Business Continuity: Chinese Hackers

Northrop Grumman was kind enough to publish, or maybe the government was kind enough to release, a report on Chinese cyber warfare capabilities for the USCESRC.

Most people are apt to dismiss the report outright unless they have a direct interest in government affairs. What’s a dry cleaner in Allentown got to do with Chinese hackers? It depends. But in the interests of keeping this short, let’s just say there are some implications that the disaster-prepared, savvy business person should understand.

1) The Chinese are serious about cyber warfare. Probably more serious than the US. But who knows. All that matters is, the Chinese have official plans, and official doctrine, for waging cyber war against US interests. Which brings us to…

2) US interests are government facilities and supply chain components, not your average dry cleaner or Arby’s owner. Well, think again. The Chinese might not target the dry cleaner or fast food joint, but they are targeting infrastructure, possibly on a large scale. That means the dry cleaner isn’t going to get deliveries, and may be without power for an extended period of time. If they’re smart, they’ve already planned for this contingency and have some money set aside for severe events like the Northeast power outage a few years ago. Or not. Prior planning prevents poor performance. As for our fast food owner, they aren’t getting shipments either. And an extended power outage kills what limited freezer storage they have. Can’t cook it, can’t store it, and we’re running out. Anything could have done it; Chinese hackers are just one interesting way it happens. So prepare now.

OK, so why bother bringing it up? Either businesses are prepared or they aren’t. Telling them it’s Chinese Hackers isn’t going to motivate them to better prepare.

It might.

Unlike various natural disasters that *might* occur once in a decade, we know from the report that active Chinese incursions in cyberspace are ongoing. They’re testing. Surely, the US is as well. The Chinese have even built their own operating system; no Windows 7 there. Uh, oh. Do you know how serious you have to be to build your own national operating system for increased protection? That’s serious.

So, why recommend businesses devote a little extra time on business continuity because of Chinese Hackers? Because they don’t only target the US Defense systems. They test. And if they want to know if something works, testing on the dry cleaner is a lot safer than testing on 1600 PA Ave. They target you. Especially if you’re in some sort of support capacity, like a fuel pumping station. Cyberwar is all about disruption.

Besides, the Russian crime syndicates are already targeting small businesses, so we all need to just step up preparedness a tad. Talk to your friendly local computer geek who works for beer and food. He’s cheap, and you’ll get some idea of how vulnerable your systems are. Discuss what you’d do if hackers 1) destroyed your computer, 2) emptied your bank account (the bank won’t cover it), or 3) used your computers as a stepping stone to an assault on the US government. Won’t that be an interesting visit from a bunch of guys in black…

And if you want to get more serious about disaster recovery and business continuity, risk assessments, or even regulatory computer security compliance, give us a call at Digital Trust.

Digital Trust, LLC
We read government reports so you don’t have to.

This blog and its contents copyright 2009 Digital Trust, LLC. Republication of this post is permitted provided it is strictly on internal corporate messaging systems; no public re-use is permitted without licensing. Any republication or reuse is forbidden if the Digital Trust name is removed.

The Problem With Full Disk Encryption

One of the fun jobs we get in security is the recovery of digital forensic evidence from hard drives. There’s a real feeling of achievement when you have teased apart the hidden files, the slack space, and the partial fragments to reveal a clear picture that proves guilt or proves innocence. The practice had become relatively standardized, until recently.

Companies and persons of interest have been increasingly using Full Disk Encryption to protect their interests, legitimate or suspect, and there’s a problem with this.

In at least one case, the encryption requires a partial boot from the evidence disk in order to obtain an unencrypted disk on which to perform forensics. That little bit about booting from the disk is where the trouble starts. Attorneys hate it when we boot from the disk, especially into Windows, as it’s normally impossible not to change the disk, which can affect the admissibility of evidence. Various techniques and equipment have been brought into the practice to get around this simple effect of changing the source data, even if you can show no important data changed, because 1) it’s expensive to prove nothing important changed and 2) it’s terribly difficult to sway a jury regarding the changed data. Case evidence comes down largely (nearly entirely) on the “do not alter the source data” side of the house.

So booting off that disk is very problematic, but not impossible to work around, if you have the time and money to perform the science dance, and there’s a possibility of convincing a jury. Once enough case evidence exists to support the maneuver, it will be much more “jury friendly”.

One of the tricks we use to avoid altering the data is a write blocker: a bit of hardware that keeps the source disk read-only. We are currently running a series of tests to determine whether write blockers can be used and whether the hardware dependency of some encryption utilities affects the outcome.
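As an added illustration (our own example here, not a tool from the original post or any vendor) of how you would show an attorney exactly what did or did not change, the following Python compares a sector-for-sector image of the evidence disk taken before a boot or write-blocked mount with one taken afterwards, and lists the changed sector ranges. The two images are constructed in the block; for a real case you would read them from the acquired image files.

```python
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512  # compare at disk-sector granularity


def sha256_hex(data: bytes) -> str:
    """Whole-image hash, the usual figure quoted in an acquisition report."""
    return hashlib.sha256(data).hexdigest()


def changed_sector_ranges(before: bytes, after: bytes, sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Return [(first_sector, last_sector), ...] for every run of sectors that differs.

    A size difference is itself an alteration, so it is reported as an error
    rather than silently compared up to the shorter length.
    """
    if len(before) != len(after):
        raise ValueError("image sizes differ: %d vs %d bytes" % (len(before), len(after)))
    ranges: List[Tuple[int, int]] = []
    n_sectors = (len(before) + sector - 1) // sector
    run_start = None
    for i in range(n_sectors):
        if before[i * sector:(i + 1) * sector] != after[i * sector:(i + 1) * sector]:
            if run_start is None:
                run_start = i          # a new run of changed sectors begins
        elif run_start is not None:
            ranges.append((run_start, i - 1))
            run_start = None
    if run_start is not None:          # run extends to the end of the image
        ranges.append((run_start, n_sectors - 1))
    return ranges


def integrity_report(before: bytes, after: bytes, sector: int = SECTOR) -> Dict[str, object]:
    """Summary suitable for a report: hashes, whether anything changed, and where."""
    ranges = changed_sector_ranges(before, after, sector)
    return {
        "hash_before": sha256_hex(before),
        "hash_after": sha256_hex(after),
        "unchanged": not ranges,
        "changed_ranges": ranges,
        "changed_sectors": sum(last - first + 1 for first, last in ranges),
    }


# Constructed sample: a 16-sector "image", and a copy in which sectors 3-4 were
# overwritten and a single bit in sector 10 was flipped (as a boot might do).
ORIGINAL_IMAGE = bytes(range(256)) * 32           # 8192 bytes = 16 sectors
_modified = bytearray(ORIGINAL_IMAGE)
_modified[3 * SECTOR:5 * SECTOR] = b"\xff" * (2 * SECTOR)
_modified[10 * SECTOR + 7] ^= 0x01
MODIFIED_IMAGE = bytes(_modified)
```

A write blocker that works as advertised should give an empty `changed_ranges` list and matching hashes; a boot that touched only, say, journal or swap sectors gives a short list you can map to the filesystem layout.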

What would be remarkably useful is a utility for mounting encrypted disks outside the normal system, as if they were a Volume in TrueCrypt parlance and not an entire disk. As part of our investigation we are talking to manufacturers and looking for such utilities to be made available or created.

So far we’ve only had one case where it’s an issue, but anticipate many more and hopefully the issue will be resolved before something really important comes along.

Digital Trust


New Fraud Alert

There’s a new (to us) version of the Send Money scam floating around. A company with a web commerce site gets a probing email, typically something like “do you ship to Australia?” When someone responds, the sender asks for product lists and places a large order. The payment arrives in a form that will only work if the company first deposits money, sends money, or what have you. Of course, anything sent is gone for good, but some people see that big purchase order and lose all common sense. Businesses are usually better than individuals at dealing with these, but since a lot of ecommerce is run by individuals, we thought it best to put something out to warn people.

Thanks to 2600 for letting us know about this.

PCI DSS Failures

We’re going to keep seeing Payment Card Industry security failures. This isn’t because the Data Security Standards are weak; they’re quite good. But they fail on implementation. At least they do if you are using one of the “sanctioned” certification tracks.

Because PCI recognized early that many industries were not capable of adequate testing and preparation, they authorized a number of companies to do certification testing for companies that couldn’t handle it, or in some cases, simply to offer a streamlined solution to charge card processing entities. And that’s where the failure is.

At least one of these “certifiers” (who shall remain nameless to protect the inept) is using a methodology to certify an organization as PCI compliant that utterly fails to validate security in the tested organization.

The method works like so: 1) point a vulnerability detection utility at said company’s external gateway; 2) document any failures; 3) answer some questions on paper about what’s going on inside said organization.

It may be streamlined, but perhaps a little too streamlined. There is no validation of anything internal except on paper, and there is no serious effort to inspect external security. There certainly isn’t any investigation of what genuine, hardworking threats will do to obtain PCI information.

While the paper test asks about such things as password strength, encryption, and patching, it fails to validate the claims. While it examines the accessibility of the organization via their primary gateway, it fails to check for anything more complicated than open ports.

Given that the vast majority of compromises come from attacks originating from spyware brought in via email and http traffic, how does any of this testing provide a valid indication of how secure an organization is? It doesn’t.

All it’s going to do is annoy organizations that practice real security, miss organizations that simply don’t care, and locate only organizations that are utterly inept. Of which there should be very few.

What it doesn’t do is increase the security of PCI data. The organizations themselves are already doing that, so what’s with the pointless testing? Test for real problems, validate actual configurations, or don’t do anything. Because failing after creating a false sense of security is still failing.

And after so much work to create a really nice standard, wouldn’t we want it done right? Implement genuine validation efforts at the inspection level.

Digital Trust
