Menu

Security

The Importance of Cybersecurity for Businesses in 2024

The Importance of Cybersecurity for Businesses in 2024

,

One of the ongoing challenges that organizations all over the world are facing is adapting their cybersecurity strategies to account for emerging threats. Cybersecurity as a whole is an important business practice, but its importance in 2024 has multiplied exponentially thanks to the reliance on digital data storage. Cyber criminals have realized this as well, and advancements in Generative AI and other technologies has made it easier than ever for cyberattacks to be carried out. 

Ransomware as a Primary Threat

Ransomware is expected to remain a significant threat in coming years, and the damages that these attacks incur can cripple even the most established organizations. In fact, according to recent research from Gartner, the cost of recovery and reputational damage after a cyberattack can cost more than 10 times the amount of the initial ransom. Modern ransomware attacks occur in two different phases; hackers will first shut down your system, then extort the organization financially for data loss. Thanks to generative AI capabilities and Ransomware as a Service (RaaS), ransomware is becoming democratized, meaning that anyone with a computer and intermediate coding knowledge can deploy malicious cyber attacks on large-scale organizations from around the world. Teams must incorporate robust anti-ransomware strategies to combat this threat.

Increase in Disruptive Hacktivism

Hacktivism, or hacking systems for a social or political cause, may see an uptick in disruptive activities. For instance, a group of activists might hack into the networks of a multinational corporation to make a statement or promote their cause. These activists often spread misinformation online with the intention of driving down stocks and decreasing the credibility of certain political groups. Such incidents highlight corporate vulnerabilities to hacktivism, necessitating preparedness to deal with these threats.

The Role of Generative AI in Cybersecurity

Businesses of all sizes are increasingly leveraging Generative AI systems to improve their cybersecurity technology, including protection and detection response software. For example, a financial institution might use Generative AI to learn and adapt to new malware, preventing sophisticated cyber attacks before they penetrate the network. However, there is an arms race occurring between established organizations and cyber criminals; businesses are trying to leverage AI to strengthen their cybersecurity networks while cyber criminals are using this technology to break through barriers more easily. While there are risks associated with using Generative AI for business applications, its capabilities make it a valuable tool for organizations to safeguard their digital assets and detect potential threats.

Tailored Cybersecurity Strategies

The best method to defend against cyberattacks is to create a tailored cybersecurity strategy that addresses your organization’s specific security concerns. However, investing significant time and resources into a complicated cybersecurity strategy that involves complex tooling is not the most optimal way to address this. In the case of cybersecurity, “complex” does not always equal “more secure.” A simplified cybersecurity solution can increase your security posture and be more economical in the long run.

We Can Be Your Cybersecurity Partner in 2024

With the world of cybersecurity changing every day, it’s easy to get caught up in the noise. Hundreds of cybersecurity solutions are being introduced to the market every year, but if you’re looking to discover the potential of a simplified, tailored cybersecurity strategy, Cloud Communications Group is here to help. As a partner with hundreds of technology providers, our goal is to research and implement cybersecurity solutions that align with your long-term business goals. With our unique business model, a partnership with us does not add to your business’s overall costs; you only pay for the solutions that you need. We’d love to engage in a complimentary, no-commitment GAP assessment with your IT leadership team start a conversation with us today.

Key Trends in Data Center and Cloud Services for 2024

Key Trends in Data Center and Cloud Services for 2024

,

As we progress through 2024, the landscape of data centers and cloud services is undergoing transformative changes. Through extensive conversations with our customers, suppliers, and thorough research in the marketplace, we have identified key trends shaping the industry. This blog post aims to equip IT leaders across diverse industries with the knowledge to navigate and leverage these developments effectively.

The Evolving State of Colocation

AI-Driven High-Density Demands

Artificial Intelligence (AI) is revolutionizing enterprise IT infrastructure, significantly increasing high-density computing demands. The need for High-Performance Computing (HPC), AI, and GPU workloads is causing a supply shortage in data center space, necessitating innovations like liquid cooling in high-density deployments.

Migration from On-Prem to Colocation

Despite the rise of cloud solutions, a substantial 47% of enterprises still maintain on-premises infrastructure. This trend is driving a steady migration towards colocation, where enterprises find a balance between cost efficiency and performance reliability. Hyperscalers are also rapidly acquiring available inventory in key global markets, further impacting the supply and accessibility for enterprise clients.

Cloud Services: Current State and Challenges

Licensing Changes and Cost Optimization

The recent changes in VMware’s licensing model by Broadcom are compelling businesses to reassess their hosting strategies. This shift is prompting a move towards optimizing cloud costs, as hyperscale consumption costs, particularly for storage, are driving trends in cloud repatriation and transformation.

Talent Shortages in Cloud Engineering

There is a notable scarcity of skilled cloud engineers, which is pushing enterprises to rely more heavily on managed and professional services. This talent gap highlights the need for strategic partnerships with service providers who can offer the necessary expertise and support.

Predictions and Strategic Moves for 2024

Proactive Space Acquisition

Enterprises are increasingly buying data center space ahead of time to lock in supply and manage costs predictably. Secondary data center markets are gaining traction over premium cloud-adjacent locations like Ashburn, Silicon Valley, Portland, and Chicago.

AI and Colocation Demand

AI will continue to drive colocation demand, particularly from enterprises hesitant to place critical workloads in the cloud. This trend, combined with data center scarcity and VMware’s licensing impacts, is propelling the adoption of Bare Metal and Infrastructure-as-a-Service (IaaS) solutions.

International Expansion

The data center and cloud market is expanding internationally, with growing demand for both data center and cloud services in new regions. Enterprises are exploring opportunities beyond traditional markets to meet their expanding global needs.

Focus on Cloud Savings

Cost efficiency remains a major focus, with a growing interest in Storage-as-a-Service (StaaS) models. Enterprises are also investing in 100G to 400G interconnections to support higher capacity workloads and ensure robust performance.

Security and Compliance

As industries like financial services and healthcare migrate to the cloud, the importance of cloud and application security is becoming paramount. Ensuring compliance and protecting data are critical priorities that will drive demand for advanced security solutions.

Preparing for the Future

The trends we’ve identified underscore the dynamic and rapidly evolving nature of the data center and cloud services landscape. For IT leaders, understanding these trends and strategically planning for their implications is essential. By proactively addressing high-density demands, optimizing cloud costs, navigating talent shortages, and securing data, enterprises can position themselves for success in 2024 and beyond.

We invite you to reach out to our team at CCG for tailored advice and strategies to navigate these trends effectively. Let’s collaborate to turn these insights into actionable plans that drive innovation and growth in your organization.

What Are The Pitfalls Of AI Usage & How To Avoid Them

What Are The Pitfalls Of AI Usage & How To Avoid Them

,

Copyright Infringement

Copyright infringement has to be watched out for due to popular artificial intelligence language models like ChatGPT. The purpose of AI language models is primarily to assist users in obtaining information, answering questions, and even engaging in conversation. The information provided stops at a set point in time. Seems harmless, but once you read the fine print you realize inputs and outputs are either property of the language AI to use for future queries or are free-use. This input opens up a world of legal trouble where an input of confidential information may violate an NDA, or be used by the AI to help competitors with their own queries. Another scenario is your usage of content from the AI model, content produced may already be produced, copyrighted, or restricted material, which can be difficult to verify due to the nature of AI models. These pitfalls are easily avoidable by not directly inputting or withdrawing direct information. Instead, using outputs as a broad sketch of an idea will help you avoid breaking the law, and not putting any confidential information as an input will keep you from sabotaging your own company.

Human Dependency

As artificial intelligence becomes more advanced, the services it can offer have become more broad and contributory to businesses, employees, and students alike. This alternative route to writing material for blogs, essays, and research papers has seen a skyrocket in usage. While this usage can create a 10-page article in 5 minutes, it cannot do so without human input, and even then there is bound to be error. People using AI for major academic and corporate responsibilities are difficult to identify, and although their achievements may be stellar in articles and performance, their actual ability to perform is not properly quantified. This can create a dependence on AI to write, read, learn, and even create content. There are already multiple tools that can be used to identify computer generated like plagiarism audits and performance tests.

Rogue AI

Rogue Artificial Intelligence is an AI that operates outside of the bounds of its intended directive. Instead of operating within programmed rules, the AI acts independently, which can have harmful or dangerous consequences. Rogue AI can exhibit certain characteristics that differentiate them from their innocuous counterparts.

1. Malicious Intent:

A Malicious AI acts with harmful intentions toward humans or other systems. This was most notable when Microsoft Tay learned to be malicious towards other humans. The AI was taken down within 24 hours and reworked.

2. Ethical inaptitude:

There was an incident with the largest eating disorder non-profit in the country when they replaced their staff with AI. The intelligence chatbot “Tessa” gave its users weight-loss advice beyond its programming, which is dangerous for people with eating disorders. This can be detrimental and concerning if you use chatbots to help with volume and quality when it comes to customer interactions.

3. Unpredictability:

The most dangerous part of a Rogue AI is the unpredictability. Most if not all AI is given programming, restrictions, and directives to adhere to so that it can effectively and predictably accomplish its purpose. When an AI goes rogue, these rules and restrictions are no longer considered in the decision-making process, which makes it dangerous.

Privacy

Artificial intelligence depends on information outside of the initial query or command it is given to deliver the requested result. Whether it is a chatbot needing information from its database to provide advice and guidance, or if it is a language AI that has a massive database to pull from to deliver information or maintain a conversation, outside unowned information is required. This potential violation of privacy is still a common concern as more and more queries come in for AI.

Artificial intelligence is not brand new, however, its recent capabilities and applications are not only efficient but also industry-changing. With more frequent uses, engagements, and growing potential it is important to use AI technology safely and efficiently. Discover how you can start using AI for your business benefit today.

Cybersecurity Reporting Act Ratified 

Cybersecurity Reporting Act Ratified 

, ,

On Tuesday, as part of the omnibus bill, President Biden signed into law the Cybersecurity Reporting Act. This act requires companies operating in critical infrastructure to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after they discover they are under cyberattack. It also requires these same companies to report to the CISA within 24 hours if they choose to make a payment due to ransomware. This is an effort by the federal government to remove the plausible deniability of these companies regarding cyberattacks. Like many companies, these corporations choose to under invest in cybersecurity or rely on cybersecurity insurance to avoid investing in better cybersecurity. This has been prompted by the difference between reported incidents in 2021, amounting to about $29 million, and the much larger amount discovered by Chainalysis Inc. (which tracks cryptocurrency transactions) of $406 million (see Ransomware 2021: Critical Mid-year Update.) 

Cyber Security Solutions

What It Means 

Several line items on this new law have changed the game completely.  

  1. The CISA has the authority to subpoena companies that fail to report cybersecurity incidents or ransomware payments. Failure to comply with the subpoena can result in the case being sent to the Department of Justice. 
  2. Companies will need to show they are taking cybersecurity more seriously. Those without a CISO will probably need to hire one, and give the CISO veto over the CIO regarding cybersecurity related decisions. 

In return the CISA is required to warn organizations of vulnerabilities that ransomware actors exploit. The director of CISA (currently Jen Easterly) will need to establish a joint ransomware task force to coordinate federal efforts working with the industry to prevent and disrupt ransomware attacks. 

The sixteen critical infrastructure sectors are chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation, commercial facilities, critical manufacturing, defense industrial, energy, food and agriculture, healthcare and public health, nuclear reactors (including materials and waste), and water and wastewater systems. For more information about what is included in each sector see (CISA – Critical Infrastructure Sectors). 

 

Time to Check with Your EDR Vendor

Time to Check with Your EDR Vendor

, ,

This month (January 2022), a team of researchers at the University of Piraeus, working in the informatics department, devised, and ran a series of tests to determine the state of Endpoint Detection/Response (EDR) systems as a follow up to a previously released paper. The researchers chose four attack methods that are found in the “wild,” meaning those that are currently being used by attackers. Because most intrusions start with a spear phishing attack where a user is lured to click on a malicious payload attached to an E-mail, the researchers chose this as their attack vector. This is quite common and the EDR should check the payload to block it before it can do harm, or at the very least, recognize the system has been comprised and report it. 

The four vectors were 

  • An executable DLL in a Control Panel applet, commonly known as a “cpl” file. This does not look like an executable but is loaded and run by a delegate to try to hide it from the EDR client. 
  • A DLL that a MS Teams installation will load. The code will use a self-injection technique using an offensive toolkit called AQUARMOURY Brownie. This allows the malicious code to be executed in the address space of a “trusted” executable which means the EDR system may not see it. 
  • A PE EXE file that uses another technique in the AQUARMOURY toolkit called “Early Bird” to inject the malicious process in an evasive method. 
  • An HTA file which is a type of file that is a collection of code (hypertext, VBScript, JScript) that is run as part of a web page (or as an E-mail attachment) and executed by the Microsoft HTML Application Host (mshta.exe). This is yet another technique of code injection where trusted address space is used to hide execution from an EDR. 
Looking For IT Solutions?

Again, these techniques are all common in toolkits (such as AQUARMOURY) to evade EDR detection. Since they are well known they should be detected by EDR vendors that are maintaining their code base to counter modern techniques. The results are quite telling. 

EDR Screen 1
EDR Screen 2
EDR screen 3

 

Source: “An Empirical Assessment of Endpoint Security Systems Against Advanced Persistent Threats Attack Vectors” 

In the far-left column is the product being tested which includes both EDR and EDP systems. The next four columns show each of the attack vectors chosen for the study. An X indicates the attack failed and that alerts were raised. A checkmark indicates the attack was successful without any alert raised. All vendors but two allowed the malicious code to execute in one or more of the attack vectors. Only one allowed all four vectors to work while most of the others allowed at least one, with the majority being two or more. Only FortiEDR and Sentinel One (all features turned on) stopped all four attacks. 

After the initial test, the researchers used what they had learned to try to disable EDR clients. These techniques included unlinking client callback functions, manually patching vector tables or functions used to gather telemetry or using known vulnerabilities to disable or kill the EDR client. Once again, these techniques used known methods and offensive toolkits already available. The extended research was able to disable or kill MS Defender for Endpoints, Sophos Intercept X, Bitdefender, and FortiEDR. Since FortiEDR was one of the two systems that detected all attacks, but could be disabled by a kill technique, only Sentinel One survived intact without any fails, provided all features are enabled. 

With these results in hand, you should check with your vendor to determine what steps they have taken to mitigate these attacks. As with all security layers, nothing is hack proof. The strength of a security system is its well-chosen layers of defense to work together to defend a system instead of relying on a single element. However, this does show a difference in the quality of EDR systems now. As companies respond these results will change but, in the end, it shows what all security researchers know: techniques exist to evade tools trying to find them. It is in the holistic security system layers that real security exists. 

Questions? Please feel free to contact me about these results or a review of your own security defensive posture. View the research paper. 

Getting Ready for Round Three

Getting Ready for Round Three

,

In the wake of the Solar Winds upstream attack we find ourselves in the midst of the ProxyLogon attacks on Microsoft Exchange servers. Both of these have a high penetration in their field of victims (18,000 for Solar Winds and 400,000 for ProxyLogon). But there’s more to come and the third round is going to be even bigger.

SickCodes released a vulnerability it found on the 28th (yes, March 28th, 2021) it found in the netmask package which is part of the NPM registry. NPM stands for “Node Package Manager” which is the ubiquitous (almost universal) package manager for Node.js. Node.js itself is a framework that creates an asynchronous event-driven JavaScript runtime which is heavily used in web development. In fact, according to https://hostingtribunal.com/blog/node-js-stats/#gref there are more than 20 million websites using it, more than 1 billion downloads with 6.3 million websites in the U.S alone. Some companies that rely on Node.js are Amazon, CitiBank, Netflix, eBay, Reddit, LinkedIn, Tumblr, PayPal, Wal-Mart, and Uber but these are just the biggest ones. The vulnerability leads to server side request forgeries which leads to a whole host of attack vectors including being able to force the web server to make connections to any server the attacker chooses. The worst case is the attacker using the web server to make connections to the internal servers to which it has access.

Because Node.js uses a package manager to install modules it is very likely that the netmask packaage has been included on nearly every Node.js installation. A package manager is a piece of software that manages what components are loaded in a software framework (operating system, application environment, or runtime). In the case of Node.js developers can use NPM to find and install the components they need in an automatic way. All package managers can handle dependencies which means they will find all the pieces of code (libraries in old school speak) that a package requires. What this means is, if a developer chooses to install package A and package A also requires package B and C, and package B requires D, E, and F, and package C requires G, H, and I, the total list of packages to install are A, B, C, D, E, , G, H, and I. Here’s a real-world example:

 

Screen Shot 2021-03-30 at 3.15.16 PM

 

This is from my Linux system that shows to install the tcpdump package I need 12 other packages–its dependencies. What this doesn’t show is the dependencies of all those packages but with the package manager for my Linux distribution (Gentoo’s emerge) I can easily show those by adding “emptytree” which means assume nothing is installed and find all packages that need to be installed. Here’s the results:

 

Screen Shot 2021-03-30 at 3.19.49 PM

 

But that is just the top portion, the list contains a total 477 other packages. This might seem like a lot but tcpdump requires a console which requires an operating system kernel, but if I wanted to run tcpdump my package manager is prepared to install a whole Linux kernel, all the needed system and application libraries to support it, terminal drivers, network infrastructure, and everything else needed by the system just to run a simple console command. This just goes to show how complicated computers have become, and Node.js is no different and that is way it is very likely that netmask has been included in your Node.js runtime.

The problem with NPM’s netmask is that it is used as a very basic component for communicating on a network which is the base medium for which Node.js is designed to facilitate: deliver web content from a web server application. This is like saying that a problem has been found in spark plugs so everything using a spark plug is vulnerable. Imagine the list: cars, lawn mowers, string trimmers, chain saws, airplanes, irrigation pumps, boats, leaf blowers, generators, drones, tanks, etc. The list goes on and on, and that is exactly what the situation with netmask for Node.js. There are approximately 210,000 open source projects that use netmask from NPM. That’s already a huge list and it doesn’t even include proprietary software. As of the week of 3-16 to 3-22 (before this vulnerability was announced) netmask was downloaded over 3 million times. 

Tighten those seat belts, this one is going to be big. If you use Node.js you are a target. Get with your developers and make sure they know what is happening. Make fixing this problem their number one priority.  An upgrade to version 2.0.0 (though only 11 days old) fixes the problem. Do it now because the pitch is already over and the ball is already speeding to the plate.

A Singular Key to Security

A Singular Key to Security

,

In this series of articles I am going to introduce a method of security that is rarely employed by individuals or companies, but provides great protection from both local and remote exploits. It is extremely good because it renders automated attack code, and even previously written hacking tools, useless. It has been in the arsenal for many years, but since the method used to perform it requires compiling the operating system kernel and applications from source, it has been impossible for closed-source operating systems like Windows, and difficult for open-source, such as Linux. However, newer tools are making it much easier to perform.

To understand how it works, consider the following maze and how it might be possible to program a robot to navigate it.

Screen Shot 2020-10-14 at 11.55.16 AM

First a simple command to move ten feet forward which simply turns the wheel motors on for a given number of seconds. This can be called “MF” for move forward. A second command would be called “Turn Right” and would consist of turning the wheel motors on in such a way for a given number of seconds to rotate the robot right ninety degrees.

This can be called “TR” along with a similar one called “TL” for turn left. Now assuming each square is ten feet both in length and width to get the robot through the maze to stand in front of the green wall if it starts on the red dot and faces down would be:

MF MF TL MF TL MF TR MF TR MF MF TL MF MF

We now have a method to allow the robot to navigate all obstacles. Those simple commands get the robot through the maze to stand in front of the green wall. Suppose however, we change a single wall in the maze. It now looks like this

With even that simple change our algorithm to solve it fails. The algorithm not only depends on the maze being the same, but the robot being in the same spot and facing the same direction.

Suppose though we wanted to make sure we could solve the first maze no matter which direction the robot was facing. As long as we get multiple tries with the maze resetting between them, this algorithm works but we need to change our starting conditions.

Screen Shot 2020-10-14 at 11.57.34 AM

Instead we do four attempts. First let’s call the current algorithm SOLVE. The we do the following as a main routine to solve the maze

SOLVE
TR SOLVE
TR TR SOLVE TR TR TR SOLVE

Notice that each time we try the solution we turn to right one, two, and three times. This eventually will orient the robot correctly for the solution to work with a maximum of three failed attempts if the robot starts facing left. Hacker tools often try multiple times changing offset values from a known list or simply incrementing through a set of values trying to find the correct one. Each wrong attempt might cause the process to crash, forcing the OS to restart it.

To finish the system we simply need to have a program to execute the commands and the data necessary to drive the routine. We would have to store in the robot’s computer memory the program and the data. It might be something like this table:

Screen Shot 2020-10-14 at 11.58.46 AM

Now the computer would simply start running the code stored at row 4 and the robot would begin. At each attempt to solve the maze using SOLVE if it fails, the robot is reset to its original position and another attempt can be made. In this fashion, multiple attempts can be made allowing the SOLVE routine to eventually solve the problem. Of course, computers only use numbers so instead of calling the subroutines by number we will instead call them by number. Location 4 contains the main program which calls all the others. MF is stored at 0, TR at 1, TL at 3, and SOLVE at 3. The data the main routine will use to know which order to call the subroutines is stored at location 5.

Now we have the basis for a simple program to solve the first maze regardless of which direction the robot is facing. The whole system is an analogy for a computer program with the code and data stored in the table. Though very simplified, it represents a program in memory of a computer, and in this case if we think of the maze as an exploit tool to a vulnerability, we have a program that can use that vulnerability to break into a system.

A program calls functions both in external and internal libraries and the locations of these routines can all be calculated from an offset from some known location in the program. It is relative to a given position, perhaps 4,187 bytes forward or 3,209 bytes backwards. If the location of the code is known, data can be changed to break the system in such a way that execution jumps to an unintended location in the original program but instead to the location of the exploit code. There are several special locations for data a program uses including the call stack to store the return addresses in which to jump after execution of subroutines. Such techniques as stack buffer overflows work because this stack is also used to store parameters, variables scoped to the current function (​local​), and current instance (the ​this​ pointer). The call stack has many uses but knowing the exact state of this stack is important for a hacker to the call-return system of return-oriented programming (ROP). Knowing precisely where to place data on this system by causing an overrun is the key to such exploints. Code is simply specialized data to a computer system.

It all becomes very complex since code is local to the current program but also references code in the operating system and external libraries. External library code must be loaded into memory (or if already loaded the address looked up) and these addresses must be put in the program as it is loaded–called a “fixup.” The operating system must maintain a table of these routines in order to reuse them when executing programs. Like programs in memory, specialized files reside on a permanent storage device that contain not only the code for the program, but also all the data required to perform all the fixups to properly modify all external and relative internal addresses a program needs. Since a program can be loaded anywhere in memory (for modern operating systems) many addresses need to use a fixup. This process is called ​linking​ and is done dynamically as the operating system prepares the program for execution. The key takeaway is that for many hacking techniques these numbers must be known or found to switch execution from the intended code (the operating system or application code) to the hacker’s code. Very much like the maze, knowing exactly what to do in advance allowed the hacker to create code that could exploit a vulnerability in a system to compromise it. Like the program to solve the maze it is entirely dependent on the maze never changing.

Since all releases of a particular application or operating system are exactly the same, the code that can break one, can break all identical versions. If the above maze is exactly the same, the algorithm will always solve it, but even one change to the maze disables the program. If all the addresses that need fixed up were different for every system the program ran on, a hacker could only design a program to break a single computer. In other words, if each computer had its own maze it would be impossible for a hacker to create a program (at least a reasonably simple one) that could solve the maze. So, can we each have our own maze?

The answer is yes. For open source, this is fairly easy, simply compiling the code with a different version of the compiler is often enough. Reconfiguring the options of the program to exclude features not required for the system (support for hardware not present, network protocols not used, unnecessary features, etc.) or to include features not included in the default. All of these will create different link locations, a different location of the special data areas (call stack, heap), leading to different offsets in executable (for those more technical this means different values in the procedure link table and global offsets table in an ELF file for example). This will make a new maze by building an executable file unique to your system.

If you’re using a source distribution of Linux such as Gentoo, LFS, or my own Toucan Linux Project, you already have a unique kernel, unique libraries, and unique applications. If you’re using a binary distribution such as Ubtunu, RedHat, SUSE, almost all others, or Windows, you’re using the same maze that everyone else is using. Even recompiling the entire distribution will yield the same binaries because all options have already been chosen. You can install kernel source, modify options, and recompile it to at least protect the OS kernel.

But what about software that is closed source? In that case a program specifically designed to read the executable file format, examine the code, and rewrite it to use different offsets, switch the use of registers, examine and randomize the link tables. This is known as a binary rewriter. Many exist including DynamoRIO, Multiverse, Zipr++, RL-bin, and RevARM for Linux on X86-64 and ARM architectures. These can be used for anything from observation of a program operating for performance profiling, but also hardening. They are not easy to use but are fully capable of doing the job, but only in expert hands.For these you’ll need a senior developer, but because it requires specialized knowledge of executable file formats, dynamic linking, and assembly language, it’s a rare developer that can handle the work. These developers work in building developer toolchains and are very hard to come by.

In 2015 a company decided to address this issue and create an easy to use–actually automatic–binary rewriter with the purpose of modifying an executable file to make the program unique in terms of ROP metrics (offsets, registers, jump tables, etc.) explicitly for security hardening. The company is Polyverse and they are busy building a system to polymorph code to make it unique without changing functionality while minimizing performance degradation. Using their service you can build your own maze, one that is unique to your company and can be refreshed every 24 hours. Having your own unique polymorphic applications and operating system is great, but having it change daily is very important as well. Why? We’ll talk about what

mechanisms modern kernels are using to combat ROP attacks and how hackers have responded to bypass these mechanisms. We’ll also talk about what is needed in the future to solve these types of attacks, which are the majority of attacks we find in the wild .

SD-WAN and Security?

SD-WAN and Security?

,

We recently asked our security guru if SD-WAN should be considered a part of the security posture in modern networking.  Glad we did and below are parts of his response.

  • Security data sources includes telemetry in the form of logs from applications, firewalls, network devices, and security technologies. Logs are intended to inform an external source what an application or device is doing. But logs are programmed sources of data, meaning a system architect or programmer makes the decision on when to log and what form that log takes. It is a piece of the code that says “log this event or information” that is called as a subroutine through a program. It is entirely possible for a compromise to happen that occurs at a point where an event is not logged, or even that logs can be suppressed as part of the exploit. While logs are a good source of data, especially when collected in mass and correlated together, they represent a secondary level source of information–it can only tell what the software thinks; if the software is wrong, so is the log.
sec2
  • Network traffic is “outside” of an application or even network device. It is traffic on a wire and it must be used to move from one system to another. It is the underlying mechanism of data transport and it is a primary source of information. Regardless of the application state, the network traffic to it is the real data. A remote compromise must generate network data in order to traverse to new system and this network data cannot be faked (though noise can be generated to try to hide it). It is a PRIMARY source data that triggers change of state or events in the destination and that eventually lead to compromise.
  • All network data has a source and for two-way communication that source must be real not spoofed or faked). This source is indisputable for two systems to communicate (two systems can’t communicate using a spoofed source.) This source can be used to backtrack through a network to determine the device or origin. A log can be made to report the wrong source, but if it is wrong on the wire, it gets delivered to the wrong device or simple tossed as incorrect.
  • All connections between networks (external, partner, customer, or public) must be watched for 100% attack surface coverage. Why attack a data center where there is generally lots of security, versus the small branch office it connects to where people might be lax and there is much less investment in security?
  • Finally, SDWAN operates as many devices that are part of the security stack. They operate as router, switch, firewall, security sensor for traffic inspection, point of inspection for viruses, malware, and ransomware (and many others). They are all these devices in a single system instead of deployed in 5 or 6 different devices spread throughout the network and the systems on the network. It is a single point that can not only inspect but control data flow. It is more cost effective because it is a single device. It is easier to deploy and manage because it is a single device. It can be easily upgraded with new functionality because it is a software device that doesn’t require firmware or hardware refresh to gain new functionality.

 

What is Agent57?

What is Agent57?

,

Part 1 

In 2012 a team in Alberta, Canada introduced the Arcade Learning Environment (ALE) as a method to help develop artificial intelligence. They created an environment that allowed AI agents to play the simple games of the 1970’s on the Atari 2600 VCS using an emulator (Stella), providing methods to input to the emulator from another program, and to provide the output (screen) or internal RAM of the system as input to another program. The paper goes on to demonstrate several methods to use the ALE to train an AI agent to play games and finally proposes these simple games from the early video computer systems as a way to advance AI. In order to fully generate what might be considered specialized AI (an AI that excels at a single task) the paper selected 57 games as a test. 

Mike S article

 

Some of the games are quite easy, such as Space Invaders which requires shooting objects that slowly scroll across the top of the screen while avoiding being shot (just in case you’re young enough to not remember here’s a video). The targets moved back and forth left and right and lowered one space each time they changed direction. If the player failed to hit them all, they would reach the bottom of the screen and the game was over. The other method to lose was the proverbial “running out of lives.” If an enemy missile hit the player three times, the game ended. Occasionally along the top of the screen (requiring the highest skill at deflection shooting), came another object (the mother ship) worth many more points than the individual, but numerous, lower targets. To play only required a left and right movement and pressing the button to fire. Even as simple as it was, the game contained some subtleties.  

These subtle aspects of the game required a different play style to maximize the score (the goal – though for me it was hitting more aliens than my father could.) The player could only have a single bullet on the screen at a time and had to wait until it hit an object or disappeared off the top of the screen. A missed shoot meant a long time waiting, a serious penalty for missing. As the player shot the lower targets they started speeding up until the last one moved so fast it could move down one row in the time it took a missed shot to clear the screen. Good players tended to shoot the lower aliens to the point where hitting one more would cause them to perform the first speed advance then shift to hitting only the mother ship until they aliens reached a point low enough to make it dangerous. This produced the highest score with the least amount of danger. But the game had limits, and even though the aliens tended to speed up over the longer game and start lower and lower, they never exceeded a maximum speed or depth and if a player became so good that they rarely died, it was simply faster to clear the lower targets to achieve maximum score in the shortest period of time. However, becoming that good was difficult since at full speed it challenged the human brain to process all the information (retinal neurons to look at the screen), visual processing to decipher it (visual cortex), thinking and prediction (prefrontal synthesis), and move the fingers in time to react (the primary motor cortex stretching over the top of the brain from one ear to ear.) Some players became very good, but death would eventually come though perhaps only from lack of sleep. This game took no reasoning, only simple prediction, and good hand-eye coordination. Other games were more difficult. 

Mike v2

One such game was Solaris. In this game the game universe consists of sixteen quadrants each containing 48 sectors that can contain over nineteen different icons to indicate different missions. Choosing a sector can be a free choice or it might be a requirement such as refueling, repairing, or saving a friendly planet. It contains different enemies based on the contents of the sector. Positioned at the bottom, a readout, shows different icons depending on whether the player is in warp or out and it can be damaged requiring the player to use two numbers at right or left to calculate what it normally visually showed. Complicated? Yeah, and there are components I haven’t even touched on like corridors, a completely different visual screen. The goal: navigate all quadrants (each containing 48 sectors) to reach Solaris. This game not only requires great hand-eye coordination, but both strategic and tactical thinking. Add in that Solaris does have a running score counter (the goal is to maximize it) but points are added to the score only at the end of a large goal, making it difficult for an agent to see a reward for a good action. 

Mike 3

Another game, Pitfall! works completely differently. Here the world is static, it never changes. Players can memorize what each screen contains and even how to best navigate between them. It consists of screens that look similar but navigating them means quick thinking and fast fingers as they are made up of components that seem randomly placed. To win the player needs to navigate to various screens and collect gold and silver bars using memorization. A timer at the top of the screen counts down from twenty minutes. Being a static game, it might seem a great candidate for an agent, but the screens were diverse enough and the map large enough to require a much larger memory than many agents contained (or complexity of the network.) The problem with Pitfall! is playing it is very, very different than most other titles so an agent trained on Space Invaders and Solaris would find it the new environment completely alien. The 57 games picked create diversity and constitute a challenge for a single agent to learn to play.  It is important to understand that this is not a suite of agents designed to learn each game but a single agent with the ability to learn all 57 games and play them above a human level.

Why the Atari 2600? It is simple early device. It only has 128 bytes of RAM, no video buffer (programmers drew the screen using the CPU one line at a time using 4 single line sprite objects) and had only 9 inputs for the player (8 joystick positions and a single button.) This kept games simple (for the most part though some programmers advanced the system far beyond.) I remember the 2600 well and it was rare to read the manual after purchasing a new game. Instead we just started playing, moving the joystick around to see what moved, how it moved, and what the button did. What actions generated score, or other positive rewards and what actions were detrimental. We could intuitively figure out how to play by simply exploring. Some games required exploring and the game state only changed if the player moved. Other games had hidden chambers, secret passages that meant walking into what appeared to be a wall, but in game reality were illusions. Experimentation and exploration, required components for many games, is necessary in any agent. 

In 2015, DeepMind released a paper on Double-Q leaning that produced the best agent that could beat the human normalized score for 29 of the 57 games. These were mostly the move and shot at targets while avoiding being shot games (Galaga like) or the move through the maze while avoiding the bad guys games (Pacman like.) In the next version they added short-term memory so an agent could recognize and remember previous actions for on-policy learning (LSTM) and off-policy (DRQN). The next very successful version added an exploration module that allowed the agent to explore using various techniques to try to find how to achieve the goal or change the state of the screen. A good example of this is Montezuma’s Revenge in which the player can stay in the same place for as long as they choose without dying or changing the score. To an agent without exploration, the agent soon learns not to move on this screen as invariably it leads to death. This is because this game’s setting is a cave and many exits are illusionary walls that the player can only find by bumping into every wall to determine if it is real or not. Other screens are completely dark (no light source) but there are still obstacles, structure, and exits though they can only be “felt,” not seen. Finally, DeepMind added episodic memory in order to allow the agent to switch from “learned” mode to “explore” mode when new and different looking screens were discovered. They coupled this with a density model in the exploration engine for the agent to be able to judge how often it had seen a specific element or one like it (familiarity.) This allowed the agent to use the exploration mode to try to change the game state, without this the agent might get stuck doing nothing or a few movements that had no effect, essentially getting “stuck” in a game that required moving from screen to screen like Tutankham,  Pitfall!, or Krull

In the latest incarnation of DeepMind’s Atari 2600 agent they added a meta-controller. Many games require exploration to learn what enemies are valued over others, such as Fishing Derby where the deeper fish are worth more than the shallow fish, and really don’t represent that much more difficulty, only more time. That can be handled in easy games that are static, but not games that have multiple screens like Tutankham or Pitfall! that need to first be fully explored before optimal play can be achieved. Other times it is necessary to balance short-term and long-term goals to optimize game play. Such games as Solaris that only give rewards at the end of a long series of events requires focusing on long-term goals versus games like Astrerix (Taz in the United States) where the only goal is to touch one set of icons while avoiding another. To handle exploration versus learned and short versus long term rewards the concept of a “time horizon” that switches between the various modes to help seek a long term goal versus a short term goal and governs how long to play in learned mode versus how long to stay in explore mode to change the game state. As it turns out, for many games, reaching the highest possible score in the least amount of time means first fully exploring the game, then picking which long-term or short-term strategies lead to optimal play. DeepMind solved this using a type of algorithm from stochastic decision theory called sliding-window upper-confidence bound which is a way to measure the potential of an action by valuing both the previous rewards received but overtime increasing the value of untried actions. In this manner all actions are tried but those that offer no reward or low reward are quickly removed. With this addition to their last agent (Never Give Up – NGU), they created Agent57. 

So how did it do? We’ll look at that next week, and dive into the decision on whether Agent57 is a true specialized AI. 

The Biggest Security Mistake – Part 1

The Biggest Security Mistake – Part 1

The Biggest Security Mistake  

You Are Making Right Now 

Part 1 

In this world of information security where new vulnerabilities in applications and operating systems show up daily and major breaches are announced weekly, the biggest security mistake is also one of the oldest: passwords. The idea of a password is very simple. It is something that you know that others don’t that can be used to recognize you. Even the word itself comes from its historic usage, if you know the secret word you may pass–you are one of us. A word becomes your identity even if you are unknown. Most people will immediately assume the mistake is not in picking a good one. That is a problem within itself, but that is not the biggest mistake you are making. This problem might be more about your personal passwords, but for most it also involves work passwords. Before we go forward let’s first understand exactly how passwords are used to identify you in terms of information security and the failures of the system. 

The Hash 

I have heard cyber-security specialists say, “I was able to retrieve your encrypted password.” This is not correct. Encryption is a two-way process where something you wish to remain secret is changed to be unusable in such a way that, with the correct key, it can be changed back to its original state.This is why it is a two-way process. Plain text (the unmodified input, called the crib) is encrypted with a key that “scrambles” it (called the ciphertext), which makes it unreadable so it can be sent over a public medium, and the receiver can supply the key to decrypt it and restore it to the original plain text. 

Decrpyt PW

A hash is a one-way conversion from the original data to a fixed-size representation. Once converted the hash cannot be used to derive the original data. This is a one-way map that converts the data into a representation that can be used to find it again quickly (such as in hash tables.) You might think of it like a fingerprint for data. Of course, you can’t expect to represent 10MB of data using only four bytes without having collisions (where two different inputs equals the same hash) but for smaller sized inputs, such as your 32-character password, collisions are rare with a good hash function. Common hash functions you might have heard of are MD (Merkle–Damgård or Message Digest), SHA (secure hash algorithm), and BLAKE. How can a one-way function that reduces the input data to a much smaller output be useful? 

We’ll use a simple hash function to store a library of books in a way to make them easy to find. Here’s a list of books:  

The Cuckoo's Egg - Clifford Stoll 
Sandworm - Andy Greenberg 
Dark Territory - Fred Kaplan 
See No Evil - Robert Baer 

We’ll put the name of the book and author separated by a dash (just as above) through a hash function to get the following results (Online hash calculator – Online tools):

The Cuckoo's Egg - Clifford Stoll = 74f26962de8d5748d77a0a7b03be2153 
Sandworm - Andy Greenberg = b1a7219ac45be9cd4375f6bec16b018a 
Dark Territory - Fred Kaplan = 660067ecb503cc4b97801a1341197578 
See No Evil - Robert Baer = 5e492f2e663023d28abacd4d2a6534df 
 

The hash function (MD5) converted the title and author into a unique 16-byte number (displayed in hexadecimal.) Now I simply need to label my bookshelves with the first letter of the hash 0-3, 4-7, 8-b, and c-f and start putting my books on the correct shelves in alphabetic order of the hash not the title. Now to find a book, simply hash the title, dash, author and I’ll know exactly where to look. Perhaps if we did this with the whole text of the book, we might disrupt the firmly entrenched Dewey Decimal system, but this does illustrate how a one-way hash is useful. 

 Passwords are a type of plain text. You know your password, if you write it down on a sticky note and place it on the underside of your keyboard it is readable to all. Instead, if you encrypted it using something like 3DES Encryption and then wrote it down, no one would know your password even when they found your secret sticky note. But you’d still need to remember the password you used to encrypt it, so you’d only be exchanging one password for another. Instead passwords are hashed, and the hashes are written to a file on permanent storage. This is how computers store passwords (or should even though many times they don’t, including three FAANG companies.) In this way, even if the file is found, the passwords aren’t visible. But if the hash is one-way how do we use it to store a password? 

Many people believe the password is encrypted and the encrypted version is stored. When you enter your password, the computer decrypts the one in storage and compares it to the password entered. This would allow system administrators (or hackers) to easily decrypt passwords since some master key must exist in order to decrypt the stored password. If something is stored in a computer anywhere, it is fair game for hackers. Instead, when you first enter your password, it is hashed with a hash function and the hash is written to storage in a file or database that also contains a username or user number. Then when you subsequently enter your password, the password you enter is hashed, and the hash is compared to the stored one. If they match, then you have entered the correct password, since any different password would create a different hash as each unique input text produces a unique hash. 

Now that we understand what hashes are, next we’ll discuss the methods used to break them. 

Load More