Schneier on Security

Clive Robinson • March 10, 2021 10:52 AM

Hmm,

“the second vulnerability, which used a malformed voicemail that, when interpreted by the server, allowed them to execute arbitrary commands.”

If I’m reading that correctly then a media file which should only be “data” is getting treated as an “executable” in some way.

I know Adobe had a bit of a reputation for that sort of nonsense, and Google a few yeard back got hit with a graphics library in Android where sending a picture attached to an SMS could be disasterous.

I would have thought that if this is what is happening to Exchange then MS would have wised up about it by now…

Clive Robinson • March 10, 2021 4:30 PM

@ lurker,

Were they expecting this?

I would very strongly suggest they were, but I don’t have evidence other than very circumstantial at best.

That is I suspect other US entities were aware of it at some point and either gave a “heads up” or a “Leave Alone” message to some one senior.

Have a look at @John Mosby above @Bruces,

I have long believed that they give the NSA a few weeks’ notice to do basically what the Chinese did

And the general tone of several people since SolarWinds brcame the ill wind from the east.

Clive Robinson • March 11, 2021 6:30 AM

@ Cincinnatus, ALL,

With regards your question, I’m going to answer it in a bit more depth as there is a lot many realy do not realise both from a defenders and attackers point of view.

So your question,

I’m mystified as to why this wasn’t the case before.

It rather depends on your outlook, previously as defenders we have realy just considered the two end points of the attacker spectrum line,

1, Covert APT.
2, Overt crook.

Obviously a spectrum exists between these two points from the unseen to the blindingly obvious. But we’ve more or less considered these points independently of anything else. In part because “to the attackers we have seen” that has been the two basic MO’s.

Thus as we think furthet there are actually two things to consider about individual attwcksr,

1, Defender scope.
2, Attacker objectives.

Both of these should evolve with both time and experience, but as defenders we tend not to see it that way which raises the “Why?” question. That is we know what we get to see as defenders by “observation” should improve by the “evolution of our tools”.

But there is a problem, with Covert APT our tools pick attacks up long after the fact. That is weeks, months or even years after the deployment of the zero day.

Simply because we had no idea what to look for and the “network noise/anomalies” were so far down in the grass you’ld have to be digging dirt (HumInt) to find them. Butvas importantly the lack of human resources to investigate.

Consider the predecessors of Stuxnet Duqu and Flame, they were not discovered untill long after they were first deployed by the attackers. But when they were sufficiently recognised as the integration of commonalities got above a threshold to attract interest, the AV companies then started to investigate. Primarily they looked back through their Data Base of files previously reported by customers, but untill that point unlooked at by the AV Companies staff.

Thus the attackers trail was spotted eventually after there was suficient aggregated noise. Because those AV DB files are a form of “Collect it all” they could in effect “go back and forth in time” and rerun “observational” histories looking for clues. But this time “with building knowledge” of what “Network Noise/anomalies” to look for as expressed in the AV DB file records. Thus over a relatively short period of time the AV companies could look for further “noise/anomolies” improving their tools very rapidly but very much long after the sound of hoof beats was a distant memory…

I don’t know why but I suspect dor some the assumption was if you were sufficciently covert the “noise/anomalies” of your Zero-Day would remain hidden, thus would go on indefinately staying down in the grass below some noise floor.

However anyone who has done even rudimentary “Signal Processing” knows what happens to “signals that look like noise” when you sufficiently average them in a time synced manner. The level of the attack signal rises (by n) and the level of the signals uncorrelated with the Zero Day attack go down (1/sqr(n)). The better the time sync on the Zero Day signal and the more otherwise independent other incoming sources you have the faster not just the first signals you found of the Zero Day rise but also new signsls correlated with the Zero Day attack. You can then go back with this new information as a “matched filter” to get more signal information and so on through several iterations.

Covert attacks based on “Low Probability of Intercept”(LPI)[1] do not remain covery long when you can “go back in time” repeatedly with “Collect it All” databases. A lesson I’m not entirely sure many people get in the right way.

So that kind of makes it appear that the proper use of a Zero Day is effectively a “one off” if you want it to remain undetected for serious “Covert APT” work[2].

But actually that is not true, we know from cryptanalysis that you can send the same message twice under different keys, if you take care to ensure the meta-data of the message remains likewise uninteligable.

Thus a smart “Covert APT” attacker will not just “randomize” the Zero Day it’s self but all things related from the start/source of the attack and also remove or randomize all artifacts from the attack.

Such behaviour does put Covert APT attacks under the noise, but if done well keeps them there.

Whilst an examination of early AV history shows past attackers have realised this and attacked accordingly, “we do not appear to be seeing it with Covert APT”

Thus you should ask yourself the question,

“Are such “Advanced Covert APT”(ACA) attacks NOT happening, or is it a case that as defenders we are blind to them?”

Factor that in and the answer to your question is probably “The defenders can not see ACA attacks, even though ACA attacks are probably happening”.

Further think on who are best positioned to carry out ACA attacks… Well it’s not China, Iran, North Korea, or Russia when you consider the real tangible physical layer of the Internet. That is they are in effect on the edge of the web not it’s center, nor do they straddle major traffic choke points… Those positions fall to the US at the center, and the UK and Australia on the major cable choke points, with other Five-Eyes of Canada and New Zeland at the “spill over” of satellite choke points. The Extended Five-Eyes in Europe and other parts of the world cover the nodes that are becoming the new through traffic choke points.

For the US’s “Four Horsemen of the Cyber-Apocalypse” of China, Iran, North Korea, Russian, they do not have traffic passing through their boarders so they have to “reach out” beyond or “drag in” traffic to get that sort of access to get the benifits.

But what benifits?

There is a long list, but two to think about are,

1, To enumerate target traffic.
2, To inject faux traffic.

It’s no secret that Sys/Net Admins profile their traffic just inside their gateway with automated tools. They then perform a form of automated signal processing that looks at the space between valid traffic and what the admin sets their noise floor at to avoid to many false poditives.

So to be covert you need to be either up in the valid traffic or well down in the noise floor. As indicated being in the noise floor is not the best place to put Covert traffic if you have a choice. If you can enumerate a targets traffic without them becoming aware of it, then the opportunity to hide in valid traffic becomes possible. So being able to see a targets traffic “passively” as the Five-Eyes do gives a massive advantage over those who have to use “active” techniques to “reach out / drag in” traffic inside their boarders. Both of which are quite “noisy” things to do but potentially have been seen from time to time with Boarder Gateway Protocol manipulatons etc. Which as the are obvious fairly quickly just by shear traffic flow “hitting the end stops” are in effect very noisy as they trip alarms. So most nations can not operate safely inside their jurisdictions as the Five-Eyes can, so effectively they have to “go out” in various ways if they want to do “passive” observation[4].

The other advantage the Five-Eyes have over other nations is the ability to not just inject false traffic but intetcept and respond to any returns. So if they are between you and their target, thay can fake as much traffic from you as they want and you will not be able to see it on the wire with your IDS etc as it will never get to you[5].

With at best week authentication but mostly no authentication on traffic, the likes of the NSA can make their false traffic, look just like the traffic you expect to see, in any way most IDS boxes can not differentiate or detect. Thus the NSA et al, can slip through their attack unrecognised. Not by trying to be unseen by crawling through or under the grass but by simply putting on a “sheep skin” and looking just like any other member of the flock in plain sight, thus passing unnoticed…

For obvious reasons these are not the things the NSA, GCHQ or other Five-Eyes or Extended Five Eyes want you thinking about.

Because as a potential target site you might decide to significantly update the way you not only run your IDSs but how you authenticate, not session traffic/comms but actuall individual transactions within a session with authentication they can not fake. As they would loose a major benifit of “being at the center of the web”…

They kind of got a bad hit when the “HTTPS for All” gained traction, so they had to develop other methods, in which week authentication significantly helped. If we now tighten up authetication correctly then they get another hit they do not want.

It should be obvious but nobody is realy doing it, perhaps it’s time for another “Why?” question…

[1] Now for the “dirty little secret” that some do not want generally known. Digital Signal Processing(DSP) techniques to pull “signals out of noise” generally only work if you know what the signal looks like, or atleast part of it or you have a sufficientky accurate time reference. So you can have a “matched filter” do “time synchronizing” and a number of other things (see work on Spread Spectrum techniques). So the concequence of this is[2],

[2] Generating the same signal twice is effectively as fatal to your Zero Day attack, as is using an OTP Key Stream twice or more, as it enables what is an “attack in depth” which is the same as a Signal Processing function just from a different “knowledge domain”[3]. Now oddly this was “known knowledge” back from the earlier days of computer viruses, but for some reason the Zero Day finders/attackers “we see” do not appear to realise this and thus do not change their behaviours accordingly… Or more correctly… “The defenders are only seeing those attackers that do not take care to randomize their attack signals sufficiently”. Which is in effect the missing piece of the puzzle you might be loojing for.

[3] If you look at past job adverts for the type of people both GCHQ and the NSA wanted back last century, you would see they were looking for rather more “Signal Processing” people than would be needed for normal DSP activities, thus they needed them for something else. Ironically they were “building a message in depth” about their intended activities via the job ads

[4] There is only one way to avoid creating “reach out / drag in” noise, and that is to do neither activity. Instead you “go to” where you can “passively” observe the target. All though no real evidence of such longterm observation by the four horsemen has been given by the primary Five-Eyes we do know that Russia has been caught atleast once or twice doing this short term to the likes of the IOC agencies so we assume other targets as well. The US has hinted that both Iran and North Korea have done similar but no evidence as such has been given. As for China the US has for the past few years been following a “Reds under the bed” campaign and maligning not just Chinese citizens but citizens in both the US and other countries that have Chinese ancestors. So in effect the US have so stired up the mud that nothing about Chinese activities can be easily distinguished as Fiction or Fact.

[5] Whilst there is nothing you can do with detecting people forging traffic from you by observation on the wire at your gateway, there are other things you can do. One of which is proper authentication not of the communications channel, but by proper authentication of all transactions which unfortunately requires a shared “Master Secret” and “non deducable by others” derived sesion/instance secrets. As is becoming obvious with attacks on the likes of random number generators and authentication protocols the NSA, GCHQ and presumably other Five-Eyes are actively doing such things.

Clive Robinson • March 12, 2021 7:32 AM

@ Fed.up,

We are overdue for disruptive tech.

Well I realy do not think it’s going to be homomorphic encryption on chip or in firmware, software etc.

Let’s think what encryption is all about,

1, Use minimal workfactor to obfuscate information.

2, Make workfactor maximal for eavesdroper.

So if you take a OTP, the work factor required is in two parts,

1.1 Make the pad of random numbers
1.2 Use the pad to encrypt information.

The first can be done by sitting there and quite laboriously throwing a pair of dice, use them to looking up an alphabet char in a 6×6 table and type it in to a process that converts it to a pad.

Fairly simple to do and labourious because the throwing of the pair of dice is “the non-deterministic or random” input required. Again using the pad is fairly trivial but tedious. So the real work factor is the “randomization” process which is about as near to a one way function as you could hope for and should be also as near non-deterministic as you could hope for.

That one-way non-determanistic function is where all the security of the OTP comes from. However use a pad twice and it cancels out leaving two plaintexts XOR’d together which has little workfactor to seperate[1].

If instead of the reversable XOR function we use ADD and SUB an interesting property arises.

Because the encryption is “addative” you can do basic addition and subtraction on the encrypted “ciphertext” which keeps the correct value when the ciphertext is decrypted. So it gives you one of the basic homomorphic encryption primitives.

Whilst that demonstrates the possabilities it has an issue.

That is you can “change the encrypted data” but you can not “use the encrypted data” because you can not “test it’s value”.

When you think about how to do a simple “compare” –which is normally the equivalent of a SUB statment– you realise just how difficult homomorphic encryption can be.

Because to test/compare raises the workfactor of encrypting whilst decreasing the work factor by a great deal for an attacker, thus the securoty margin plumets.

Thus whilst homomorphic encryption is an academics “life long work” to come up with a system, users on the other hand will see large electricity bills and low work efficiency and wil not be happy.

That’s a fairly steep hill to push a rock up and I’m realy not sure many people will want to meet the grade.

[1] So the OTP “Goes from hero to zero” in the encryption game with easily made often trivial mistakes. Which is one of the reasons it’s not particularly liked. Another is that the size of the OTP you have to securely transport in advance is large, that is large enough to cover you conceivable needs untill the next secure transport.

Clive Robinson • March 12, 2021 6:09 PM

@ SpaceLifeForm,

Things are not making sense.

Well as I don’t subscribe or have javascript I only get the first few paragraphs of the WSJ article (and it’s never been worth paying for it, unless there’s a panic buy on loo paper 😉

But the time line they give does not make sense to this tired brain…

But as for attack code looking like POC code, well that is not of it’s self suspicious, people see the faces of jesus in clouds and on burnt toast when they want to…

You kind of need independent view points otherwise you are beyond “trusting” and into the equivalent of “quasi religious belief” and where I come from that sort of “faith” is seen to be not to far from “hearing voices from god” or “kissing the ring of the glourious leader”.

So in the words of the film to Miss Connie Swail, “Just the facts ma’am”…