Most of us will recall that on March 17 2011,  RSA Security admitted that cyber-attackers had breached its network and obtained “information relating to the SecurID technology.” SecurID generates security tokens by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password (a process commonly known as two-factor authentication in access control systems).

Since that RSA announcement, several Department of Defense contractors or their subsidiaries have disclosed that their networks were targets of cyber-attacks apparently using information stolen from RSA.

Big players in the military industrial complex like Northrop Grumman Corp, Lockheed Martin, L-3 Communications pretty much have the military technology secrets of the United States. They provide command-and-control, communications, intelligence, surveillance and reconnaissance (C3ISR) technology to the Pentagon and intelligence agencies.

Since the RSA breach, they have all reported intrusion attacks that involved the use of information stolen from remote-access security tokens which according to RSA executive chairman Art Coviello, “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”

That broader attack seem to be under way because on of the seemingly random but targeted attacks against contractors with ties to the nation’s defense systems:

• On May 21, it was reported that Lockheed Martin shut down remote access to its internal network after a “significant and tenacious attack on its information network”.
• On May 26, Northrop Grumman shut down remote access to its network without warning, forcing the company to go through a domain name and password reset across the entire organization.
• On May 27, an attack on L-3 Communications Holdings using spoofed pass codes from a cloned RSA SecurID token was reported by Reuters.

There are speculations that the RSA breach may have occurred through a remote device or VPN client or with the help of an insider since an attacker would need at least one employee’s user name and pass code as well as have some idea of which services that employee had access to in order to break into a SecurID-protected network.

Anush Gosh, a former scientist with the Defense Advanced Research Projects Agency (DARPA) argues that the RSA attack was very sophisticated, and was probably executed by people who had plans for what to do with the keys.

Wired goes further to opine that “the attacks suggest the RSA intruders obtained crucial information — possibly the encryption seeds for SecurID tokens — that they’re using in targeted intelligence-gathering missions against sensitive U.S. targets”.

Even RSA characterized the breach as an “advanced persistent threat,” or APT – an unusually sophisticated attack in which intruders use social engineering coupled with undisclosed or so-called zero-day vulnerabilities to infiltrate a target network at a weak point, and then spread out carefully to steal source code and other intellectual property.

Now that those plans seem to be in full motion, the big question is, is it time for RSA to break its silence on the matter and tell the American public what actually happened. It may not be pretty, but at least we will know what is coming. After all, most IT security folks have a thing or two against security by obscurity.

Shameless Plug:

If you own a small business in the Austin area and have less than 20 employees, see how you can secure your network and data without upfront or out-of-pocket cost here.

I walked into a local electronics store the other day and saw a 2TB SATA hard drive for $80, and a 3TB drive was on sale for about $160.00. I unconsciously blurted out “You’ve got to be kidding me!”. Of course everyone around gave me that “what’s up with that?” look.

Not too long ago, one terabyte of data storage space was “unthinkable”. Even worse was the projection of the cost. I have a hard drive an engineer friend of mine gave me a while back. It weighed a ton and had a whopping size of one gigabyte (1GB) and the astonishing price was $1, 248.99.

Going even further back, there was a time when a ten megabyte (10MB) hard drive cost over $3000. I know hard drive manufacturers wish we were back to those good old days. That was when the manufacturers of computer hard drives made a “killing”.

Three Terabytes (3TB) of data storage space is a lot of disk space for a home  user or even a small business. In these days of Motherboards that can handle multiple SATA (Serial Advanced Technology Attachment) devices and up to 16GB of Random Access Memory (RAM), it may not be unusual to have a computer or server in a small business or SOHO (Small Office/Home Office) environment with 12TB (4 hard drives with 3TB each) of data storage space on a home computer.

That is a lot of data storage space. Even if such a user takes the precaution of setting up such a configuration in a RAID 5 array, that still leaves about 9TB of data storage space to play with.

Which brings us to the question: Is unlimited data storage space a good thing or a Sword of Damocles – a disaster waiting to happen?

In culture, art, and literature, the Sword of Damocles is frequently used in epitomizing the imminent and ever-present peril faced by those in positions of power. More generally, it is used to denote the sense of foreboding engendered by a precarious situation, especially one in which the onset of tragedy is restrained only by a delicate trigger or chance. Shakespeare’s Henry IV expands on this theme with the popular saying: “Uneasy lies the head that wears a crown”. So it is with the ever increasing availability of data storage space.

If you’ve managed IT in a small business environment, then you are probably familiar with the ever increasing demand for data storage space because your users wants to keep all the crap they dump on their desktops and the network – personal photos, images on emails, stuff they thought they secretly downloaded from the internet and put in hidden folders (the fools!), automatically synched mobile devices etc.

What limited data storage space did for small business IT managers in the pre-Giga and TeraByte (GB/TB) days was to force the undertaking of occasional “spring cleaning” if you will, where you had users make a decision on what was important and what had to go. It also gave the IT folks a reason to archive emails and unload data from the network.

With this new age of unlimited data storage capacity, my fear is that the “laziness” factor will kick in. Not that the IT folks are lazy (ok some are), but that the availability of so much storage space, where if you dump say 300GB of data on a 3TB drive, it will barely register on the used space radar, will give a false sense of security. 300GB  is a lot of data and just the thought of a hard drive with 3TB of data going bad or “crapping out” makes me cringe. And since it is at the end of the day a mechanical device, it will go out on you. It is just a matter of time.

Many of us who use multi-gigabyte drives at home or the office can relate to this. When you have space, you tend to dump stuff there especially the ones you do not need. I was going through one of our computers the other day and saw that a 1TB drive only had 160GB of space left.

A cursory audit showed multiple files in different locations that were duplicates and triplicates. Folks just moved files and folders to new locations and probably forgot where the files were and downloaded the same files multiple times. Some were video downloads from Youtube that were never watched. Unlimited storage will do that to you. Much like when you have space in your garage or have a big house and have the tendency to “just throw stuff in there”.

Of course, the issue of “just back it up”, or “send it to the cloud” will inevitably come up. The first argument will lead to more data sprawl since you need to buy even more storage space to back up your jumbo drives and as for the cloud argument, the recent case of WeR1 versus Cyberlynk shows that there is still a compelling need for some sort of local retention of corporate data even if you have the data stored offsite.

In the long run, it could be a combination of both internal and external storage management options that will enable a small business handle the ever increasing need for data storage space. Managed services providers can help small business owners navigate the increasingly complex world of hard disk and data management.

UPDATE: It has now been confirmed that Samsung laptops do not contain keyloggers or spyware.

UPDATE: Samsung has issued a statement saying that the finding is false. The statement says the software used to detect the keylogger, VIPRE, can be fooled by Microsoft’s Live Application multi-language support folder. This has been confirmed at F-Secure and two other publications, here and here.

UPDATE: GFI Labs, the maker of VIPRE, has issued an explanation and apology for generating the false positives that led to these articles: “We apologize to the author Mohamed Hassan, to Samsung, as well as any users who may have been affected by this false positive.”

UPDATE: A Samsung executive is said to have personally flown from Newark, N.J., to Burlington, Vt., carrying two unopened boxes containing new R540 laptop computers. These units were immediately put under seal and details recorded for chain-of-custody records. At 17:40, Dr Peter Stephenson, Director of the Norwich University Center for Advanced Computing and Digital Forensics, began the detailed forensic analysis of the disks. The results are expected by Monday.

Original post:
There seems to be a  claim (false, as it turns out) that Samsung installs a commercial keylogger called StarLogger on its laptops before shipping them out, apparently to “monitor the performance of the machine and to find out how it is being used.”

This was reported by Mohamed Hassan, MSIA, CISSP, CISA who bought two different models of Samsung’s laptop – the R525 and R540 models. If the report is true, it will be like a rehash of the Sony Rootkit snafu a couple of years back.

According to Mohammed:

This key logger is completely undetectable and starts up whenever your computer starts up and can capture “everything being typed: emails, messages, documents, web pages, usernames, passwords, and more.[ StarLogger] can email its results at specified intervals to any email address undetected so you don’t even have to be at the computer… The screen capture images can also be attached automatically to the emails as well as automatically deleted.

Keyloggers are considered spyware that can track all the keyboard activities on a computer and has the ability to send the collected information to a third party for analysis or use. What is not known at this time is how many models in Samsung’s lineup of laptops contain the alleged malware other than the R525 and R540-models.

It is not alarmist in this day and age to encourage users to check their laptops, especially those with the Samsung models that are supposedly affected. You can look for the “c:\windows\SL” folder and if you have that folder, then StarLogger is probably installed.

If it is true, one wonders how long it has been going on. Does it make sense for Samsung to want to “monitor the performance of the machine and to find out how it is being used.”? As usual, corporate users are not the concern here, but home and small business users who just boot up their new laptop and use away without a second thought to out-of-the-box infection with a keylogger.

It will be interesting to hear the official explanations of this “uncomfortable” situation by Samsung if the report turns out to be true. I am always cautious about these reports and allegations because the reputation of an organization is at stake. Is it possible that the software was installed along with the detection/scanning tool (in this case VIPRE)? The author claims it a commercially licensed version though.

What other devices could this affect if the allegation turns out to be true? A lot of people have Samsung printers, cell phones, tablets, mp3 players etc. Should we be worried? I guess we will wait and see. Scary all the same.

“The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite. It is chiefly used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. ICMP can also be used to relay query messages”
(see RFC 1256, if you are into that kind of thing).

Bottom line, ICMPs are used by routers, intermediary devices, or hosts to communicate updates or error information to other routers, intermediary devices, or hosts. It is a useful error reporting and diagnostic utility and is considered a required part of any IP implementation.

My focus today is on the morbid language used to describe some of the services provided by ICMP.
Each ICMP message contains three fields that define its purpose and provide a checksum – type, code, and checksum. The “TYPE” field identifies the ICMP message, the “CODE” field provides further information about the associated TYPE field, and the “CHECKSUM” provides a method for determining the integrity of the message.

Take for example, the case of type 3 “Destination Unreachable”.
When an IP packet is sent from one host to another, each packet is allotted a number of stopping points, usually routers, to pass through in order to reach its destination and these are called “hops” or “hop count”.
When a packet is undeliverable, a Destination Unreachable, Type 3, ICMP is generated. Type 3 ICMPs can have a Code value of 0 to 15:

If an IP packet reaches its limit of hops, the last receiving router usually just deletes the message. Now this is where the language issue comes in. The router that deletes the datagram is called an executioner. After “killing” the datagram, this “executioner” uses ICMP to send an “obituary” message to the machine that sent the message to inform it that its message met an untimely death. I am not making this up. Actually, here’s a paper called “Providing Packet Obituaries” that discusses the obituary concept.

What is the world coming to?

And oh, by the way, did I tell you about the “selfish” way Microsoft uses PING, the Packet InterNet Groper? PING uses the alphabet in the data portion of a packet as payload. But when you use ping on a Windows device, we seem to be a little short on our alphabet count.

For example:

Notice how the alphabet stops at “w”. Hmm. What happened to x, y,z? Windows, anyone?

Props to Todd Lammle for that tidbit.

For example, what are your first thoughts when you read this “Who has 10.10.13.102? Tell 10.10.13.101″?

That is actually an exact capture of a network query. Take a look at the image below:

Look at the structure of the query. First there is a simple question “Who has the 10.10.13.102 address? Tell 10.10.13.101″ through a  network broadcast to the Address Resolution Protocol (ARP). Sounds like what you and I would ask doesn’t it? It’s like walking into a building looking for an office suite. You would ask the receptionist “Please, where is office number 102?

Now look at the reply from the other side:

Again, it takes the form of a “natural” language. So there is a response that says, “oh, that address you are looking for (10.10.13.102) is at address 08:00:27:33:14:f8″. Well, it gets more interesting because the response points to the hardware or Network Interface Card (NIC) address of the computer with the address 10.10.13.102. So the asking computer responds with something like “English, please” through a name query.

And there is a new response that now identifies the computer with the IP address as PCLab1:

There are a few other interesting things that goes on. For example when there is a duplicate IP address on the network, here’s how it is represented.

And when you send files back and forth, computers actually ask if there is more data to be expected. Take  a look:

Notice the lines “More fragments follow: No” and “This is first fragment: Yes”. This looks like asking the question “Is that all? Is this the first one? A fragment is any portion of a larger packet that has been intentionally broken down or segmented into smaller pieces. If there were more and the answer was yes, then the receiving computer has to collect all the pieces and put them together.

Obviously, most network traffic is highly technical and does include a lot of “gibberish” that would give us a headache. I just found it interesting that there is some level of “human conversation” going on behind the scene.

So the next time you are tempted to yell at your computers or call them “stupid”, don’t be surprised if your computer slows down just a little bit as a way of telling you “hey, I heard that”. Just kidding.

By the way, the tool I used is called Wireshark – a network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network.