Showing posts with label Cyberwarfare.

Wednesday, 14 December 2011

When Does A "Tool" Become A "Weapon"?

As with so many tools, security vulnerability detectors can be misused to exploit rather than defend.  The Metasploit Project is an extremely valuable tool and many of us in cyber security use it to research and probe for potential problems. However, a recent development revealed by Security Labs in India demonstrates just how easily the Metasploit Framework can be used to develop malicious payloads that avoid detection by the usual Anti-Virus and Firewall software.

By installing a few extras with BackTrack 5 (another tool-set that penetration testers know well) it is possible to run a script based upon Metasploit that generates a "reverse TCP payload".  In essence, all of your Internet data is carried using a protocol called TCP/IP, where the IP part gives the "addresses" of the sender and receiver, and the TCP part ensures that the data, which is chopped up into small "packets" for transmission across the Internet, is reconstructed correctly in its entirety once received.  In a "reverse" payload the connection is opened from the target machine outwards rather than from the attacker inwards, so you receive the unwanted data without realising it.  Hence, it bypasses the types of traps that are usually employed to capture unwanted code, which are mostly watching for inbound connections.
What could you do with this?  Well, imagine you could use the technique to deliver a "backdoor" to a machine. Actually, you don't need to imagine, as that is exactly what was done.  All of a sudden you have the means to take over a machine remotely without the user knowing, and in such a way that most users would stand very little chance of detecting the attack: certainly not using routine Anti-Virus and Firewall software.
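Because a reverse payload makes the compromised host open the connection, the defensive check has to look at egress rather than ingress.  The following is an added example (not from the original post or from Metasploit) that triages constructed host-connection records and flags outbound sessions from processes that should not be making them or to unusual ports; the record layout, the process allowlist and the port list are assumptions for the demo.

```python
"""Egress-side triage for reverse-connection payloads (added example)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Conn = namedtuple("Conn", "ts pid proc direction dst dport")

# Assumed allowlist of desktop processes expected to open outbound sessions.
ALLOWED_PROCS = {"firefox.exe", "outlook.exe", "svchost.exe"}
# Assumed set of destination ports a workstation normally talks to.
COMMON_PORTS = {25, 53, 80, 443, 587, 993}
# Assumed internal address space; anything else is treated as external.
LOCAL_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse a constructed record: 'ts pid proc OUT|IN dst:port'."""
    ts, pid, proc, direction, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return Conn(ts, int(pid), proc, direction, host, int(port))


def is_local(host):
    return any(ip_address(host) in net for net in LOCAL_NETS)


def suspicious(c):
    """Return a reason string for an outbound external session, else None."""
    if c.direction != "OUT" or is_local(c.dst):
        return None  # inbound and internal traffic are out of scope here
    where = f"pid {c.pid} {c.proc} -> {c.dst}:{c.dport}"
    if c.proc not in ALLOWED_PROCS:
        return f"{where}: unexpected process opening an outbound session"
    if c.dport not in COMMON_PORTS:
        return f"{where}: allowed process but unusual destination port"
    return None


def triage(lines):
    """Run every non-empty record through suspicious() and keep the hits."""
    hits = (suspicious(parse_line(l)) for l in lines if l.strip())
    return [h for h in hits if h]


# Constructed sample records, not captured from any real host.
SAMPLE = """\
12:00:01 1204 firefox.exe OUT 203.0.113.10:443
12:00:03 1310 outlook.exe OUT 10.0.0.20:993
12:00:07 2288 winword.exe OUT 198.51.100.7:4444
12:00:09 3102 svchost.exe OUT 203.0.113.44:8080
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE.splitlines()):
        print(finding)
```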

It's such a shame that these tools are used in this way. Or is it? Perhaps that's the very reason they exist.  After all, this has shown a vulnerability and a form of attack vector that may not have been thought about by the AV and Firewall vendors.

Monday, 12 December 2011

Hackers Serve Notice Of An Interesting Year To Come

To paraphrase Douglas Adams' mega computer, "Deep Thought", I speak not of the attacks that have happened in 2011 but of those that are to come.  2011 has been dubbed by many in the press as "the year of the hacker".  I think they may be mistaking the calm before the storm.  One has only to read the various Tweets and Blogs by those involved in the hacking to realise that, if anything, they feel emboldened.  I don't mean those involved in cybercrime or cyber warfare, but the hacktivists.

The hacktivists such as TeamPoison, Anonymous and LulzSec have found that hacking can be a very effective means of making a political statement.  In times of increasing economic peril, widening gaps between rich and poor, and behaviour by some that appears to be worse than Gordon Gekko's, it's not surprising that those identified as the cause of the problem are subject to attack.

Whilst many involved in cyber security are seeking to secure systems whose compromise could lead to financial loss or interruption of critical infrastructure, I can't help but wonder if those in the sights of the hacktivists have taken the necessary precautions.  I suspect their focus may be elsewhere.  But, when it comes, they can't say they weren't warned. And I don't mean by folk like me. The hacktivists themselves have quite blatantly set out their intentions - see below - ignore it at your peril (DO NOT WATCH THIS IF YOU ARE EASILY OFFENDED):

Monday, 28 November 2011

Analysis Emerges About Government Cyber Strategy

It's fascinating to watch the various interpretations that have emerged over the weekend following the release on Friday of the UK Government Cyber Strategy.  Some do appear to have come up with some quite extreme interpretations, such as that from ZDNet (http://www.zdnet.com/blog/london/uk-government-8216planning-to-launch-stuxnet-like-attacks-against-hostile-states/1128), who read from the document that the UK was about to go on the offensive through clandestine means with attacks like the Stuxnet attack of 2010.  However, as if to salve their own journalistic conscience, they did add that it had been worded "vaguely".  Quite.

Of more interest are those that have picked up on the fact that the MoD will be involved in developing capability alongside GCHQ.  The British Forces Broadcasting Service, of all people, gave a succinct interpretation which I thought was really rather good, although there is a tiny bit of irony perhaps in their having to admit that they had lost quite so much data:


Saturday, 26 November 2011

Cyber Defence Through Community Action

Today sees the start of Malcon (http://malcon.org/) in India.  The clue is in the name: it is a conference about malware.  However, it has some important differences to the now infamous DEFCON gathering in Las Vegas each year, where hackers attend to learn from each other how best to attack systems around the world.  Malcon has a degree of involvement from the Indian government.  Not hidden or disguised: totally in the open.  Whereas DEFCON has a "spot the fed" competition, Malcon appears to welcome government involvement.

The Indian government formed a centrally run register of those who can help organisations to counter and respond to cyber attack.  It is known as the National Security Database (http://nsd.org.in/web/).  The government certifies the individuals they list so that users of the register can trust those that they call upon. Whilst it has existed for some time, the NSD is due to be launched (or some would say re-launched) at Malcon.  The NSD was conceived after the terror attacks in Mumbai in 2008 when India realised it was as vulnerable as anyone else to attack, including cyber attack, particularly on critical national infrastructure.

In many ways the NSD looks a lot like some elements of the planned "hub" in the UK.  How successful either model will be has yet to be seen, but at least the Indians have taken action and have put the NSD in place.

In a further demonstration of how a community can (apparently) come together to help defend itself, a not-for-profit organisation has been formed called the Indian Cyber Army (http://www.cyberarmy.in/).  Their ambitions appear very laudable in trying to engage white and black hat hackers in defence rather than attack.  What's more, they are trying to engage them from a very early age.  However, whether this works, or is simply a magnet for black hat hackers to collaborate through, will only become clear over time.