Posts tagged “infosec”.

LMSD just a sign of things to come?

Over the past few weeks, the Lower Merion School District has been in the news due to their use of school-issued laptops to photograph, monitor, and otherwise invade the privacy of the students who used them. The information security community I follow on Twitter, Martin McKeay in particular, is up in arms regarding the school’s behavior, and rightly so. But, with the way the wind is blowing, at least in Massachusetts, are the things that LMSD did just a sign of things to come?

In Massachusetts, there have been a couple of high-profile suicides over the past year by students, the result of being “bullied” at school. While each death is a tragedy, the Massachusetts Legislature, backed by the public’s outrage, is trying to pass “anti-bullying” legislation in order to somehow fix the problem. The legislation covers the usual bases, making it illegal to harass students at school, but the bill also covers…

…bullying through, without limitation, electronic mails, cellular phones, instant messages, text messages or websites…

…and that each school district must prohibit…

…bullying through the use of the district computer system while on or off campus…

Of course, the legislation is, like any law, vague in how the school is to accomplish such things.

With schools keen to embrace the “computers and broadband for everyone” mantra, and with the possibility of it becoming illegal for students to harass one another online, are we going to see more mandatory school-issued computers for students, tightly locked down with monitoring software and all activities logged? With the recent groundswell of support among parents for stiffer penalties, I worry about whether there would be similar outrage if an incident like the one at LMSD occurs again. Will the general public be aghast or pleased at the fact that a school district monitors such behavior in a few years’ time? Even more concerning, as pointed out in ComputerWorld, schools sometimes get to slide as they have a sort of quasi-guardianship of students. It scares me that if such legislation is passed and such an incident occurs again, the school may be able to legally hide behind the legislation, saying that they’re trying to protect the general student populace as required by law.

Now, I am no fan of bullies, as I’m sure any computer geek that went to public schools can attest. However, despite the fact that everyone can agree that students harassing other students is bad, the schools should not have the right to monitor and investigate any behavior that happens physically off school grounds. Such areas are the parents’ and, if necessary, law enforcement’s domain. Also, as we start going even further down this slippery slope, are we going to see schools wanting to gain more access to students’ personal accounts if they access them from a school district computer? Wow! Check it out! This slope is slippery!

Any such legislation that mandates the protection of students must also mandate due process and protect the privacy of students, both the harassed and harassers. Otherwise we may start to see incidents like the one at LMSD stop being the exception and start being the rule.

http://www.mckeay.net/2010/02/20/dont-spy-on-my-children/

A man’s got to know his limitations. Dirty Harry, th3j35t3r, ethics, and InfoSec

There has been a minor murmur in the TwitterSphere recently regarding th3j35t3r, a person who is launching Denial of Service attacks against websites that sympathize with or actively promote Islamic terrorism. The questions being asked are not new: Do two wrongs make a right? Is it ethical to attack “the bad guys” with a taste of their own medicine? Should we be condemning, condoning, or congratulating such behavior?

Neal Stephenson put it best in Snow Crash that “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest mother&^%#er in the world.” I think that deep down in every InfoSec professional’s heart, we want to be that mother&^%#er. We think, every so often, that we could go rogue, drop off the radar, and launch a one-man war against the script kiddies, mafia types, and general ne’er-do-wells that inhabit the Internet. I think that’s why some of us are having a tough time reconciling th3j35t3r’s actions with their own moral code of being one of the “good guys”. I think everyone agrees that the sites being attacked are “bad” in the incredible sliding scale of morality. The question that comes up is: Does leveraging methods such as DoS attacks against “bad” sites result in a “bad” or “good” outcome?

I think that this question can be answered by one of Hollywood’s legendary bad mother&^%#ers, Harry Callahan. In the 2nd film of the “Dirty Harry” series, Magnum Force, the plot revolves around a group of cops that have “gone rogue” and are taking out criminals in San Francisco. Now, anyone who has watched the “Dirty Harry” series (You have, haven’t you? If not, go order it on NetFlix and watch it. Go Ahead. I’ll wait… Back? Good, huh?) knows that Callahan is a cop who gladly tosses out the rulebook when it gets in his way of getting the bad guy. While trying to reconcile the rogue cops’ methods against his own playbook, there is an important quote by Callahan: “I hate the goddamned system, but until someone comes along with changes that make sense, I’ll stick with it.” This should be the mantra of every information security professional who deals with the scum of the Internet day in and day out. There is a system that we use, such as takedowns and working with ISPs to get bad material removed, and while it fails on a regular basis, it’s what we have to work with. I know how difficult it can be, as I have been on the front lines desperately trying to work with ISPs to take down a phish or a piece of malware from their servers and running into stone wall after stone wall. I’ve often wished for some kind of more effective system. While I don’t think anyone can debate the effectiveness of th3j35t3r’s tactics, I feel they cross a line that should not be crossed. While I feel that the removal of such sites is a good thing, the methods by which it is accomplished are not.

The question of morality aside, no one knows exactly “how” th3j35t3r is DoSing these sites. th3j35t3r says it’s “like a DDOS attack, except without the first ‘D’. There is nothing ‘distributed’ about this. It is possible with very low bandwidth and a single low-spec linux machine.” While, judging from his description, I have an idea of what his tool of choice may be, we likely won’t know, since the sites he’s choosing aren’t the ones likely to run to the authorities. The ones that are talking are making their own assumptions, which are mostly conjecture. So, it’s likely we won’t know any time soon exactly what he, or she, is doing. Does it affect other sites on the same network? Could it be disrupting critical services hosted on the same netblock? Are the attacks being pivoted across systems that did not give permission to be involved? Is there any collateral damage? Until we know exactly what’s going on, we can only guess.

There’s another quote from Magnum Force that I want to toss out here. The quote is “A man’s got to know his limitations” and I feel sums up the debate correctly. I think that, at least in my case, I know my limitations, and I think that DoSing sites, no matter how bad they may be, is beyond my limitations ethically.

UPDATE: Shouts to @Shpantzer for pointing out my ability to make “people operating outside normal or desirable controls” into “red or pink cosmetics for coloring the cheeks or lips” with a single typo.

I’m on the D-List!

Andrew Hay has been doing a series of interviews with the various unsung heroes of the security industry calling it the “Security D-List”. I’m pleased to say that if anyone asks, I can now say where I rate.

I was bored during lunch. Can you tell?

Bored at lunch and sketched this out…

“Son, we live in a world that has firewalls, and those firewalls have to be administered by people with a clue. Who’s gonna do it? You? I have a greater responsibility than you could possibly fathom. You weep for your Internet access, and you curse the security admins. You have that luxury. You have the luxury of not knowing what I know. That the firewall rule set, while convoluted and not perfect, probably saved data. And my existence, while grotesque and incomprehensible to you, saves data. You don’t want the truth because deep down in places you don’t talk about at parties, you want me on that firewall, you need me on that firewall. We use words like “high availability”, “cloud”, “ISO 27001 compliance.” We use these words as the backbone of a life spent defending something. You use them as marketing fodder. I have neither the time nor the inclination to explain myself to a man who surfs and e-mails under the blanket of the very security that I provide, and then questions the manner in which I provide it. I would rather you just said thank you, and went on your way. Otherwise, I suggest you install an IDS console, and stand a post. Either way, I don’t give a damn what you think you are entitled to.”

“Did you block Facebook access from the company?”

“I did the job I…”

“Did you block Facebook access from the company?”

“You’re Goddamned right I did!”

Not up to the same level of Hoff’s creativity, but I found it amusing…

Playing the blame game in Information Security

Haven’t been on the train lately so this is a bit old, but Chris Gates (@carnal0wnage) and Richard Bejtlich (@TaoSecurity) started an interesting discussion in the comments section of one of Richard’s posts regarding who is to blame when a security incident occurs. Richard was talking about SHODAN, the new AI being deployed to the TriOptimum Corporation’s new Citadel space station… er… No… Wait… Wrong SHODAN… The spiffy little searchable database that was recently put up containing portscans and banners of various computers across the Internet. While discussing the morality of such a database, Chris made an interesting statement:

Again we take the responsibility of securing devices and systems away from the responsible party (the admins and owners) and blame the bad guys with the “think of the children” argument.

Why don’t we start blaming the jackasses for allowing themselves to be hacked and not the bad guys who do it. Can you really blame the guy that steals the “whatever” out of the unlocked car? Really?

This easily carries over into the cyber war arena. Let’s stop pointing our fingers at the guys breaking in and instead point our fingers at the organization who allowed it to happen.

Wow. I understand where Chris is coming from. When a breach occurs, it’s often followed up by incident handlers like Chris or myself looking at the server and muttering “What in God’s name were they thinking?” As someone who, for the increasingly rare insightful commentary, still listens to Off The Hook on my iPod every week, I hear statements similar to Chris’ a lot. Every time some company gets attacked and releases a statement “Teh H@x0rz did it!” they rail on the company and blame them for having insecure computers in the first place.

It doesn’t matter if the admin decided to toss Windows 2000 without any service packs on the Internet. Yes, he or she was stupid, probably violated about twenty different policies, and should be given fifty lashings with a wet noodle. There would not have been an issue if the silly script kiddie from Eastern Estonia didn’t compromise the box.

Another interesting thing about the “Blame the Admins!” advocates was that they seemed to be guilty of the same thing the admins were: they were blaming someone else. Admins were blaming the attacker while the security guy blames the admin. When someone gets compromised at my job, I’ve failed as the security person. It’s partially my fault.

  • Why didn’t I notice traffic going to that computer?
  • How did I not notice when that computer went online?
  • What didn’t I do to make sure that computer wasn’t part of the patch cycle/AV/IPS/IDS etc?
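Those three questions are the ones an asset-inventory reconciliation answers, so here is an added example (not code from the original post): a short Python script that parses DHCP lease lines, flags any MAC that takes a lease without an inventory record, and lists managed hosts that are missing patch, AV or IDS enrollment. The log lines and the inventory are constructed; the line format mimics ISC dhcpd syslog output, and both are assumptions to adapt to your own environment.

```python
"""Reconcile hosts seen on the network against the managed-asset inventory.

Added example, not code from the original post. The DHCP log lines and the
inventory below are constructed for illustration; the line format mimics
ISC dhcpd's DHCPACK syslog messages, but treat the exact fields as an
assumption to check against your own logs.
"""
import re
from dataclasses import dataclass

# Constructed sample syslog lines shaped like ISC dhcpd DHCPACK messages.
SAMPLE_DHCP_LOG = """\
Mar  2 08:14:03 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fileserver01) via eth0
Mar  2 08:16:41 dhcp1 dhcpd: DHCPACK on 10.20.1.77 to aa:bb:cc:dd:ee:ff via eth0
Mar  2 09:02:10 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fileserver01) via eth0
Mar  2 09:30:55 dhcp1 dhcpd: DHCPACK on 10.20.1.90 to 00:de:ad:be:ef:01 (lab-w2k) via eth0
"""

# Constructed inventory: MAC -> host name and the controls it is enrolled in.
INVENTORY = {
    "00:11:22:33:44:55": {"name": "fileserver01", "patching": True, "av": True, "ids": True},
    "00:de:ad:be:ef:01": {"name": "lab-w2k", "patching": False, "av": False, "ids": True},
}

CONTROLS = ("patching", "av", "ids")

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    kind: str      # "unknown_host" or "missing_control"
    detail: str


def parse_acks(log_text):
    """Yield (ip, mac, hostname) for each DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def reconcile(log_text, inventory):
    """Compare hosts seen taking DHCP leases with the inventory.

    Returns one 'unknown_host' finding per MAC with no inventory record and
    one 'missing_control' finding per control a known host is not enrolled
    in. Each MAC is reported once even if it appears in many log lines.
    """
    findings, seen = [], set()
    for ip, mac, host in parse_acks(log_text):
        if mac in seen:
            continue
        seen.add(mac)
        record = inventory.get(mac)
        if record is None:
            findings.append(Finding(mac, ip, host, "unknown_host",
                                    "lease granted to a MAC with no inventory record"))
            continue
        for control in CONTROLS:
            if not record.get(control):
                findings.append(Finding(mac, ip, record["name"], "missing_control",
                                        f"not enrolled in {control}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(SAMPLE_DHCP_LOG, INVENTORY):
        print(f"{f.kind:16} {f.ip:12} {f.mac}  {f.hostname or '-':13} {f.detail}")
```

Run against a real DHCP or ARP log, the unknown-host findings answer “how did I not notice when that computer went online?”, and the missing-control findings answer the patch-cycle question before the box is compromised rather than after.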

We can make excuses all day, blame the admins, blame our tools, blame the lack of support from business owners, but the real question is whether we are man, or woman, enough to say that the buck stops with us and we missed something along the way. Do we fall back into our regular routine after the crisis passes, or do we try to take steps to ensure that we aren’t caught with our pants down again?

While I am not saying the admins or the maintainers of the data are completely blameless during an incident, I think Chris’s and OTH’s statements reveal a very scary shift in thinking regarding InfoSec. We are essentially saying that we’ve lost not only the battle, but the war, and we are being overrun. We’re admitting that we can no longer protect endpoints and that it’s a crap shoot if you go out onto the network. But don’t blame us if you get compromised, it’s your own damn fault.

Now I can analyze your intrusions *and* handle your incidents!

I was very lucky this summer because the Security Office got some funding for training and footed the bill for another SANS course. I opted to go for SANS SEC504: Hacker Techniques, Exploits & Incident Handling. I did an “At Home” course this time, which met three times a week online and was taught by Ed Skoudis and John Strand. While I did like the self-paced learning that I had for SEC503, it was very cool to be taught by the folks that you always heard on and about PSW. Plus, I was able to make snide remarks in the chat window.

As much as I still wonder about certifications in general, I am starting to really like SANS courses. The course wasted little time on the basics and quickly had us rolling up our sleeves, mucking about in what I classify as “cool sh*t”. While I did have stretches where I was just nodding and going “yeah… yeah… know that… uh-huh…” I would occasionally see or hear something, go “Oooh!”, and write down some notes. The course consisted of 5 books of material, ranging from incident planning and handling to how to exploit systems, and then culminated in a capture the flag contest. I am ashamed to say the CTF was designed well enough that I could barely establish a toehold on the first server; I guess my days of staying up for an entire weekend and dominating the CTF at Northeastern are far behind me.

Although the course itself wrapped up sometime in the summer, I finally took my certification test today and passed with flying colors. I am happy to report that I have even more alphabet soup after my name and I am now “Ben Jackson, GCIA, GCIH”

http://www.sans.org/security-training/hacker-techniques-exploits-and-incident-handling-40-mid

GSM Encryption DOOMED! Your iPhone is DOOOOOOMED! Or not. Maybe.

While going through my backlog of RSS entries that have piled up over the past week, I came across this story from Byron Acohido (via Threatpost, which I highly recommend) who talks about the moral ambiguity of the release of tools that allow rainbow tables to be generated for cracking the A5/1 GSM encryption cipher. First, let’s get this out of the way: attacks like this against A5/1 have been around since at least October 2007. The big deal with these new tools is that they provide the basis for taking the computation time down from days or hours to seconds. These tools are rainbow table generators. They do not do any kind of sniffing or cracking, just a boatload of computations.
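To make concrete what a time-memory trade-off buys (and why the tables, not the sniffing, are the expensive part), here is an added example that is not code from the article or from the A5/1 projects it mentions. It builds a rainbow table for a made-up 16-bit keystream function (a SHA-256 stand-in, not A5/1), stores only chain endpoints, and then recovers a key from one observed keystream word with roughly chain_len² function evaluations instead of a full keyspace search. The table size, chain length and the reduction function are assumptions chosen for a demo.

```python
"""Toy time-memory trade-off (a rainbow table) against a made-up 16-bit
keystream function, illustrating why precomputed tables collapse an
hours-long exhaustive search into a seconds-long lookup.

Added example; it is not the article's code and not the A5/1 tools it
describes. The keyed function is a stand-in built from SHA-256 over a
16-bit key (it is not A5/1), and the table parameters are assumptions
sized for a demo, not for a real cipher.
"""
import hashlib
import time

KEY_BITS = 16
N = 1 << KEY_BITS      # size of the toy keyspace
MASK = N - 1


def keystream(key):
    """Stand-in for a cipher's first keystream word: 16-bit key -> 16-bit output."""
    digest = hashlib.sha256(b"toy-stream-cipher" + key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(output, column):
    """Map a keystream word back into the keyspace. The column number is mixed
    in so that chains colliding in different columns do not merge."""
    return (output + column * 40503) & MASK


def build_table(num_chains, chain_len):
    """Offline phase. Returns ({end_point: [start_points]}, coverage_fraction).

    Only start and end points are stored, so memory is num_chains entries
    while num_chains * chain_len keys are (probabilistically) covered.
    """
    ends, covered = {}, set()
    for start in range(num_chains):
        k = start
        for col in range(chain_len):
            covered.add(k)                    # keystream(k) is now recoverable
            k = reduce_to_key(keystream(k), col)
        ends.setdefault(k, []).append(start)  # keep all starts: merged chains
    return ends, len(covered) / N


def lookup(table, chain_len, observed):
    """Online phase. Returns a key whose keystream word is `observed`, or None
    if no chain in the table covers it."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: the key sat in column `col`. Roll forward to the chain end.
        x = reduce_to_key(observed, col)
        for j in range(col + 1, chain_len):
            x = reduce_to_key(keystream(x), j)
        for start in table.get(x, ()):
            # Regenerate the chain up to `col`; a mismatch here is a false alarm.
            k = start
            for j in range(col):
                k = reduce_to_key(keystream(k), j)
            if keystream(k) == observed:
                return k
    return None


def brute_force(observed):
    """Baseline with no precomputation: try every key in order."""
    for k in range(N):
        if keystream(k) == observed:
            return k
    return None


if __name__ == "__main__":
    t0 = time.perf_counter()
    table, coverage = build_table(num_chains=4096, chain_len=64)
    print(f"built {len(table)} chain ends in {time.perf_counter() - t0:.2f}s, "
          f"covering {coverage:.0%} of the keyspace")
    target = keystream(0xBEEF)               # constructed: an "intercepted" word
    t0 = time.perf_counter()
    hit = lookup(table, 64, target)
    print(f"table lookup: {hit!r} in {time.perf_counter() - t0:.4f}s")
    t0 = time.perf_counter()
    print(f"brute force:  {brute_force(target)!r} in {time.perf_counter() - t0:.4f}s")
```

Coverage is probabilistic: a key that lies on some chain is always recovered, while an uncovered one returns None, which is the same trade the real tables make when sizing their precomputation. At 16 bits the brute force is still quick, so the point is the ratio: the online cost scales with chain_len², the offline cost with the keyspace, and the offline work is done once and shared.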

This aside, I find the story interesting for a number of reasons: First I like how the iPhone is specifically mentioned. Byron mentions that:

Hackers could go after sensitive information exchanged while using Web apps for phone banking and stock trading; or they could eavesdrop on sensitive conversations, discussion about medical histories, for instance.

Actually, in cases where you are on a 3G network, you’re safe from this attack on the data side, as 3G networks use the A5/3 cipher. The problem is that, at least in AT&T’s case, even if you are on a 3G network, any voice calls are routed over regular GSM channels, which use the faulty A5/1 cipher. I believe T-Mobile is in the same boat. Fixing this is rather simple from a technical standpoint: just flip the voice side over to 3G as well. Of course, we know that in real life it’s almost never that simple. Both carriers’ 3G networks are nowhere near the size of their GSM networks, and who knows what kind of capacity they have on the 3G side. However, the decision here is completely the carrier’s: what do they value more, their customers’ security and privacy or their profit margin?

Plus, I think the larger question here is: when did mobile phones become secure? I think any person with a background in Information Security or Radio that was around in the early 1990s either monitored cell phones or knew of someone that did. While the introduction of digital phones made monitoring more difficult for your simple geek, given a sizable sum of money it is still possible. The creation of devices such as Cryptophone proves this. Even before these tools were released, there were attacks on GSM in the wild which are “active” attacks, such as spoofing cell towers and then telling the phone to go sans encryption.

Next, regarding the question of releasing these tools; Byron calls the release taking the “morally debatable high ground.” I think his logic is really flawed, and he shows why in his article:

As this timeline depicting the emergence of the Conficker worm shows, the bad guys pay big bucks to black hat researchers adept at finding vulnerabilities, which can be immediately exploited for profit — before anyone issues a patch.

And now grey hat researchers, like Moore and Nohl, build careers out of concocting campaigns to embarrass vendors under the banner of compelling vendors to resolve security flaws in popular products – usually highly profitable cash cows — in a timely manner.

It’s been shown that attackers pay large sums of money for attacks that aren’t patched, creating a market for enterprising attackers with questionable morals to develop them. Given that market, why are we assuming that the bad guys don’t already have rainbow tables for A5/1 computed and aren’t actively recording calls from high-value targets? It’s silly. Releasing these tools essentially destroys the already tattered blanket of ignorance people have been wrapping themselves up in since people started shouting that A5/1 was insecure, and once again shows us that mobile phones are, by their very definition, insecure devices.

Is it an endpoint or is it a computer? Plain speaking or vagueness?

This article was just posted to my Twitter stream (Hat Tip: Chris Boyd). Graham Cluley from Sophos calls for people to stop using the word “endpoint” and replace it with “computer” as it confuses users. On its face, it makes sense. My wife would have no idea what I was talking about if I started bandying about “endpoints” in conversation instead of “computers”. I also completely agree that the term “endpoint” is incredibly overused by marketing departments. However, if we start trying to fit our nomenclature into simpler terms rather than continue to use our existing ones, are we hurting ourselves in the long term?

Allow me to babble about my childhood. I have always had a deep love of radios. My dad would have the police scanner on almost every evening, and one of the channels he had crystaled in was “North Shore CMED.” For the 99.9% of you who have no idea what CMED was, it allowed ambulances to brief hospitals about inbound patients being delivered to their ER. For those of you familiar with the 1970s-era TV show Emergency, the radio traffic was similar to the calls between Squad 51 and Rampart. Now, what does this have to do with endpoints? Well, back when I first started listening, there would be patients that were involved in “car accidents”. Then, a few years later, “car accidents” started being replaced with “motor vehicle accident” or “MVA”. Makes sense, right? The person could be in a truck, bus, dune buggy, etc. Now, apparently, the new term is no longer “MVA”; it is now “MVC” or “Motor Vehicle Collision”. That makes sense too, right? The person could have decided to ram someone off the road or be suicidal. These terms do a better job of encompassing all possible scenarios, despite most people possibly not understanding the difference between a “car accident” and a “motor vehicle collision”.

This reasoning is exactly why we use the term endpoint. While the public might not understand the difference between a “computer” and an “endpoint”, there are key differences between the two. For example: I currently have five endpoints on my desk, but only two computers; the other three are an embedded device, an IP phone, and my mobile phone. While all are endpoints and you could make the case that all five are indeed “computers”, they do not fit what the general public thinks a computer is. When you’re talking about endpoint security, you need to keep in mind that anything that is a destination for information is an endpoint, and they all need to be protected. Yes, in 90% of cases it is a computer, but this is rapidly changing. Language is a very powerful tool. By switching to “endpoints” instead of “computers” we as professionals are being more specific about what’s affected. If we say that computers are affected by a certain issue, do we mean only computers? Or do we mean computers along with other devices? As a side benefit, it’s also the first step toward convincing people that any kind of device needs to be secured.

While we’re not going to be changing any thinking overnight, nor are we going to enjoy answering the endless questions of “What’s an endpoint? Oh, you mean a computer…”, it’s one of those painful things that we’re going to need to do. Keeping ourselves to old definitions keeps us from talking about evolving threats accurately, and that’s just a bad idea.

A Series of Small Mistakes…

Tuesday, work had some training for some $FAIRLY_EXPENSIVE_SECURITY_SOFTWARE. Training required us to install one of the desktop versions of their product (which was passed around on a USB stick. </facepalm>) and required a license key. The trainer walked around to my laptop and set up a key. My paranoia is piqued when someone uses a computer with my account, so I watched him log in to the webpage with the key generator (OK, I averted my eyes when he typed his password, that’s a common courtesy), generate the key, make sure it worked, and move on to the next laptop.

Did you notice the missing step? Allow me to show you what was still up on my screen behind the software (censored to protect the guilty):

License Keys anyone?

Being the upstanding citizen I am, I took my screenshots and logged out. I could have, however, generated a nice stretch of license keys for the next few months for my own personal use. Considering the amount of money the software costs, these keys would have saved me a pretty penny.

There were four mistakes here, all small, two of which could have been fixed in the design phase of the application, two of which were the trainer’s fault.

  1. Trainer using an unknown laptop to log in to a secure site. Good thing I didn’t have a keylogger or something.
  2. Application not having some kind of system that would allow me to submit for my own key and have the trainer approve it.
  3. Trainer not paying enough attention to log out.
  4. Application not having some kind of oversight so that if I…. uhhh… I mean someone… did compromise the trainer’s account, I… er… he couldn’t create a bunch of keys.

I will give credit to them for some restrictions that kept this from being an epic fail:

  1. 30 days was the longest period I could generate a key.
  2. It would likely have had my fingerprints all over it.
  3. I believe the key could be revoked on their end.
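As an added example (not the vendor’s code), here is a Python model of the two design fixes from the first list together with the 30-day ceiling and revocation noted in the second: requests are separated from approvals, an approver cannot approve their own request, a daily issuance cap bounds what a hijacked approver session can mint, every action lands in an audit trail, and each key carries a MAC over its holder and expiry so an edited key fails validation. The limits, key format and account names are assumptions for illustration.

```python
"""License-key issuance with the controls the post found missing: users request
keys and an approver grants them (so no privileged password is typed on a
borrowed laptop), a per-approver daily cap and an audit trail bound what a
hijacked approver session can mint, and keys carry a 30-day ceiling and can
be revoked.

Added example, not the vendor's software; limits, key format and names are
assumptions for illustration."""
import hashlib, hmac, secrets
from datetime import datetime, timedelta, timezone

MAX_KEY_DAYS = 30            # the 30-day ceiling the post observed
DAILY_CAP_PER_APPROVER = 5   # assumption: a trainer seldom needs more per day


class KeyService:
    def __init__(self, signing_secret, approvers):
        self._secret, self._approvers = signing_secret, set(approvers)
        self.requests, self.keys = {}, {}
        self.audit = []   # (when, actor, event): the trail an investigator wants

    def request_key(self, requester, days, now):
        """Step 1: the user asks; nothing is issued yet."""
        if not 1 <= days <= MAX_KEY_DAYS:
            raise ValueError(f"key lifetime must be 1..{MAX_KEY_DAYS} days")
        rid = secrets.token_hex(4)
        self.requests[rid] = {"requester": requester, "days": days, "status": "pending"}
        self.audit.append((now, requester, f"requested {rid} for {days}d"))
        return rid

    def approve(self, approver, rid, now):
        """Step 2: an approver grants it, within a daily cap and never for themselves."""
        req = self.requests[rid]
        if approver not in self._approvers or req["requester"] == approver:
            raise PermissionError("not an eligible approver for this request")
        if req["status"] != "pending":
            raise ValueError("request already decided")
        issued_today = sum(1 for when, actor, event in self.audit if actor == approver
                           and when.date() == now.date() and event.startswith("approved"))
        if issued_today >= DAILY_CAP_PER_APPROVER:
            self.audit.append((now, approver, f"cap exceeded on {rid}"))
            raise PermissionError("daily issuance cap reached; escalate to the vendor")
        key_id = secrets.token_hex(8)
        self.keys[key_id] = {"holder": req["requester"], "revoked": False,
                             "expires": now + timedelta(days=req["days"])}
        req["status"] = "approved"
        self.audit.append((now, approver, f"approved {rid} -> {key_id}"))
        return self._token(key_id)

    def _mac(self, payload):
        return hmac.new(self._secret, payload.encode(), hashlib.sha256).hexdigest()[:16]

    def _token(self, key_id):
        """Key string = id|holder|expiry|MAC, so edits to holder or expiry are detectable."""
        k = self.keys[key_id]
        payload = f"{key_id}|{k['holder']}|{k['expires'].isoformat()}"
        return f"{payload}|{self._mac(payload)}"

    def validate(self, token, now):
        parts = token.split("|")
        k = self.keys.get(parts[0]) if len(parts) == 4 else None
        return (k is not None
                and hmac.compare_digest(parts[3].encode(), self._mac("|".join(parts[:3])).encode())
                and not k["revoked"] and k["holder"] == parts[1] and now < k["expires"])

    def revoke(self, actor, key_id, now):
        self.keys[key_id]["revoked"] = True
        self.audit.append((now, actor, f"revoked {key_id}"))


def _rejected(call):
    """True if the call is refused by a policy check."""
    try:
        call()
        return False
    except (PermissionError, ValueError):
        return True


def demo():
    """Walk the workflow with a fixed clock; returns the outcome of each check."""
    svc = KeyService(b"constructed-demo-secret", {"trainer"})
    now = datetime(2010, 1, 5, 9, 0, tzinfo=timezone.utc)
    token = svc.approve("trainer", svc.request_key("ben", 30, now), now)
    out = {"valid_now": svc.validate(token, now),
           "valid_after_expiry": svc.validate(token, now + timedelta(days=31)),
           "tampered_valid": svc.validate(token[:-1] + ("0" if token[-1] != "0" else "1"), now),
           "overlong_rejected": _rejected(lambda: svc.request_key("ben", MAX_KEY_DAYS + 1, now)),
           "self_approval_rejected": _rejected(
               lambda: svc.approve("trainer", svc.request_key("trainer", 7, now), now))}
    for _ in range(DAILY_CAP_PER_APPROVER - 1):   # use up the day's allowance
        svc.approve("trainer", svc.request_key("ben", 7, now), now)
    out["cap_enforced"] = _rejected(lambda: svc.approve("trainer", svc.request_key("ben", 7, now), now))
    svc.revoke("trainer", token.split("|")[0], now)
    out["valid_after_revoke"] = svc.validate(token, now)
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} {result}")
```

The cap is deliberately counted from the audit trail rather than a separate counter, so the same record that limits issuance is the one an investigator reads afterwards; a hijacked approver session shows up as a burst of approvals against one account, not as a silent stream of keys.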

That being said, it’s still an interesting example on how a series of small mistakes can cost an organization. Not that it did in this case, but how often do we hear about a bad system allowing a breach of sensitive data? A secure system requires both proper design and diligence of the users. In this case, unfortunately, they all clicked to allow the possibility of someone making off with the goods.

“Internet Lawyer” shows severe lack of understanding about “Internet” and “Law”

This floated across my Twitter stream yesterday: Internet Lawyer Take: DEFCON Spinning Out of Control? Watch out, you might want to make sure you’re caffeinated and sitting down while you read it.

Where do I begin?

Typical DEFCON attendee in Mr. Dozier’s Mind

  • Basing the criticism off two anonymous people’s complaints? Check
  • Vague complaints about evil hackers trying to deface his website during Defcon? Check
  • Suggestions about a possible Oracle genocide because of DEFCON? Check.
  • DEFCON is all about 15 year old kids learning to do l33t h@x? Check.
  • Sensationalizing various happenings without going into detail as to what happened? Check. Check. Check.

Dozier seems to be of the opinion that DEFCON is a cesspool of high school students who sit around their laptops trading mad hax and attempting to knock power grids offline all weekend. As anyone who has attended DEFCON knows, this is a complete load of horse puckey. DEFCON is essentially a Black Hat after party in which you get to kick back, enjoy Vegas, talk shop with other InfoSec people, and essentially spend most of the convention in an inebriated state (provided you’re over 21). I thoroughly enjoyed both times I attended.

Mr. Dozier seems to really dislike anonymity. He goes on to suggest that DEFCON get full details on every attendee to flush out the less desirable elements. I’m sure Mr. Dozier would be aghast to know that when I spoke I used a pseudonym. Why would an upstanding citizen like me choose to be anonymous even when I was speaking about a relatively innocuous topic? Because I enjoyed keeping my identity somewhat under wraps, and more people knew me under my pseudonym rather than my real name. When you deal with random people on the Internet, it’s very common to associate an e-mail, Twitter name or forum handle more easily with them rather than a full name. This has been the case since the early days of networked computing, as evidenced in Guy Steele’s “Confessions of a Happy Hacker” from The New Hacker’s Dictionary, 3rd edition. (Aside: If you like Hacking History, get this book.)

…when Barbara and I got married, we sent out wedding invitations of the usual sort without considering the consequences. One hacker friend was completely puzzled: “Barbara Kerns … Guy Steele … Who are these people???” His girlfriend looked over his shoulder and said, tentatively, “Guy Steele … isn’t that Quux?” This was someone I knew quite well, but he knew me only by that handle.

The statements on Oracle really have me scratching my head. Mr. Dozier seems to be confused about the cause and effect of things. In his train of thought, any kind of Oracle breaches from here on out are solely the fault of DEFCON and the MetaSploit project. Never mind the fact that all of the exploits have existed in the wild for quite some time, or the fact that they will be used by people such as myself to demonstrate to non-technical people that their Oracle server is doomed. These tools will only be used by 15 year olds who will deface websites, steal identities, and use their ill gotten gains to fuel their $1500 a day XBox Gamer Point habit.

As for “embarassing [sic] the federal authorities”, everyone who goes to DEFCON is well aware of the “Spot the Fed” competition. Every time I saw a “Fed” “spotted” it was very non-adversarial and amusing for all parties involved. If his “exceptionally talented and knowledgeable government security types” have a problem with this they need not attend, which they don’t. I also think that they need to develop a touch thicker skin.

Finally, this leaves me shaking my head:

Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to hack into a protected computer? At Dozier Internet Law we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point.

Mr. Dozier better get his lawsuits warmed up. I hear there are also conferences where people talk about things like guns and ones that talk about cars too. People get killed by cars and guns EVERY DAY! Surely this needs to stop!

One thing I will give him credit for is his web design: I think I’m going to start calling myself an “Internet Security Engineer” and rename my weblog to “Ben Jackson, Internet Security Engineer for the Commonwealth of Massachusetts, GIAC Certified Intrusion Analyst, Author of “Asterisk Hacking”, FCC licensed radio amateur, subject of an article in Infoworld, and stunningly handsome offers and Internet Security Engineer perspective on the web, Amateur Radio, and his life” — Instant credibility.