Web hosting

Saturday, October 27, 2012

More Security Analysis, Deception Training, and Bugs

One of the things that I've learnt over time is that no matter what the circumstance your first instinct should be that people will lie to you during an investigation. As has been discovered by various other people though there are a multitude of ways (many are arguably pure 'pseudoscience' while others may have some merit) in which to (hopefully) detect the veracity of someone's claims. More often than not though I've found that you need to use a variety of methods in order to determine what's actually going on. While some methods of lie detection are well known and have been extensively researched, it's also clear that people have been trained on how to 'beat the box' and depending on your industry you may have even be taught these techniques as part of your training.

However, as is the case with true 'Stealth Technology' (For true/actual (not 'low visibility' as is the case with current generation technology) stealth craft there is a 'hole' that is left in space in the space that it occupies) sometimes it's fairly obvious when someone has been 'trained' (It's worse and can be borderline comical when they they have only been recently, been poorly 'trained', or have been retrained halfway through an investigation/interrogation because their responses change drastically all of a sudden. Moreover, while some people may be trained in one particular method of lie detection evasion it is often clear that they haven't been trained in other ways. Another problem is when someone (or a group of people) is trained by one source only. In these cases, the way they attempt to deceive you is often very simliar with regards to patterns of behaviour and physiological response across that entire sample. Depending on the type of deception involved the actual true root cause/motivation may not be immediately obvious (I once recall two separate programs. One was a highly sophisticated program that relied on advanced technological analysis of physiological behaviour and another was based on holding an egg. Both measured stress levels and worked fairly well but both also suffered from the same problem. Namely, you couldn't determine the source of the anxiety. It could have been because they were lying or it could have simply been because of the local ambient environment.). You can use surveillance/bugging as another means of lie detection but that's fraught with it's own difficulties (legal as well as technical).

It's ultimately a case of intuition, analysis, negotiation, and a general sense of thoroughness and awareness when it comes to techniques with regards to deception training. The more data points ('equipment' can come from a variety of sources but you should know that even COTS smartphones have the ability to run 'spectral analysers' now) you have to measure/examine though the more likely you will be successful. 


One thing that really needs to be thought about though is whether or not they know what they are saying is untrue or not though. There is a long history of legal precedent which states that eyewitness testimony can be problematic. This is due to many differing reasons including the impact caused by the stress of the incident, external (and vested) interests, and even just poor memory. Moreover, if you (or they) do consider using drugs or other additives the reliability of the testimony can be questionable and may not be possible to enter in a conventional setting.


Voice biometrics as a means of authentication is something that I (and others) have thought about previously. The obvious attacks are simple such as playing back a recording, or using continuous speech analysis to be able to develop a voice synthesiser so that you can create whatever pattern is required. Obviously, the only way to really know whether or not it is effective is to test it...


A closer approximation/variation of what I was talking about with regards to behavioural/cognitive fingerprinting.


Interestingly, such technology/concepts are now being used to protect critical infrastructure as I originally intended. One thing that needs to be thought of though is that the higher the level of the abstraction the more easily it can be abused. For instance, it's easier to change the permissions of a particular file or folder than recreating a bit stream of data with a correct CRC that is clock synchronised to a particular frequency.

Have been thinking further about cyberwarfare/intelligence. There seems to be very little reason for there to be officially sanctioned missions (Traditional intelligence operations tend to have a fairly low percentage of covert operatives/NOC's (though much higher in particular cultures) but given the nature of the Internet and the underlying protocols (perhaps we should think about building non-repudiation mechanisms into/on top of existing protocols/networks?) and the fact that it is possible to mis-direct your investigator via 'Anti-Forensics' I see very little reason why you would opt for this norm. I suspect that the number of non-sanctioned operations will be inversely proportional percentage wise when compared to physical operations.).


After all, even if you are just conducting pure scouting missions what benefit would it be to make it known to your opponent that you are conducting such an operation? Perhaps the only real reason why you would have 'declared operations' may be to reduce the chances of a counter-attack (if they somehow believe that your activity may be grounds for retaliatory action). It may also help to develop training by having people work against real world systems (training missions help both attacker and defenders by establishing configurations/patterns of attack though I suspect that you may only have such missions between allies though. The biggest problem is if there is an actual breach or if a third party decides to interlace their attack between the actual operation itself though... (A proper logging procedure on critical systems it would be 'helpful' in distinguishing between a 'sanctioned' attack and one that isn't of course.)(I've been thinking of using MPLS VPN's and other forms/types of VPN's as a means of developing virtual online battlegrounds. I've also been playing around with the concept of using particular border gateways/trunks as a way of establishing virtual geographical boundaries.))


If you've ever been involved with hacking (either as a 'actor' or as a 'watcher') then you'd realise that motivations can vary drastically. Another thing you'd realise is that in many firms and most jurisdictions laws/legal frameworks for dealing with incursions/breaches aren't particularly well developed. Factor in issues relating to health, regionality, and extradition and you have the potential for mayhem.


There doesn't seem to be enough of a distinction between 'levels of hacking'. At the moment, those who break in 'for fun' are often stuck in the same situation with corporate spies (if/when they are caught). Admittedly, there are systems which should never be touched (health, defense, infrastructure, intelligence, and so on...) I suspect that there will be need to be several layers. 

I've been exploring the notion of 'damage' (CVSS may be one particular measure of this but we may need to develop other/more distinct metrics in light of some of the dangers we're facing especially with regards to critical infrastructure and the physical and very widespread impact that they may have.)

As I discovered during my experiment ('Convergence' document) reporting security holes doesn't necessarily result in a response or a guarantee of remedial action. For critical infrastructure (there already are fairly strict controls/requirements that need to be adhered to if you are a defense contractor though the White House has recently tried to pass updated cyber legislation) I suggest that we provide amnesty (maybe even a possible reward) to anyone (internal or external to the organisation) who is willing to point out existing holes if they, 'play by the rules' (no data breach and maintain confidentiality). If the company doesn't take action (or if the reporter prefers), a third party (an anonymous 'Wikileaks' or media release is one possibility though not the cleanest/ethical) that people can go to get the problem fixed.


Don't know why some people are bothered with regards to UEFI, Windows, and the ability to be able to boot alternative operating systems (x86 isn't so much of a problem as is the ARM platform). As with the cash/currency industry it's a cyclical game of defense and offense. Moreover, there already appear to be cracks in the system already. If you are interested in learning more about this, I suggest you read up on computer forensics, reverse engineering, low level programming, and system architecture.


The strongest anti-tampering solutions have tended to be those that tended to require some form of network connection and a form of repeated/secure authentication. Even then, they're generally considered 'fiddly' by many people and may even impact on sales. For instance, take Football Manager 2009. An extremely popular series but it was hobbled by a sub-standard backend infrastructure to backup their copyright protection mechanism. So much so, that subsequent patches have removed the need to activate altogether and have a copy of the original disc in the drive.


Have being examining Stellar Wind, Trailblazer, and Thin Thread operations at NSA further. Problems with these programs seem to be familiar based on what I've been reading. Even though their 'setting' may be unique they suffer from many of the same problems that more 'standard' organisations have. Reading between the lines, it seems as though there may have been staffing (too many specialists or generalists but not enough people to bind/bring the whole thing back together), project management, and perhaps even a lack of overall support/input...


Countries most at risk against cyberware/intelligence are those who are making the transition from developing to developed or who are already developed but have a 'trusting' culture. We won't discuss who these particular cultures are but some of them have recently acknowledged these problems need to be addressed.

Something to do for those with some spare time...


If you are on a system but don't have administration rights but need to quickly wipe/sanitise unallocated space, just use 'dd' or 'fsutil' to create zero'd files of varying size and repeatedly copy them to wipe your space. Defense includes better use of quotas though this is rare in a SOHO setting.

Ironic that some of world's stealthiest/low visibility (in terms of both classification as well as RADAR cross section, etc...) projects give off enormous sonic booms...


There are design alterations that can be made of course but like the F-117 Nighthawk this may result in severe degradation of aerodynamic performance.


My bugs of the week.

Leadtek WinFast PVR2
Sound not coming through on 9 GEM (AC3 sound). Need to install AC3Filter and re-install program to re-register/configure sound filters. Don't need to necessarily do a LiveUpdate. Possible to download the program and re-install to get things running properly again (discovered because I was having MTU issues with one of their regional servers and had to manually select a new server to download from). Validation of characters in filenames not handled properly. When filenames have a '/' character in recorded filenames recording not allowed. Tried a shell escape, didn't work, but perhaps they should have considered just substituting/removing these characters?


Possible Bug. Can have multiple songs simultaneously. Namely, one that is controlled by the user interface and another that is running in the background . Have discovered that it can sometimes be down to another program on the system that is responding to signals from handsfree controller. Removing conflicting (or re-configuring) programs can help to fix the problem. When this isn't the problem restarting program is another workaround. Believe that it is only under very unique circumstances this happens though. Dig further when have time or when it crops up again.

Unhandled exception (seems to be problem across the board for this program actually though I don't have the absolute latest version admittedly) if no channels setup and you attempt to watch. Would be nice if it automatically prompted you setup channels when required to do so. 'C:\Temp' folder is not setup properly which is required for buffering of Live TV. Threading not handled well in some situations. Deletion of channels can result in stalls in user space even on high end hardware. Need to do some work on auto configuration. Video wasn't coming through initially required some 'tweaking'.

Doesn't allow to remove files from list without stopping transcoding process. Move files through queue but current filename doesn't refresh accordingly and results in blank filename. Sometimes state/progress of transcoding process just doesn't update properly or program window just doesn't work at all when switching between windows. Hopefully, this doesn't have anything to do with my experiments with ThrottleStop and clock modulation to maintain a stable thermodynamic environment.

Tor Browser Pack
Thought portable Tor program was virtually industructable. Not so, recently had some trouble building a secure circuit. May have been due to file corruption (removing and re-extracting files seemed to fix the problem). Would be nice to see some file integrity checking on launch if this is the case (I tried on at least half a dozen occasions at different time intervals via different systems/connections)).

HP ProCurve Switches
Some dialogue boxes have sentences that don't wrap around properly. Looks awkward but is obviously non-critical problem.


- as usual thanks to all of the individuals and groups who purchase and use my goods and services

Quick Beef Stew Recipe, Random Stuff, and More

This is the latest in my series on quick, easy, and tasty meals:   http://dtbnguyen.blogspot.com/2017/11/chinese-style-congee-jook-recipe...