Keep An Eye On Google ‘Security’ Projects

There are quite a few Google projects, and some of them are focused on security. (There are many more projects; these are the ones that could be relevant to cybersecurity. The explanation under each heading is copied in italics from the Google project web pages.)

https://opensource.google.com/projects/

Abseil – an open-source collection of library code. also at https://abseil.io/

Abseil C++ code is designed to augment the C++ standard library. In some cases, Abseil provides pieces missing from the C++ standard; in others, Abseil provides alternatives to the standard. Abseil is not meant to be a competitor to any standard library code; we’ve found that many of these utilities serve a purpose within our code base, and we now want to provide those resources to the C++ community as a whole.

AdaNet – fast and flexible AutoML (machine learning) with learning guarantees. also at https://github.com/tensorflow/adanet

AdaNet is a lightweight TensorFlow-based framework for automatically learning high-quality models with minimal expert intervention. It uses the AdaNet algorithm by Cortes et al. 2017 to learn the structure of a neural network as an ensemble of subnetworks while providing learning guarantees. Importantly, AdaNet provides a general framework for not only learning a neural network architecture, but also for learning to ensemble to obtain even better models.

Angular – a web application framework for mobile, desktop, and web. also at https://angular.io/

Angular is a development platform that aims to make web development feel effortless, focused on developer productivity, speed and testability. Applications built with Angular can be deployed to mobile devices and desktops as websites and native applications.

Apache Beam – unified model to define and execute processing pipelines. also at https://beam.apache.org/

Apache Beam provides an advanced unified programming model, allowing you to implement batch and streaming data processing jobs that can run on any execution engine. It is easy to use with Apache Apex, Apache Flink, Apache Spark, and Google Cloud Dataflow among other distributed processing back-ends.

badssl.com – memorable site for testing clients against bad configs. also at https://badssl.com/

badssl.com has a suite of subdomains with various HTTPS configurations. These can be used to test browsers and other TLS clients to see how they behave when they encounter sites with various security-sensitive issues on the web.

Bazel – a build system for fast and correct builds. also at https://bazel.build/

Bazel is Google’s own build tool. Bazel has built-in support for building both client and server software, including client applications for both Android and iOS platforms. It also provides an extensible framework that you can use to develop your own build rules.

Blockly – open source library for adding drag and drop block coding to apps. also at https://developers.google.com/blockly

Blockly is a library for adding drag and drop block coding to an app. This is primarily used for computer science education, but can also give users a way to write their own scripts or configuration for an app. Blockly has libraries for Web (JavaScript), Android (Java), and iOS (Swift/Obj-C).

BoringSSL – a fork of OpenSSL that is designed to meet Google’s needs. also at https://boringssl.googlesource.com/boringssl/

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don’t recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

Bullet Physics SDK – Real-time collision detection and multi-physics simulation  for VR, games, visual effects and robotics. also at http://bulletphysics.org/

The Bullet Physics SDK is a professional open source collision detection, rigid body and soft body dynamics library written in portable C++. The library is primarily designed for use in games, visual effects and robotic simulation. The library is free for commercial use under the zlib license.

Portable laser range-finders and simultaneous localization and mapping (SLAM) are an efficient method of acquiring as-built floor plans. Generating and visualizing floor plans in real-time helps the operator assess the quality and coverage of capture data. Building a portable capture platform necessitates operating under limited computational resources.

Cauliflower Vest – A recovery key escrow solution. also at https://github.com/google/cauliflowervest

The goal of this project is to streamline cross-platform enterprise management of disk encryption technologies. The project initially started with end-to-end Mac OS X FileVault 2 support, and later added support for BitLocker (Windows), LUKS (Linux), and Duplicity.

Cauliflower Vest offers the ability to:

  • Automatically escrow recovery keys to a secure Google App Engine server.
  • Delegate secure access to recovery keys so that volumes may be unlocked or reverted.
  • Forcefully enable FileVault 2 encryption.
  • Sync BitLocker recovery keys from Active Directory.

Chromium – a safer, faster, and more stable web browser. also at https://www.chromium.org/

Chromium is the web browser that Google Chrome is built on. It is meant to feel lightweight (cognitively and physically) and fast. When released, it brought a sandbox security model, minimalist user interface, and tabbed window manager that many other browsers have since adopted.

Copybara – A tool for transforming and moving code between repositories. also at https://github.com/google/copybara

Often, source code needs to exist in multiple repositories, and Copybara allows you to transform and move source code between these repositories. A common case is a project that involves maintaining a confidential repository and a public repository in sync.

Copybara requires you to choose one of the repositories to be the authoritative repository, so that there is always one source of truth. However, the tool allows contributions to any repository, and any repository can be used to cut a release.

dart – a language designed to be productive, stable, and free of surprises. also at https://www.dartlang.org/

Dart is a programming language developed at Google and approved as a standard by Ecma. It is ideal for web development and can be transcompiled to JavaScript, but can also be used to build server, desktop, and mobile applications. Dart is designed with a ‘batteries included’ philosophy and minimizes magic, such as automatic type coercion in order to avoid surprises when developing large applications.

DeepMind Lab – a customizable 3D platform for agent-based AI research. also at https://github.com/deepmind/lab

DeepMind Lab is a first-person 3D game platform designed for research and development of general artificial intelligence and machine learning systems. It provides a suite of challenging navigation and puzzle-solving tasks that are especially useful for deep reinforcement learning. Its simple and flexible API enables creative task-designs and novel AI-designs to be explored and quickly iterated upon.

Dopamine – A research framework for fast prototyping of reinforcement learning algorithms. also at  https://github.com/google/dopamine

Dopamine is a TensorFlow-based research framework for fast prototyping of reinforcement learning algorithms. It aims to fill the need for a small, easily grokked codebase in which users can freely experiment with wild ideas (speculative research).

fastlane – automate building and releasing iOS and Android apps. also at https://fastlane.tools/

fastlane allows you to automate the complete release process of your iOS and Android apps. It handles tedious tasks like generating screenshots, dealing with code signing and releasing your application.

Firebase SDK – An app development platform to develop high-quality apps. Also at https://firebase.google.com/

Firebase is an app development platform that provides integrated tools to help you build, grow and monetize your apps. The Firebase SDK enables access to the Firebase services in an intuitive and idiomatic manner on several platforms.

FlatBuffers – A serialization library for games and other memory constrained apps. Also at  http://google.github.io/flatbuffers

FlatBuffers is an efficient cross platform serialization library for C++, C#, C, Go, Java, JavaScript, PHP, and Python. It was originally created at Google for game development and other performance-critical applications. It allows you to directly access serialized data without unpacking/parsing it first, while still having great forwards/backwards compatibility.

Flutter – build apps for iOS and Android from a single codebase. Also at https://flutter.dev/

Flutter is a mobile app SDK for building high-performance, high-fidelity apps for iOS and Android, from a single codebase. The goal is to deliver apps that feel natural on different platforms, embracing differences in scrolling behaviors, typography, icons, and more.

FontDiff – tool for finding visual differences between font versions. Also at https://github.com/googlei18n/fontdiff

FontDiff is a utility for testing fonts. When you modify a TrueType or OpenType font, FontDiff generates a PDF showing the typeset text both before and after the change. You can use this PDF to easily review the changes and spot any errors caused by a font switch.

FontView – a demo app that displays fonts using a free stack. Also at https://github.com/googlei18n/fontview

FontView is a little demo app that shows the contents of a font file. It opens *.ttf, *.otf, *.ttc, *.otc, *.pfa, and *.pfb files. To render text, FontView uses open-source libraries.

Forseti Security – open source tools for Google Cloud Platform (GCP) security. Also at https://forsetisecurity.org/

Forseti Security helps you secure your Google Cloud Platform organization.

Keep track of your environment

Gerrit – web-based code review system for projects using Git. Also at https://www.gerritcodereview.com/

Gerrit is a highly extensible and configurable tool for web-based code review and repository management for projects using the Git version control system. It allows teams to discuss code, serve Git as an integrated experience within the larger code review flow, and manage workflows with deeply integrated and delegatable access controls.

Go – open source programming language to make it easy to build simple, reliable and efficient software. Also at https://golang.org/

Go is expressive, concise, clean, and efficient. Its concurrency mechanisms make it easy to write programs that get the most out of multicore and networked machines, while its novel type system enables flexible and modular program construction. Go compiles quickly to machine code yet has the convenience of garbage collection and the power of run-time reflection. It’s a fast, statically typed, compiled language that feels like a dynamically typed, interpreted language.

Google Cloud Datalab

Kritis – open source solution for securing your software supply chain for Kubernetes applications, by enforcing deploy-time security. Also at https://github.com/grafeas/kritis

Kritis (“judge” in Greek), is an open source solution for securing your software supply chain for Kubernetes applications. Kritis enforces deploy-time security policies using the Google Cloud Container Analysis API, which uses Grafeas underneath.

MOE: Make Open Easy – Synchronizes, translates, and scrubs source code repositories. Also at  https://github.com/google/moe

MOE is a system for synchronizing, translating, and scrubbing source code repositories. Often, a project needs to exist in two forms, typically because it is released in open-source, which may use a different build system, only be a subset of the wider project, etc. Maintaining code in two repositories is burdensome.

mtail – extract whitebox monitoring data from application logs for collection in a timeseries database. Also at https://github.com/google/mtail

mtail is a tool for extracting metrics from application logs to be exported into a timeseries database or timeseries calculator for alerting and dashboarding.

It aims to fill a niche between applications that do not export their own internal state, and existing monitoring systems, without patching those applications or rewriting the same framework for custom extraction glue code.

Open Images Dataset

OpenScience Journal – an app that allows one to gather information using the sensors in an Android phone. Also at https://makingscience.withgoogle.com/science-journal/

Science Journal allows you to gather data from the world around you. It uses sensors to measure your environment, like light and sound, so you can graph your data, record your experiments, and organize your questions and ideas. It’s the lab notebook you always have with you.

OpenWeave – open source implementation of the Weave network application layer, the secure communications backbone for Nest products. Also at https://openweave.io/

OpenWeave is an open-source implementation of the Weave network application layer, the secure, reliable communications backbone for Nest products.

At Nest, we believe the core technologies that underpin connected home products need to be open and accessible. Alignment around common fundamentals will help products securely and seamlessly communicate with one another.

Outline – an open source VPN software released by Jigsaw March 2018. also at https://getoutline.org/

The Outline software allows for the creation of a personal or corporate VPN server on a cloud provider of the user’s choice, with minimal effort. Once set up, Outline server administrators can share access with other users, who can connect to the VPN using Outline clients developed for Windows, macOS, iOS, Android and ChromeOS. Outline uses the Shadowsocks protocol (shadowsocks.org) for communication between the client and server.

Stackdriver – Monitors, logs, and diagnostics for cloud applications. Also at https://cloud.google.com/stackdriver/

Google Stackdriver provides powerful monitoring, logging, and diagnostics. It equips you with insight into the health, performance, and availability of cloud-powered applications, enabling you to find and fix issues faster. The Stackdriver agents and libraries are open source projects.

Upspin – experimental framework for sharing files securely. Also at https://upspin.io/

Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts.

It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space.

https://bugs.chromium.org/p/project-zero/issues/list

I have included several machine learning (ML) projects because I believe they can be used to create many programs, including security-based ones. The future of security is in AI, of which ML is one piece.

There is an interesting article in Wall Street Journal:

Google’s Enemies Gear Up to Make Antitrust Case

The article goes into a case Yelp and TripAdvisor are making that Google is using its position as a search engine to place its own services ahead of TripAdvisor and Yelp.

I wonder if they know about these 70 projects on the Google projects list, of which 27 have security implications in my opinion:

Abseil, AdaNet, Angular, Apache Beam, badssl.com, Bazel, Blockly, Dart, DeepMind, Dopamine, fastlane, Firebase SDK, FlatBuffers, Flutter, FontDiff, FontView, Forseti Security, Gerrit, Go, Kritis, MOE (Make Open Easy), mtail, OpenScience Journal, OpenWeave, Outline, Stackdriver, Upspin

It definitely looks to me like Google is building a larger organization. Does this mean that it should be broken into pieces? Maybe this is why the Sherman Antitrust Act was created and passed by Congress in 1890. This law declared illegal all combinations “in restraint of trade”. (from http://www.ushistory.org/us/43b.asp)

Google is building a future AI powerhouse that will make today’s search power seem like a mouse versus a tiger.

Burnout in Infosec Means All is Lost?

Thotcon (Chicago’s hacking conference) thoughts…

I saw several good cybersecurity presentations, while one of the keynotes, Josh Corman, discussed the burnout of the infosec/opsec community. This is a problem for our industry, as I have discussed before in past posts. It has to do with the following 3 topics:

1. Workload: for most infosec people it is 50-60 hours minimum in a regular week, and more during emergencies. Josh mentioned 80 hours as a regular work week for many; this high workload leads to exhaustion.

2. What happens when there is no relief and it is a constant way of life, so that you will work 80 hours a week forever? Now we get to negativity or cynicism. The constant pressure creates a kind of relief psychology: defense by cynicism.

3. Reduced efficacy, or reduced effectiveness, due to the constant pressures.

What was really on Josh’s mind was the increasing number of suicides among his friends.

Picture: a moment during Josh’s lecture on white hat motivations.

So Josh would like to do something about this phenomenon. He gave the example of a psychologist saying that the other profession with similar characteristics is nursing (high workload and cynicism lead to lower efficacy).

He also said to not follow the herd and do not put down your fellows/ colleagues.

Above is a picture of the beginning of the second day where the Thotcon organizer was having some fun in a Wookie costume.

The main problem is to get more help so that infosec people will not burn out completely and do things that we all will regret.  Another problem is that infosec people are hard to find (or at least competent ones).

So the true issue is to get resources and eyeballs, attention of the C-suite, and generally a different level of attention.

Believe it or not for companies this is taken care of in GRC – Governance, Risk, and Compliance.

GRC – Governance, Risk, Compliance

Governance is different from an IT department simply run by the CFO or the CEO. The point of governance is that the goals of the organization are kept in mind (and not just the mind of one person). It is the codification of the goals: WRITTEN goals, so that the group of people in charge of GRC can work toward the written goals using risk and compliance as a way to manage things. So the staffing of the IT department (which includes opsec or infosec) is a risk to be measured. You should not have a single person running the IT department, nor should you have 80 hours of work for 1 person. For 80 hours of work, there should be 2 people.

Setting up GRC in an organization might take a while, but once set up it can help an organization manage the compliance and regulatory risks by giving a proper Governance controlled by the people who are supposed to run the company with proper human resource goals as well.

Review of “Anon” movie

In the spirit of a lighter fare this Sunday.

Watching Anon (again): it is an interesting futuristic movie in which everything is video recorded. Apparently everyone has a recording method, and Clive Owen, playing Sal Frieland, is an investigator who needs to find a murderer. Apparently there is a hacker who goes into other people’s recording devices to kill some people. This hacker (a woman) also has no digital record.

<<<Lots of Anon spoilers here in this post.>>>

The hacker’s digital tampering is apparently so good that recordings of this woman are edited out of the library. As Sal sees the woman on the street, the image is later removed from the record. The main library seems to be hacked by this uber hacker. As more and more actions occur, Sal notices this anomaly more frequently.

Apparently the hacker built an algorithm to erase all images and recordings of herself in all other people as they walked by and saw her.

The Uberhacker also can edit real life records and add moving images (a train) into events as they happen.

To catch the hacker, Sal has to try and hire her.

Sal’s colleagues perform a sting operation and are able to find all of her proxies (12 of them) that handle all of the ways she covers her tracks. The uber hacker tries to have an anonymous life, and does not go out unless she has to.

There is a lot of sex and violence (lesbian and regular) in this movie: shooting with a revolver point blank, and the hacker does not seem to have any remorse. Also interesting is that the victims do not defend themselves, as they have no guns or any other weapons.

Later the commissioner is more upset about the uber hacker’s anonymizing than about the murders themselves. Quote: “I don’t care that the victims no longer exist. I care that she doesn’t.”

Another colleague: “Anonymity is the enemy. We have to find out how she does it.”

Sal has to meet her (the uber hacker) again, and she explains that she started erasing her life at eighteen. (more sex scenes)

— Stopped midway —

First thoughts: it is an interesting sci-fi movie with some new ways of running the future using video embedded in all people. It seems that sex and violence are too easy to insert into these movies. I wonder if there isn’t a better way to make a murder and investigation more interesting. Less blood and certainly fewer sex scenes might actually provoke more thought as to what could be happening. Anyway, it starts out OK, as a murder-investigation-hacking story.

Why is this important? Because movies sometimes become reality. Ever heard of “Life is stranger than fiction”?

—-

The tale gets a bit strange when Sal sleeps with the uber hacker. She of course now looks closer at Sal while deleting all the just created sex scenes.

But most interesting: the guy who was keeping an eye on Sal (Lester), she killed him.

She then records a message for him saying that if you try to find me I will kill you.

His other colleague came in and said that Sal let her escape and kill his buddy.

“Go home” take some time off.

When Sal is in his apartment the uber hacker really goes to work. After he has a short conversation with her (via text) she proceeds to create nightmare scenes for him, starting with a guy punching him, a dog attacking, and then she does something even worse by erasing all of Sal’s memories of his son’s accident and all memories of his son.

Now things really get interesting when Sal’s building is on fire (in his head only)

Then  she starts to add scenes where there is no traffic in a busy intersection. Which creates an accident.

Now his boss comes back to discuss the situation, and while he is in the neighborhood Sal gets arrested for shooting his neighbor and gets placed under house arrest.

Sal has to go outside and punch his overwatch agent with his eyes closed.

His boss said they will hire more hackers.

Then, as Sal finds the uber hacker’s apartment, she claims that she did not kill Lester.

He claims the hacker was hacked, and his boss says you can’t prove this.

That is the problem – nothing proves anything since it can be manipulated.

Sal is placed under double house arrest now.

She placed a loop in his eyes while creating a false “officer down”, allowing Sal to get back to her apartment while no one is looking and following.

Except the hacker(Cyrus) that hacked the uberhacker was there too, once a shootout happens Sal kills Cyrus.

Sal’s boss was mad that the uberhacker was released.

The uber hacker explains that she created an algorithm that creates microfractions of her life and stores them in everyone’s record, so that no one sees her.

Near the final scene uberhacker(Anon) explained this to Sal and said that the killer had to find him and her so that Sal could help her kill him. “That was close” says Sal.

What do you have to hide?  Anon said nothing in particular, I just don’t want to be seen.

So this movie makes an interesting twist of a standard murder mystery which happens to show corruption in the government and police forces (a recurring theme in many movies).

While also setting up an interesting Sci-fi  of the recording and hacking methods. Of course making a movie which pretends all of these things happened is easier than actually making a world that records everyone’s movements everywhere.

Thankfully we were not subjected to hours and hours of the monotony of most people’s lives in this movie. Cooking and using lavatories were not important in a short movie that had to flip through the scenes quickly. Besides, the storage requirements for all of it, and the actual privacy concerns of everyone, seem to have been glossed over.

My most interesting point for this movie was when the bureaucrats decided it was better to control people than find out who performed blatant crimes. Also in this system they did not audit themselves, so the system was rife with corruption.

Auditing yourself may have its uses.

The Enemy Has Say With Your Best Plans

In the field of Cybersecurity we have to do a lot of basic things: as discussed in Behavioralscientist.org

So what is your plan?  Firewall, Antivirus, IT people vigilance, updating devices and software…

What are your enemies’ plans?

When your enemy actually interacts with your employees it  shows.

There are always business level threats (where employees are spoofed) or  (vendors are spoofed).

Do you have a new device with machine learning (a basic type of AI, artificial intelligence)? Then the enemy will do something to counteract that.

Adversarial machine learning goes against your ML goals, and will try to eventually corrupt them by adding faulty data and thus changing the assumptions baked into your data set.

Another way to use Adversarial Machine learning is to use this method to ‘teach’ your ML to get better  results. It turns out that some ways of GAN (Generative Adversarial Networks) do just that.

For example, the paper “Adversarial Machine Learning at Scale” (hosted by Cornell University). Its first sentence:

“Adversarial examples are malicious inputs designed to fool machine learning models.”

Done right, the same method improves the ML models. This method has not been used by criminals, as they are still figuring out how to incorporate it in their attacks.

So they may not use this as an adversarial attack, instead they may devise ML attacks which will be hard to distinguish and will become better faster.

Ian Goodfellow (the guy who created GAN – Generative Adversarial Networks) has used the adversarial nature to make a better AI algorithm. Where has this already worked?  Initially he was looking for a Security reason within the AI world, and when he created GAN, it was obvious that he was making AI better.

Who would have known, but AI is creating new images of cats that are entirely ‘fake’, or better, ‘artificial’. The algorithm created a new type of cat picture where needed.

Meow Generator ML algorithms that design cat pictures.

So what does this really mean? Fake pictures of people, animals and other items will start to proliferate.

It remains to be seen how this aspect of AI is actually going to be useful.

Do you want to test ML for Cybersecurity?

We are developing new tests for AI and ML – contact US to discuss.

Headless OpenVAS install

I needed to run OpenVAS (OpenVAS stands for Open Vulnerability Assessment System), the Linux-based vulnerability management software, on a virtual machine, which means it does not have its own monitor that one sits at to see this screen:

OpenVAS is made by Greenbone, “which develops OpenVAS as part of their commercial vulnerability management product family ‘Greenbone Security Manager’ (GSM)” (from their main web page).

OpenVAS was developed out of the Nessus code base starting in 2005, and is now on GitHub. The developer of Nessus decided to make Nessus closed source (proprietary) in October 2005, so OpenVAS was created, initially named GNessUs.

Why am I talking OpenVAS today? Because I was tasked to install it on a virtual system.

So, one has to install OpenVAS (or update it on some Linux distributions, since it is already installed by default). I work with Kali Linux, since I use a lot of other tools that are built into the distribution. I wanted to keep some familiarity, and so I run OpenVAS on Kali Linux.

What are you installing? Several pieces that will need to run on the virtual machine:

As you can see in the image above, the Greenbone Security Assistant is the software that connects to the OpenVAS Manager and Scanner to run the scans against the targets. OpenVAS uses NVTs (Network Vulnerability Tests) to run the scans. Up to this point (3/18/2019) there are over 49600 tests. CVEs now number 115906.

A standard Kali Linux install comes with its own OpenVAS version, so to use OpenVAS you have to update Kali and install the package first, using the following commands (as root):

apt-get update && apt-get install openvas

So now that you have the latest version on your machine, how are you going to access OpenVAS, since you cannot sit at the monitor of a virtual system (what is called a headless install)?

After some (actually a lot of) review online and some tinkering, I found it useful to know some systemd. And it just so happens that systemd reads unit (configuration) files from a few directories:

/etc/systemd/system/*

/run/systemd/system/*

/lib/systemd/system/*

The one that is important and relevant for OpenVAS is the /lib/systemd/system directory.

In here there are 3 files that are of importance (file names are case-sensitive on Linux):

openvas-scanner.service

openvas-manager.service

greenbone-security-assistant.service

What we have to do to complete the installation is put the IP address of the virtual machine into the greenbone-security-assistant.service file.

Specifically, change it by running the following command (replacing <your ip> with the virtual system’s IP address; the -i flag makes sed edit the file in place instead of only printing the result):

sed -i -e 's/mlisten=127.0.0.1/mlisten=<your ip>/g' /lib/systemd/system/greenbone-security-assistant.service

Example: if the virtual system’s IP address is 192.168.0.1, this is what should be run:

sed -i -e 's/mlisten=127.0.0.1/mlisten=192.168.0.1/g' /lib/systemd/system/greenbone-security-assistant.service

After running this command you have to run the following so systemd picks up the changed unit file:

systemctl daemon-reload

(These commands need to be run with root permissions (sudo).)

So once the IP address is entered on the command line and the systemd .service file reloaded, you can restart the greenbone-security-assistant service (gsad) and then log into the web interface, assuming you have already set up the users. To access the Greenbone Security Assistant, enter the following in your browser:

https://192.168.0.1:9392

From there you will have to learn how to create scans and more.  But at least it is working remotely.
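The post does the rewrite with a one-line sed. The following shell script is an added example, mine rather than code from the post or from Greenbone, that wraps the same rewrite in a function: it checks that the new value is a well-formed IPv4 address, refuses to touch a file that does not carry the option, keeps a .bak copy of the unit so the change can be reverted, and reads the value back so the edit can be verified before daemon-reload. It works on a constructed copy of greenbone-security-assistant.service in a temporary directory, so it can be tried without touching the real unit; the ExecStart line in that sample (gsad with --listen and --mlisten options) is an assumption about the unit's layout, and the option name is a parameter so the function serves both `mlisten` as in the post and `listen`.

```shell
#!/bin/sh
# Added example, not code from the original post or from Greenbone: rewrite the
# address carried by a --<option>=ADDR flag on the ExecStart line of a systemd
# unit, with an IPv4 sanity check, a backup copy and a read-back for verification.

# Constructed sample of greenbone-security-assistant.service (assumed layout;
# compare with the real file under /lib/systemd/system before relying on it).
SAMPLE_UNIT='[Unit]
Description=Greenbone Security Assistant
After=network.target openvas-manager.service

[Service]
Type=simple
ExecStart=/usr/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --mlisten=127.0.0.1 --mport=9390
Restart=on-failure

[Install]
WantedBy=multi-user.target'

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0..255
is_ipv4() {
    addr=$1
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# option_addr FILE OPTION: print the address currently set after --OPTION=
option_addr() {
    sed -n "s/.*--$2=\([0-9.]*\).*/\1/p" "$1"
}

# set_option_addr FILE OPTION ADDR: replace the address after --OPTION= with ADDR,
# refusing malformed addresses and files that do not carry the option, and
# keeping FILE.bak so the change can be reverted.
set_option_addr() {
    file=$1; opt=$2; addr=$3
    is_ipv4 "$addr" || { echo "refusing malformed IPv4 address: $addr" >&2; return 1; }
    grep -q -- "--$opt=" "$file" || { echo "no --$opt= option in $file" >&2; return 1; }
    cp "$file" "$file.bak"
    sed -i -e "s/--$opt=[0-9.]*/--$opt=$addr/" "$file"
}

# demo: apply the post's change (mlisten -> VM address) to a temporary copy of
# the sample unit and show the resulting ExecStart line.
demo() {
    dir=$(mktemp -d)
    unit="$dir/greenbone-security-assistant.service"
    printf '%s\n' "$SAMPLE_UNIT" > "$unit"
    set_option_addr "$unit" mlisten 192.168.0.1 || return 1
    grep '^ExecStart=' "$unit"
    rm -rf "$dir"
}

demo
```

Two things worth keeping in mind when applying this to the real file. Anything edited under /lib/systemd/system is replaced the next time the package is upgraded, whereas a drop-in file under /etc/systemd/system/greenbone-security-assistant.service.d/ that overrides ExecStart survives upgrades. And binding the web interface to the VM's address makes port 9392 reachable from any host that can reach the VM, so restrict it with the host firewall to the network you administer from.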

There is also a small issue with this procedure: it is not supported by Greenbone, who want you to install the Greenbone Community Edition.

The security feed is more stable than the community feed (the free version) and has encrypted transmissions.

Contact us to discuss