Schneier on Security

Clive Robinson • May 17, 2017 5:59 AM

Two things to note before getting into the atribution game.

Firstly we humans are in general limited by our understanding of the physical world, and have little understanding of the information universe.

When we by something such as a car or book or childrens toy we don’t expect it to have harmful defects hidden away within it. Further if there are defects discovered it’s usually at the begining of a products life time and if serious a product recall is put in place (think the recent phone with burning batteries problem). Thus once we own a product we expect to be able to use it untill it falls apart on us.

This is not the case with software it’s riddled with bugs and thus attack vectors, with by far the majority unknown throughout the product life. As bugs are found unlike physical products information products are not recalled they get patches which the user is expected to incure the cost of downloading, installing and operating. And there is apparently no recourse if the patch causes harm…

There is a Catch-22 in this. If we force information products to takeon the same liabilities as physical products, the software companies would either disappear over night, or software would flip back to the sort we had with terminals of big iron mainfraims in the 1970’s, and the Internet as we know it would cease to become accessable.

Thus we have to accept that if we want the bells and whistels of having software on our hardware products there is a price to be paid personaly. We get forced into an upgrade hamster wheel or we drop out of communications with other computers, to avoid having the inbuilt bugs used against us. That is we have to treat software as a hazard to our health. Think of it like buying a book, that when you put it on the shelf, it might explode, destroying all your other books if you use the doors, windows phone, television, radio etc in your house to communicate with the outside world…

Thus we have to think of information products in a very different way to physical products, and it’s realy well outside of our usual perception and that is problematical.

Secondly we have to stop alowing the unqualified making gut feeling choices. In particular politicians and their ilk who actually rarely suffer the costs of their poor guesses.

Whilst the politicians are trying their best to distract the public away from it, the failure for the NHS is being actively created by politicians. In the case of XP back in 2015 the Secretary of State for Health in the UK Jeremy Hunt MP decided for political mantra reasons not to renew the NHS XP support with Microsoft. The cost saving was small less than nine pence per user of the NHS and in the same period Jeremy Hunt’s personal unearned wealth has increased many times what that support contract would have cost.

Likewise we see in industry the mental view point of very short term thinking. Basically maximise short term profit by destroying the resiliance in the longterm future.

If we are to stop the likes of cyber-wars we have to change our way of thinking. If we don’t then we are just going to continue the tail spin we are currently in.

We kind of have to view software on our own hardware like storing explosives which become not just more unstable with time, but also more powerfull in the damage they do with time…

Clive Robinson • May 17, 2017 10:01 AM

@ Winter,

Maybe we should see software as fresh fish? Or fresh milk?

Yup milk especially has a parallel… Back in the Victorian era there was a belief that when milk stated to smell buttery not creamy you should add a little lye to it. So although on the surface the milk was refreshed it was actually steadily going poisonous, but your nose was not telling you so.

So you could regard software patches as being the lye in the milk of the application.

@ Bruce,

But the North Koreans have surprised me before, and I’m trying to keep a more open mind this time around.

It’s not just the NKs it’s all half way competent IC agencies of just about any country you could name without having to get a map out.

For some reason there is a bunch of wishfull thinking about a bunch of ones and zeros that do damage to our very poorly written overly complex mainly usless feature rich applications and OSs. People like to belive that,

1, It’s difficult to write malware.
2, It’s difficult to stop malware.
3, That locards principle applys to software.
4, That code cutters have unique styles that are fingerprints.
5, That you can not falsify malware.

All of these are false assumptions, and if we keep making them we are going to end up with pie in our faces.

Malware is not that difficult to write, the hard part which is often more luck than skill is finding the exploit. In fact if you know where to look malware code is almost trivial to get hold of. In this respect it’s much like the coding style of a lot of people, the look up an example on the intetnet pull out the bits they want and stich it together. It’s something you would expect bright teenagers to be able to do.

As for stopping malware, it’s easy to do but there is a price to pay which is you lose or severely restrict connectivity. There are ways to mitigate some of the effects but due to the way hardware design is going building systems with no semi-mutable storage that can be got at from an Internet or other connection is getting difficult if not impossible. Thus we need to think seriously about how we design our hardware, and how we communicate. The likes of the fettish for IoT and similar is going to bring this to a head within a year or two at the most, the question is how long will it take us to clean up the midden on our doorsteps.

To demonstrate a basic issue of human thinking, there are the assumptions we carry forward from our physical world perspective to the information universe. We instinctively believe that what applies to the one we are familiar with, also applied to the one we are not, and we trip over our assumptions. What makes it worse is that our physical world we perceive is very likely to be a subset of the information universe, thus many assumptions do carry across but by no means all. One such is the fundemental tenent of forensics, Locards exchange principle, where the assumption is that objects and entities exchange parts of themselves or leave toolmarks etc which are unique identifiers. The simple fact is this realy is not true for software toolchains and the end product of executable code.

Unfortunatly a number of people on the forensics side also incorrectly believe that code cutters have unique styles that can be used as hard and fast as fingerprints. We even know that this is not true in the physical world, so why on earth should we believe it’s true in the information universe, where it’s representation in ones and zeros that can be endlessly copied and sliced and diced which ever way a person adept with an editor might wish.

Denying that you can slice and dice to your hearts content to remove statistical traces, unfortunately gives rise to something that is realy silly when you take a step or two backwards and think about it. Which is the notion that you can not falsify malware. At the very simplest you just copy someone elses code and the way it works. You then make one or two small changes by cutting, pasting and modifying parts of code from other software that has been “supposedly” identified. Fish chase lures and get hooked even though a lure looks very little like a fish, are we realy all just as bad?

With the way things currently work with computers and the Internet it’s easy to fake not just sources of attacks but destinations of data etc. Thus we need to look outside of the computers and Internet to find evidence that is actually indicative. This is always going to be physical world evidence, be it as difficult as Human Intelligence or as simple as tracing proceads of a crime.

Currently we do not have any such physical world evidence which means that attributing would be very slipshod at best.

In the intelligence game of smoke and mirrors there are ways to build up comfirmation, you basically supply your assumed target with a small piece of false but identifiable piece of information. You then observe if the target takes action in a way they would only have done if they had received that piece of information. The problem is such techniques are probabilistic in nature not definitive.

Thus attribution is hard, and going off half cocked is likely to hurt the person firing the shot more than it does the person they are aiming at.

Thus the NY Times has gone of half cocked again and more and more people are becoming cautious about what they say.

I have my own reasons for distrusting the NY Times as I’ve mentioned in the past. Thus I can see a connection as to why the NY Times might well publish a story that would be helpful to UK political interests as this story is likely to turn out to be.

Clive Robinson • May 18, 2017 5:00 AM

@ Ratio,

Ross Anderson was probably refereing to what went on prior to his 2009 paper on “Snooping Dragon”

http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html

Back then things were the other way around to the way they are today in the attribution game. Ross had done his homework and the attribution to China he presented was reasonably sound…

But nobody officially wanted it to be true then for political reasons thus shots were taken at the messenger.

I like others who comment here do not blow cold the hot then cold again when ever the political wind changes direction when it comes to attribution. We ask for a certain burden of proof prior to making a claim.

As it turns out in this particular case an early version of the WannaCry ransomware used code from earlier malware used to conduct successful thefts of money.

Depending on your view point and it’s underlying assumptions you might or might not accept that those who identified the original code as being from a group that has been christened Lazarus, that likewise has been said to have ties to North Korea based on various assumptions.

The problem is that some of the supposed evidence backing the Lazarus Group idea and claims is to put it mildly tenuous. Worse there are other indicators that suggest that this is not as likely.

The early version of the WannaCry ransomware had not just code attributed to the Lazarus group, but code taken from other places, so we know there is more than one piece of code reuse. However other attacks attributed to Lazarus not just worked, but worked well, and importantly the back-end financial system worked. The same can not be said of WannaCry ransomware.

Thus you have a set of arguments in one direction whilst also having a set of arguments in the opposite direction. But there are other indicators, the code attributed to the Lazarus group has identifiable purpose that can be said to align with North Korean aims, which is to get money (which is also the intent of most cyber-crime). However this WannaCry ransomware appears to lack purpose other than to be a problem to those running Microsoft OSs that are no longer under normal support… Thus it could be argued that it was actually aimed at making Microsoft and it’s special support look bad, which is not something that aligns with either previous Lazarus group code or North Korean aims and objectives so far established…

Even the people that noted the original reuse of supposed Lazarus Group code[1] and other similarities[3] did not say the WannaCry ransomware was from the Lazarus Group or North Korea…

What is lacking so far is an unbiased break down of both differences and similarities so that a differential diagnostic can be reasonably be carried out. Until that happens all we have is “hearsay” not “opinion” and by no means “evidence” in the accepted sense even for the “balance of probability” of a civil action.

[1] Google researcher Neel Mehta tweeted two points in an early version of wannacry, which showed code from earlier malware Contopee.

[2] Contrary to what many have indicated the WannaCry authors didn’t actually use the NSA code, they actually copied it from the version in the open source project Metasploit tool.

[3] Kaspersky bloged about Mehta’s tweet[1] very shortly after with analysing the similarities, they did not definitively say that WannaCry came North Korean or the supposed Lazarus group.

[4] Neither Neel Mehta or Kaspersky have actually said very much beyond pointing out similarities. Others have run with this without doing their own analysis, which has made the reporting far from unbiased. Whilst Kaspersky have acknowledged the possibility of a false flag operation, they discount it as being to complex for the people that made the buggy WannaCry. Which unfortunately is circular reasoning.

Clive Robinson • May 18, 2017 8:52 AM

@ Louis C,

I personally think that wannacry … may be a proof of concept

The early version from Feb may well have been, but the later versions contain problems.

I’m thinking that who ever built is scraped code and ideas then bolted it all together without doing any real kind of testing.

This sort of slap dash thing is not what the tools –that are alleged to be from the supposed Lazarus Group– that attacked Swift were like. Further the tools that were used against the Swift financial network had a very clear function and were used to successfully achive the task of stealing quite a large amount of money. This ransomware realy has no clear purpose other than to be more of a nuisance than a revenue generator.

Thus there is the very real appearance of two groups… One taking an almost proffessional approach and achiving clear objectives, in a well ordered way. The other slapdash with little or no originality, poor implementation of anti-forensic, financial realisation methods and poorly executed.

Thus the MO differences not the occasional code copying would suggest two groups one proffessional and coordinated the other not…

As for what turned out to be a kill switch, you have to ask several questions. The choice of domain name suggests it was not something that was being tested, yould pick a much simpler name for that. Likewise it’s way to simple as a kill switch, to easy to find and thus be used by targets. Hence the viewpoint some have that someone wanted to add an anti-forensics feature, but never got it out of the idea phase, thus a part implemented prototype with not implemented code stubs that never even got to the point of being tested let alone put into a production ready idea.

I would not be surprised to find that at the end of the day it will be a variation of the archetypal “400lb acne riddled teenage agoraphobe hiding in a bedroom in his parents trailer south of slamdunk nowheresville” meme, that various people pull up from time to time. Not some variation of the supposed “Elite group of ninja coders working with military disipline” meme.

Clive Robinson • May 24, 2017 6:15 PM

@ Gordo,

Symantec attacked over claims that WannaCry ransomware is the work of North Korea

If you want to look back at the Friday Squid, you will see that some of “the usuall suspects” called the attribution suspect for exactly the reasons James Scott gave yesterday, but we did it within hours of Symantec’s supposed atribution not a week later.

Maybe James Scott reads this blog 😉

Clive Robinson • May 26, 2017 5:31 AM

@ gordo,

As ICIT rightfully points out, such attribution speculation takes the focus off of issues that can, should and need to be addressed.

Yes, there is always more behind things than are generaly visable. The problem is though if somebody claims to have seen behind the curtain and makes certain claims how do you go about verifying them.

For instance this got sent to my wokspace a short while ago,

http://www.voltairenet.org/article196455.html

How to go about verifying not just parts or the whole, but also the context it aims to set.