Rack of Ethernet switches.

General Cybersecurity Information

General Information About Cybersecurity

If your experience is at all like mine, you will find that you need to both educate and convince people — from the "on-the-front-lines" users to management. Here's some help. Tell them about telecommunications outages, big-money losses, cyberwar, COMSEC, and more.

Telecommunication Outages

Big-Money Losses

Target / Neiman Marcus hack of 2013

Major U.S. discount retailer Target suffered a security breach between Nov 27 and Dec 15, 2013. Up to 40 million consumer credit and debit cards may have been compromised, including customer names, card numbers, expiration dates, and CVV codes, making this the second-largest retail cyber attack to this point (after the 2007 TJX Companies compromised affecting 90 million). Debit card PIN data was also stolen, although it was encrypted with Triple-DES (nice use of 1998 technology...), and the names, mailing addresses, phone numbers and email addresses of up to 70 million additional people was also been stolen.

The malware involved is called BlackPOS and Картоха. The second of those is spelled in the Cyrillic alphabet, maybe looking a little different in Italic, Картоха, and pronounced car-toe-kha and not cap-tock-sa.

News and details include:

Luxury retailer Neiman Marcus revealed a breach based on the same malware, running 16 July through 30 October 2014.. See a Reuters story of 12 Jan 2014 and an initial Dark Reading report of 13 Jan 2014; then a Neiman Marcus announcement updated 21 Feb 2014 and Ars Technica (24 Jan) and Dark Reading (23 Jan) analyses of a theft of 1.1 million customers' debit and credit cards. Also see the New York Times story of 23 Jan 2014.

Other Big-Money News

Cyberwar — Military applications of network attack and defense

This section grew enough to get its own page addressing:

Click here for that page.

COMSEC — attacking satellite communications

IOActive published a paper describing how they reverse-engineered the firmware of several commercial satellite terminals from various vendors. They found a number of security risks including what appear to be backdoors, hardcoded credentials, undocumented and insecure protocols, and the use of weak encryption algorithms. Only one vendor, Iridium, responded. Especially interested weaknesses include:

Harris RF-7800-VU024 and RF-7800-DU024 military land mobile and land portable BGAN terminals. Those units are used with software-defined radios such as the FALCON III AN/PRC-117G SDR. Malware running on an infected laptop connected to the terminal could inject malicious code, obtaining the GPS coordinates of the system and then possibly cutting off communication.

Hughes BGAN M2M terminal. This was found to be susceptible to a remote exploit. If the attacker knows the Mobile Subscriber Integrated Services Digital Network-Number (MSISDN) and the International Mobile Equipment Identity (IMEI), he can send an SMS incorporating the backdoor "admin code" and install malicious firmware.

Cobham BGAN terminal. The attack scenario is that a military unit member could be browsing the Internet during personal time and be lured onto the wrong website, to be hit with a client-side attack that would install malicious firmware which leaks the device's GPS-derived location.

COMSEC — attacking cellular/mobile & GSM telephony

To intercept both directions of a cellular telephony conversation, the eavesdropper will need to listen somewhere near the handset.

Digital AMPS (a GSM competitor once popular in North America, although now end-of-life) uses CAVE (Cellular Authentication, Voice Privacy and Encryption) and CMEA (Cellular Message Encryption Algorithm). These perform three main functions:

The voice "masking" was known to be cryptographically weak in 1992. On 20 March 1997, Bruce Schneier (author of Applied Cryptography) and David Wagner (UC Berkeley grad student) announced breaking CMEA. The response of the Cellular Telephone Industry Association (CTIA) was to lobby for laws to make it illegal to break their breakable system, so they can continue to advertise it to an unwary public as "unbreakable".... See Monitoring Times, June 1997, pp 28-29, and http://www.schneier.com/ for more details.

Harris StingRay mobile phone interception and tracking system.

Harris StingRay GSM / UMTS / CDMA2000 / iDEN intercept and tracking system, U.S. Patent and Trademark Office picture.

Targeted eavesdroppers can use a cell site emulator, which could be something like the CCS Digital Data Interpreter. These emulators use the non-voice data streams to track frequency changes, cell hand-offs, etc., and capture all the call information and content while tracking location. These are expensive, but they really do the job! The OKI 900 controlled by the right software running on a laptop is a lower-budget cellular intercept platform that's still pretty capable.

Better yet, use what the FBI uses to intercept and track mobile phones. A Harris Corporation StingRay spoofs a legitimate cell tower, tricking all nearby mobile phones and other wireless communication devices including air cards for GSM Internet connectivity on laptops. The devices all connect to the StingRay instead of the legitimate carrier tower. By moving the StingRay around, authorities can pinpoint the device location down to a specific apartment in a building.

Cruder forms of this technology have been used by law enforcement for at least 20 years. An FBI agent in a case in Utah in 2009 described using a cell site emulator more than 300 times over a decade, and indicated that they were used daily by U.S. Marshals, U.S. Secret Service and "other federal agencies".

Harris' cell site emulator product in the mid 1990s was the Triggerfish. By 2013 Harris' current model of full-sized cell site emulator had been the StingRay for some years. The KingFish is a hand-held unit easily carried up and down hallways of apartment buildings and hotels.

Other companies including Verint, View Systems, Altron, NeoSoft, Cobham Surveillance (formerly MMI Research Products), Ability and Meganet make systems similar to the Harris StingRay, intercepting and tracking GSM/UMTS based communications. But the Harris StingRay and KingFish can also track CDMA2000, and iDEN, and can support three different communications modes simultaneously. The StingRay II supports four communications modes simultaneously. When the City of Miami was shopping for Harris wireless surveillance products in September 2008 and published the Harris price list on their web site, a StingRay II cost $148,000 plus $22,000 per supported mode. A KingFish was $27,800 for just UMTS plus $18,000 each for GSM, CDMA and iDen modes.

For more details on GSM hacking, see the announcement of GSM cloning and how security-through-obscurity isn't security at all.

Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy is a 2014 paper by Stephanie Pell of the Stanford Law School Center for Internet and Society and Christopher Soghoian of the Yale University Information Society Project. They describe how the law enforcement and national government monopoly on cellular interception has vanished, and now criminals, the tabloid press, and anyone with a little motivation and money can eavesdrop. The Associated Press reported on 12 June 2014 that "The Obama administration has been quietly advising local police not to disclose details about surveillance technology they are using to sweep up basic cellphone data from entire neighborhoods. [...] Citing security reasons, the U.S. has intervened in routine state public records cases and criminal trials regarding use of the technology. This has resulted in police departments withholding materials or heavily censoring documents in rare instances when they disclose any about the purchase and use of such powerful surveillance equipment."

Also see Privacy International and their study of the $5 billion per year global surveillance industry.

Late 1999 saw announcements of GSM cracking (which, for the U.S.A., effects "Digital PCS" as well). Summarizing from Bruce Schneier's Crypto-Gram newsletter, 15 December 1999, the relevant algorithms at the time were:

Schneier says, "These algorithms were developed in secret, and were never published. "Marc Briceno" (with the Smartcard Developer Association) reverse-engineered the algorithms, and then Ian Goldberg and David Wagner at U.C. Berkeley cryptanalyzed them. Most GSM providers use an algorithm called COMP128 for both A3 and A8. This algorithm is cryptographically weak, and it is not difficult to break the algorithm and clone GSM digital phones. The attack takes just 2^19 queries to the GSM smart-card chip, which takes roughly 8 hours over the air. This attack can be performed on as many simultaneous phones in radio range as your rogue base station has channels." Summarizing now, the breaks and the publishing dates are:

Then in Feb 2008 Schneier again commented on A5/1 cryptanalysis. There had been quite a bit of coverage of announcements of further A5/1 cryptanalysis and practical systems to break GSM keys. This 2008 attack is completely passive, requires about US$ 1000 in hardware, and breaks the key in about 30 minutes:

A5/3 or Kasumi is used for confidentiality and integrity in 3G telephony. It is stronger than A5/1, but it is also vulnerable! A 2010 paper reports "The privacy of most GSM phone conversations is currently protected by the 20+ years old A5/1 and A5/2 stream ciphers, which were repeatedly shown to be cryptographically weak. They will soon be replaced in third generation networks by a new A5/3 block cipher called KASUMI, which is a modified version of the MISTY cryptosystem. In this paper we describe a new type of attack called a sandwich attack, and use it to construct a simple distinguisher for 7 of the 8 rounds of KASUMI with an amazingly high probability of 2-14. By using this distinguisher and analyzing the single remaining round, we can derive the complete 128 bit key of the full KASUMI by using only 4 related keys, 226 data, 230 bytes of memory, and 232 time. These complexities are so small that we have actually simulated the attack in less than two hours on a single PC, and experimentally verified its correctness and complexity."

The industry (predictably) claimed this was all impossible, as it required unavailable hardware. Yeah, right. Well under US$ 10,000 should provide a high-quality intercept station. For details of the analysis:

See this project to design and build a relatively inexpensive (US$ 700) GSM receiver and crack A5/1.

Further GSM security and insecurity references include GSM Security FAQ: Have the A5 algorithms been broken? and GSM Security Algorithms.

August 2009 saw further reports on making A5/1 cracking more practical and less academic. See Subverting the security base of GSM by Karsten Hohl and Sascha Krissler, presented at the Hacking At Random conference in Aug 2009. The DarkReading mailing list discussed the work.

December 2009 brought even further A5/1 cracking results. An article from late December 2009 reported that a complete GSM intercept station could now be built for about $4000, and it can handle the random channel hopping. A 2TB Rainbow Table is used to rapidly find the encryption key. A low-end intercept station could be built around a PC with a medium-end graphics card, at least 2TB of disk storage, and two GNURadio USRP2 computer-controlled receivers. A few minutes of conversation will be required to gather enough information. More elaborate and expensive systems using FPGA devices could break the encryption "almost instantaneously".

In 2012, researchers at Ruhr University Bochum broke the A5-GMR-1 and A5-GMR-2 algorithms used on satellite phones. They report a ciphertext-only attack on A5-GMR-1 with average complexity 232 steps, and a known-plaintext attack on A5-GMR-2 for which "the encryption key for one session, i.e., one phone call, can be recovered with approximately 50?65 bytes of key stream and a moderate computational complexity." See the research group's report, their paper, and a description in Network World.

If you want voice COMSEC on the cheap, check out PGPfone. You use your computer's audio interface and PGP software to encrypt and decrypt a pair of audio streams.

Mobile networks have been hacked by attacking the insecure GPRS backbone links used by most mobile phone providers. This was announced and demonstrated at the Chaos Communication Camp 2001.

GPRS encryption has been broken, see articles in ComputerWorld, in The Register, and MIT Technology Review.

To build your own GSM femtocell, see the Vodafone - THC Wiki.

If you are more interested in GSM jamming and otherwise denying service with decoy GSM cells:

DNS (Domain Name System) Security Issues

DNS should work as follows:

  1. The human user types www.cromwell-intl.com into a browser. The browser recognizes that this is not an IP address, and it makes a library call to the resolver. That creates a DNS query packet asking for an A record for the fully-qualified domain name (FQDN). This is a relatively simple UDP datagram.
  2. That DNS query is sent to the client's nameserver. If you are reading this at home, that means the DNS server specified by your ISP when your system used DHCP to get its IP configuration. If you are at work, then it would be your corporate DNS server. Either way, the DNS server is willing to do some work on behalf of the client and answer its questions because it's a client.
  3. That nameserver (labeled "ISP nameserver" below) doesn't know and it doesn't know who to ask. So it asks a server authoritative for the entire .com domain, "Where is the nameserver for the cromwell-intl.com domain?", asking for an NS record. The root servers are authoritative for .com and so its IP address is coded into the DNS server software.
  4. The .com server answers the direct question and also passes along the answer to the obvious next question, "What are their IP addresses?". As it turns out, there are two. One question was asked, there were two answers and two additional pieces of useful information.
  5. Your nameserver now picks one of those servers and asks the original question, "What is the IP address for www.cromwell-intl.com?".
  6. That nameserver responds that www.cromwell-intl.com is really an alias. The canonical name is cromwell-intl.com and its IP address is 75.146.106.233. This information should be good for a while, feel free to cache it for 3,600 seconds.
  7. Your ISP returns that information to your client, which receives it and passes the information along to the browser application. It makes a connection to TCP port 80 on that IP address, and this page loads.
  8. Meanwhile your nameserver is caching that information in case some client asks the question within the Time To Live value.

Below you see those numbered steps as ASCII art:

[1,2] client -----------------------> ISP nameserver
              DNS query:
              www.cromwell-intl.com A record

[3]                                   ISP nameserver --------------------> .com name server
                                                     DNS query:
                                                     cromwell-intl.com NS

[4]                                   ISP nameserver <-------------------- .com name server
                                                     DNS answer:
                                                     cromwell-intl.com NS = ns31.domaincontrol.com
                                                     cromwell-intl.com NS = ns32.domaincontrol.com
                                                     Additional resource record:
                                                     ns31.domaincontrol.com A = 216.69.185.16
                                                     ns32.domaincontrol.com A = 208.109.255.16

[5]                                   ISP nameserver --------------------------------> ns31.domaincontrol.com
                                                     DNS query:
                                                     www.cromwell-intl.com A

[6]                                   ISP nameserver <-------------------------------- ns31.domaincontrol.com
                                                     DNS answer:
                                                     www.cromwell-intl.com CNAME = cromwell-intl.com
                                                     Additional resource record:
                                                     cromwell-intl.com A = 75.146.106.233
                                                     TTL = 3600 seconds

[7,8] client <----------------------- ISP nameserver <---> cache
               DNS answer:
               www.cromwell-intl.com CNAME = cromwell-intl.com
               Additional resource record:
               cromwell-intl.com A = 75.146.106.233
               TTL = 3600 seconds

What the attacker wants to do:
The attacker wants to fool many people into looking at the wrong web site. They build a bogus web site on some server. It looks like something people would trust, for example, a clone of the citibank.com web site. Of course, it is just going to steal information if anyone visits it and believes it's really Citibank!

They will then try to fool as many DNS servers as possible into beliving that the IP address for www.citibank.com and citibank.com is whatever IP address they have for their bogus site.

Note that they could have a digital certificate from Verisign or whoever, completely valid for their IP address and whatever their domain really is. Your browser would be happy to connect to that server via HTTPS and it would report no problem. You would have to examine the certificate details and see that it was issued to some organization in Russia instead of Citibank, and what is the probability of you doing that every time you use a banking site?

So how do the bad guys fool the world-wide DNS infrastructure?

Problem #1 — Stateless DNS
Early versions of the BIND DNS server did not keep track of which questions they had asked. If they got an answer, they assumed it was relevant and put it in the cache. So the bad guy does this:

Problem #2 — The Kaminsky DNS Vulnerability
Dan Kaminsky discovered a very serious problem in DNS and publicized it in the summer of 2008. Left out of the above explanation was the detail that DNS packets contain a field called the Query ID. This allows a DNS server to match answers to questions, and it allows newer DNS implementations with some sense of state to tell if a given answer corresponds to a question that they had asked.

The problem is that the Query ID is reasonably easy to guess in many DNS server implementations. The bad guy now:

This is also a cache poisoning attack, but it is far more powerful.

So, how do you avoid being a victim?

The djbdns DNS server by Daniel J Bernstein has correctly randomized both the source UDP port and Query ID since the beginning. Many people find his djbdns easier to configure than the much more commonly used BIND software from ISC.

Incidents and Anecdotes

Government Warnings and Reactions

Further Reading


Back to the Security Page