Posts categorized “Information Security”.

LMSD just a sign of things to come?

Over the past few weeks, the Lower Merion School District has been in the news due to their use of school-issued laptops to photograph, monitor, and otherwise invade the privacy of the students that used them. The information security community I follow on Twitter, Martin McKeay in particular, are up in arms regarding the school’s behavior, and rightly so. But, with the way things are going, at least in Massachusetts, are the things that LMSD did just a sign of things to come?

In Massachusetts, there have been a couple of high-profile suicides over the past year by students that were the result of being “bullied” at school. While each death is a tragedy, the Massachusetts Legislature, backed by the public’s outrage, is trying to pass “anti-bullying” legislation in order to somehow fix the problem. The legislation covers the usual bases, making it illegal to harass students at school, but the bill also covers…

…bullying through, without limitation, electronic mails, cellular phones, instant messages, text messages or websites…

…and that each school district must prohibit…

…bullying through the use of the district computer system while on or off campus…

Of course, the legislation is, like any law, vague in how the school is to accomplish such things.

With schools keen to embrace the “computers and broadband for everyone” mantra, and with the possibility of it becoming illegal for students to harass one another online, are we going to see more mandatory school-issued computers for students, tightly locked down with monitoring software and all activities logged? With the recent groundswell of support among parents for stiffer penalties, I worry about whether there would be similar outrage if an incident like the one at LMSD occurs again. Will the general public be aghast or pleased at the fact that a school district monitors such behavior in a few years’ time? Even more concerning, as pointed out in ComputerWorld, schools sometimes get a pass because they have a sort of quasi-guardianship over students. It scares me that if such legislation is passed and such an incident occurs again, the school may be able to legally hide behind that legislation, saying that they’re trying to protect the general student populace as required by law.

Now, I am no fan of bullies, as I’m sure any computer geek that went to public school can attest. However, despite the fact that everyone can agree that students harassing other students is bad, the schools should not have the right to monitor and investigate any behavior that happens physically off school grounds. Such areas are the parents’ and, if necessary, law enforcement’s domain. Also, as we go even further down this slippery slope, are we going to see schools wanting to gain more access into students’ personal accounts if they access them from a school district computer? Wow! Check it out! This slope is slippery!

Any such legislation that mandates the protection of students must also mandate due process and protect the privacy of students, both the harassed and harassers. Otherwise we may start to see incidents like the one at LMSD stop being the exception and start being the rule.

http://www.mckeay.net/2010/02/20/dont-spy-on-my-children/

A man’s got to know his limitations. Dirty Harry, th3j35t3r, ethics, and InfoSec

There has been a minor murmur in the TwitterSphere recently regarding th3j35t3r, a person who is launching Denial of Service attacks against websites that sympathize with or actively promote Islamic terrorism. The questions being asked are not new: Do two wrongs make a right? Is it ethical to attack “the bad guys” with a taste of their own medicine? Should we be condemning, condoning, or congratulating such behavior?

Neal Stephenson put it best in Snow Crash: “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest mother&^%#er in the world.” I think that deep down in every InfoSec professional’s heart, we want to be that mother&^%#er. We think, every so often, that we could go rogue, drop off the radar, and launch a one-man war against the script kiddies, mafia types, and general ne’er-do-wells that inhabit the Internet. I think that’s why some of us are having a tough time reconciling th3j35t3r’s actions with our own moral code of being one of the “good guys”. I think everyone agrees that the sites being attacked are “bad” on the incredible sliding scale of morality. The question that comes up is: Does leveraging methods such as DoS attacks against “bad” sites result in a “bad” or a “good” outcome?

I think that this question can be answered by one of Hollywood’s legendary bad mother&^%#ers, Harry Callahan. In the 2nd film of the “Dirty Harry” series, Magnum Force, the plot revolves around a group of cops that have “gone rogue” and are taking out criminals in San Francisco. Now, anyone who has watched the “Dirty Harry” series (You have, haven’t you? If not, go order it on NetFlix and watch it. Go ahead. I’ll wait… Back? Good, huh?) knows that Callahan is a cop who gladly tosses out the rulebook when it gets in the way of getting the bad guy. While trying to reconcile the rogue cops’ methods against his own playbook, Callahan delivers an important line: “I hate the goddamned system, but until someone comes along with changes that make sense, I’ll stick with it.” This should be the mantra of every information security professional who deals with the scum of the Internet day in and day out. There is a system that we use, such as takedowns and working with ISPs to get bad material removed, and while it fails on a regular basis, it’s what we have to work with. I know how difficult it can be, as I have been on the front lines desperately trying to work with ISPs to take down a phish or a piece of malware from their servers and running into stone wall after stone wall. I’ve often wished for some kind of more effective system. While I don’t think anyone can debate the effectiveness of th3j35t3r’s tactics, I feel they cross a line that should not be crossed. While I feel that the removal of such sites is a good thing, the methods by which it is accomplished are not.

The question of morality aside, no one knows exactly “how” th3j35t3r is DoSing these sites; th3j35t3r says it’s “like a DDOS attack, except without the first ‘D’. There is nothing ‘distributed’ about this. It is possible with very low bandwidth and a single low-spec linux machine.” While judging from his description I have an idea of what his tool of choice may be, we likely won’t know, because the sites he’s choosing aren’t the ones likely to run to the authorities. The ones that are talking are making their own assumptions, and what they say is mostly conjecture. So, it’s likely we won’t know any time soon exactly what he, or she, is doing. Does it affect other sites on the same network? Could it be disrupting critical services hosted on the same netblock? Are the attacks being pivoted across systems that did not give permission to be involved? Is there any collateral damage? Until we know exactly what’s going on, we can only guess.

There’s another quote from Magnum Force that I want to toss out here. The quote is “A man’s got to know his limitations,” and I feel it sums up the debate correctly. I think that, at least in my case, I know my limitations, and I think that DoSing sites, no matter how bad they may be, is beyond my limitations ethically.

UPDATE: Shouts to @Shpantzer for pointing out my ability to make “people operating outside normal or desirable controls” into “red or pink cosmetics for coloring the cheeks or lips” with a single typo.

I’m on the D-List!

Andrew Hay has been doing a series of interviews with the various unsung heroes of the security industry calling it the “Security D-List”. I’m pleased to say that if anyone asks, I can now say where I rate.

I was bored during lunch. Can you tell?

Bored at lunch and sketched this out…

“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way. Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”

“Did you block Facebook access from the company?”

“I did the job I…”

“Did you block Facebook access from the company?”

“You’re Goddamned right I did!”

Not up to the same level of Hoff’s creativity, but I found it amusing…

Some speaking-related stuff…

So, a quick post about two things:

1st, I did a presentation to the Boston Chapter of the Association of Government Accountants for their monthly meeting as part of my day job. I’d like to think I did fairly well, and there certainly was a fair amount of discussion afterward. In case any of them find their way here in an attempt to find my slide deck, I am happy to oblige:

  • Information Security and You PPT (1.4MB)
  • Information Security and You PDF (1.8MB)

2nd, I have been selected to speak at QuahogCon in Providence, RI the weekend of April 24th and 25th. I’ll be departing from my usual “Information Security” speaking groove and instead will be evangelizing Amateur Radio. Sadly, this means I’ll be missing out on B-Sides Boston, but that’s the way the cookie crumbles. Registration is open now and I’ve heard rumors that attendance will be capped at 150, so even if you don’t want to hear me speak, buy a ticket; there are going to be some awesome presentations.

PaulDotCom Episode 179 posted, featuring yours truly.

The episode of PaulDotCom I made an appearance on has been posted:

Hear me discuss cigars, G. Schneider & Sohn beer, and decoding digital signals.

Appearing on PaulDotCom tonight

I’ll be appearing tonight on PaulDotCom Security Weekly, Episode 179, around 8:30PM, helping Larry discuss the legal ramifications and technical aspects of decoding pager traffic and plugging amateur radio.

When the stream goes live you can check out

If you’re interested in making fun of me while I am live on the air feel free to join the PaulDotCom IRC channel during the stream. Point your client to irc.freenode.net #pauldotcom.

Playing the blame game in Information Security

Haven’t been on the train lately so this is a bit old, but Chris Gates (@carnal0wnage) and Richard Bejtlich (@TaoSecurity) started an interesting discussion in the comments section of one of Richard’s postings regarding who is to blame when a security incident occurs. Richard was talking about SHODAN, the new AI being deployed to the TriOptimum Corporation’s new Citadel space station… er… No… Wait.. Wrong SHODAN… The spiffy little searchable database that was recently put up containing portscans and banners of various computers across the Internet. While discussing the morality of such a database, Chris made an interesting statement:

again we take the responsibility of securing devices and systems away from responsible party (the admins and owners) and blame the bad guys with the “think of the children” argument.

why don’t we start blaming the jackasses for allowing themselves to be hacked and not the bad guys who do it. can you really blame the guy that steals the “whatever” out of the unlocked car? really?

This easily carries over into the cyber war arena. lets stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.

Wow. I understand where Chris is coming from. When a breach occurs, it’s often followed up by incident handlers like Chris or myself looking at the server and muttering “What in God’s name were they thinking?” As someone who, for the increasingly rare insightful commentary, still listens to Off The Hook on my iPod every week, I hear statements similar to Chris’ a lot. Every time some company gets attacked and releases a statement of “Teh H@x0rz did it!”, the hosts rail on the company and blame them for having insecure computers in the first place.

It doesn’t matter if the admin decided to toss Windows 2000 without any service packs onto the Internet. Yes, he or she was stupid, probably violated about twenty different policies, and should be given fifty lashings with a wet noodle. But there would not have been an issue if the silly script kiddie from Eastern Estonia hadn’t compromised the box.

Another interesting thing about the “Blame the Admins!” advocates was that they seemed to be guilty of the same thing the admins were: blaming someone else. The admins blame the attacker while the security guy blames the admin. When someone gets compromised at my job, I’ve failed as the security person. It’s partially my fault.

  • Why didn’t I notice traffic going to that computer?
  • How did I not notice when that computer went online?
  • What didn’t I do to make sure that computer wasn’t part of the patch cycle/AV/IPS/IDS etc?

We can make excuses all day, blame the admins, blame our tools, blame the lack of support from business owners, but the real question is whether we are man, or woman, enough to say that the buck stops with us and that we missed something along the way. Do we fall back into our regular routine after the crisis passes, or do we try to take steps to ensure that we aren’t caught with our pants down again?

While I am not saying the admins or the maintainers of the data are completely blameless during an incident, I think Chris’s and OTH’s statements reveal a very scary shift in thinking regarding InfoSec. We are essentially saying that we’ve lost not only the battle, but the war, and we are being overrun. We’re admitting that we can no longer protect endpoints and that it’s a crap shoot if you go out onto the network. But don’t blame us if you get compromised, it’s your own damn fault.

Now I can analyze your intrusions *and* handle your incidents!

I was very lucky this summer because the Security Office got some funding for training and footed the bill for another SANS course. I opted to go for SANS SEC504: Hacker Techniques, Exploits & Incident Handling. I did an “At Home” course this time, which met three times a week online and was taught by Ed Skoudis and John Strand. While I did like the self-paced learning that I had for SEC503, it was very cool to be taught by the folks that you always heard on and about PSW. Plus, I was able to make snide remarks in the chat window.

As much as I still wonder about certifications in general, I am starting to really like SANS courses. The course wasted little time on the basics and quickly had us rolling up our sleeves, mucking about in what I classify as “cool sh*t”. While I did have stretches where I was just nodding and going “yeah… yeah… know that… uh-huh…”, I would occasionally see or hear something, go “Oooh!”, and write down some notes. The course consisted of 5 books of material, ranging from incident planning and handling to how to exploit systems, and then culminated in a capture the flag contest. I am ashamed to say the CTF was designed well enough that I could barely establish a toehold on the first server; I guess my days of staying up for an entire weekend and dominating the CTF at Northeastern are far behind me.

Although the course itself wrapped up sometime in the summer, I finally took my certification test today and passed with flying colors. I am happy to report that I have even more alphabet soup after my name and I am now “Ben Jackson, GCIA, GCIH”.

http://www.sans.org/security-training/hacker-techniques-exploits-and-incident-handling-40-mid

ENISA issues “Golden ATM Rules” – A good idea? Too little too late? Or both?

OK, this floated across Twitter over the weekend:

With the annual cost of ATM crime in Europe approaching half a billion Euros, ENISA, the European Network and Information Security Agency, is urging consumers to be more aware of the risks and take precautions to avoid personal loss. The rapid growth in the number of ATMs, combined with more sophisticated attacks and fraud has resulted in an alarming 149% rise in ATM attacks in 2008.

For those of you who don’t know what ENISA is, they’re kind of the EU equivalent of US-CERT. While I think that the “Golden Rules” are mostly fluff, I’ve always felt that Europe is more of the FEBA (forward edge of the battle area) for ATM-based attacks. This is a good start at trying to address issues with ATMs and I applaud it. However, with more and more sophisticated attacks coming out against ATMs, is ENISA trying to formulate battle plans against horse cavalry when the bad guys are deploying armored tanks? Could the effort of creating these be better used to start pushing banks to reevaluate ATM security? ENISA seems to be aiming for “low hanging fruit” in this case; however, this strategy could backfire. It’s possible that they’re setting themselves up for failure if these malware-based attacks start to become prevalent. If people, by some strange miracle, start taking these recommendations to heart, follow them, and still get owned, ENISA is going to have a tough time explaining themselves.

There are a lot of issues with it, but I’ll be the first to say that the perfect is the enemy of the good. This is a step in the right direction. I would love to see this start being pushed in the United States. ATM skimming scams are becoming increasingly common across various regions in the United States. Various European gangs are starting to export attacks, sending them to other countries to steal data, so this is rapidly becoming a global problem. Ideally, in the United States at least, it would be great if some of the big banks started pushing PSAs to their customers regarding skimming and shoulder surfing. This could be sticky, as I think we’d see “third party” ATM vendors scream bloody murder if the big banks say “Look out for sketchy ATMs!” I also know for a fact that Bank Of America has “free standing” ATMs (like the one at the MA-24/I-495 rest stop, complete with a Cisco router visible inside the machine, *shudder*) in some spots and I doubt they would want to drive people away from them. But still, could you picture a bank embracing ATM security? I’d certainly consider moving my business to them. The more evil side of me would love to see technology advocacy groups start pushing this as well. It would be interesting to start seeing stickers on ATMs proclaiming them possibly unsafe to use, similar to the circa-2005 “This phone is tapped” stickers that were placed on pay phones across the US. I am sure that the banking industry would be in a tizzy if these started showing up on numerous ATMs overnight.

So, this has become a bit of a rambling post with no clear point to tie it all together. I guess I’ll just give kudos to ENISA and tell everyone to read the Golden Rules and follow them. You’ll be glad you did.