Exim, Internet Mail Software, Flaw Causes Problems

An older version of Exim (4.92.1) had a serious flaw that became CVE-2019-15846:

I like to point out problems that come up that are interesting… This software is needed in mail servers and is not well known to most people. But if a company does have it, it now needs to be upgraded.

Notice there were many releases of this software before someone found the vulnerability. Here is the CVE information from Bugtraq:

Description: Exim before 4.92.2 allows remote attackers to execute arbitrary code as root via a trailing backslash.

 

Bugtraq has an interesting explanation:

"Zerons" and Qualys discovered that a buffer overflow triggerable in the
TLS negotiation code of the Exim mail transport agent could result in the
execution of arbitrary code with root privileges.


 

So it seems that hackers found the flaw and it was patched quickly… But the administrators still need to install the update. So as usual here is the weak point – administrators who are already stressed have to do some off-hours updates sooner rather than later.


China Attacks and We Do? Nothing for most part

Chinese Hackers Eye US Cancer Research:

https://www.technewsworld.com/story/86211.html

This is another outrageous attack on our companies and institutions, as Chinese APT hacker groups appear to be linked to stealing information from cancer research.

 

Here is a news story about espionage by Chinese-paid doctors: the NBCnews story about 3 scientists removed from MD Anderson Cancer Center.

FireEye published a report on how the Chinese focused attacks in healthcare to steal medical research.

FireEye was the company that documented and released the Unit 61398 (China military attacking World targets since 2004) report about the APT1 group.

Since 2006 Mandiant (today a FireEye company) has observed APT1 compromise 141 companies in 20 major industries.

 

So it is obvious to all people who keep up on these things, that China has stolen or can have access to many companies as many times as they want:

“Once APT1 has established access, they periodically revisit the victim’s network over several months or years and steal broad categories of intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, and emails and contact lists from victim organizations’ leadership.”

 

So I want to ask now why would the Chinese even want to embark on this type of method to interact with the world? Do they think they will make friends over the long term? Are they interested in making friends? Or are they obsessed with history? The history of the Boxer Rebellion and the general weakness of the Qing dynasty until the dynasty came to an end in 1911. The weakness of the Qing dynasty and the early days of the republic caused all kinds of things to happen which the western governments took full advantage of.

So this stealing and taking is just payback? Yes, in part. It is also a fulfillment of Confucius's philosophy and his understanding of Tian (or heaven), specifically the fact that only the Chinese can be close to heaven. It does not even have to be pure Confucian thought as long as the interpretation has been accepted by most people. Including one of the 3 great Confucian philosophers (Xunzi), who rejects the idea that humans are innately good.

So if the Chinese thinking is completely different from yours, that is because their books are written with different philosophies.

 

It actually does not matter the exact thinking the Chinese have, as we will not understand it anyway.  We should not try to find nuance in Confucian philosophy, all we need to do is understand that thinking is different and we have to modify our strategic thinking.

Look at the PLA hierarchy and where Unit 61398 is in the hierarchy.

The main thing I see in this diagram is a dictator and his government structure. Everything else is just a confirmation of his rule. Can an underling find a few words in Confucianism to say we can do XYZ? I am sure it can be found.

 

We have to ‘try’ to deny the freewheeling rip-off artists so that we can keep our IP (Intellectual Property) as long as possible.

 

Today it is health care information, tomorrow it will be whatever is the latest technology or service to be stolen. The Chinese do not have a judiciary equal with the Chinese Communist Party (CCP). The CCP is always going to run everything in China. There are no checks and balances, there is only full power by the person on top. This to me is the definition of dictatorship.

So if we have a complaint with them, there is no court that will adjudicate with them in a position of power, unless we have power as well (military or Cyber).

So what we need is our own Cyber power, defensive and offensive. That is my suggestion to fight back against China.

As it is we do nothing as you can plainly see in the news stories.


Why is China Trying to Steal our Stuff?

First thing I think of (being of a certain age) when someone asks why: Why ask why? Answer: Try Bud Dry! (Silly old Budweiser commercial)

So why do we need to ask why? Because it would be good to know why we are consistently being attacked by this region of the world. It is always good to know your opponent.

In this case _we are the people_ with computers, financial information, Intellectual property, health information, and really anything that can make money (Credit Cards, information that can be used against competitors).

So money is one motivator, but hackers have other motivations, like the Anonymous hacktivist Jeremy Hammond, who received a 10-year sentence, as noted in this NYpost story.

“Some breaches in Hammond’s life had been a challenge. He’d search the code on websites he wanted to target, combing through the symbols and letters of computing languages for security flaws to exploit. He’d create user accounts on the sites, and then test for ways in. It could take months of trying, and sometimes he gave up.”

“He considered hacking a means of social justice, and he did it in secret while pursuing civil disobedience and protest in public, as well.”

So hacking can be a social justice act or even a kind of civil disobedience.

Now what if you had a state apparatus with massive resources?

Hacker News article from 2015

There are some very interesting points in this article:

CHINESE CYBER WARFARE UNITS
According to McReynolds, China has three types of operational military units:
  • Specialized military forces to fight the network — The unit designed to carry out defensive and offensive network attacks.
  • Groups of experts from civil society organizations — The unit has a number of specialists from civilian organizations – including the Ministry of State Security (it's like China’s CIA), and the Ministry of Public Security (it's like the FBI) – who are authorized to conduct military leadership network operations.
  • External entities — The unit sounds a lot like hacking-for-hire mercenaries and contains non-government entities (state-sponsored hackers) that can be organized and mobilized for network warfare operations.
According to experts, all the above units are utilized in civil cyber operations, including industrial espionage against US private companies to steal their secrets.

“It means that the Chinese have discarded their fig leaf of quasi-plausible deniability,” McReynolds said. “As recently as 2013, official PLA [People’s Liberation Army] publications have issued blanket denials such as, ‘The Chinese military has never supported any hacker attack or hacking activities.’ They can’t make that claim anymore.”

The Hacker News article got the information from “The Science of Military Strategy” (SMS), a 2013 PLA document.

So the strategy of the Chinese is bare for all to see – they have hundreds or thousands of people in cyber warfare units.

The SMS authors also focus heavily on the central role of peacetime “network reconnaissance”—that is, the technical penetration and monitoring of an adversary’s networks—in developing the PLA’s ability to engage in wartime network operations. As the SMS puts it, since the technical principles underlying successful penetrations of an adversary’s systems are essentially the same whether the objective is reconnaissance or active disruption, at the appropriate moment “one need only press a button” to switch from reconnaissance to attack.

So now we have a stated goal of Chinese Cyber warfare units: to run constant surveillance and prepare for eventual war, or for other goals that will steal or destroy information.

This SMS ‘plan’ is in line with what China thinks of itself, as the New English Review article by Brandon Weichert mentions: the concept of Tianxia, the “All under the heaven”, boils down to

The choice made by all peoples to have only one political system that is the top of the world. They believe that just like in the Warring States Period the weaker competitor will give way to the more ideological and correct with the Chinese belief that the Chinese emperors possessed the mandate of heaven concept, all of the world had to pay tribute to the emperor as a symbol of his supremacy. Thus, going back to antiquity, the borders of China were fungible; always waiting for China to gain the strength needed to push to those farthest edges of the world map and bring barbarianism and chaos to civilized order.

In the narrative, China is the growing power and the US is in decline (status quo), so the Chinese political and ideological purpose is reconnaissance of the networks of the world, until the systems are ready to be attacked in the time of conflict (whenever it actually occurs). The key with analyzing Chinese actions is to look at them from the eyes of an Asian viewpoint – not Western history examples (like Thucydides trap).

So the reason China is doing everything it can to steal our stuff is to become a bigger power than us so that they can order us around. And because it was always meant to be that way. All old Chinese competitors were assimilated and folded into the Chinese ‘heaven umbrella’.

Remember the Mongols (Kublai Khan)? They actually conquered the Chinese in 1279. But it ended in 1368:

“The Chinese always resented the foreigners and in the end revolted and drove them out. A Chinese orphan Hongwu, a peasant soldier who gave up banditry to become a Buddhist monk, led the revolt and founded the Ming dynasty in 1368.”

After that the results of the Mongol invasion have almost completely disappeared inside today’s China.

“but the Mongols were always foreigners in Chinese eyes.”

Have you also noticed that all the previous kingdoms in the warring states period are all forgotten (except maybe in some movies)?

There is a definite arrogance to the Chinese. As if the new upstart (USA) which only started in 1776 is such a young country and really does not belong in the top spot. I.e. it is the impudent upstart which needs to be brought a peg or two down. And any method will do (stealing is ok).

 

If you think about it the “all under Heaven” is a great motivator for young hackers in China trying to hack and steal all our IP (Intellectual Property).

 

Another point: The CCP (Chinese Communist Party) has complete control over major aspects of the country. There is no rule of law in China, only rule of CCP. I.e. if CCP wants to take your property then it does. As Drake Long discusses in his post on the power and control of China. The CCP of which the general secretary runs the party and the President (Xi Jinping) runs China, and Xi Jinping has complete control over China.

“China has no rule of law” says Drake.

Whatever the true Party leader says goes.

“Those observing the anti-corruption campaign could liken it to whack-a-mole: there is little changing of bureaucratic rules, instead it is a targeted campaign against high-profile politicians. This illustrates the absurdity of it all. China’s corruption is systemic, owing to the lack of legal constraints and judicial independence in its government.”

There is no accountability, all that has happened with Xi’s anti-corruption campaign is he has solidified his dictatorship. So what happens in a dictatorship? There are mostly yes men (no women). Everyone else gets ‘dealt’ with.

What happens to foreign companies?

With little rule of law, they will be gobbled up inside China: “Now we are beginning to see the fruits of that relationship, which is an increasingly worrisome one. With little rule of law, foreign companies will see more of their partners unexpectedly gobbled up by Xi’s Communist Party.”

You can see where this is heading, since there is no rule of law inside China, each minister/bureaucrat can do anything they want as long as it is under the aegis of Xi’s goals. This means stealing money and information is a go. In fact it is a state-sponsored activity.

We better learn to prepare ourselves and our companies to defend against the cyberwar already being fought on the Internet.

ZeroDay on Webmin What Does That Mean?

First of all one needs to know what a ZeroDay means, as well as Webmin.

Webmin is easier to explain. If you go to webmin.com, the first 2 sentences are this explanation: “Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more.”

Yes but what does it mean?

Here is the configuration page:

So Webmin is software that allows a system administrator to more easily administer Websites, DNS configuration, file sharing, and more. In short it makes it easier to administer and run a Unix or Linux server.

 

So many Unix (or Linux) systems run this Webmin software to make life easier for the IT person. But then along comes a Zero Day, just like many before this one: Oversitesentry 12/15/15 post.

Belkin router zero day blogpost from 11/8/14

 

Fireeye and Kaspersky software hit with Zero day blogpost 9/8/15

 

Lastpass password manager ZeroDay flaw blogpost 07/27/16   

So as you see this is a recurring theme for all kinds of software, including security software. Or administrative software like Webmin?

Zero day means that there is a vulnerability out there that can be used to hack your computer AND there is NO patch to fix it.

Check out this image:

 

 


It shows how, after a vulnerability is introduced (t-v) and the exploit is released in the wild (t-e), we have a Zero Day vulnerability. At this point anyone who runs the exploit code can hack the software, and with the right infrastructure make money from it (like ransomware). So these Unix and Linux machines that have Webmin admin software are now vulnerable until Webmin can create a patch (t-p). Then, once the patch is released, the administrator has to install the patch.

 

How long will it take for the patch to be released and installed? Sometimes it is 30 days, and sometimes 60 or longer.

 

Update on 8/20/19: Duo Security Inc. released the following:

“On August 17, the developer of the popular Webmin and Usermin Unix tools pushed out an update to fix a handful of security issues. Normally that wouldn’t generate an avalanche of interest, but in this case, one of those vulnerabilities was introduced intentionally by someone who was able to compromise the software build infrastructure used by the developers.”

So this ‘zero-day’ was actually a self-inflicted wound of sorts. It looks like 1.930, the latest version, is free from the vulnerability or backdoor code. Please patch your systems.
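A fleet check for the two advisories on this page, as an added example (not code from Exim, Webmin or the original posts): it parses version banners and flags anything older than the fixed releases named above, Exim 4.92.2 and Webmin 1.930. The host names, inventory lines and banner layouts are constructed for illustration.

```python
import re

# Fixed releases as named on this page.
FIXED = {"exim": (4, 92, 2), "webmin": (1, 930)}

# Banner shapes assumed for this example: the first line of `exim -bV`,
# an SMTP greeting that names Exim, and a "Webmin <version>" inventory note.
PATTERNS = [
    ("exim", re.compile(r"\bExim(?: version)? (\d+(?:\.\d+)+)", re.I)),
    ("webmin", re.compile(r"\bWebmin[ /]+(\d+(?:\.\d+)+)", re.I)),
]

# Constructed sample inventory: "host | banner text".
SAMPLE_INVENTORY = """\
mx1.example.net | Exim version 4.92.1 #2 built 01-Aug-2019 10:00:00
mx2.example.net | 220 mx2.example.net ESMTP Exim 4.92.2 Fri, 06 Sep 2019 09:00:00 +0000
mx3.example.net | Exim version 4.92 #5 built 20-Jul-2019 08:30:00
admin1.example.net | Webmin 1.920
admin2.example.net | Webmin 1.930
relay.example.net | 220 relay.example.net ESMTP ready
"""


def older_than(found, fixed):
    """Compare dotted versions numerically; pad so 4.92 counts as 4.92.0."""
    width = max(len(found), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(found) < pad(fixed)


def classify(banner):
    """Return (product, version_text, status) for one banner line."""
    for product, pattern in PATTERNS:
        match = pattern.search(banner)
        if match:
            version = tuple(int(p) for p in match.group(1).split("."))
            status = "UPGRADE" if older_than(version, FIXED[product]) else "ok"
            return product, match.group(1), status
    # No recognisable banner: report it instead of silently passing the host.
    return None, None, "unknown"


def audit(inventory_text):
    """Classify every 'host | banner' line of an inventory."""
    results = []
    for line in inventory_text.splitlines():
        if "|" not in line:
            continue
        host, banner = (part.strip() for part in line.split("|", 1))
        results.append((host,) + classify(banner))
    return results


if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:22} {product or '-':7} {version or '-':8} {status}")
```

A flag here means "verify", not proof of exposure: distribution packages often carry backported fixes under an older upstream version number.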

 

Let me know if you need help discussing this.

 

 

 

 

What I got out of BlackHat and DEFCON

First I must say I did not go to Las Vegas; all I did was hunt the Internet for pieces of information. I did not copy completely, but edited to make it easier to understand when reading only (versus giving a presentation within the hall):

“Controlled Chaos” the Inevitable Marriage of DevOps & Security (Kelly Shortridge and Nicole Forsgren) is an interesting and thought-provoking presentation.

This presentation is listed at this page: https://www.blackhat.com/us-19/briefings/schedule/

Here is the relevant information in the presentation:

What are the principles of chaotic security engineering?

  1. Expect that security controls will fail & prepare accordingly
  2. Don’t try to avoid incidents – hone your ability to respond to them
  3. What are the benefits of the chaos/ resilience approach?

Time to D.I.E. instead of the C.I.A. triad, which is commonly used as a model to balance infosec priorities.

CIA first – Confidentiality – Integrity – Availability

Confidentiality: Withhold info from people unauthorized to view it.

Integrity: Data is a trustworthy representation of the original info.

Availability: Organization’s services are available to end users

But these are security values, not qualities that create security. Thus we need a model promoting qualities that make systems more secure.

D.I.E. model: Distributed, Immutable, Ephemeral

Distributed: Multiple systems supporting the same overarching goal. This model reduces DoS attacks by design.

Immutable: Infrastructure that doesn’t change after it’s deployed and servers are now disposable “cattle” rather than cherished “pets”. The infrastructure is more secure by design – ban shell access entirely and although lack of control is scary, unlimited lives are better than nightmare mode.

Ephemeral: Infrastructure with a very short lifespan(dies after task). Where ephemerality creates uncertainty for attackers (persistence=nightmare). I.e. installing a rootkit on a resource that dies in minutes is a wasted effort.

Optimize for D.I.E.: reduce your risk by design and support resilience.

So what metrics are important in resilient security engineering?

TTR is equally as important for infosec as it is for DevOps.

Time Between Failure (TBF) will lead your infosec program astray.

Extended downtime is bad (makes users sad) not more frequent but trivial blips.

Prioritizing failure inhibits innovation

Instead, harness failure as a tool to help you prepare for the inevitable

TTR>TTD – who cares if you detect quickly if you don’t fix it?

Determine the attacker’s least-cost path (hint: does not involve 0day)

Architecting Chaos

 

Begin with ‘dumb’ testing before moving to ‘fancy’ testing

  • Controlling Chaos: Availability
  • Existing tools should cover availability
  • Turning security events into availability events appeals to DevOps
    • Tools: Chaos Monkey, Azure fault analysis, Chaos-Lambda, Kube-monkey, PowerfulSeal, Podreaper, Pumba, Blockade

 

  • Controlling Chaos: Confidentiality
  • Microservices use multiple layers of auth that preserve confidentiality
  • A service mesh is like an on-demand VPN at the application level
  • Attackers are forced to escalate privileges to access the iptables layer
  • Test by injecting failure into your service mesh to test authentication controls

 

  • Controlling Chaos: Integrity
  • Test by swapping out certs in your ZTNs; all transactions should fail
  • Test modified encrypted data and see if your FIM alerts on it.

 

  • Controlling Chaos: Distributed
  • Distributed overlaps with availability in context of infrastructure
  • Multi-region services present a fun opportunity to mess with attackers
  • Shuffle IP blocks regularly to change attackers’ lateral movement

 

  • Controlling Chaos: Immutable
  • Immutable infrastructure is like a phoenix – it disappears and comes back
  • Volatile environments with continually moving parts raise the cost of attack
  • Create rules like: “If there is a write to disk, crash the node”
  • Attackers must stay in-memory, which hopefully makes them cry
  • Metasploit Meterpreter and webshell: Touch passwords.txt & gone
  • Mark Garbage files as “unreadable” to craft enticing bait for attackers
  • Possible goals: Architect immutability turtles all the way down

 

  • Controlling Chaos: Ephemeral
  • Infosec bugs are state-related, so get rid of state, get rid of bugs
  • Reverse uptime: longer host uptime adds greater security risk
  • Test: change API tokens and test if services still accept old tokens
  • Test: inject hashes of old pieces of data to ensure no data persistence
  • Use “arcade tokens” instead of using direct references to data
  • Leverage lessons from toll fraud – cloud billing becomes security signal
  • Test: exfil TBs or run a cryptominer to inform billing spike detection
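
The "change API tokens and test if services still accept old tokens" test from the Ephemeral list above, as an added example (not from the presentation or the original post). `TokenAuthority`, `CachingService` and `stale_token_window` are hypothetical stand-ins; the service caches successful auth checks, which is the failure mode this test is meant to surface.

```python
import secrets


class TokenAuthority:
    """Hypothetical token issuer: one current token per client."""

    def __init__(self):
        self._current = {}

    def rotate(self, client):
        """Issue a fresh token; the previous one stops being current."""
        self._current[client] = secrets.token_urlsafe(16)
        return self._current[client]

    def is_current(self, client, token):
        expected = self._current.get(client, "")
        return secrets.compare_digest(expected, token)


class CachingService:
    """Hypothetical service that caches successful auth checks for cache_ttl seconds."""

    def __init__(self, authority, cache_ttl):
        self.authority = authority
        self.cache_ttl = cache_ttl
        self._cache = {}  # (client, token) -> expiry time

    def handle(self, client, token, now):
        """Return an HTTP-style status; `now` is injected so runs are deterministic."""
        expiry = self._cache.get((client, token))
        if expiry is not None and now < expiry:
            return 200  # served from cache without asking the authority
        if self.authority.is_current(client, token):
            if self.cache_ttl > 0:
                self._cache[(client, token)] = now + self.cache_ttl
            return 200
        return 401


def stale_token_window(service, authority, client="svc-a", probe_seconds=60):
    """Rotate a token, replay the old one each second, and return the last
    second at which it was still accepted (None = rejected immediately)."""
    old = authority.rotate(client)
    if service.handle(client, old, now=0) != 200:
        raise RuntimeError("baseline request failed before rotation")
    new = authority.rotate(client)
    last_accepted = None
    for t in range(probe_seconds + 1):
        if service.handle(client, old, now=t) == 200:
            last_accepted = t
    if service.handle(client, new, now=probe_seconds) != 200:
        raise RuntimeError("new token rejected after rotation")
    return last_accepted


if __name__ == "__main__":
    for ttl in (0, 30):
        authority = TokenAuthority()
        window = stale_token_window(CachingService(authority, ttl), authority)
        print(f"cache_ttl={ttl:>2}s -> old token last accepted at t={window}")
```

Any result other than None is the length of time a stolen token stays useful after rotation, which is the number to drive toward zero.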

How should infosec and DevOps come together and develop all of these concepts?

It has to be done as a cultural “marriage”: cultivate buy-in for resilience and chaos engineering.

This is a marathon, not a sprint, and on changing culture: change what people do, not what they think.

———————————————

There are a lot more suggestions, but the main theme that I took out of these presentation slides is that you can make your defense more resilient and tougher by making it a little bit chaotic. I.e. Immutable and ephemeral are some good concepts to think about and use in your infrastructure. Every environment is different and will require co-ordination and rethinking of how things work, but it is good to work some of the concepts into your environment.

Here is a great piece of thinking: Don’t keep your systems up as long as possible, as it is also a security risk (besides patching and other issues).

Using short lifespan hardware with frequent rebooting (relatively – like every day for example) makes the attacker’s life much more difficult. Of course patching requires some rebooting, but monthly or quarterly reboots are not frequent enough.

Also here are some links from DEFCON

First the Media presentation webpages: https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/

(I always include the full link instead of Media.defcon.org link so one can see where it will go)

First I look at the Speaker’s bio and quick overview of the presentation given at this link: https://www.defcon.org/html/defcon-27/dc-27-speakers.html

Then I download the information freely available on the Internet. I will have more posts on the presentations at DEFCON and Blackhat.