[Info-vax] another outsourcing success story

Paul Sture nospam at sture.ch
Sat Jul 1 18:15:15 EDT 2017


On 2017-06-30, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
> On 2017-06-30, Paul Sture <nospam at sture.ch> wrote:
>> On 2017-06-09, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
>>> On 2017-06-08, Paul Sture <nospam at sture.ch> wrote:
>>>>
>>>> This bit disturbs me.  I signed a very heavy confidentiality agreement
>>>> with a Swiss bank back in the day...  What the hell would you do if the
>>>> UK authorities lobbed you with a warrant you weren't even allowed to
>>>> reveal to your overseas client or employer and could force you to leave
>>>> a security hole open which could lead to a potential breach of that
>>>> confidentiality you have previously agreed to?
>>>>
>>> I think you are in trouble either way and it's wrong for someone to be
>>> placed in that situation through no fault of their own.
>>>
>>> If I was ever employed by such an organisation and placed in that
>>> situation, my instincts would be to tell the organisation because
>>> I wouldn't work for an intelligence agency which carried on in this way.
>>
>
> [snip]
>
>>
>>> It's a very tough choice, with consequences either way, but Kipling comes
>>> to mind here and he was right. Once you give into that kind of situation,
>>> you will always give into that kind of situation and I for one would
>>> indeed feel shame if I gave in and worked with the intelligence agencies
>>> in that way.
>>
>> Sorry, which bit of Kipling?
>>
>
> Dane-geld. Not an exact match for this situation in that it's money
> and not knowledge you are bargaining with in the poem but close enough.
>
> The idea of the Danes (aka GCHQ) coming over the hills and taking
> your assets (in this case, your knowledge) by force and the fact
> you may give in and give them a bit of your knowledge in the hope
> they will go away and leave you alone.

Tried that with a crooked ISP once, by paying them to go away.

They did indeed come back for more later, and they don't appear to give
a monkey's about the law unless forced to.  There are regular stories in
the IT news outlets about similar abuse.

Yes, we know the internet is a dangerous place, but what I have learned
is that the danger starts with your ISP and/or telco.  You might choose
a decent one, but you are only a takeover or management reshuffle away
from rogues.

I have come to the conclusion that legal insurance is pretty much a must
to defend yourself against these folks, and you should not be afraid to
use it.

> Like I said, not an exact match to the Dane-geld poem, but it's what
> Kipling says about the situation which _is_ an exact match here in
> that once you give in, they are likely to come back anyway and he's
> right about the shame you would feel for giving in in the first place.
>
> The consequences bit is resonating very strongly with me at the moment.
>
> BTW, for anyone wondering what Paul and I are talking about:
>
> 	http://www.kiplingsociety.co.uk/poems_danegeld.htm

Danegeld: a tax raised to pay tribute to the Viking raiders to save a
land from being ravaged.

<https://www.britannica.com/topic/Danegeld>
<https://en.wikipedia.org/wiki/Danegeld>

>>>> Moving only slightly off-topic, Bruce Schneier has an interesting take
>>>> on government backdoors:
>>>>
>>>> "ShmooCon 2014: The NSA: Capabilities and Countermeasures"
>>>>
>>>> <https://www.youtube.com/watch?v=rwGQ9bFIfgo>
>>>>
>>>
>>> Thanks. I'll add it to the list of things to watch.
>>
>> If you haven't got around to it yet, that's just a straight talk from a
>> podium, no slides or other visuals, so all you'll miss by listening
>> versus watching is Bruce's facial expressions.
>>
>
> Not yet unfortunately - been _way_ too busy with other things.
> Thanks for the info.

There is other interesting stuff in there, such as the NSA developing
a 2 or 3 pronged attack, and the idea of an attack vector being used
as a "crumple zone".

> Oh, and for anyone thinking this is OT for comp.os.vms, it's not.
>
> As Kerry and company like to point out, while VMS is no longer
> widespread, it is still used in some high profile companies;
> companies which the intelligence services may very well like
> to get inside of.
>
> IOW, VMS may be a target for the intelligence services and what
> you should be getting from these discussions is how you should be
> upping your game as a result.
>
> For example, if you send access information or vulnerability
> information to HPE or VSI in unencrypted email, there's a really good
> chance the intelligence services now have a copy of that information.
>
> Once again, this is no longer the 1980s/1990s security environment.
>

Agreed.  The lessons of Stuxnet should be heeded.

An eleven minute video:

<https://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon/transcript>

Click on Transcript and in the first paragraph (approx 1 minute into the
video):

    "The gray boxes don't run Windows software; they are a completely
    different technology. But if we manage to place a good Windows virus
    on a notebook that is used by a maintenance engineer to configure
    this gray box, then we are in business. And this is the plot behind
    Stuxnet."


Also a couple of videos Hoff linked to back in January:

28c3: Print Me If You Dare
Duration: 1:03:36

<https://www.youtube.com/watch?v=njVv7J2azY8>

(note the URL Hoff posted in January expired, this one is current)

and the follow-up talk

[DEFCON 21] Stepping P3wns: Adventures in full spectrum embedded
exploitation (and defense!)
Duration: 42:38

https://www.youtube.com/watch?v=HyEiMyyrfyE#t=2m56s

If you don't have time to watch the videos, here are the Youtube
synopses:

----------------------------------------------------------------------
28c3: Print Me If You Dare

Ang Cui, Jonathan Voris: Print Me If You Dare
Firmware Modification Attacks and the Rise of Printer Malware

Network printers are ubiquitous fixtures within the modern IT
infrastructure. Residing within sensitive networks and lacking in
security, these devices represent high-value targets that can
theoretically be used not only to manipulate and exfiltrate the
sensitive information such as network credentials and sensitive
documents, but also as fully functional general-purpose bot-nodes which
give attackers a stealthy, persistent foothold inside the victim network
for further reconnaissance, exploitation and exfiltration.

We first present several generic firmware modification attacks against
HP printers. Weaknesses within the firmware update process allow the
attacker to make arbitrary modifications to the NVRAM contents of the
device. The attacks we present exploit a functional vulnerability common
to all HP printers, and do not depend on any specific code
vulnerability. These attacks cannot be prevented by any authentication
mechanism on the printer, and can be delivered over the network, either
directly or through a print server (active attack) and as hidden
payloads within documents (reflexive attack).

In order to demonstrate these firmware modification attacks, we present
a detailed description of several common HP firmware RFU (remote
firmware update) formats, including the general file format, along with
the compression and checksum algorithms used. Furthermore, we will
release a tool (HPacker), which can unpack existing RFUs and create/pack
arbitrary RFUs. This information was obtained by analysis of publicly
available RFUs as well as reverse engineering the SPI BootRom contents
of several printers.

Next, we describe the design and operation of a sophisticated piece of
malware for HP (P2050) printers. Essentially a VxWorks rootkit, this
malware is equipped with: port scanner, covert reverse-IP proxy,
print-job snooper that can monitor, intercept, manipulate and exfiltrate
incoming print-jobs, a live code update mechanism, and more (see
presentation outline below). Lastly, we will demonstrate a
self-propagation mechanism, turning this malware into a full-blown
printer worm.

Using HPacker, we demonstrate the injection of our malware into
arbitrary P2050 RFUs, and show how similar malware can be created for
other popular HP printer types. Next, we demonstrate the delivery of
this modified firmware update over the network to a fully locked-down
printer.

Lastly, we present an accurate distribution of all HP printers
vulnerable to our attack, as determined by our global embedded device
vulnerability scanner (see [1]). Our scan is still incomplete, but
extrapolating from available data, we estimate that there exist at least
100,000 HP printers that can be compromised through an active attack,
and several million devices that can be compromised through reflexive
attacks. We will present a detailed breakdown of the geographical and
organizational distribution of observable vulnerable printers in the
world.

*We have also unpacked several engine-control processor firmwares
(different from the main SoC) and are currently attempting to locate
code related to tracking dots. Perhaps we will have some results by
December. In any case, HPacker will help the community to do further
research in this direction, possibly allowing us to spoof / disable
these yellow dots of burden.

----------------------------------------------------------------------
Stepping P3wns: Adventures in full spectrum embedded exploitation (and defense!)

Speakers:
Ang Cui - Ph.D. Candidate, Columbia University
Michael Costello - Research Staff, Columbia University

Our presentation focuses on two live demonstrations of exploitation and
defense of a wide array of ubiquitous networked embedded devices like
printers, phones and routers.

The first demonstration will feature a proof-of-concept embedded worm
capable of stealthy, autonomous polyspecies propagation. This PoC worm
will feature at least one 0-day vulnerability on Cisco IP phones as well
as several embedded device vulnerabilities previously disclosed by the
authors. We will demonstrate how an attacker can gain stealthy and
persistent access to the victim network via multiple remote initial
attack vectors against routers and printers. Once inside, we will show
how the attacker can use other embedded devices as stepping stones to
compromise significant portions of the victim network without ever
needing to compromise the general purpose computers residing on the
network. Our PoC worm is capable of network reconnaissance, manual
full-mesh propagation between IP phones, network printers and common
networking equipment. Finally, we will demonstrate fully autonomous
reconnaissance and exploitation of all embedded devices on the demo
network.

The second demonstration showcases host-based embedded defense
techniques, called Symbiotes, developed by the authors at Columbia
University under support from DARPA's Cyber Fast Track and CRASH
programs, as well as IARPA's STONESOUP and DHS's S&T Research programs.

The Symbiote is an OS and vendor agnostic host-based defense designed
specifically for proprietary embedded systems. We will demonstrate the
automated injection of Software Symbiotes into each vulnerable embedded
device presented during the first demonstration. We then repeat all
attack scenarios presented in the first demo against Symbiote defended
devices to demonstrate real-time detection, alerting and mitigation of
all malicious embedded implants used by our PoC worm. Lastly, we
demonstrate the scalability and integration of Symbiote detection and
alerting mechanisms into existing enterprise endpoint protection systems
like Symantec End Point.

Ang Cui is a fifth year Ph.D. candidate at Columbia University and Chief
Scientist at Red Balloon Security. He has focused on developing new
technologies to defend embedded systems against exploitation. During the
course of his research, Ang has also uncovered a number of serious
vulnerabilities within ubiquitous embedded devices like Cisco routers,
HP printers and Cisco IP phones. Ang is also the author of FRAK and the
inventor of Software Symbiote technology. Ang has received numerous
awards on his research and is the recipient of the Symantec Graduate
Fellowship.

Michael Costello is a Research Staff Associate at Columbia University
and Scientist at Red Balloon Security. He was a network engineer at
various ISPs and other organizations prior to his current work in
offensive and defensive research and development of embedded systems.

-- 
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.