Russian Spies used Wi-Fi and Steganography

Some of the details are beginning to emerge about the 10 Russian spies that were captured in the US. According to an article on The Register, the spies communicated with Ad-Hoc Wi-Fi networks and hid messages in pictures using Steganography.

FBI agents monitored 28 year old Russian spy Anna Chapman as she communicated with a Russian government official. Anna would go to a book store and using her laptop, created an Ad-Hoc Wi-Fi connection to a Russian contact who was outside the store:

Surveillance agents nearby used “a commercially available tool that can detect the presence of wireless networks” to witness the creation of the ad hoc networks. NetStumbler is probably the most popular example of such software. Law enforcement agents were able to detect a particular MAC address – MAC address A – at the time that Chapman was observed powering on her laptop computer,” the complaint says. Law enforcement agents were also able to determine that the electronic device associated with MAC address A created the ad hoc network.”

The spies also embedded secret messages in pictures and uploaded them to sites where Russian officials retrieved them, and decoded the messages.

A New Jersey search uncovered a network of websites, from which the alleged spies had downloaded images. “These images appear wholly unremarkable to the naked eye,” the complaint explains. “But these images (and others) have been analyzed using the steganography program. As a result of this analysis, some of the images have been revealed as containing readable text files.”

It is interesting to see the tactics used by modern spies. Of course Russia is denying any and all involvement. Kudos to the FBI for taking them down.

Definition of Cyber War still in Flux

Interesting seminar today at Arcsight called “Hacking the Odds – Gaining a House Advantage over Modern Threats”. I must admit that it wasn’t at all what I was expecting. I thought it would be on modern defense techniques and tactics, but it ended up being an expo on cybercrime and defining cyberwar.

I was disappointed at first, but some interesting points did come out of the talk. First and foremost, defining Cyber War and what it is, is still a hot topic amongst policy makers. Dr. Prescott B. Winter of Arcsight (and former NSA Associate Deputy Director) had some very interesting points.

First and foremost, he compared cyberwar to physical war. In a physical war, we see troops in uniform forming up, arms preparations, ship and naval units moving into position. There are several tangible things that happen that we know lead to battle. You do not have that in Cyberwar. There are no early warning systems, no radar returns, no thermal images of the enemy advancing to attack. Also, it is hard to see which direction you are being attacked from in a cyber war. When Estonia faced cyber attacks in 2007, they had evidence pointing to over 100 nations where attacks came from, when in reality it was just the work of one nation.

Secondly, we are not the only nation having trouble defining cyberwar. With differences of opinions, policy and political stances, all the nations may never agree on set international rules and laws. Many times too, we are not facing a foreign country or rogue nation, but a lone hacker or cyber crime syndicate trying to make money.

This too brings up its own unique issues. How do you prosecute cyber crime? What may be illegal in one nation may not be in another. Also, if we have a hard time getting state, local and federal police to cooperate, how much harder is it when you get foreign police services involved? Then again what about when the case is taken to court? Cybercrime Expert Andy Crocker mentioned in the broadcast that when he was prosecuting a case in Russia that he used a Power Point presentation because the court was not up to speed on the technical issues of cyber crime. The result? The court argued for a week if Power Point presentations were legal in Russian courts.

To wrap up, I loved one of Dr. Winters analogies on policy. He said that we have strict policies on airplanes coming in and out of the US. Planes in disrepair are not allowed to fly over US cities. But, he said that we allow malicious foreign traffic on our systems every day.

Policy changes are indeed needed and quickly.

US Cyberwar Tactics over Relying on IDS?

Very interesting article recently on by Richard Stiennon about the weapons that the US is deploying to fight Cyber War. Richard is the founder and Chief Research Analyst at IT-Harvest and the author of the recently released book “Surviving Cyber War“.

According to Richard, the US is relying on 15 year old technology to defend the US. The much vaulted “Einstein” project may not be the right choice to secure our digital borders. Yes, future version supposedly will have auto defense capabilities, but currently the technology still relies on Intrusion Detection.

IDS is a technology invented over 15 years ago. It is signature based which means it relies on a massive collection of snippets of text and code that researchers have discovered over the years are associated with unwanted network traffic, be it worms, port scans, or intrusions. Because the original deployments of IDS were just passive data collectors there was no impact on network performance from adding new signatures so the data base grew and grew and the logs IDS generated grew and grew to the point where even a mid-size organization would receive millions of alerts a day.

Herein lays the problem. The Einstein system or any signature detection based system has to filter through massive amounts of packets to look for suspicious activity. In this huge river of data, you have legitimate user traffic, normal system communications, and transactions along with the malicious traffic. In analyzing this data you receive a large amount of false positive alerts along with real threats. Human analysts are required to sift through the alerts and try to determine the false alerts from the foreign national hacker with nefarious intentions. According to Richard:

The only tool in DHS’s chest is a monitoring tool. Millions of alerts have to be filtered down. The continuous port scans, the worm traffic, the DDoS attacks, have to be winnowed down to something actionable. And even if that were possible, attacks such as those seen by Google, the Dalai Lama’s office, and the Pentagon, would still be effective… Einstein is a waste of money and a distraction. Other than generating huge reports that highlight the levels of attacks targeting DHS it will do nothing to protect DHS networks.

It looks like the US may need to look in a new direction to defend government systems. But if signature based intrusion detection is out, what do you replace it with?

Penetration Testing: Physical Security Breach

Amazing video of an off hours physical penetration. Definitely a must see. This shows what can be done to your network if your physical security is weak. If these guys were to breach your building it would be game over. I found this video on, interesting site, if you like the video, check out the site.