Tuesday, 04 June 2013

IBM Acquires SoftLayer - Who cares that it serves a shit-ton of malware?

The SoftLayer - StopGeorgia.ru Network (Source - Inside Cyber Warfare, p.107)
During the Russia-Georgia war in August, 2008, Russian hackers created a forum called StopGeorgia.ru to conduct recruitment, training, and attack operations against a list of Georgian government websites. That forum and many other malicious sites before and afterwards were hosted by a U.S. company - SoftLayer Technologies. Today, IBM announced that it's buying SoftLayer for $2 billion; approximately eight times its earnings of 2010.

HostExploit.com has been publishing a list of the world's top 50 bad ISPs since 2009, and SoftLayer and The Planet, which became part of SoftLayer in 2010, have been included every year since then. In 2011, SoftLayer was rated #30 and The Planet was #14. In 2012, SoftLayer moved up to #17. The ratings are an estimate of the number of exploit servers, phishing servers, C&C servers, badware, Zeus servers and infected websites found on each company's hardware.

When President Obama issued an Executive Order slapping Syria with sanctions in 2012, SoftLayer was one of the companies that violated those sanctions by hosting Syrian government websites. SoftLayer and The Planet have always operated and profited in the grey area that so many U.S. ISPs enjoy; i.e., when called on the carpet for their customers' hosting and serving malware, they claim that they aren't responsible for scanning and identifying what's on their leased servers. This is what makes U.S. IP space so popular among international cyber criminals: high uptime, competitive rates, and no one gives a shit what you do. And it's all perfectly legal, not to mention highly profitable.

Tuesday, 08 January 2013

What's Missing in your Threat Landscape Picture?

ENISA (European Network and Information Security Agency) recently published its "ENISA Threat Landscape" report for 2012. Overall it's a good document as far as traditionally known threats go, but it's a re-hash of the threat landscape that we've accepted as complete because we've relied on security vendors to create it. A vendor tends to focus on the part of the threat landscape that its product addresses and ignore what's irrelevant to its product line. Customers often accept that as accurate because, after all, they aren't in the business of information security or threat assessment and rely upon the advice of their vendors, which I'm sorry to say is often incomplete.

The following threat table from ENISA illustrates what I mean:

According to ENISA's paper, the above table was created from 120 reports issued by virus/malware protection vendors, CERTs, security agencies, commercial companies in the area of security, industrial associations and committees, and Networks of Excellence (p. 10). Unfortunately, those sources tend to mirror each other in terms of what they report. In the Intelligence Community, this is a cognitive bias known as mirror-imaging. Customers, especially governments and multi-national corporations, need to go beyond these traditional and limited threat landscapes and expand them to include at least two more very important areas:

  1. Vendor-to-Government relationships (V:G)
  2. Offices in Foreign States (OFS)

Vendor-To-Government Relationships
U.S. companies, especially those in the Fortune 100, rely upon vendors, both foreign and domestic, for everything from development work to marketing. Yet very few take the time to do a deep dive into who their vendors' executives are and what their relationships are with other partners and government officials. As an example, we (meaning my company Taia Global) regularly perform this type of due diligence for our client firms and at least 70% of the time discover significant foreign government relationships with both U.S.-based and foreign-based vendors who have unrestricted access to valuable data owned by our clients. Frequently, prior to our investigation, no one was aware of those relationships.

Offices in Foreign States
U.S. companies that have offices in Russia and China, including Hong Kong, are at high risk of technology theft through both legal and illegal means. It may be through a local vendor who provides "secure" paper shredding services off-site when in reality those documents aren't destroyed but are sold to interested parties. It may be through legal intercepts on all landline, VoIP, mobile and satellite communications from the foreign offices of a U.S. company in Russia or China. It may be through a legal request to review your products' source code for "national security" reasons. The bottom line from a threat landscape perspective is this: if you're doing business in a foreign state, there are a dozen ways for that state to access your company's crown jewels, none of which have anything to do with spear phishing, APT, or botnets.

If your company has overseas offices or uses vendors who do, the traditional threat landscape, even one created from over 100 sources, is incomplete. And if your security plan is built around that limited threat landscape, your intellectual property is still at risk. Contact us for more information.

Thursday, 27 December 2012

Would a Malware BuyBack Program Work?

I just read a story about how successful L.A.'s gun buyback program has been, and it reminded me of a suggestion made at our Boston Suits and Spooks event: that a buyback program might be successful in reducing the amount of malware in circulation. Most malware writers just want to be paid for their research, something that isn't happening frequently enough or at a rate that the researchers consider fair. As a result, some of those researchers are exploring grey markets in offensive malware development, or are selling 0-days to clients as a form of threat intelligence, or both.

Imagine how much malware the U.S. government could buy for the price of one F-35 ($600 million per jet). And the intelligence gleaned from a forensics review of all that malware would be priceless. Certain precautions would have to be built into the program to reduce fraud, such as recompiling malicious code to create slightly different versions for sale, but I think it's worth at least a pilot program to gauge its effectiveness.

Friday, 07 December 2012

Flipping Malware: A Profit Opportunity for Corporate IT Departments

The one thing that corporate IT departments are not is a profit center. But the trend towards developing offensive exploits and selling them to government agencies could change that tomorrow if CEOs can be convinced to take the opportunity. Up to this point, CEOs and their Boards of Directors have been reluctant to spend too much money on cyber security because, frankly, it could easily become a serious money pit. A typical incident response bill for a breach can easily exceed the mid-six figures. Saudi Aramco and Sony probably paid a hefty multiple of that. Then there are the five-figure monthly bills for threat intelligence feeds, plus the charges to protect against Denial of Service attacks, AV, IDS, IPS, etc. And the worst part of this money pit is that the company can only hope that its previously compromised network is clean. There's no way to tell for certain, because it could still contain undiscovered malware.

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represents tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you've viewed only as a threat and an expense has become a valuable commodity, thanks to the trend in selling offensive malware to government agencies.

The U.S. government is a customer for offensive exploits, and so are a number of allied governments. In fact, if they aren't already doing this, defense contractors like Lockheed Martin, Raytheon, Northrop Grumman, and many others should be mining their own networks for undiscovered malware, reverse-engineering what they find, and using it to fill orders from DoD, since they've already got the contract vehicles in place.

Some of the more forward-looking DoD contractors that have robust internal Computer Emergency Response Teams (CERTs) staffed with engineers who can do reverse-engineering could be in the best position to offer free or low-cost network defense to corporations that want to "flip" the malware found on their networks for a nice profit. The best part is that everybody comes out a winner except for the malware writers, who may have spent a lot of time and money developing 0-days for targeted attacks (i.e., the creators of Stuxnet, Duqu, Gauss, and Flame). In my scenario, they've merely provided a sellable commodity for free to the very targets they were hoping to exploit.

If you're a C-level executive and you'd like to discuss this idea privately with me, feel free.

Monday, 13 August 2012

Request for Code Comment Samples From International and U.S. Programmers

I'm working on a joint project with an expert in linguistic analysis, evaluating the structure and syntax of comments embedded in the source code of malware. As part of the study we need to build a database of sample code comments for which we know a few characteristics about the programmer (age, gender, nationality, but no names). If you have samples that you can provide to us for this study, please contact me ASAP. Feel free to forward this post to anyone you think would be interested in participating. The results will be published here and in my forthcoming book "Assumption of Breach".

Thursday, 19 January 2012

Inconclusive Attribution Is Worse Than No Attribution

A China expert friend of mine just sent me a link to a Defense News article by Andrew Tilghman, "Chinese Virus Targets DoD Common Access Card". Jaime Blasco, lab manager for AlienVault, said "the virus is linked to a 'command and control server' that appears to be based in China; some flaws buried deep in the code revealed Chinese language characters, suggesting that only a Chinese speaker would be able to launch it." Tilghman's headline doesn't accurately reflect Blasco's findings. Instead, he chose a sensationalistic headline that would attract readers. Unfortunately, it also attracts researchers, pundits and U.S. government employees who harbor an anti-China slant and who collect stories like this to add fuel to an already hot anti-China sentiment on the Hill.

As I've said many times before, the geolocation of IP addresses means absolutely nothing, since IP addresses are easily obtainable by anyone, both legally and illegally. Chinese characters in the code only mean that a Chinese-speaking engineer was involved at some point. How many Chinese engineers work for Western companies or are naturalized citizens outside of the PRC? I shouldn't have to state the obvious fact that writing in Chinese characters doesn't mean that you work for the Chinese government. That's beyond simple ignorance; it borders on xenophobia.

Related:
Why I Oppose the 12 Chinese Hacker Groups Claim
Rep. Mike Rogers Needs To Re-Think His China Tactics
The Case Against The Case Against China


Thursday, 13 October 2011

U.S. Air Force Demonstrates How NOT to Report a Malware Attack

I just ended a phone call with Air Force Space Command Public Affairs after reading their press release "Flying operations of remotely piloted aircraft unaffected by malware". I figured that since the malware was "found routinely on computer networks and is considered more of a nuisance than an operational threat" that there would be no problem in telling me the name of the malware involved.

That didn't happen, which is too bad, because the press release has some confusing language in it and conflicts with unnamed Air Force sources quoted in the two earlier Wired articles (here and here). For example, the release makes a distinction between a "credential stealer" and a "keylogger". Well, that's a distinction without a difference. What we're really talking about is a trojan that steals credentials by logging keystrokes. Zeus and SpyEye are two of the largest, but there are lots of trojans out there. Here's one I found on a game forum: "Trojan.KillAV.RS Steals Gamers' Login Credentials". The other important fact to know about trojans, or "credential stealers" as the Air Force likes to call them, is that they transmit their stolen credentials out to a Command & Control site. The Air Force PR statement said that their particular credential stealer wasn't designed to transmit data or video. Video? No. Data? Absolutely. That's the entire point of the malware: to capture data and send it back to the C&C.

I think what happened here is that the Air Force is focusing on what the malware isn't instead of what it is. It's not designed to take over the controls of a remotely piloted aircraft. It is, however, designed to steal data. If the Air Force wants to put this to bed and stop the speculation, here are two tips for future briefings:
  1. Have an engineer from the 24th Air Force write the press release so that the language is precise and accurate.
  2. Name the malware.
The only thing that your current press release did was raise more questions.