Sunday, March 29, 2015

Why CSI: Cyber is a good thing

Welcome to the blog post for March. This happens to be very late. If you missed last month's post, don't worry you didn't miss anything since I didn't do a blog post. I paid for my laziness by donating $100 to the EFF. I'm also giving away the hat they sent as a gift. Check out the last post for more details!

WARNING: This blog post is pretty much a giant spoiler. While I don't believe in spoilers, I do respect them, so you've been warned. Go watch the show (Episode 1) and come back. 

Without any further ado, March marked the start of the new CSI spin off CSI: Cyber

Just as I expected, this ruffled SO many InfoSec jimmies. The halls of Twitter filled with echoes of DERP. It was horrible. I heard rants about Green Code, and Malworms, and Dawson's Creek, oh my! So, as curious as a cat, I decided to watch it as well. This way I can see what the hullabaloo was about.  

In case you don't have time to read this blog, I'll jump to the point right now:

TL;DR This show is a good thing for the InfoSec community. 
Because it gives us a common ground for speaking to the laymen while using examples from the show which are very real. Read on to see me break out the realism in the show.

I probably just lost half of my 7 readers with the above statement, but for those that have stuck around, please hear me out. 

We have one of the more difficult jobs when it comes translating our work into laymen's terms. As an example, many of us have an excruciating time explaining to our family members why this is not normal:

Even more difficult is trying to explain why some attachments just shouldn't be opened. The core of the problem is pretty simple. People do not understand the risk. Businesses are just starting to realize risk as major companies continue to headline the news. However, everyday people are still in the dark as to how real of a threat this is. 

At this point of the blog, I'd like to press pause and level set with everyone. I believe that the only way to build support for our security efforts is to bolster awareness of the threats so that we have buy in from end users. I've walked into too many companies as a security consultant and have been told that things from the SANS Top 20 would negatively impact culture. We need end user's to realize they need these controls. 

I hate using FUD ("Fear, Uncertainty, and Doubt"), but in some cases it is the only way to get people to pay attention. This is where CSI:Cyber comes in.

Let's pretend for a second that you are sitting down with your extended family watching CSI:Cyber. The show concludes and everyone is sitting around talking, when little Bobby Tables asks: "Mom, Dad, could someone really spy on us from the baby cam?"  

This is where mom will usually give that line about, "Of course not Bobby, it's just a movie and movies aren't real" ... but not this time! This is your chance!

You have the chance to not only give Little Bobby nightmares of cyber abduction, but to actually have a real conversation with someone about the capabilities of the bad guys. You may ask yourself, why couldn't we do that before? Well, simply put, our audience didn't have interest in the subject matter. CSI:Cyber gives us a common ground that is both engaging and entertaining. 

From here we can draw parallels to real life, real attacks. Explain that these are the reasons WHY we patch, this is WHY you don't need admin rights, this is why you shouldn't use default credentials etc. etc.

In order to do that, we need to sift through this show piece by piece and actually identify how plausible these events are. That’s coming next, but first, let’s addresses the DERP factor with a quick tangent. 

Sure this show, has its level of derp, but what show doesn't? Do you really think doctors all nod their head and say, "I concur" as they watch House. Hell, I bet real detectives will hang their head every time SVU mentions semen. However, at the same time if we were to actually depict the day in the life of a forensic investigator, the show would suck and no one would care or want to watch it. 

Let's take a day out of my life for example:

Hour 0: XYZ Company calls says they were breached
Hour 4: I join a meeting to talk to a representative from XYZ
Hour 5: Rep from XYZ has no clue what he's talking about, schedules another meeting with 'tech guy'
Hour 7: I get travel booked to goto client site:
Hour 19: I am on a plane to client site
Hour 24: I am at the client site, they stick me in an old office ... it smells, only 1 light works.
Hour 48: Still waiting for access to go take acquisitions of evidence.
Hour 72: Evidence is acquiring.
Hour 96: I'm reviewing logs ....
Hour 120: .... still reviewing logs
Hour 144: .... wtf is this system? client says oh thats our windows 2000 box we have to have
Hour 150: we finally found the guy that knows where this box is, its in an old telco room
Hour 168: Windows 2000 box acquired

............... I'm going to stop here, my life sucks ... this is why I drink.
So obviously, to keep people from developing stress, depression, high blood pressure and drinking habits like we have all developed. CSI:Cyber adds some zest ... you know kind of like these Air Force commercials. Anyhow, I'll just refer to these acts as "Good TV".

NOW Let's get into the show!

Part 1: Webcam 

The show begins with a baby getting snatched from a crib while a bunch of foreign voices are arguing through the webcam/baby monitor. This is the BEST FUD Factor EVER! We have cyber-peepers and a kidnapping. This is every parent's nightmare! I guarantee you will have the ear of anyone with a child. So let's break it down:

Later in the show we learn that the attackers could view the webcam via a Remote Access Trojan ("RAT") installed on mommy's computer which was put there by the baby daddy (remember, this is a drama!). This leads us to it definitely being a targeted attack, but I'll explain first how it could have also been un-targeted. 

First, let's tackle some of the tech. Some people didn't think that a webcam could transmit audio.
You bet'cha it can! Meet the Neewer V100!

It's less than $40, Prime Available and fully loaded, with pan and tilt (you can remotely move it, think about that for a minute), Night Vision ... and most importantly TWO WAY AUDIO! 

Now for our next trick, and why I mentioned the possibility of it being un-targeted. Let me introduce you to ShodanHQ. Shodan is the work of the brilliant John Matherly. This is an awesome project and I'm not going to do it any justice with a quick overview, but imagine it as the Google of banner grabs. This bad boy crawls the internet like Google, but it indexes what is running on all the ports. Then we can search those banner grabs for things we are interested in. Today it will be webcams.

Below are the results just from the term "netcam". At first glance we can see almost 6,000 in the US alone. This is also just from one webcam dork. There are many others.

Using the paid API and Python I was able to sift through hundreds of results in under 30 minutes and found this little girl from [Redacted, not really important to the story], USA, sound asleep. This is what I meant by un-targeted. I have no clue who this little girl is, yet here she is. As a parent this is where my stomach starts to turn, as did many of my friends who had kids who I let preview this blog. 

Now if that is not sickening, let's get kinetic. Many of these webcams are connected to the WiFi. In these administrative pages are the connection details for the WiFi such as the ESSID (WiFi name) and in some cases the BSSID (MAC address). Now ... if only there was a database that mapped ESSID and BSSIDs to a geographical map ... kind of like ...

Anyhow, remember, I digressed from my point. As we learned later in the episode, the criminals used a RAT. RAT is a real term. Short for Remote Access Trojan, or Remote Access Tool. There are plenty of these to choose. You have Dark Comet, Cybergate, Blackshades, Poison Ivy, jRAT, etc. All of them do essentially the same thing, and they do it very well. They give an attack remote access to your computer.

Feel free to read more about RATs if you're new to term: However, I am going to steal the Wikipedia list of capabilities:
  • Block mouses and keyboards
  • Change the desktop wallpapers
  • Downloads, uploads, deletes, and rename files
  • Destroys hardware by overclocking
  • Drop viruses and worms
  • Edit Registry
  • Use your internet to perform denial of service attacks (DoS)
  • Format drives
  • Steal passwords, credit card numbers
  • Alter your web browsers homepage
  • Hide desktop icons, task bar and files
  • Silently install applications
  • Log keystrokes, keystroke capture software
  • Open CD-ROM tray
  • Overload the RAM/ROM drive
  • Send message boxes
  • Play sounds
  • Control mouse or keyboard
  • Record sound with a connected microphone
  • Record video with a connected webcam
  • Show fake errors
  • Shutdown, restart, log-off, shut down monitor
  • Record and control victim's screen remotely
  • View, kill, and start tasks in task manager
This matches the capabilities of the RAT in the show. Furthermore, do you remember how the RAT got installed? The husband installed it to monitor the life of his kid by spying on his wife's computer. It is not uncommon for attackers to put a link to their RAT on YouTube advertising it as spy software to remotely monitor a spouse. Kinda like this: Something tells me this probably isn't legit. 

For the most part, once these attackers get access to your computer, they most likely aren't going to come steal your baby. Instead, what they will do is turn on your webcam and start taking pictures of you. Kind of like this one I found which was posted in a forum. This is a bot owner showing off one of their 'slaves'. This is the term the use for a botted computer.

This guy has absolutely no idea someone is taking a picture of him. Now he's obviously in his bedroom. Imagine what images our attacker could take pictures of in there and use to demand a ransom. Now, what if this was your son, daughter, wife or husband? 

If that made you angry, wait until you find out that these are mostly teenagers doing this, and on top of that, they also sell and trade access to your camera like Pokemon cards. 

One of the offers I found was 10 slaves for $1 USD. Yeah, that's 10 Cents for access to your mug. I'm not sure what I would be more offended by.

So to recap:
Technical capability of a webcam playing audio? Check!
Ability to find unsecured webcams on the internet? Check!
Getting a RAT on a spouse's computer? Check!

Congratulations. You've made it past Part 1. The rest are quick points addressing some of the dialog in the show. 

Part 2: DFIR Shenanigans 

As part of my profession (Digital Forensics, Incident Response "DFIR"), I conduct a lot of engagements helping companies establish incident response ("IR") policies and procedures. A lot of the issues companies have when trying to establishing these plans are captured in this show. Let's break them down:

"Any crime involving electronic devices is by definition cyber": Oh man! Twitter had fun with this one. At the end of the day, cyber is the term. Someone used it, it caught on, and just like APT, we are stuck with it, so let's grow up and get over it. The next trick, how does a company define a cybersecurity incident versus perhaps a physical security incident, or better yet, a general IT incident? At the end of the day, you need to define what activates your cyber incident response team actually responds to.

"The baby cam was unplugged and secured": If I had a dollar for every time I arrived onsite to a company who was nice enough to turn the server off to contain the incident .... "Please treat all hardware, including the baby cam like a dead body, don't touch it, don't move it" This line was excellent and underscored the need for first responders to be properly trained in acquiring evidence. Many companies will sometimes assign their help desk team members to this job with little training.

Here comes something fun we don't talk a lot about in the DFIR field. Testing! Our cyber sleuths start tossing evidence into these cool high speed Faraday bags which should be blocking the communication to the mobile devices. These are great to prevent the device owner from issuing a remote wipe command. That is provided they work. Make sure you take the time to test things like Faraday bags and write blockers. Nothing is more embarrassing than sticking a phone in a Faraday bag and then it rings.

"All I got is green code here" Okay, look. I don't even know what to make of this. The best I can do is guess that this is cooler than what most companies will come back and say: "Well, our AV scan didn't show anything" 

Part 3: Natal-Cam HQ

In this scene we find our analyst hero Krumitz walking the data center of Natal-Cam HQ. I really don't have to go too far into analysis here. This is a great allegory of our current state of cyber security. Krumitz asks "How long has your source code been like this?" referring a vulnerability in the company's camera software. The uneasy company rep states he was instructed to not talk to Krumitz. 

He then goes on to explain how he took [the vulnerability] upstairs but nobody listened. 

This is a huge theme in many companies. As I go around to different companies and conferences I get to talk to a lot of analysts who have the same issue. The business has difficulty in understanding the risk of vulnerabilities. This usually equates to them being disregarded in lieu of operations.  

Part 4: Password Tattoos

I'll cave here, the password thing was funny. I have seen multi-person passwords in the field before. Usually the idea is around two groups of people, each group knows a half of the password and together they can unlock a joint system. I assume this is what the criminals were doing. No honor among thieves and what not, so they used this. Each person would put in their portion and then bam, unlocked. How they all didn't know each other's secret dates is beyond me. What's really going to bake your noodle though is remember it was a 20 character password? I'll let you add up the numbers.

I'm just kidding, I won't bake your noodle ... I told you, spoilers.

Part 5: Conclusion

After breaking down the show, I want to go back and bring up the point of this blog again. This show is a good thing for the infosec community. We as infosec professionals should know what is possible and what is good TV and then to use these things this as a common ground for communicating risk and realism to the layman. Doing so will help us bridge the educational gap the laymen has in information security. Hopefully, this results in them becoming more security conscious which is all we can really ask for.