10, 2018, from https://www.coursera.org/learn/usable-security University of Maryland, College Park

Texas Tech University. (2018, June 10). Scams – Spam, Phishing, Spoofing and Pharming. Retrieved June 10, 2018, from https://www.ttu.edu/cybersecurity/lubbock/digital-life/digital-identity/scams-spam-phishing-spoofing-pharming.php

 

Discussion Response 2

All good points.  Seems almost inconceivable that a tester would be testing something for which they have no knowledge, but of course, we know this is often the case (and this goes way beyond anti-malware software).

You bring up a good point regarding what the tester is testing for. I think we have seen the era of “total security” products that cover everything from firewall to anti-malware, this is likely born from necessity and the need to move from reactive defensive anti-malware focused on scans to provocative strategies which attempt to keep the malware out rather than just focusing on detection and remediation after the fact. I think we are seeing systems emerge today which leverage data mining and deep learning to better protect users. With the level of sophistication being used in both malware and anti-malware I can’t imagine the role of the tester getting any easier. We live in interesting times and on a positive note, I think we can anticipate that they will only get more interesting.

 

Discussion Response 3

Good post. We’ve certainly seen some leaders in the security field have their ethics and motives questioned, most notably Kaspersky Lab (Volz, 2017). I have to admit in the case of Kaspersky Lab it’s hard to not wonder if this isn’t just a bunch of legislators who may have a bigger struggle with ethics and motivation than Kaspersky Lab does, this is a slippery slope. We live in a global economy and having read what Kaspersky Lab volunteered to do, I can’t wonder if this move may have some marketing flare associated with it. avtest.org has consistently rated Kaspersky Lab anti-malware among the best in the industry (AV-TEST, 2018). Is it possible that the Kremlin could have an influence on Kaspersky Lab? I suppose it is (Matlack, Riley & Robertson, 2015), but do I think this was the motivation for the legislation, not likely.

References

AV-TEST. (2018, April 06). AV-TEST – The Independent IT-Security Institute. Retrieved June 10, 2018, from https://www.av-test.org/en/award/2017/

Matlack, C., Riley, M., & Robertson, J. (2015, March 19). Cybersecurity: Kaspersky Has Close Ties to Russian Spies. Retrieved June 11, 2018, from https://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies

Volz, D. (2017, December 12). Trump signs into law U.S. government ban on Kaspersky Lab software. Retrieved June 10, 2018, from https://www.reuters.com/article/us-usa-cyber-kaspersky/trump-signs-into-law-u-s-government-ban-on-kaspersky-lab-software-idUSKBN1E62V4?utm_source=applenews

 

Essay Assignment

How does anti-malware software detect viruses? What techniques are available, and how do they differ?

 

Viruses and Virus Detection Module Assignment

FIT – MGT5156 – Week 5

Discussion Post

Wow, week five already! The long weekend helped me get caught up and break the cycle I’ve been on, yay!

While not the latest in malware I decided to discuss WannaCry (also known as WCry or WanaCryptor). (Hunt, 2017) The reason for my choice is I have personal experience with this self-propagating (worm-like) ransomware. I have spent the last year working on various projects to mitigate the potential impact of ransom malware like WannaCry. In this post, I will explain the ransomware approach that WannaCry took, as it does not differ that dramatically from most recent ransomware. I will also talk a bit about some of the projects that I have been involved in, some of my customer’s concerns and some mitigation strategies like WORM (Write once read many, 2018) and Isolated Recovery (Korolov, 2016) that I have helped automate and implement for customers.

A simple explanation of WannaCry is that it encrypts files, rendering them useless and demands a ransom be paid in bitcoin, of course, to have the files decrypted.

Some basic information on WannaCry (Berry, Homan & Eitzman, 2017):

  1. WannaCry exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol (also known as CIFS of Common Internet File System). (Microsoft, 2017) For our purposes, we can consider SMB and CIFS are synonymous, but in the interest of education the SMB protocol was invented by IBM in the mid-1980’s and CIFS is Microsoft’s implementation of SMB.
  2. The WannaCry malware consists of two key functions, encryption, and propagation.
  3. WannaCry leverages an exploit called EternalBlue (NVD, 2017) to exploit the vulnerability in Microsoft’s SMB protocol implementation.
  4. What makes WannaCry and other ransomware attacks incredibly dangerous is that once on a corporate network they begin propagating using vulnerabilities in sharing protocols like SMB. It’s difficult to firewall these protocols because they are heavily used by users to share data across secure networks.

Ransomware attacks like WannaCry, NotPetya, and Locky created serious concern across many enterprises who store terabytes and petabytes of data on shares which are accessed using the SMB protocol. Organizations started thinking about how they could mitigate the risk of ransomware and what their recovery plan would be if they were hit with ransomware.

Many customers who share data on the Windows server platform leverage the VSS (Volume Shadow Copy Service) to take snapshots and protect / revision data. The idea of a snapshot is it is a point-in-time copy which a user can rollback to. Developers writing malicious software understand pervasive mitigation techniques like the use of VSS snapshots and they address them. Crafty developers of malicious software use vssadmin.exe to remove VSS snapshots (previous versions) so a user can’t rollback to an unencrypted version of the file(s).  (Abrams, 2016)

The obvious risk of having petabytes of data encrypted has created questions regarding the vulnerability of enterprise NAS (Network Attach Storage) devices from manufacturers like DellEMCNetApp, etc… Enterprise-class NAS devices provide additional safeguards like filesystems which are NTFS, no hooks to vssadmin, read-only snapshots, etc… so the protections are greater, but corporations are still concerned with zero-day exploits so additional mitigation approaches are being developed. Backing up your data is an obvious risk mitigation practice, but many enterprises are backing up to disk-based backup devices which are accessible via the SMB protocol so this has raised additional questions and cause for concern. A model called “Isolate Recovery” which leverages an air gap (Korolov, 2016) and other protection methods to ensure that data is protected, this is more of a programmatic implementation of a process then it is a technology.

Example Topology
[HOST] <-> [NETWORK] <-> [SHARED STORAGE] <-> [NETWORK] <-> [BACKUP TARGET]
Note: This is a simple representation but what is important to know here is that the HOST, SHARED STORAGE and BACKUP TARGET (could be a disk-based backup target or a replicated storage device) are all SMB accessible.

Example Isolated Recovery Topology
[HOST] <-> [NETWORK] <-> [SHARED STORAGE] <-> [NETWORK] <-> [BACKUP TARGET] <-> [NETWORK] <-> /AIR GAP/ <-> [ISOLATED RECOVERY TARGET]
Note: In this case, there is a tertiary copy of the data which resides in an isolated recovery environment which is air gapped. This paradigm could also be applied with only two copies of the data by air gapping the backup target, little tricker, but it can be done.

From a programmatic process perspective, the process might look something like this: https://gist.github.com/rbocchinfuso/a8b688546fad294d04281ab6eb632bfd#file-isolatedrecovery-md

A WORM (write once read many, not work as in virus) process is triggered via cron or some other scheduler or trigger mechanism might look something like this: https://gist.github.com/rbocchinfuso/b78a8a3a41021fc0df9c/#file-retentionlock-sh
Note:  This script is specific to WORM on a Data Domain disk bases backup device and leverages a feature called Retention Lock. The atime (access time) (Reys, 2008) of the file(s) is changed to a date in the future which places the file in WORM compliant mode until such date, once the date is reached the file reverts back to RW and can be deleted or modified.

References

Abrams, L. (2016, April 04). Why Everyone Should disable VSSAdmin.exe Now! Retrieved May 29, 2018, from https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/

Air gap (networking). (2018, May 27). Retrieved May 29, 2018, from https://en.wikipedia.org/wiki/Air_gap_(networking)

Berry, A., Homan, J., & Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved May 29, 2018, from https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

Hunt, T. (2017, May 18). Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware. Retrieved May 29, 2018, from https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

Korolov, M. (2016, May 31). Will your backups protect you against ransomware? Retrieved May 29, 2018, from https://www.csoonline.com/article/3075385/backup-recovery/will-your-backups-protect-you-against-ransomware.html

Reys, G. (2008, April 11). atime, ctime and mtime in Unix filesystems. Retrieved May 29, 2018, from https://www.unixtutorial.org/2008/04/atime-ctime-mtime-in-unix-filesystems/

Microsoft. (2017, October 11). Microsoft Security Bulletin MS17-010 – Critical. Retrieved May 29, 2018, from https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

NVD. (2017, March 16). NVD – CVE-2017-0144 – NIST. Retrieved May 29, 2018, from https://www.bing.com/cr?IG=F94DFB39323448E6A46972AE19E1BB95&CID=304F78623FEB653F3DCF739C3E166483&rd=1&h=Dh-3S1QaiFT9tJkWNYeBAluFO8Y9ylpehdjBtEs6kAU&v=1&r=https://nvd.nist.gov/vuln/detail/CVE-2017-0144&p=DevEx.LB.1,5527.1

Write once read many. (2018, April 10). Retrieved May 29, 2018, from https://en.wikipedia.org/wiki/Write_once_read_many

 

Discussion Response 1

Good post on a very relevant and current topic.   IMO this trend will continue, the replacement of ASICs and RTOS with commodity ARM/x86 architecture and Linux makes it a lot easier for someone to create malicious code that can exploit routers across multiple manufacturers like Linksys, MikroTik, Netgear, and TP-Link.  I remember 20 years ago when if you wanted to go fast you used an ASIC and an RTOS like VxWorks, but x86 got so fast that ASICs no longer made sense for most applications, the ability to commoditize the hardware with a general purpose OS like Linux drove down cost and increased release velocity, a win all around.  With that said I think we may be on the doorstep fo a new cycle, we are seeing general purpose GPUs being used for everything from machine learning to crypto mining, these are essentially general purpose integrated circuits.  Power and environmental requirements are a big deal with general purpose GPUs and I believe we are on the doorstep of a cycle that sees the return of the ASIC. The TPU is is the beginning of what I believe will be a movement to go faster, get greener and more secure.

 

Discussion Response 2

Well done, as usual, well researched written and engaging exploration of different types of malware.
Response short this week because I spent most of my reading and responding time on Dr. Ford’s polymorphic coding challenge, a great exercise, wish there was more work like this.

 

Discussion Response 3

Dr. Ford’s polymorphic coding challenge

Anyone else given Dr. Ford’s polymorphic coding challenge a try?

Here is where I am:

  1. I am a Linux user so fired up a Win7 VM (suppose I could have done this in a dosbox or qemu freedos session, like Dr. Ford suggested, but been so long since I worked in 80 columns I find it unbearable).
  2. Used Bloodshed Dev-C++ w/ MinGW as C compiler.
  3. Got this far but I think I am missing something because obviously, the hex signature is the same for each .com file. Feel like this should not be the expected behavior.

Source Code: https://gist.github.com/5859ee8be77fd188f78b64eaa8538c62#file-hello-c

YouTube video of the compile, execute and hex signature view of hello0.com and hello1.com files: https://youtu.be/2vQOS4E1JB0
Note: Be sure to watch in 1080p HD quality.

I am not sure how I would alter the hex. I believe the hex code at the top of the stack needs to be what it is, the hex code for “Hello World!” just maps back to the hex for the ASCII characters.

When I look at hello0.com, hello1.com, etc… with a hex viewer the hex is the same, as you would expect. Does anyone have any thoughts on this? I would think a virus scanner would pick up this signature pretty easily.

 

Discussion Response 4

Replying to my own post with disassembled hello0.com and hello1.com files.
Wondering if this is polymorphic because hello.exe and the spawned hello?.com files have differing signatures.

> ndisasm hello0.com
00000000 0E push cs
00000001 1F pop ds
00000002 BA0E01 mov dx,0x10e
00000005 B409 mov ah,0x9
00000007 CD21 int 0x21
00000009 B8014C mov ax,0x4c01
0000000C CD21 int 0x21
0000000E 48 dec ax
0000000F 656C gs insb
00000011 6C insb
00000012 6F outsw
00000013 20576F and [bx+0x6f],dl
00000016 726C jc 0x84
00000018 642124 and [fs:si],sp

bocchrj@WIN7 C:\src\hello
> decompile –default-to ms-dos-com hello0.com

bocchrj@WIN7 C:\src\hello
> decompile –default-to ms-dos-com hello1.com

bocchrj@WIN7 C:\src\hello
> type hello0.asm
;;; Segment code (0C00:0100)

;; fn0C00_0100: 0C00:0100
fn0C00_0100 proc
push cs
pop ds
mov dx,010E
mov ah,09
int 21
mov ax,4C01
int 21
0C00:010E 48 65 He
0C00:0110 6C 6C 6F 20 57 6F 72 6C 64 21 24 llo World!$

bocchrj@WIN7 C:\src\hello
> type hello1.asm
;;; Segment code (0C00:0100)

;; fn0C00_0100: 0C00:0100
fn0C00_0100 proc
push cs
pop ds
mov dx,010E
mov ah,09
int 21
mov ax,4C01
int 21
0C00:010E 48 65 He
0C00:0110 6C 6C 6F 20 57 6F 72 6C 64 21 24 llo World!$

 

Essay Assignment

What are the financial and other models which drive malware? How do they impact the types of malware seen?

 

Malware History Module Assignment

FIT – MGT5156 – Week 4

Discussion Post

Discuss ROP and code injection.

Late yet again, probably later than I needed to be, but like Dr. Ford said this week at the beginning of the lecture, this was the week I was waiting for, and I had to get a little dirty and break some stuff.

Code injection typically refers to getting something (data) that is not machine code to run as code. Code injection tries to take control of a machine by gaining privilege, the privilege that code injection works to obtain is the ability to run binary code.

To understand code injection and buffer overflows understanding the stack is essential. Return-Oriented Programming (ROP) focuses on overwriting a buffer on the stack, which overwrites the return address and allowing the attacker to jump back onto the stack and execute an instruction, to prevent this, a few defense mechanisms have been developed. (Ford, 2018)

  • The no-execute flag marks something in makes memory non-executable. Data Execution Prevention (DEP) works by using the no-execute flag to prevent attackers from executing data as if it were code. Attackers are unable to execute code from the stack.
  • Address Space Layout Randomization (ASLR) works by randomly moving segments of a program around memory; this prevents the attacker from predicting gadget addresses.
  • Stack cookies (canaries) is a random value written to the stack immediately preceding the return address. Before the return address is executed the system checks to see if the canary has been overwritten, it the canary has been overwritten the system will trap execution.

ROP is based on the Return-to-Libc exploit technique but uses gadgets from different areas of memory to create an executable program.

ROP gadgets may look like:
0x1000b516 : pop eax ; pop ebp ; ret
0x10015875 : pop eax ; pop ebp ; ret 0x1c
0x1000ffe3 : pop eax ; pop ecx ; xchg dword ptr [esp], eax ; jmp eax
(apriorit, 2017)

While the widespread adoption of DEP which ensures that all writable pages in memory are non-executable has made classic code injection attacks difficult, ROP has become the approach for all modern attacks. Rather than injecting malicious code the attacker chains together existing code which already exists in the stack, these code snippets which are taken from the stack and are called gadgets. (TehAurum, 2015)

I was really interested in getting some hands-on experience here to see how this worked in the real world. A bit of googling and I happened across this website: https://samsclass.info/127/proj/lbuf1.htm – I fired up a Linux machine with Vagrant on my desktop and started playing.

Here is my ASLR example
Note:  I ran in debug mode to show all the commands.  Lines prefixed by the + symbol are input commands and lines with no prefix are output.
vagrant@vagrant-ubuntu-trusty-64:~$ sh -x aslr.sh
+ echo Let’s make sure ASLR is enabled
Let’s make sure ASLR is enabled
+ sudo tee /proc/sys/kernel/randomize_va_space
+ sudo echo 1
1
+ echo Let’s look at the C code that will print the esp (pointer) memory address
Let’s look at the C code that will print the esp (pointer) memory address
+ cat esp.c
#include <stdio.h>
void main() {
register int i asm(“esp”);
printf(“$esp = %#010x\n”, i);
}
+ echo Let’s compile the source code into an executable program
Let’s compile the source code into an executable program
+ gcc -o esp esp.c
+ echo Let’s execute the the binary executable esp three times
Let’s execute the the binary executable esp three times
+ ./esp
$esp = 0xd47931b0
+ ./esp
$esp = 0x5526d700
+ ./esp
$esp = 0xf7542b00
+ echo You can see that the memory address changes each time (ASLR at work here)
You can see that the memory address changes each time (ASLR at work here)
+ echo Let’s disable ASLR
Let’s disable ASLR
+ sudo tee /proc/sys/kernel/randomize_va_space
+ sudo echo 0
0
+ echo Lets’ execute the binary executable esp three more times
Lets’ execute the binary executable esp three more times
+ ./esp
$esp = 0xffffe620
+ ./esp
$esp = 0xffffe620
+ ./esp
$esp = 0xffffe620
+ echo You can see that now the memory ddress remaind the same each tiem (ASLR disabled)
You can see that now the memory ddress remaind the same each tiem (ASLR disabled)
vagrant@vagrant-ubuntu-trusty-64:~$

I pushed on to more more complex exercises; these are both excellent ones:

A couple of pointers to get started:

  1. Get Virtualbox to build your sandbox. (https://www.virtualbox.org/wiki/Downloads)
  2. Download a Windows 7 Vbox image (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/) to run the vulnserver executable you will get above on (note: get vulnserver.zip from the alternate link)
  3. Download Kali Linux for Vbox image (https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-hyperv-image-download/)

I left a bunch of stuff out like how to configure networking, getting going with Immunity Debugger, etc… but it’s about the journey, not the destination. Right?

References

Carlini, N., & Wagner, D. (2014, August). ROP is Still Dangerous: Breaking Modern Defenses. In USENIX Security Symposium (pp. 385-399).

Ford, R. (2018, May 23). Vulnerabilities: How Things Go Wrong, Part 2. Retrieved May 23, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTYvQ1lCNTI4ME04VjEvRGF0YS9tb2R1bGUueG1s

Shacham, H. (2007, October). The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86). In Proceedings of the 14th ACM conference on Computer and communications security (pp. 552-561). ACM.

TehAurum. (2015, December 30). Exploit Development: Stack Buffer Overflow – Bypass NX/DEP. Retrieved May 25, 2018, from https://tehaurum.wordpress.com/2015/06/24/exploit-development-stack-buffer-overflow-bypass-nxdep/

apriorit. (2017, June 02). ROP Chain. How to Defend from ROP Attacks (Basic Example). Retrieved May 25, 2018, from https://www.apriorit.com/dev-blog/434-rop-exploit-protection

 

Discussion Response 1

Good post, given that you were interested in tips I thought I would respond with a toolkit for playing with buffer overflows and code injection.
The toolkit (assuming you are a Windows user):

  • Code:Blocks:  http://www.codeblocks.org/downloads/binaries
    • This is a good free C IDE and Compiler
    • Note:  Grab either codeblocks-17.12mingw-setup.exe or codeblocks-17.12mingw-nosetup.zip
    • Note:  To use the debugger you will need to set it up Setting -> Debugger -> Default, and enter path to gdb32 (on my system this is  path_to\codeblocks-17.12mingw-nosetup\MinGW\gdb32\bin\gdb32.exe but it will vary, just find gdb32.exe and enter full path here).  You will also need to make sure you create a project and add .c files to the project otherwise you won’t be able to debug.
  • OllyDbg:  http://www.ollydbg.de/ or IDA https://www.hex-rays.com/products/ida/support/download.shtml
    • Both good debuggers and disassemblers that will let you view the stack.

Some code to get started with:
/* vuln.c */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

int func (char *str)
{
char buffer[5];
strcpy(buffer, str);
return 1;
}
int main(int argc, char **argv)
{
char str[517];
FILE *inputfile;
inputfile = fopen(“inputfile.txt”, “r”);
fread(str, sizeof(char), 517, inputfile);
func (str);
printf(“Returned Properly\n”);
return 1;
}

– Create a text file called inputifile.txt and place at least 517 characters in it.
– Compile and execute vuln.c
– Set a breakpoint at main() and debug to see what happens.

Play around with the size of the read or write buffer:
By Changing the value of 5 in “char buffer[5]” in func() to 517
OR
By changing the value of 517 “char str[5]” and “fread(str, sizeof(char), 5, inputfile)” in main() to 5

If you debug while you play you will start to see things happen.

Happy hacking!

 

Discussion Response 2

I’ve started doing some additional research and sandboxing because I am wondering about Return Oriented Programming (ROP) as a method to circumvent Address Space Layout Randomization (ASLR).  Need some hands-on time to really understand how gadgets can be chained given that the address space is randomized.

Doing some additional reading and experimenting to better understand the topic:

Anyway, I feel like I have a good handle on buffer overflows and ROP when ALSR is disabled.  I have played with this on Linux by disabling ASLR on Linux (sudo echo 1 | sudo tee /proc/sys/kernel/randomize_va_space) and when debugging I can see that instructions always reside in the same stack address.  OK, back to the sandbox.

 

Discussion Response 3

Sharing this link
All here is a good free sample from a Coursera and the University of Maryland that reviews much of what we spoke about this week. I found it helpful to reinforce the concepts so I am sharing with you.

https://www.coursera.org/learn/software-security/lecture/Lz5GW/low-level-security-introduction

 

Essay Assignment

Describe in detail code injection attacks and the countermeasures that exist to stop them. What future solutions are there?

 

Midterm Exam

 

Grade: 98%

FIT – MGT5156 – Week 3

Discussion Post

Discuss open source vs. closed source and security.

Another ridiculous week leads to another late discussion post, feeling like a real slacker.  Luckily things settle down next week, so I should be back on track. Apologies to my peers for my late post, yet again, all I could do this week to avoid a mental breakdown was accept a late discussion post.

Before we get started discussing the facts (or opinions of others) associated with open source vs. closed source I wanted to share some personal thoughts on this topic.  I remember installing Slackware Linux (Slackware, 2018) back in 1993, from 20+ floppies, the access to the source code, the ability to tweak or modify the kernel had me convinced that open source would eventually eclipse closed source.  After running Slackware for a few years, like many early Linux adopters I tried other early distributions like Yggdrasil (Yggdrasil, 2018) and Debian (Debian, 2018). In or around 1998 I read Eric Raymond’s essay, “The Cathedral and the Bazaar” (Raymond & Young, 2001), it was around this time that commercial distributions like RedHat (RedHat, 2018) and Caldera (Caldera OpenLinux, 2018) were beginning to take hold in the enterprise.  During this period, I worked in big pharma, and I had traded shell scripting, sed, and awk for a cross-platform interpreted open source language called Perl developed by a guy named Larry Wall. I can remember how fast we were moving now that we were building web applications with open source tech like Apache, CGI, and Perl. Security was for people who didn’t want to go fast, just hit CPAN, grab the library and go. (Perl, 2018). I highly recommend reading “The Cathedral and the Bazaar”, if not, watch the documentary called “Revolution OS”. (Revolution OS, 2012) IMO Raymond’s essay was on the money, but a little early to the market.  Raymond outlined the open source model perfectly, but we were in the age of the innovation, rapid change and resistance; today the open source, agile and the DevOps movements have allowed Raymond’s vision of the Bazaar to be fully realized, and the benefits to agility and velocity are unparalleled. As we all know from Clayton M. Christensen’s book “The Innovator’s Dilemma” (Christensen, 2016), innovators struggle to retain market leading positions, the open source world has many examples of this, first movers like Slackware and VA Linux (Tozzi, 2016) are today either niche players or gone from the market. I provide this detailed background because IMO the paradigm shifts brought about by the movement from the cathedral (closed source, rigid release cycles, etc.) to the bazaar model (open source, continuous integration, etc.) has some real and some perceived implications on security.

I’d like to point out an observation regarding security and social behavior.  People tend to watch their possessions in a cathedral with less vigilance than they would in a bazaar.  This behavior is human nature; when we feel safe we relax, when we feel unsafe we keep a watchful eye, I believe it’s this human behavior that is very impactful.

No matter how much research you do, the answer is almost always that open source vs. closed source in the context of security is a matter of preference rather than one model being more secure than the other. (Security Showdown: The Open Source vs. Closed Source Debate, 2017) Vulnerabilities exist, and there will always be those who seek to exploit them.  My personal opinion is that OSS (open source software) has a perceived attack surface by the user which is broader than that of closed source software; thus the community is more vigilant. Those who willing adopt OSS know they are moving into a neighborhood with a high crime rate, so they are more likely to lock the door. The alternative opinion is that closed source is less vulnerable because the source code is not “readily” available (Lettice, 2004), but the “security through obscurity” paradigm has been proven to be a poor one.  There are comparable examples of both open source, and closed source exploits such as Heartbleed the OpenSSL vulnerability and WannaCry the ransomware attack that targeted Microsoft Windows users. (Security Showdown: The Open Source vs. Closed Source Debate, 2017) With this said there are not many closed source operating systems or applications which do not contain some piece of open source code.  OpenSSL exists everywhere, and Microsoft Windows has had a package called SFU (Services For Unix) as an operating system option since 1999, today it allows Windows 10 users to run a full Linux distro in user mode on top of the Windows kernel and as we all know Linux is open source. While closed source software is not going away, open source code integrated into closed source by almost every closed source provider today making the perceived closed source controls are just that, perception, not reality.

To close out my thoughts here, open source vs. closed source is merely a matter of preference and perception.  I believe that the danger lies in the perception that closed source is somehow less vulnerable than open source, this perception relaxes the security posture, and the best way to prevent a breach is to be vigilant.  Linux, the open-source operating system which powers greater than sixty-seven percent of the internet along with open source applications like Apache, Nginx, etc. may be the most prominent targets, but they also may be the most well-defended targets. (Open Source vs Closed Source – Which Is More Secure?, 2017) The inability to obscure open source should remove the sense of “security through obscurity” and foster a sense of vigilance, does this always happen, no, but the premise is sound.

References

Caldera OpenLinux. (2018, May 15). Retrieved from https://en.wikipedia.org/wiki/Caldera_OpenLinux

Christensen, C. M., & Christensen, C. M. (2011). The innovator’s dilemma: The revolutionary book that will change the way you do business. Harper Business.

Debian. (2018, May 18). Retrieved from https://en.wikipedia.org/wiki/Debian

Lettice, J. (2004, Feb 13). MS Windows source code escapes onto Internet. Retrieved from https://www.theregister.co.uk/2004/02/13/ms_windows_source_code_escapes/

Open Source vs Closed Source – Which Is More Secure? (2017, June 13). Retrieved from http://www.franklinfitch.com/blog/2017/06/13/open-source-vs-closed-source-secure/

Perl. (2018). Retrieved from https://www.perl.org/

Raymond, E. S. (1999). The cathedral and the bazaar: Musings on Linux and Open Source by an accidental revolutionary. O’Reilly.

Red Hat. (2018, May 17). Retrieved from https://en.wikipedia.org/wiki/Red_Hat

Revolution OS. (2012, January 25). Retrieved from https://youtu.be/jw8K460vx1c

Security Showdown: The Open Source vs. Closed Source Debate. (2017, April 04). Retrieved from https://www.veracode.com/blog/security-showdown-open-source-vs-closed-source-debate

Tozzi, C. (2016, July 29). Open Source History: The Spectacular Rise and Fall of VA Linux. Retrieved from http://www.channelfutures.com/open-source/open-source-history-spectacular-rise-and-fall-va-linux

Yggdrasil. (2018, May 12). Retrieved from https://en.wikipedia.org/wiki/Yggdrasil

 

Discussion Response 1

Nicely done, good read. Open Source can be a confusing topic, even to those who live it daily. The guttural instinct is to assume that open source is free, like “freeware” but this would be incorrect. There is a quote from Richard Stallman the founder of the GNU (GNU’s Not UNIX!) movement that perfectly describes the freedoms of Open Source; the quote reads “Think ‘free speech’, not ‘free beer.'” The challenge with the word “free” is it does not distinguish between “free of charge” and “liberty.” The other things that further complicates open source are the number of license agreements which can be applied to open source works, they differ slightly, and the author has to know what he or she is trying to accomplish when applying these licenses to their work. Popular open source licenses include the GPL (General Public Licenses) for which there are multiple versions and controversy over each (Watch Revolution OSBruce Perens discusses the GPL at length, and Eric Raymond explains the cathedral and the bazaar at length), the MIT license, the Apache license, etc.

I agree that perspective plays a significant role in regards to security and open source vs. closed source. With regards to the attack surface, I think we have to be careful to distinguish vulnerabilities from exploits (i.e. – a piece of malware targeted at a specific vulnerability is written and released into the wild). I like your thought on hackers wanting to disassemble compiled source code to hack it, not sure if they are looking for that kind of challenge, but it’s possible. I think the reality is that today hackers target the user as much as they do the system. When you think about Linux, you think a user that understands the system, unlikely they bought their computer loaded with Debian at Best Buy, this user harder to social engineer and deliver a malicious payload. When you think about the average Windows, sure some people understand the system, but then there are my parents who click on every link they get emailed. Systems like Windows understand their demographics; they attempt to balance security and user experience, but features like “autorun” naturally make these systems more vulnerable.  The user demographics and attack surface (adoption rate, number of versions that can be impacted, etc.) matter.

Like I mentioned above, on a rainy day watch “Revolution OS” and you’ll have a great intro to open source. If you like it, I recommend “The Code: Story of Linux“.

References

AutoRun. (2018, May 10). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/AutoRun
Bruce Perens. (2018, May 19). Retrieved May 20, 2018, from https://en.wikipedia.org/wiki/Bruce_Perens
Hash, V. (2012, January 25). Revolution OS. Retrieved May 20, 2018, from https://youtu.be/jw8K460vx1c
N, A. (2014, July 23). The Code: Story of Linux documentary (MULTiSUB). Retrieved May 20, 2018, from https://youtu.be/XMm0HsmOTFI
Open Source Licenses & Standards. (n.d.). Retrieved May 20, 2018, from https://opensource.org/licenses
RobinGood. (2006, October 19). Richard Stallman – What is free software? Retrieved May 20, 2018, from https://www.youtube.com/watch?v=uJi2rkHiNqg

 

Discussion Response 2

excellent post, I would like to point out a few thoughts that I think are important aspects of open source. First, remember open source is about freedom and liberties and has nothing to do with dollars and cents. If you were to look at the market today, and all the attributed open source software I think you would be surprised by the amount of revenue that is being generated by open source software and its derivatives. It is also important to realize that while the community of open source subject matter experts dwarfs that of closed source, open source has a robust support paradigm. Let’s look at an example; I’ll use Amazon Web Services as a cloud company built almost entirely on open source. Let’s look at a prominent AWS’ service like EC2 (Elastic Cloud Compute) which is built using Linux and the Xen hypervisor, both open source projects. EC2 is just one of the dozens of AWS services built using open source, that is packaged and delivered to customers with support in a business model (the cloud) that will drive north of 20 billion in revenue in 2018. How about Nvidia and the machine learning craze? Nvidia has been a GPU (Graphics Processing Unit) leader for years, their primary customers were gamers, but the use of GPUs for AI, machine learning, and cryptocurrency mining has propelled Nvidia to new heights. Nvidia capitalized on the machine learning craze and their hardware platform by packaging their hardware with open source software; they called this the DGX-1, a turnkey platform for machine learning. What is the secret to the DGX-1? It’s packaged open source. The challenge with open source, especially in complex applications like machine learning is compatibility, what version of Nvidia CUDA code do I need to pair with my required version of TensorFlowMXNet, etc., etc. Those who don’t need commercial support, like me, build systems that closely parallel what Nvidia did in the DGX-1, and we will turn to the community for help (e.g., GitterStackOverflow), an example of a packaged machine learning system is Deepo, almost identical to how the DGX-1 is constructed. For the average enterprise where the tech is context, they may prefer to turn to Nvidia for support. Does AWS buy open source support, the answer is no, they employ people capable of debugging the source code and self-support; alternatively the Kalamazoo Credit Union may have a machine learning project, but they don’t want to be debugging the framework source code, they are likely to purchase a Nvidia DGX-1.

I don’t think I can agree with the open source training and usability hypothesis. Conduct a Google search for “learn R”, then conduct one for “learn Matlab” and see if you see a difference in the number of resources for R (open source) vs. Matlab (closed source).

On the topic of security, this is a pretty close to a religious argument, what I believe is that the weakest link in the system is the user. I also think that there is a link between the user and exploitation. All systems have vulnerabilities, the Linux kernel has more vulnerabilities than the Windows 10 by nearly a factor of 2x, but if you leave the door open and no one robs you there is an unrealized impact. Windows is a target because there is social engineering required to deliver a malicious payload, the link between the user, system usability and ability to exploit a vulnerability is a subjective measure (because I have not done the research), but I believe empirical data would support it.

References

Amazon EC2. (n.d.). Retrieved May 20, 2018, from https://aws.amazon.com/ec2/

CUDA Zone. (2017, September 30). Retrieved May 20, 2018, from https://developer.nvidia.com/cuda-zone

Dignan, L. (2018, May 17). Nvidia continues to ride AI, gaming, machine learning, crypto waves. Retrieved May 20, 2018, from https://www.zdnet.com/article/nvidia-continues-to-ride-ai-gaming-machine-learning-crypto-waves/

Gitter. (n.d.). Retrieved May 20, 2018, from https://gitter.im/

MXNet: A Scalable Deep Learning Framework. (n.d.). Retrieved May 20, 2018, from https://mxnet.incubator.apache.org/

NVIDIA DGX-1: Essential Instrument of AI Research. (n.d.). Retrieved May 20, 2018, from https://www.nvidia.com/en-us/data-center/dgx-1/

TensorFlow. (n.d.). Retrieved May 20, 2018, from https://www.tensorflow.org/

The Linux Kernel documentation. (n.d.). Retrieved May 20, 2018, from https://www.kernel.org/doc/html/latest/

Top 50 Products By Total Number Of “Distinct” Vulnerabilities in 2017. (n.d.). Retrieved May 20, 2018, from https://www.cvedetails.com/top-50-products.php?year=2017

Ufoym. (n.d.). Ufoym/deepo. Retrieved May 20, 2018, from https://github.com/ufoym/deepo

Where Developers Learn, Share, & Build Careers. (n.d.). Retrieved May 20, 2018, from https://stackoverflow.com/

Xen Project. (n.d.). Retrieved May 20, 2018, from https://www.xenproject.org/

 

Discussion Response 3

I think you hit on an excellent point here with the IKEA furniture analogy.
IKEA produces closed source furniture that requires assembly, and they provide subpar documentation. It’s been a while since I bought something from IKEA (kids not off to college yet), but given the price point, I can only imagine what the dial-in support experience is.
Let’s contrast this with the Norm Abrams and the New Yankee Workshop, what I would consider open source furniture. Norm delivers high-quality plans to a consumer who possesses a certain skill level, is willing and capable of reading the plans, acquiring the raw material, etc. If you are this individual, you get a higher quality deliverable, but it requires a generally higher level of skill as a starting point. If you don’t possess this starting level of expertise, you might lose a finger. Many people will buy from IKEA because they are afraid of losing a finger.
Microsoft is to IKEA what Linux Torvalds is to Norm Abrams, closed source vs. open source in the context of self-assembled furniture; I love it!
As a developer I read release notes, I make sure a patch won’t render a library I am using inoperable, well actually not so much anymore because I pretty much microservice everything and use containers to avoid this dependency pitfall, but the anecdote serves a purpose. Your wife is a smart Windows user, she’s the anomaly though, kudos to here for developing here own test and QA department :), the reality is most windows users upgrade with no idea what is happening, then they scramble when something stops working.

Enough has been said on the religious argument of the security of open source vs. closed source so I will leave this alone at this point. 🙂

Thanks for the IKEA idea, I will definitely be using it in the future! 🙂

 

Essay Assignment

Write an essay contrasting the security models of Linux, iOS, and Windows. Which is more secure and why?

 

OS Security Module Assignment

FIT – MGT5156 – Week 2

Discussion Post

Discuss how an attacker looks at the system.

Sorry for the late post, having too much fun at the ServiceNow Knowledge18 CreatorCon (ServiceNow, 2018) this week; heads down “hacking” some Javascript and Groovy for the past three days and just coming up for air.

What is a hacker? In the context of this class, at least thus far a “hacker” is probably best defined as a person who uses computers to gain unauthorized access.
In his 2004 essay “The Word ‘Hacker’,” Paul Graham states that the word “‘hacker’ connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not.” I much prefer this definition.

Before I begin to dig into this weeks post, I want to say how much I love Open Source and the community, but every now and again I am reminded how important vigilance is. Earlier this week, there was an article about a Python library called “ssh-decorate” luckily I make extensive use of “Paramiko” (Paramiko, 2018) and not ssh-decorate, but I could have just as easily used the “ssh-decorate” library, and my ssh creds could be sitting on some server with a .cf domain. (Cimpanu, 2018)
Open Source has created this model where people (developers like me) grab a library; they grab a Docker container, etc. from the community and they build and roll to production. The backdoors metastasize so quickly because a library like “ssh-decorate” is embedded into millions of applications.

Before I get into the research on how an attacker looks at a system, let me say that I see a system like as the best puzzle game on the planet, one that enraptures me. These puzzles can hold my attention for sleepless days fueled by heavy metal and coffee with the only goal being to solve the puzzle. I consider myself a hacker, a builder, a creator, a developer, an instigator and quite often an agitator. For as long as I can remember I loved taking things apart, learning how they work, making something new from something old and accessing systems which I had no explicit permission to access. I am obsessive (apparently a common trait) and I like to think of myself as a digital explorer and everything from RF hacking to hardware hacking interests me. It’s a great day when you’re sitting on your lawn and have control of your neighbor’s wirelessly controlled devices, like their garage door, car, etc. I like to think of myself as the neighborhood watch, teaching people about the danger that lurks around them. 🙂
If you have never seen an RF hack this is a pretty good video: https://www.youtube.com/watch?v=oGfRAbJ0u0Y
Incredibly easy to execute with the right device, the HackRF One SDR (Software Defined Radio).

Subjectively I believe that hackers regardless of motivation look at systems like a puzzle. Regardless of objectives like financial gain, espionage, FIG (fun, ideology, and grudge), other (errors, glitches, etc.) (calyptix, 2018) I don’t believe a hacker can successfully execute unless their motivation is far more intrinsic, a motivation where the journey is far more interesting than the destination. A McAfee blog (McAfee, 2018) lists seven types of hacker motivations, I agree with these as the motivation for a hack, but I think the motivation of the hacker is far more ubiquitous and foundational. Deep down the separation between a whitehat hacker and blackhat hacker is not that great, one found a legal way to satiate their desire, and one is a bit more mischevious, but the underlying motivation is the same.

In “Understanding the hacker psyche” Steve Gold states that early hackers were motivated by “beating the system”, the next generation of hackers become more destructive and finally the 21st hacker who became cyber-criminals looking for focused on financial gain. (Gold, 2011)

“Hackers have a compulsion to analyze, to explore and to be curious to the point of obsession.” (Kropko, 2015) I agree! This quote conveys who hackers are, and they look at systems as the only puzzle capable of satiating their compulsion.

References

calyptix. (2018, March 19). What Motivates Hackers? Money, Secrets, and Fun. Retrieved March 09, 2018, from https://www.calyptix.com/top-threats/motivates-hackers-money-secrets-fun/

Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/

Kropko, M. (2015, April 16). How Hackers Think: Researcher studies the hacker mind | think:blog. Retrieved from http://blog.case.edu/think/2015/04/16/how_hackers_think_researcher_studies_the_hacker_mind

Gold, S. (2011). Understanding the hacker psyche. Network Security, 2011(12), 15-17. doi:10.1016/S1353-4858(11)70130-1

Graham, P. (2004, April). The Word “Hacker”. Retrieved May 09, 2018, from http://www.paulgraham.com/gba.html

McAfee. (2018, March 16). 7 Types of Hacker Motivations. Retrieved May 09, 2018, from https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/

Paramiko. (2018, April 19). Paramiko/paramiko. Retrieved May 09, 2018, from https://github.com/paramiko/paramiko

ServiceNow. (2018, March 09). Find Your Happy Place At Knowledge18. Retrieved from https://knowledge.servicenow.com/sessions/creator-con.html

 

Discussion Response 1

I like how you framed the perspective in which an attacker looks at the system, by stating that “an attacker looks at the system through its most vulnerable entry point.”  I think this was a tricky question because of the nuance between how someone looks at something vs. how some sees or perceives something.  I think both perspective and what attacker sees (perception) once the information is processed is are critical details.  I liked your opening because it got me thinking that different attackers will look at the system differently, their perspective and how they see the system will vary based on who they are.  Some attackers may be more adept at social engineering while others prefer writing malware.  Today we think about attackers as human beings, but this may not be the case in the future, with projects like Deephack (https://www.youtube.com/watch?v=wbRx18VZlYA) and other AI-driven attacks frameworks are adopted.  WIth AI the attacker likely looks at the target based on their motivation, like curiosity, criminal activity, etc… and then just targets the AI-driven attack.

 

Discussion Response 2

I enjoyed reading your post. Do you think the primary motivation of attackers (aka hackers) is malicious intent?  Or do we just tend to only hear about the attackers who have conducted malicious activity?  I suppose the word attacker may imply a blackhat hacker with malicious intent, but I believe that the number of hackers who are more focused on curiosity dwarf the number of hackers with malicious intent.

Maybe the answer here lies in not using the words attacker and hacker synonymously.  Paul Graham’s 2004 essay The Word “Haker” is a great read.  Great innovators have been called hackers, but they attacked nothing more than a problem no one else had or could solve.  Steven Levy’s book “Hackers: Heroes of the Computer Revolution” chronicles hackers such as Bill Gates, Mark Zuckerberg, Richard Stallman and Steve Wozniak.  OK, maybe Zuckerberg attacked our privacy. 🙂

 

Discussion Response 3

I liked your mention of pre-prod, unit and functional testing.  Based on your description doesn’t sound like you are yet doing continuous delivery and blue-green deployments?  You’ll enjoy this read:  http://blog.christianposta.com/deploy/blue-green-deployments-a-b-testing-and-canary-releases/

Regardless, when it comes to security in a world increasingly dominated by developers (“The New Kingmakers“, another great read) the vulnerabilities are entering the system really early, like this weeks issue you with the ssh-decorate Python library, how many developers were leveraging that library, how many apps were impacted, a lot.

References

Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/

 

Discussion Response 4

Very interesting perspective.  It would be interesting to contrast hacker demographics with drug lord demographics (E.g. – Gary McKinnon vs. Pablo Escobar). I haven’t done the research, but I suspect a comparison of hackers and drug lords night reveal some motivations that might provide some insight into how the wealth created through cybercrime might look different than the wealth created by the drug trade. It is my hypothesis that the primary motivations differ, curiosity being the hallmark of the hacker and survival being the hallmark of the drug lord, again I don’t have the data so just hypothesizing. With that said there’s the case of Kim Dotcom and Mega, which supports your argument. 🙂
Kim Dotcom, The Good Life: https://youtu.be/oDiili2Gs-0

Time will tell, it’s likely that the computing power and human intellect will deliver a combinatorial explosion of both good and evil.  Let’s hope there’s more good than evil.

 

Discussion Response 5

Sharing – good read based on last weeks strong password discussion
Hacker Kevin Mitnick shows how to bypass 2FA

Hacker Kevin Mitnick shows how to bypass 2FA

 

Essay Assignment

What are the vulnerabilities in the boot process? What can an attacker exploit?

 

Boot Process Module Assignment

FIT – MGT5156 – Week 1

Discussion Post

What are the implications of Shannon’s work on security?

Claude E. Shannon is referred to as the founder of information theory, a scientist responsible for classical information theory. Shannon’s paper focuses on communication referencing PCM (pulse code modulation) and PPM (pulse position modulation). In the paper, Shannon explores topics which we are all familiar with today, topics such as bandwidth and SNR (signal-to-noise ratio).

When people think about digital security in today’s world they then to think about internet security, internet security is really about the protocols, operating systems, and applications which make up the internet. As I looked at Fig. 1 – Schematic diagram of a general communication system (Shannon, 2001, p. 4), I couldn’t help but think about TCP/IP and a simple topological representation as [HOST] <-> [ROUTER] <-> [ROUTER] <-> [HOST].

All the constructs that Shannon discusses in his 1948 paper, like source and destination (host), the transmitter (router, switch, etc…), and channel (wireless TDMA, CDMA, GSM, 802.11, etc…) all still exist and continue to evolve. Shannon talks about the messages having meaning and being correlated to some system (Shannon, 2001, p. 1), TCP/IP are the protocols that run the internet, moving information using packets. These packets are given meaning using IP (Internet Protocol) header information which contains detail about the source and destination, and a TCP (Transmission Control Protocol) header which includes information that allows data to be segmented, delivered out-of-order and reassembled. This TCP/IP header information is what allows the payload (the actual data we care about) to move between source and destination.

We can surmise that Shannon’s work had a significant impact on the TCP/IP protocols that interconnect us all today. When Bob Kahn and Vint Cert wrote the paper “A Protocol for Packet Network Intercommunication” (Cerf & Kahn, 1974) in 1974, defining the protocols that would become the platform from which the internet would blossom their concepts for a packet communication network were likely rooted in the work of Shannon.

In 1945 Shannon wrote a paper entitled “A Mathematical Theory of Cryptography.” (Shannon, 1945). This paper pre-dates “A mathematical theory of communication” by four years, the cryptography paper was initially a classified document, downgraded three years later, an abridged version was published and followed by the publication of the full article after being declassified twelve years later. Shannon’s paper on cryptography introduces an unbreakable a key-based encryption scheme known as “The Vernam Cipher”. Key-based encryption (“plaintext + key = ciphertext ⇒ ciphertext + key = plaintext”) is widely used today to encrypt and decrypt data at the source and destination, ensuring it’s confidentiality and integrity while in-flight on public networks like the internet. Cryptography is pervasive, from simple applications like MD5 hashing binaries to guarantee their integrity, to PGP public and private key encryption to SSL encryption (What is SSL, TLS and HTTPS?, n.d.). With 3.9 billion (Internet Users, n.d.) people on the internet and pervasive use of SSL and HTTPS, it’s fair to say that > 50% of the world population has benefited from Shannon’s work on communications and security.

References

Cerf, V., & Kahn, R. (1974). A protocol for packet network intercommunication. IEEE Transactions on Communications, 22(5), 637-648. doi:10.1109/TCOM.1974.1092259

Collins, G. P. (2002, October 14). Claude E. Shannon: Founder of Information Theory. Retrieved May 02, 2018, from https://www.scientificamerican.com/article/claude-e-shannon-founder/

Internet Users. (n.d.). Retrieved May 2, 2018, from http://www.internetlivestats.com/internet-users/

PGP, Public and Private Keys, and How PGP Encryption Works. (n.d.). Retrieved May 02, 2018, from http://accc.uic.edu/service/pgp/how-encryption-works

Shannon, C. (2001). A mathematical theory of communication. ACM SIGMOBILE Mobile Computing and Communications Review, 5(1), 3-55. doi:10.1145/584091.584093

Shannon, C. E. (1945). A Mathematical Theory of Cryptography – Case 20878. Alcatel-Lucent. Retrieved from https://www.iacr.org/museum/shannon/shannon45.pdf

The Vernam Cipher. (n.d.). Retrieved May 02, 2018, from http://www.cryptomuseum.com/crypto/vernam.htm

What is SSL, TLS and HTTPS? (n.d.). Retrieved May 02, 2018, from https://www.websecurity.symantec.com/security-topics/what-is-ssl-tls-https

 

Discussion Response 1

The computational power of RISC based processors like GPUs, TPUs, FPGAs and other ASICs being applied to password cracking has changed the game. Massive hacks and the dictionaries of passwords which have been aggregated and shared all over the internet as a result (e.g., https://wiki.skullsecurity.org/Passwords) along with available and accessible computational power to conduct brute-force attacks has made even strong passwords vulnerable. A 12 character alphanumeric with special characters password is not as hard to crack as many people think (http://www.netmux.com/blog/cracking-12-character-above-passwords). Provision a boatload of GPU capacity from AWS for a week and you would be surprised by the number of hashes per second you can churn out.

Then there is the application of deep learning to hacking. Projects like deephack (https://www.youtube.com/watch?v=Ybyg8WL0F4o) are starting to apply algorithmic thinking and build neural networks to hack systems.

Here is a little demo I put in this weeks assignment, where I used hashcat (https://hashcat.net/hashcat/) to crack five MD5 hashed passwords: https://asciinema.org/a/R4XnaVL0hKPLLrdF04NGQaO0p

Depending on your perspective I may seem like the only crazy person with a 6 x GPU machine. My wife would live if I only hade a single 6 x GPU rig, but the rig I used for the password crack is one of my four GPU rigs. The applicability of GPUs to cryptocurrency mining and machine learning have lots of people with lots of GPU power available either on their rigs or in the cloud.
I ran the password crack demo in the video above on my latest build which I am doing burn-in on in my home office before being added to the farm: https://photos.app.goo.gl/dKKWgB2pENIbTIm33
The interesting part about building GPU rigs for machine learning, mining, password cracking, etc… requires some caution because they pull a lot of power, the components get hot, and many of them are sourced by people like me direct from low-cost component manufacturers. Without exercising caution, you can have a meltdown aka a fire.

Strong passwords are good, but I would highly encourage the use of multi-factor authentication.

 

Discussion Response 2

Ahhhhh… Analog, my younger years as a phone phreak with my TRS-80 and acoustic coupler were the best. 🙂  Long live John Draper aka Cap’n Crunch.
The blue box and black box were a thing of beauty, enable by the simplicity of the analog system.  Let’s face it if you were online in the early 80s and knew how to build a black box you built one because who could afford all those local exchange costs, let alone long distance costs.  Then you had the device (don’t remember what it was called but I remember building it and putting inline between the modem and the wall jack) which ran the analog line through a potentiometer, some resistors and capacitors to clean up the line for you 110 baud acoustic coupler to give you a little more bandwidth, the good old days.
To this day I am still a loyal subscriber to 2600 Magazine and lister of Offf The Hook, I’ve even hit some clandestine 2600 meetups in faraway lands, that’s a treat.

If you are into some leisure (true story) reading about this era I suggest a book called “Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker”.
And of course, you have to get yourself a “Free Kevin” t-shirt. 🙂

 

Terminology Module Assignment

 

FIT – MGT5013 – Week 8, Discussion 2

Discussion Post

Please post at least three (3) issues which you have learned or are taking away from this course.

Culture, culture, culture. I have always believed that “fit” is critical. The coursework helped me to formulate more in-depth thoughts on this topic. Focusing on creating a “best-fit” scenario always has been and will continue to be a focus of mine. In all honesty, I am struggling with the juxtaposition of Simon Sinek’s idea that conveys the organization as a family where leadership is like parenting (Sinek, n.d.) vs. Reed Hastings view of an organization as a professional sports team (Hastings, 2009, p. 24). These are concepts I have been thinking about a lot, and I suspect it is something that I will continue to think about for a very long time. My thought after reviewing the Netflix culture deck in the context of parenting, is that Reed Hastings believes in tough love, he parents, but does it from a place of very high expectations.

Bolster and protect the culture with best-fit scenarios (Robbins & Judge, 2018 p. 81). Use scientific tools like the Myers-Briggs Type Indicator (MBTI) or other personality-assessment instruments, as well as discussions with peers and management to assess prospective candidates and better the probability of a best-fit scenario.

Motivation. Understanding motivation is critical to creating high-performance cultures. I experienced a deep sense of personal enlightenment Herzberg’s Motivation-Hygiene (Two-Factor) Theory (Robbins & Judge, 2018, p. 102), I loved the correlation between influencers (hygiene factors) and sentiment. I am big on sentiment analysis, I love using big data and machine learning to determine sentiment so this really appealed to me.  I have quoted McClelland’s statement “that high achievers perform best when they perceive the probability of success to be 50/50”. (Robbins & Judge, 2018 p. 103) at least ten times already.

It should be no secret at this point that I love the “RSA ANIMATE: Drive: The surprising truth about what motivates us” video and pretty much anything authored by Simon Sinek.

Communication. I related to the idea of an organization as communication. This concept made sense to me because I believe my ability to communicate and the ability for people to communicate with each other is what shapes an organization. The organization is just a manifestation of how we communicate with each other, how communication shapes the culture and how people perceive the organization. Our ability to effectively communicate will have a profound impact on our organization’s culture, successes, and failures.

References

Hastings, R. (2009, August 01). Culture. Retrieved March 18, 2018, from https://www.slideshare.net/reed2001/culture-1798664

Koschmann, M. (2012, May 08). What is Organizational Communication? Retrieved April 15, 2018, from https://youtu.be/e5oXygLGMuY

Robbins, S. P., & Judge, T. (2018). Essentials of organizational behavior. New York, NY: Pearson.

RSA ANIMATE: Drive: The surprising truth about what motivates us. (2010, April 01). Retrieved March 16, 2018, from https://youtu.be/u6XAPnuFjJc

Sinek, S. (n.d.). Why good leaders make you feel safe. Retrieved April 27, 2018, from https://www.ted.com/talks/simon_sinek_why_good_leaders_make_you_feel_safe