Advanced Persistent Threat (APT) is the all the buzz these days. It’s become an all-encompassing term to describe just about any covert intrusion in the news. Guess what? APT is espionage. It’s not spammers, it’s not opportunistic hackers, it’s not criminals trying to get credit card information. Wikipedia has a good entry: http://en.wikipedia.org/wiki/Advanced_Persistent_Threat

The problem is that APT sounds sexy. It’s easy to say and has had so much press everyone has heard of it. Vendors love to say they stop APT. Chris Eng covers that well here: http://www.veracode.com/blog/2011/03/please-jump-off-the-apt-bandwagon/

My proposal is simple. We need sexy descriptions of the other types of threats. Once we have these new terms, people who refer to APT can be corrected and referred to the Hot New Threat (HNT).

The first new term is Perpetual Financial Threat (PFT). PFT covers all those threats that involve banking or credit.

Perpetual – Just like the definition, it continues forever, it’s everlasting. Attackers are always looking to increase their bank account. They target large companies as well as single users, if you have money or credit, they are want to take it. They never stop, because the rewards are huge.

Financial – The end goal is making money. Stealing identities, credit card details, bank account information, anything that will ultimately be involved in fraud or sold to fraudsters.

Threat – Their intention is to steal your Personally Identifiable Information (PII). They are out there and they are coming for you. They are phishing, spamming, and actively looking for exploits on you network and computers. They have automated tools and large botnets to help them achieve their goal of taking your money.

PFT is the new APT

Disclaimer… PFT is not to be confused with Bill the Cat and Pfft or Thbbft or Ack! http://en.wikipedia.org/wiki/Bill_the_Cat

The next suggested term is Automated Opportunistic Attack (AOA).

Automated – The attackers build tools into their malware to perpetuate themselves. The malware itself is designed to spread itself to any device that is vulnerable to the built-in exploits. This also covers scripts that written for the purpose of scanning for exploits.

Opportunistic – These attackers and tools are not discriminating, they attempt to exploit any and all vulnerable hosts. The end goal is to control as many hosts as possible. The hosts will be remotely controlled and become a commodity that can be rented to other criminals.

Attack – Hostile intentions to steal your information and commandeer your computer.

AOA is all those scans and connection attempts that most firewalls block. These attacks have become so commonplace, they’ve become an accepted part of connecting to the Internet. They are mostly easy to defend against, but if they are successful, they are a pain to clean up.

I initially intended to redefine APT to mean Automated Perpetual Threat…but that just seemed silly. These new terms should catch on quickly and somehow make me a lot of money. I look forward to it.

Want my business? Do these things:

Become the provider with the largest selection of Android phones.
Hell, make yourself open to any Android phone. Do you care what handset people use or do you care that they are a paying customer? All carriers want to put apps and limitations on my phone. I don’t want photobucket or Facebook on my phone. I want to pick and choose the applications that get installed. Don’t try to force your will on customers. Can you install some apps on my phone to get me started? Sure, make some deals to help offset the cost of my phone, but allow me to remove those apps if I see fit. Open is the future.

Embrace the Android Community.
There are thousands of Android Developers, make them think of Sprint as *THE* Android provider. Let them guide you with rock solid phones that have tons of features. Make the Cyanogenmod firmware YOUR base install. http://www.cyanogenmod.com/ Let them do whatever they want to Sprint Android phones. In return, you get a firmware that is backed by lots of developers. The community gets phones with features no other provider has and in some cases, actively removes from their phones.

Don’t forget about tablets.
I’m one of those people that doesn’t have a tablet. If you embrace Android and have a good selection, Sprint might be the place I finally buy one. When someone says Android tablet, they should think of Sprint.

Be Honest.
CEO Dan Hesse seems to be doing this already. http://www.engadget.com/2011/03/12/sprints-dan-hesse-differentiates-between-unlimited-and-unlimit/ Don’t stop. People will pay more if they use more bandwidth, but don’t lie to them.

Be innovative.
T-Mobile is the only operator that has WiFi calling. Go figure this out and make it happen. Phones aren’t for just phone calls anymore, with WiFi, suddenly the Sprint network is everywhere.

Don’t lock me into doing everything with Sprint.
If you are my cell phone provider, don’t try to wring every cent out of me with crappy addons. This is a step in the right direction: http://tech.fortune.cnn.com/2011/03/21/sprint-teams-up-with-google-voice/

It’s time for a wireless provider that doesn’t suck. It’s time for a wireless provider that let’s the customers participate. Don’t let this opportunity escape, seize it. Make me want to use Sprint.

First, install the dnscache-run package. This will install all the dependencies required. (daemontools daemontools-run djbdns dnscache-run ucspi-tcp)

apt-get install dnscache-run

svscan looks in /service for programs to start. This doesn’t seem to get created during the install, fix it with this:

mkdir /service
ln -s /etc/dnscache /service

Now, lets configure dnscache for our environment:

Edit /etc/dnscache/env/IP with the IP you want dnscache to listen on. The default is 127.0.0.1. That won’t work for hosts on our network.

vi /etc/dnscache/env/IP
192.168.1.2

Now we need to tell dnscache what networks are allowed to query the cache. It’s as simple as touching a file.

touch /etc/dnscache/root/ip/192.168

We’ve allowed access to all of 192.168.xxx.xxx. If we wanted to further restrict we could do this:

touch /etc/dnscache/root/ip/192.168.1

The default cache size is 1MB. I like to boost this to 100MB.

echo 100000000 > /service/dnscache/env/CACHESIZE
echo 104857600 > /service/dnscache/env/DATALIMIT

Now we need to start svscan, which will keep dnscache running:

/sbin/start svscan

That’s it, our cache should be up and ready to answer queries. Read more about dnscache here: http://cr.yp.to/djbdns/dnscache.html

The main reason I use dnscache is the memory usage. BIND tends to get very bloated when used strictly as a cache and as a result the system it’s running on suffers. Dnscache is very strict about memory usage and removing old cache items.

Inspiration: http://twitter.com/WeldPond/statuses/14499873948700673

Cybertage

I can't stand It, I know you planned it
I'ma set it straight, this cybergate
I can't stand reporters with nothin' to do
But I feel disgrace, because they've got no clue
But make no mistakes and switch up my keys
I've got quantum cryp-tog-raphy
What could it be, it's all a mirage
You're flooding on a host that's Cybertage

Plug your usb stick in and use diskutil to list your disks:
$ diskutil list

/dev/disk0 #: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *500.1 GB disk0
1: EFI 209.7 MB disk0s1
2: Apple_HFS Macintosh HD 499.8 GB disk0s2

/dev/disk1
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *2.0 GB disk1
1: Microsoft Basic Data UNTITLED 2.0 GB disk1s1

Now unmount the disk using diskutil and replace the disk number with the id of your usb stick.

$ diskutil unmountDisk /dev/disk1

Then use dd to write to the usb stick. DOUBLE CHECK THAT YOU ARE USING THE CORRECT DISK ID!

dd if=/tmp/ubuntu-10.10-server-amd64.iso of=/dev/disk1

Replace if=/tmp/ubuntu-10.10-server-amd64.iso with the path to your iso image

Goal:
First we need to decide the end result. Are we trying to shutdown a single webserver? Shutdown the wikileaks.org domain? Are we targeting specific information that we don’t want people to see? Are we trying to do this as fast as possible? Can we take our time and covertly infiltrate the wikileaks organization? Are we just trying to make the entire site inaccessible to everyone? Are we trying to destroy their ability to disseminate any information? Is this a political exercise or are we prepared to use methods that the world would consider cyberwar?

Applying political pressure may work in the US or in NATO countries, but eventually the target will move to a location that doesn’t want to cooperate. Amazon kicked wikileaks off it’s service, but the site quickly moved. http://www.guardian.co.uk/media/2010/dec/01/wikileaks-website-cables-servers-amazon

Let’s say we want to prevent anyone from contacting wikileaks.org, we’re skipping politics and methods short of destroying hardware are fair game. This leaves us with vulnerabilities in software used by Wikileaks, DNS and network disruption. With these guidelines, we need a plan.

I don’t think the planning stage is as simple as saying, let’s hijack their DNS and make the website impossible to access. A thorough operation will involve multiple attack vectors working in concert. Breaking the operation into smaller parts will allow teams to focus on their specific attack method. The tiger teams would be for software, DNS and network attack. I won’t go into detail on each method, but give some potential attacks.

Reconnaissance:
For all the attack methods, we need to double and triple check that who and what we are attacking is the actual target. It’s important that we minimize collateral damage. Attacking a target unrelated to wikileaks might be an accepted risk, but it’s one thing to know that we’re affecting more than just the target and not knowing we’ve created a bigger mess because we didn’t research properly. Shared hosting is common and if we took out an entire server, we might bring down unrelated blogs and websites in the process. Additionally, hardware located in foreign countries presents messy diplomatic problems if our methods are considered cyberwar.

Software:
Once we verify the target/targets, we need an inventory of the software and operating systems running on those devices. WIth this list of information, we can use exploits to target those applications. Depending on the level of urgency, we could stick to publicly available exploits, or we could reach into our bag of tricks and use unknown zero day vulnerabilities to bring down the software applications on one or more of Wikileaks systems. If we can gain access to these systems we can lock out the system admins and reconfigure or wipe the systems remotely.

DNS:
A court order could be used to confiscate the wikileaks.org domain, but we’ve ruled that out as an option. We could use methods from the software team to disable nameservers for the wikileaks.org domain. The issue is that even if we are able to compromise and prevent the domain from being used, the website can be easily moved to another domain that is better protected. (I think targeting DNS is a never-ending task) Fast Flux http://en.wikipedia.org/wiki/Fast_flux is a good example of how easy it is to change DNS. We could target the nameservers with a Denial of Service (DoS) attack http://en.wikipedia.org/wiki/Denial-of-service_attack. This would prevent users from finding the url for wikileaks.org, but not prevent them from hitting the IP directly or going to a new domain name.

Network:
From a network perspective, there are a few things we can do to prevent people from visiting the websites. Flooding the webservers, a DoS, would prevent legitimate connections from accessing the website. The downside here is that you need lots of bandwidth and many hosts to perform this attack, not to mention all the networks that are affected in between yours and the target.

Disrupting Border Gateway Protocol (BGP) http://en.wikipedia.org/wiki/BGP is another option, but collateral damage is more likely. Hijacking the address space for Wikileaks would be possible with the right infrastructure. BGP could be used to redirect their traffic to our own servers or just make requests to the website timeout. BGP hijacking would get more complicated with a globally load balanced network of webservers. Again, an attack platform infrastructure would have to be maintained to ensure the website was completely inaccessible.

Execution:
We have our recon information, we’ve evaluated our options and created operation plans and each or our teams have their orders. Now we execute the plan. Let’s assume each team is successful and our target is offline. Now what?

Monitor:
After all the planning, recon and attack execution, we need to do Battle Damage Assessement (BDA) http://en.wikipedia.org/wiki/Battle_damage_assessment How do we know we were successful? Is the domain up somewhere else? Is the information we’re trying to contain on another domain? Did they change IPs? Did they move to a new ISP? We need to be able to assess our efforts and continue to monitor for any status change. Depending on what we are trying to accomplish, the monitoring could be considered the most important part of the entire process.

I’ve just scratched the surface on what’s involved in taking down a website. The thought of a politician asking the Pentagon why a website with sensitive information hasn’t been forcibly removed is scary. The idea that a relatively new organization like Cyber Command could be orchestrating active attacks around the globe should concern everyone. I hope Cyber Command has smart people, that think too much, working these issues and that they realize it’s not as easy as pushing a button and shutting wikileaks down. Believe it or not, the internet is more complicated than trucks in a series of tubes. I suppose the real challenge is educating the politicians….

To whom it may concern,

I have purchase and sold four cars through CarMax. Up until recently I have been happy with my CarMax experience and have recommended them to friends. Unfortunately, I won’t be recommending CarMax in the future and I will be taking my business elsewhere.

Most recently, I purchased a 2007 Jeep Liberty at CarMax in White Marsh, MD.

CarMax
10201 Philadelphia Road
White Marsh, Maryland 21162

Along with the car, I purchased the MaxCare Extended Service Plan. I purchased this plan so that everything would be covered while I owned this vehicle. The plan gives me the peace of mind that if something on my car fails, the dealership where I bought it will fix it at no further cost to me. Apparently, this is not the case and depending on the level of competency of the dealership, they will advise customers to go elsewhere. This is unacceptable and clearly a management problem at the dealership in White Marsh.

The rear driver’s side window in my 2007 Jeep Liberty failed to close. Great news, that’s covered by MaxCare. http://www.carmax.com/enus/maxcare/default.html

From the plan:

Electrical – Alternator, voltage regulator, distributor cap, rear window defroster, speedometer cable, head lamp relay assembly, horn relay, ignition relay, head lamp dimmer relay assembly, interlock emergency switch, fuse block, flasher unit and relay, seat belt warning timer, retractable head lamp motor assembly, wiper arm, rear wiper arm, reverse lamp assembly, clock, windshield wiper motors and delay controller, wiper washer tanks (front/rear), starter motor and drive, starter solenoid, wiring harnesses, manually operated switches (such as turn signal, headlight, dimmer, and wiper switches), and mechanically actuated switches (ignition, brake light, and neutral safety switch), cruise control system, power seat motor(s) and transmission(s), power window motor(s) and power regulator(s), power door lock actuators, power trunk release actuator, and power antenna motor.

I called the service department and explained the issue to the dealer and set up an appointment to have the car repaired. When I arrived for my appointment I was informed it would take 90 minutes to evaluate the problem and then they would have to order parts, so the car would not be ready until that afternoon. First, if the minimum service visit is 90 minutes, tell me on the phone. Scheduling an appointment time tells me that at that exact time you are going to look at my car and give me information on how long it will take to fix. This “evaluation” should be no longer than 30 minutes. If it takes longer than that, pretend that my time is valuable and you care about your customers and let me know ahead of time. As I was scheduling a rental car, a CarMax White Marsh employee advised me that the window was covered by a recall from GM, but CarMax was having problems getting MaxCare to cover the costs. He then told me to take my car TO ANOTHER DEALERSHIP because they were able to do the warranty work with no issue. CarMax was so helpful, they TAPED the window closed with painters tape and sent me on my way.

Why did I buy a car from a dealership that can’t handle warranty or recall work? Why did I buy a service plan that even CarMax can’t seem to work with? This excuse about having trouble getting paid for warranty work reeks of a company that is too lazy to put in the effort involved to get reimbursed. I know that warranty work is a pain to get money for, the dealer has to do extra work and they are out the money immediately, because the customer doesn’t have to pay. I don’t care, I paid to specifically avoid that nightmare.

I don’t know what guidelines are used to evaluate customer satisfaction, but I will use the grading scale that all school children understand. I give CarMax in White Marsh an F. I didn’t pay extra for the MaxCare plan, to be told that the dealership has trouble getting them to pay for warranty work. I paid to avoid hassles and headaches and wasting my valuable time.

I’m not going to sit on hold waiting for a customer representative to apologize. I’m just not going to patronize the White Marsh CarMax again. I’m going to tell everyone I know that CarMax can’t support their own service plans and that they are better off dealing with another dealer. I’ll probably be selling this car that needs warranty work back to CarMax so they can fix it at their time and expense. Then I’ll stroll down to the Toyota dealer and buy reliable car from a dealer that can handle fixing it if it breaks.

So CarMax, if you want my business, it’s going to take a lot of ass kissing. I don’t get angry easily, but wasting my time is a sure way to piss me off.

It’s 2010 and SSD prices seem to be dropping quickly. I picked up a 64GB Kingston SSDNow V Series at Newegg for $94 after rebate. For me, when new technology drops below $100, I don’t feel like I’m overspending for the cutting edge. $50 off the regular price helps too.

My current desktop is an AMD Athlon64 X2 Dual Core Processor 4600+ with 4GB of RAM. Not the most cutting edge system, but I haven’t had reason to upgrade it yet. I installed the SSD as the boot drive in my system. Ubuntu 10.04 32-bit didn’t have any issues during the install. Wow, does it seem peppy. I haven’t noticed a change this big in a hardware upgrade since I upgraded my 486 SX25 to 486 DX100. My Ubuntu desktop was reborn! It was like the old days of windows, when formatting the drive and performing a fresh install of Windows95 was the only way to clear the registry. It was like I just bought a new computer from the future. No more waiting 60 seconds for the system to boot and then another 60 seconds to get to my desktop, it felt instant. From power on, my machine is at the login prompt in 30 seconds. Half of that time is the BIOS load. Once I hit enter to login, it’s less than 5 seconds for my desktop to appear. That’s a huge leap from the 2-3 minute boot and 2-3 minutes to launch my desktop. My point is, that to the average consumer, an SSD makes the computer feel faster. None of the other specifications matter to the typical end-user, it’s about clicking a program and how quickly they can use that app.

Myths and Recommendations
When buying an SSD, do your homework. Don’t buy one just because it’s cheap. Read reviews and make sure it isn’t an older generation drive.

If you buy an SSD that’s been made recently, your SSD will certainly outlive your computer. It’s common to read that SSDs have limited writes. While that may be true, most SSDs will last 50+ years even if you performed the maximum amount of writes per second. I don’t think I’ve used a regular hard drive for more that 4 years, so I’ll probably replace an SSD before I see performance issues. Read more about SSD myths here, it’s worth the read. In a nutshell, SSD tech has come a long way, but consumers still have the idea that a flash-based drive will have a short lifespan. The firmware and controllers these days work to optimize the drives to avoid problems. The SSD I purchased has an MTBF of 1 million hours which is 114 years. I think that will be long enough for my use.

If you search for information on using SSDs with Ubuntu, you will often read recommendations to not use a journaling filesystem. While that may speed things up and increase the drive life, I prefer the security of journaling in case of system shutdown. My thinking is, I’ll try to minimize writes where it makes sense, but not at the cost of complexity or data security.

You will also commonly see ‘noatime’ as a recommended mount option. This is usually a good option and will reduce writes, with little impact on other applications.

/dev/sda1 / ext4 noatime,errors=remount-ro 0 1

Options
You can put everything on an SSD or put your OS on the SSD and everything else on a regular HDD. On my Ubuntu 10.04 Desktop I’ve done just that. My /home, /var, /tmp and swap are on a regular HDD, everything else is on the SSD. The system boots in less than 30 seconds from power on and it’s noticeably snappy launching apps. I also don’t feel like I’m abusing the SSD with partitions that have lots of writes. In my limited testing of application launching, most apps took a few extra seconds to launch the first time (which is expected), but subsequent launches are instant. If you’ve used OpenOffice.org, then you know all about slow launching apps.

Research
Take note of some of the dates of these articles below. If they aren’t written in 2010, they are probably talking about older generation SSDs. I’m not suggesting you use all the information found at these links, I just found them useful in my research.

No SWAP Partition, Journaling Filesystems, … on a SSD?
Karmic Koala with Solid State Disk: How to Optimize Ubuntu for SSD
How to optimize Ubuntu for SSD?
Linux – Tips, tweaks and alignment

Conclusion
Go right now and start looking at SSD drives. My default install of Ubuntu 10.04 used about 10GB of space. You can get drives in the 32GB-64GB range for under $100 if you shop around. Rebuild your system with the SSD as the boot and OS drive, you’ll never want to use a single HDD system ever again. I just removed my old HDD, installed ubuntu with the SSD and then mounted the old drive after the install. Boot times are insanely fast and apps on the SSD launch instantly. It’s the kind of performance you expect from a modern computer.

My SSD experience has been so positive, I’m contemplating purchasing one for an older laptop I have. The speed of the drive would make up for the slowness of the CPU. The risk is that the laptop won’t support the drive or that the SSD won’t have much effect. I don’t have evidence to back this up, but I suspect it would extend the laptop’s useful life. From now on, any desktops I build will have an SSD boot drive, the speed is addictive.

Patriotism
This might be the most obvious reason. For me, patriotism was a large factor in joining the government as a civilian. I couldn’t pass up the chance to use my skills to keep America safe and protect her from all enemies.

Job Security
I’ve always said, the only way to get fired from a government job is to murder someone at work and get caught eating their body or commit time card fraud. Everything else gets you suspended or demoted. Even people who commit treason seem to quit before they are fired, because the government just transfers them into a job they don’t want to do.

Opportunity to travel
While this isn’t true for all cybersecurity jobs, there are agencies that have multiple locations in the continental US, as well as, locations around the world. Some agencies, such as the State Department, have locations in various countries around the world. You could have opportunities to live abroad if you so choose.

Opportunity to instigate change
If you’re thick-skinned and persistent, you can certainly find opportunities to make improvements. If that’s the kind of challenge you’re looking for, then you might be thrilled. Sometimes change has to happen from within, there are certainly opportunities for dedicated folks to do just that.

Security Clearance
If you don’t currently hold a clearance, getting one is difficult. Contractors looking to fill openings will pick someone with a clearance over someone without. The government, on the other hand, will put prospective employees through the process. Once you have a clearance, maintaining it and reactivating it is much easier. If you have a clearance, you will always have a job.

Hopefully, this list demonstrates a few examples of why a government job as a cyberwarrior might not be too bad. If that isn’t enough, most big agencies have cafeterias on campus and it’s taco salad day!

The list looks like this if you include the date

$t list
1 2010-07-25 setup todo.txt
2 2010-08-01 update website
--
TODO: 2 of 2 tasks shown

I can’t possibly cover all the features here, but todo.txt is simple yet very powerful. Here’s the help:

strongbad:~ jlewis$ todo.sh -h
Usage: todo.sh [-fhpantvV] [-d todo_config] action [task_number] [task_description]

See "help" for more details.

To make it even better, you can alias commands to make it even quicker to type. Here is my alias:
alias t='todo.sh -d $HOME/.todo.cfg -t'

I just have to type t list to show all my tasks. I maintain multiple lists so I can easily track work and personal related todo items. My personal list uses another alias and another config file.
alias personal='todo.sh -d $HOME/.personal.cfg -t'

You can even alias the command to add items.
alias ta='t add'

strongbad:~ jlewis$ ta test
TODO: '2010-08-15 test' added on line 3.

When you’ve completed an item, you can remove it from the list.

t list
1 2010-07-25 setup todo.txt
2 2010-08-01 update website
3 2010-08-15 2010-08-15 test

t list
1 2010-07-25 setup todo.txt
2 2010-08-01 update website

When you complete a task, it is move to another file, done.txt.
cat ~/todo/done.txt
x 2010-08-15 2010-08-15 test

The possibilities are endless with todo.txt. There are addons available and it’s easy to create your own addons. There is an add-on for http://www.rememberthemilk.com/, which has phone apps and integration with gmail tasks and twitter.

You can get todo.txt here: http://ginatrapani.github.com/todo.txt-cli/

Get GeekTool here: http://projects.tynsoe.org/en/geektool/

GeekTool scripts here: http://www.macosxtips.co.uk/geeklets/