Category Archives: KL backdoors

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS

"Has My Phone Been Hacked? Am I Being Surveilled?" – You Have No Idea

When someone asks that question do they mean that they are worried about rootkits, backdoors, trojans, worms, spyware, keystroke logging; are they concerned that someone has clocked their PGP private key; do they suspect LE have a warrant to eavesdrop their voice comms; or do they fret about the integrity of SIM card encryption and the Gemalto hack? Do they fuck.

Continued Happiness & Abundant Joy (For Hackers)

No, they don’t worry about these things because they don’t know about these things, they don’t care to spend the time understanding the threats or pay for the solutions and I don’t blame them. And that simple reality assures the continued happiness and abundant joy of the hacking for profit community.

If they are an above ordinary John Q then they follow a few simplistic tips they read after a quick Google and subsequently consider themselves bullet-proof and smart. If they are a small business they get comfortable when some self proclaimed infosec expert in a suit charges them a small fortune for “steal your watch & charge to tell you the time” consulting.

Good Old Fashioned Olde Worlde Surveillance 

And it’s not all about super-elegant hacks written by PLA Unit 61398 swirling around in the matrix gobbling up industrial secrets. A scene in the documentary CitizenFour showed Snowden using a blanket to cover his head and his laptop screen. The Snowden-Greenwald dialogue was as follows:

37:35 [Snowden pulling blanket over his head/laptop]
37:44 Greenwald: Is that about the possibility of…
37:47 Snowden [still under blanket, interrupts] visual, yeah visual collection
37:50 [Greenwald looking around the room, seems not rather sure what to think and say]
37:55 Greenwald: I don’t think at this point there is anything in this regard that will shock us. [laughter in room]

Gras Double commented on this precaution and noted that allegedly: “Still, using some advanced audio software, from the typing sound of the pressed keys, deducing from echo, reverb, comparing with the sound of a keyboard of an identical laptop, you could determine their coordinates in space. You can also analyse the movement of muscles of Snowden’s arms and extrapolate up to its fingers’ location and movement.” – a bold claim.

Another bright spark on Information Security Stack Exchange stated “He was using the blanket to fool visual recording devices attempting to steal his password, even though with modern technology x-ray or thermal imaging you could effectively ‘see through’ the blanket.” In rebuttal it was noted “I can see how an IR Thermographic Camera has a chance to detect something if the wrong kind of blanket is used. No idea how you want to use XRay, as it requires an emitter as well as a receiver.”

Line of Sight Surveillance for the Common Man

Still – the point is made I think – visual intercepts are economically viable even for local LE – it’s just an ultra low light wifi enabled pin-hole snake camera in the right spot. One above the driver and passenger seat belt brackets in a private vehicle is a good loc (easy access to and plenty of space behind the plastic covering the B pillar to store the bits). Five uninterrupted minutes and both are installed. Just wait for the target to take a Sunday drive and game on.

Most people rest the handset on their lap while typing stationary in traffic or better still upright and in front or on top of the wheel when driving – using one hand – which gives a nice unobstructed keystroke by keystroke view of their typing activities.

From a low value non-tech savvy target you will get screen lock password, SIM lock password, their main contacts, their email password and transcripts of their conversations during the time slot – even more if they are road safety conscious and use a speaker phone. For the high value target – encryption keys, app locks, timeline stats and so on and so on.

Turning Everyday Visual Objects into Visual Microphones 

When sound hits an object, it causes small vibrations of the object’s surface. This project shows how, using only high-speed video of the object, those minute vibrations can be extracted and partially recover the sound that produced them, allowing you to turn everyday objects—a glass of water, a potted plant, a box of tissues, or a bag of chips—into visual microphones.

The sound is recovered from high speed footage of a variety of objects with different properties, and uses both real and simulated data to examine some of the factors that affect the ability to visually recover sound.

The researchers evaluate the quality of recovered sounds using intelligibility and SNR metrics and provide input and recovered audio samples for direct comparison. They also explore how to leverage the rolling shutter in regular consumer cameras to recover audio from standard frame-rate videos, and use the spatial resolution of the method to visualize how sound-related vibrations vary over an object’s surface, which they can use to recover the vibration modes of an object.

In simple terms:

1. Two guys talking out of sight in a room;
2. You, outside at a distance pointing a video camera, through a window at a glass of beer on a table in the room;
3. Record the glass of beer for the duration of their conversation;
4. Take the footage and process it and extract the audio contents of the conversation that was happening out of sight;
5. No installs, no intrusion, no access to the room required, no need to see the targets;

SIM Card Encryption 

Here is a sobering thought in plain language that applies to every SIM card that you have ever owned:

“US and UK intelligence agencies after the Gemalto hack in 2010 and 2011 have the ability, with the stolen encryption keys, to monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.”

Sentimentality is Your Enemy

The easiest way to ensure that your smart phone remains un-hacked or returns to an un-hacked state is to be willing to survive on cheap throwaways – but most people are not willing to do that. If you are it’s simple as 🙂

1. Take the SIM out of your phone every few days / weeks / months (depending on your level of paranoia or the reality of your work / life), drill a hole in the motherboard, hit it with a hammer, microwave the mess and flush the remnants down a public toilet or a subset thereof;

2. Insert your SIM card in another cheap smart phone with the proper set of reliable tools that reduce (note the use of the word “reduce” not “remove”) your risk of infection, don’t transfer the data from the old phone or the apps and carry on. For maximum safety – bin your SIM too and buy a new one;

3. As before following a few simple rules like not downloading apps from random sites (although even the Google Play & Apple App Stores have their fair share of dodgy apps and are no guarantee of malware avoidance), don’t click on links in emails from Eastern European porn sites and don’t give your unlocked phones to strangers at airports – although you can just as easily be hacked remotely.

However, if you will insist on treating your phone as a treasured fashion accessory and have to travel everywhere with tons of personal data you haven’t looked at in years at your finger tips – just in case – then you will not want to do the above and will insist on a different answer to the question.

The Advice “Out There” 

A simple search on DuckDuckGo demonstrates the amount of posts out there on the subject and the amount of bizarre “clues” which are considered worthy of worrying about – that’s before you even get into the Android / iPhone variations and exposures.

Alarm bells should ring for you apparently, according to many of these posts if:

1. On checking your bank accounts / credit cards you see unusual activity that seems to arise from app purchases that you did not make (sort of blindingly obvious I would have thought);

2. You are also to worry if your pointer starts levitating across the screen to select specific options as opposed to the random behaviour of the pointer on a busted or water damaged handset (I would have thought this would worry even the most non-savvy user or really interest all paranormal investigators);

3. Seeing photos in your gallery that you did not take (Really?) – be very worried if they are of you while watching PornHub 🙂 – RansonWare;

4. Getting text messages from unrecognized numbers with weird characters in them (Oops);

5. Notifications that flash across your screen, disappear and then can’t be found in any app or the notification centre (Seems fair);

Subscribe to New Posts

To be notified as each post is published please subscribe to the blog – over there on the right – yes over there in the right column at the top where it says “Follow by Email”.

No new content, no email for you – ever – and we won’t sell your email details to the NSA either and we are subpoena proof too so we can’t be forced to either.

END.