Posts tagged “infosec”.

GSM Encryption DOOMED! Your iPhone is DOOOOOOMED! Or not. Maybe.

While going through my backlog of RSS entries that have piled up over the past week, I came across this story from Byron Acohido (via Threatpost, which I highly recommend) who talks about the moral ambiguity of the release of tools that allow rainbow tables to be made for cracking the A5/1 GSM encryption cipher. First, let’s get this out of the way: Attacks like this against A5/1 have been around since at least October 2007. The big deal with these new tools is that they provide the basis for taking the computation time down from days or hours to seconds. These tools are rainbow table generators. They do not do any kind of sniffing or cracking, just a boatload of computations.

This aside, I find the story interesting for a number of reasons: First, I like how the iPhone is specifically mentioned. Byron mentions that:

Hackers could go after sensitive information exchanged while using Web apps for phone banking and stock trading; or they could eavesdrop on sensitive conversations, discussion about medical histories, for instance.

Actually, in cases where you are on a 3G network, you’re safe from this attack on the data side, as 3G networks use the A5/3 cipher. The problem is that, at least in AT&T’s case, even if you are on a 3G network, any voice calls are routed over regular GSM channels, which use the faulty A5/1 cipher. I believe T-Mobile is in the same boat. Fixing this is rather simple from a technical standpoint: just flip the voice side over to 3G as well. Of course, we know that in real life it’s almost never that simple. Both carriers’ 3G networks are nowhere near the size of their GSM networks, and who knows what kind of capacity they have on the 3G side. However, the decision here is completely on the carrier: What do they value more, their customers’ security and privacy or their profit margin?

Plus, I think the larger question here is when did mobile phones become secure? I think any person with a background in Information Security or Radio that was around in the early 1990s either monitored cell phones or knew of someone that did. While with the introduction of digital phones the monitoring became more difficult by your simple geek, given a sizable sum of money, it is still possible. The creation of devices such as Cryptophone proves this. Even before these tools were released, there are attacks on GSM in the wild which are “active” attacks, such as spoofing cell towers and then telling the phone to go sans encryption.

Next, regarding the question of releasing these tools: Byron calls the release taking the “morally debatable high ground.” I think his logic is really flawed, and he shows why in his article:

As this timeline depicting the emergence of the Conficker worm shows, the bad guys pay big bucks to black hat researchers adept at finding vulnerabilities, which can be immediately exploited for profit — before anyone issues a patch.

And now grey hat researchers, like Moore and Nohl, build careers out of concocting campaigns to embarrass vendors under the banner of compelling vendors to resolve security flaws in popular products – usually highly profitable cash cows — in a timely manner.

It’s been shown that attackers pay large sums of money for attacks that aren’t patched, making a market for enterprising attackers with questionable morals to develop them. With the existence of this market, why are we assuming that the bad guys don’t have rainbow tables for A5/1 already computed and aren’t actively recording calls from high value targets? It’s silly. Releasing these tools essentially destroys the already tattered blanket of ignorance people have been wrapping themselves up in since people started shouting that A5/1 was insecure, and once again shows us that mobile phones are, by their very definition, insecure devices.

Is it an endpoint or is it a computer? Plain speaking or vagueness?

This article was just posted to my Twitter stream (Hat Tip: Chris Boyd). Graham Cluley from Sophos calls for people to stop using the word “endpoint” and replace it with “computer” as it confuses users. On its face, it makes sense. My wife would have no idea what I was talking about if I started bandying about “endpoints” in conversation instead of “computers”. I also completely agree that the term “endpoint” is incredibly overused by marketing departments. However, if we start trying to fit our nomenclature into simpler terms rather than continuing to use our existing ones, are we hurting ourselves in the long term?

Allow me to babble about my childhood. I have always had a deep love of radios. My dad would have the police scanner on almost every evening and one of the channels he had crystalled in was “North Shore CMED.” For the 99.9% of you who have no idea what CMED was, it allowed ambulances to brief hospitals about inbound patients being delivered to their ER. For those of you familiar with the 1970s era TV show Emergency!, the radio traffic was similar to the calls between Squad 51 and Rampart. Now, what does this have to do with endpoints? Well, back when I first started listening, there would be patients that were involved in “car accidents”. Then, a few years later, “car accidents” started being replaced with “motor vehicle accident” or “MVA”. Makes sense, right? The person could be in a truck, bus, dune buggy, etc. Now, apparently, the new term is no longer “MVA”; it is now an “MVC” or “Motor Vehicle Collision”. That makes sense too, right? The person could have decided to ram someone off the road or is suicidal. These terms do a better job of encompassing all possible scenarios, despite most people possibly not understanding the difference between a “car accident” and a “motor vehicle collision”.

This reasoning is exactly why we use the term endpoint. While the public might not understand the difference between a “computer” and an “endpoint”, there are key differences between the two. For example: I currently have five endpoints on my desk, but only two computers; the other three are an embedded device, an IP phone, and my mobile phone. While all are endpoints and you could make the case that all five are indeed “computers”, they do not fit what the general public thinks a computer is. When you’re talking about endpoint security, you need to keep in mind that anything that is a destination for information is an endpoint, and they all need to be protected. Yes, in 90% of the cases it is a computer, but this is rapidly changing. Language is a very powerful tool. By switching to “endpoints” instead of “computers” we as professionals are being more specific about what’s affected. If we say that computers are affected by a certain issue, do we mean only computers? Or do we mean computers along with other devices? As a side benefit, it’s also the first step toward convincing people that any kind of device needs to be secure.

While we’re not going to be changing any thinking overnight, nor are we going to enjoy answering the endless questions of “What’s an endpoint? Oh, you mean a computer…”, it’s one of those painful things that we’re going to need to do. Keeping ourselves to old definitions keeps us from talking about evolving threats accurately, and that’s just a bad idea.

A Series of Small Mistakes…

Tuesday, work had some training for some $FAIRLY_EXPENSIVE_SECURITY_SOFTWARE. Training required us to install one of the desktop versions of their product (which was passed around on a USB stick. </facepalm>) and required a license key. The trainer walked around to my laptop and set up a key. My paranoia is piqued when someone uses a computer with my account, so I watched him log in to the webpage with the key generator (OK, I averted my eyes when he typed his password; that’s a common courtesy), generate the key, make sure it worked, and move on to the next laptop.

Did you notice the missing step? Allow me to show you what was still up on my screen behind the software (censored to protect the guilty):

License Keys anyone?

Being the upstanding citizen I am, I took my screenshots and logged out. I could have, however, generated a nice stretch of license keys for the next few months for my own personal use. Considering the amount of money the software costs, these keys would have saved me a pretty penny.

There were four mistakes here, all small, two of which could have been fixed in the design phase of the application, two of which were the trainer’s fault.

  1. Trainer using an unknown laptop to log in to a secure site. Good thing I didn’t have a keylogger or something.
  2. Application not having some kind of system that would allow me to submit for my own key and have the trainer approve it.
  3. Trainer not paying enough attention to log out.
  4. Application not having some kind of oversight so that if I…. uhhh… I mean someone… did compromise the trainer’s account, I… er… he couldn’t create a bunch of keys.

I will give credit to them for some restrictions that kept this from being an epic fail:

  1. 30 days was the longest period I could generate a key.
  2. It would likely have had my fingerprints all over it.
  3. I believe the key could be revoked on their end.

That being said, it’s still an interesting example of how a series of small mistakes can cost an organization. Not that it did in this case, but how often do we hear about a bad system allowing a breach of sensitive data? A secure system requires both proper design and diligence of the users. In this case, unfortunately, they all clicked together to allow the possibility of someone making off with the goods.

“Internet Lawyer” shows severe lack of understanding about “Internet” and “Law”

This floated across my Twitter stream yesterday: Internet Lawyer Take: DEFCON Spinning Out of Control? Watch out, you might want to make sure you’re caffeinated and sitting down while you read it.

Where do I begin?

Typical DEFCON attendee in Mr. Dozier's Mind

  • Basing the criticism off two anonymous people’s complaints? Check.
  • Vague complaints about evil hackers trying to deface his website during DEFCON? Check.
  • Suggestions about a possible Oracle genocide because of DEFCON? Check.
  • DEFCON is all about 15 year old kids learning to do l33t h@x? Check.
  • Sensationalizing various happenings without going into detail as to what happened? Check. Check. Check.

Dozier seems to be of the opinion that DEFCON is a cesspool of high school students who sit around their laptops trading mad hax and attempting to knock power grids offline all weekend. As anyone who has attended DEFCON knows, this is a complete load of horse puckey. DEFCON is essentially a Black Hat after party in which you get to kick back, enjoy Vegas, talk shop with other InfoSec people, and essentially spend most of the convention in an inebriated state (provided you’re over 21). I thoroughly enjoyed both times I attended.

Mr. Dozier seems to really dislike anonymity. He goes on to suggest that DEFCON get full details on every attendee to flush out the less desirable elements. I’m sure Mr. Dozier would be aghast to know that when I spoke I used a pseudonym. Why would an upstanding citizen like me choose to be anonymous even when I was speaking about a relatively innocuous topic? Because I enjoyed keeping my identity somewhat under wraps, and more people knew me under my pseudonym rather than my real name. When you deal with random people on the Internet, it’s very common to associate an e-mail, Twitter name or forum handle more easily with them rather than a full name. This has been the case since the early days of networked computing, as evidenced in Guy Steele’s “Confessions of a Happy Hacker” from The New Hacker’s Dictionary, 3rd edition. (Aside: If you like hacking history, get this book.)

…when Barbara and I got married, we sent out wedding invitations of the usual sort without considering the consequences. One hacker friend was completely puzzled: “Barbara Kerns … Guy Steele … Who are these people???” His girlfriend looked over his shoulder and said, tentatively, “Guy Steele … isn’t that Quux?” This was someone I knew quite well, but he knew me only by that handle.

The statements on Oracle really have me scratching my head. Mr. Dozier seems to be confused about the cause and effect of things. In his train of thought, any kind of Oracle breaches from here on out are solely the fault of DEFCON and the Metasploit project. Never mind the fact that all of the exploits have existed in the wild for quite some time, or the fact that they will be used by people such as myself to demonstrate to non-technical people that their Oracle server is doomed. These tools will only be used by 15 year olds who will deface websites, steal identities, and use their ill-gotten gains to fuel their $1500 a day XBox Gamer Point habit.

As for “embarassing [sic] the federal authorities”, everyone who goes to DEFCON is well aware of the “Spot the Fed” competition. Every time I saw a “Fed” “spotted” it was very non-adversarial and amusing for all parties involved. If his “exceptionally talented and knowledgeable government security types” have a problem with this they need not attend, which they don’t. I also think that they need to develop a touch thicker skin.

Finally, this leaves me shaking my head:

Is there a Free Speech right, protected by our First Amendment, to describe in detail ways to hack into computer systems when it is a federal and state crime to hack into a protected computer? At Dozier Internet Law we know this issue is yet to be fleshed out fully but we expect that criminal conspiracy laws could come into play at some point.

Mr. Dozier better get his lawsuits warmed up. I hear there are also conferences where people talk about things like guns and ones that talk about cars too. People get killed by cars and guns EVERY DAY! Surely this needs to stop!

One thing I will give him credit for is his web design: I think I’ll start calling myself an “Internet Security Engineer” and rename my weblog to “Ben Jackson, Internet Security Engineer for the Commonwealth of Massachusetts, GIAC Certified Intrusion Analyst, Author of “Asterisk Hacking”, FCC licensed radio amateur, subject of an article in Infoworld, and stunningly handsome, offers an Internet Security Engineer perspective on the web, Amateur Radio, and his life” — Instant credibility.

Secure Software Redux

David Rice wrote a response about my last post regarding a Secure Software Reality Check and makes some good points.

But people’s “wants” do not exist in a vacuum. The “wants” live within an incentives framework that either promotes or inhibits certain behaviors. In fact, because of relatively low U.S. gas prices (in comparison with the UK, for instance) and tax incentives for purchasing trucks or SUVs over a certain weight, the “want” of a big vehicle is promoted in the U.S. while inhibiting the ”need” for low-emissions subcompacts.

I don’t disagree with the idea of people’s wants not living in a vacuum. The ads on TV demonstrate otherwise. However, most people’s wants live within their own bubbles. For example, while I don’t give a crap about torque, horsepower, etc., I do give a damn about 4 wheel drive due to my winter commute down some crazy back roads to the commuter rail. One of my other wants is downright “strange” when compared to the mainstream: I am one of the few people who look for cars with a smaller central console due to my other hobbies, which is a pretty strange “want” to have when you look at the mainstream, but it makes perfect sense within my bubble.

In other words, it makes more sense from a buyer’s perspective in the US to buy a bigger vehicle because the incentive structure rewards that behavior. If gas prices were allowed to rise to $10/gallon and a broader tax burden was placed on all non-subcompacts (much like the gas-guzzler tax on the Hummer, only more general), the incentive to “buy big” would gradually ebb. So the “want” for a big vehicle would be partially transformed into a new “want” for smaller, more fuel-efficient cars (so long as people felt they were better off for buying the smaller car). And it just so happens this “want” would be more aligned with the “need” for reducing the social and environmental costs (known as negative externalities) of car ownership.

I disagree that the current gas prices “reward” buying a larger vehicle. They simply allow for buying a larger vehicle. Do consumers buy a Hummer when an Impala would suffice? I’d be stupid to suggest that they don’t. But by creating an external force (i.e. a tax) in order to “discourage” certain “behaviors” you’re doing nothing to stop the “want”; you’re just trying to force people to do something they don’t want to do. You’re treating the symptom (low MPG cars) rather than treating the disease (bad driving habits).

What does this have to do with secure software you may ask?

In the context of software then, there is no incentive to reduce “vulnerability emissions” by software manufacturers nor is there an incentive for buyers to avoid purchasing software with plenty of bugs and defects. Buyers want “big” software; that is, software with a bevy of features even though this dramatically increases the likelihood of latent defects and vulnerabilities. Because of this demand for “big” software, software manufacturers are happy to supply it. There is no incentive to do otherwise.

There is an incentive to do otherwise, and I think this is where the MPG analogy breaks down. Every so often Microsoft has some major bug that gets exploited enough that it makes the news cycle. Microsoft’s response to this has been nothing more than a “Whoops! Our Bad. We have a patch.” They then wash their hands of it. This is the equivalent of Ford Motor Company dealing with the Cruise Control issue back in 2003 with “Whoops! Our Bad. We’ll replace it.” However, there are now multiple class action lawsuits from people who were affected by this problem. Why does Microsoft get away scot free yet Ford has to pay the piper? I think one of the reasons is because people haven’t realized that they can make money off of software defects, and the other is that people haven’t made a connection yet between physical loss and virtual loss.

Aunt Ethel and Uncle Mortimer, while they don’t give a crap about how many critical bugs their operating system had this month, do care if their computer gets owned. What needs to be done by us as a community is teaching them that B is directly related to A. If people start understanding that because some coder at Microsoft didn’t check his buffer size correctly their credit card numbers are now floating around Romania, we’ll start seeing people crying bloody murder. The sooner they do that, the sooner we’ll get vendors who take security seriously, and the sooner that happens, the sooner we’ll all be better off. No laws needed.

A Secure Software Reality Check

Chris Wysopal, aka “Weld Pond” wrote about the recent DDoS attacks against South Korea and the root cause being that we have an insecure software ecosystem. Chris is spot on with this statement and he brings up an interesting analogy:

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emissions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure, each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers.

I think the analogy he uses is great, but not for the reason he uses it for. We talk a lot about “keeping emissions down” and the government pushes lofty goals about reducing so-called “carbon footprints”, but the main reason we don’t see everyone driving subcompacts that get 35 miles per gallon is because very few people want them. The public, as a whole, wants their 6000 SUX that looks dead sexy and has a top speed of $BIGNUM MPH. 8.2MPG? Runs on baby seal blood? Who cares?

This is exactly the same with computer security. We talk a lot about “securing cyberspace” and the government pushes lofty goals about treating our “digital infrastructure… as a strategic national asset”, but it’s exactly the same. Most people don’t want to have secure software. They want to have their Bonzi Buddy and their 3D Dancing Pigs on their website. The software has a horrible security track record? It requires tons of security settings to be disabled on the computer? Your entire HR system uses Microsoft Access as a back end? Who cares?

Chris is right. We need to make EVERYTHING secure. Every operating system, every application, every library. This is nowhere near an easy fix. Ideally we need to start the software industry at tabula rasa and start everything from scratch. It is possible: Just look at OpenBSD. However, we are not going to be able to convince anyone to start taking these steps until we start making a gigantic culture change starting from the ground up. Aunt Ethel and Uncle Mortimer need to start understanding that they are doomed in the current environment and start demanding their software be secure. Companies need to stop dealing with vendors that have repeated security problems. In house staff need to be trained in secure computing practices. Computer science students need to be taught about secure coding methods. This needs to be EPIC. However, until then, we are all going to be stuck on the hamster wheel of pain by dealing with massive botnets, scrambling to patch zero day vulnerabilities, and holding our breath waiting for the next “big one.”

How do we make it so we can escape? I have no clue and I doubt anyone else does either. The only thing I could see possibly breaking us out is everything going up in a giant cloud of smoke. All the cyberwar pundits are correct and we have a massive attack on our infrastructure. Blackouts! ATMs Jackpotting! Computers turning into Bombs! Dogs and cats, living together! Mass Hysteria! Only then will we learn the error of our ways!

Of course the pessimistic side of me says that we’ll still want our Bonzi Buddy and 3D dancing pigs.

(On a tangent, did you know Weld Pond was 43? I feel old now.)

Another SOURCE Boston in the books

SOURCE Boston 2009 wrapped up last Friday. Once again, the SOURCE Advisory board did a bang-up job picking talks: Normally, during a conference there are “collisions” in which there are two talks I want to see that run concurrently. SOURCE had this, but it seemed that it happened almost every single talk. I was desperately switching my attention between the talk I was currently at and my Twitter stream, watching people live-tweet the other tracks. I constantly felt I was missing something great. SOURCE also fixed the one complaint I had about SOURCE Boston 2009, the lack of ability to get to the venue via the MBTA. This year’s venue, the Seaport Hotel, was easily accessible from the Silver Line, and the new digs were great.

My talk went as well as I could have hoped. Despite some minor issues with regard to what I could and couldn’t talk about, and thus the presentation being much shorter than I wanted it to be, I felt I fielded all the questions cleanly, and for the ones I could not answer I made sure I got business cards so that I could follow up. For those of you interested in downloading my slide deck, it is available here:

  • Massachusetts Data Breach Laws, Regulations, and Responsibilities (PPT, 828K)
  • Massachusetts Data Breach Laws, Regulations, and Responsibilities (PDF, 286K)

Some highlights of the conference:

  • David Mortman’s delicious bread, which he handed out if you asked questions during his talk. I got a slice because I was able to answer a question.
  • Marcus Ranum’s keynote. Despite being a presentation of “The industry is beyond repair, and here’s why…” gloom and doom, I was able to at least grab some good points out of it that will enable me to fight the good fight. He also made a great metaphor: “3D dancing pigs”, meaning something which management wants and will try to implement despite any warnings.
  • James Atkinson’s counter-surveillance talk. Last year he did telephones and this year he did automobiles. Crazy stuff.
  • L0phtCrack 6 information session. I can’t wait.

And these are just the ones I can remember off the top of my head.

SOURCE is a great conference and if I had the time and money, I’d seriously consider going to SOURCE Barcelona in September. If you have the chance in 2010, I would highly recommend attending.

Do you hear the servers screaming, Clarice?

F-Secure, who is doing great work on surveying the breadth of Downadup, recently asked “Is it time for Internetpol?” when people started asking why they didn’t take advantage of their sinkholes for Downadup and attempt to disinfect the zombies.

Still — it seems that people want a champion that can make big command decisions. Perhaps it would be a good time to bring up the idea of Internetpol again? Mikko briefly mentioned it on December 12th, it was the topic of his AVAR 2008 keynote. The idea was also mentioned in our third quarter security summary.

Do you want an organization with international legal authority to act against Internet threats?

Speaking strictly as a security researcher who, whenever I feel a bit masochistic, attempts to play whack-a-mole with various “bad sites” on the Internet: “Yes!” I don’t think anyone would disagree with an internationally recognized group having the authority to shut down “bad” sites.

However, the primary issue is what constitutes a “bad” site? With the authority to declare a site “bad” shifted over to an international entity, what standards will they use to judge sites? Sure, I think everyone will agree that sites which distribute malware are bad, but what about sites engaging in dissident political speech? I’m sure China thinks that any site blocked by the “Great Firewall” is “bad.” How will an InternetPol handle this? I would see conversations playing out like a scene from Silence of the Lambs:

Clarice: That’s only a part of the island. There’s a very, very nice beach. Terns nest there. There’s beautiful…
Hannibal: [cuts her off] Terns? Mmh. If I help you, Clarice, it will be “turns” with us too. Quid pro quo. I tell you things, you tell me things. Not about this case, though. About yourself. Quid pro quo. Yes or no?
[pause]
Hannibal: Yes or no, Clarice? Poor little Catherine is waiting.

China is a large haven for malware. Does “InternetPol” say “we won’t disconnect the sites you’ve requested” to China? If so, what would China do when InternetPol comes knocking and asks them to assist in an investigation from another member country? Quid Pro Quo would expect them to show InternetPol the door. The only way to get every country to play ball is to adjust the standards so that every country will be enforcing every other country’s laws. China doesn’t like Falun Gong sites? Gone. US doesn’t like gambling sites? Gone. Australia doesn’t like naughty web sites? Gone. It’s less of a “slippery slope” and more like a near vertical drop.

This is also coupled with numerous other issues with local Law Enforcement Organizations (LEO). If Russia doesn’t feel like enforcing their laws against a certain group *cough* RBN *cough* then the best an InternetPol organization can hope for is to lean on their upstream providers and hope they cave. Thankfully, this seems to be working even with private organizations, but criminals are crafty; what happens when we see criminal organizations start setting up their own NSPs (With Blackjack! And Hookers!)? How about when the local LEO is compromised itself through bribes or worse?

These are major issues that need to be addressed on a global scale. Sadly, if only one country decides to take its ball and go home, we’re going to see every e-Crime enterprise beat a path to that country’s door the next day. If numerous countries refuse to play ball, InternetPol will be the electronic form of the United Nations: a great idea whose main weapon is a strongly worded letter.

Point, Counterpoint

The InfoSec community was murmuring lately over an interview with Matt Knox, who wrote spyware in a previous life. I did feel that the interview, although done fairly well, was a bit soft, and “DirectRevenue” did cause long-dormant synapses in my brain to start to wake up and scream in horror, but I dismissed them and didn’t look into it any further.

Thankfully, Chris Boyd aka “Paperghost” did. Boy, did he ever.

The interview painted a “Hey, they did things that were of questionable morality, but they weren’t that bad!” picture and Knox did have a “Aw, shucks… Sorry!” demeanor to him. Which, as Chris points out, is kind of expected, since the interviewer is a friend. However, the State of New York documents paint a very different picture to the entire operation, and comments like:

Matt is a wonderful teacher, a great coder and a good friend. It was pretty awesome that he did this interview and gave us the inside scoop on how a noted adware company operated, both technically and from a business perspective… Nowadays he uses his skills to educate and create software for doctors.

seem to try to whitewash the seriousness of the situation he had a hand in creating. I’ll give Knox credit for doing an interview, but I won’t give him a pass for coding such nastiness for a very, very long time. Everyone can make mistakes, but the questionable ethics that get them into such mistakes deserve to be scrutinized. As much as I would like to believe he has turned over a new leaf (and by the accounts I’ve seen he has), there is this little nagging voice that says “Software for Doctors? He better not be touching patient records.”

I would enjoy a follow-up interview with Knox to address the question raised by Chris. I hope one is forthcoming.

What’s the opposite of FUD?

What’s the opposite of FUD? Unbridled optimism? Rose-colored glasses syndrome? Sheesh. @ryanaraine posted this on Twitter this morning: Microsoft to issue out-of-cycle patch for the ‘unknown exploit’. This features such choice quotes as:

It’s the kind of development that could give “zero-day” a whole new meaning: a wave of alleged Internet Explorer exploits, the total number of experimentally validated cases of which apparently numbers zero.

What in the Wide Wide World of Sports is “experimentally validated cases?” Did I miss something here? Is this some kind of new InfoSec standard that I was previously unaware of? How much verification do you want? Take your pick: ISC, Trend Micro, F-Secure, ZDNet, or the Washington Post. What else does he want, have the hole paint itself purple and dance naked on the table in front of him singing “zero day exploits are here again?”

This IS being actively exploited. I have a list of sites that are being used to host exploits sitting in my INBOX right now. If you use IE, you need to patch ASAP or switch your web browser over to something else. To suggest this may not be “actually valid” is irresponsible and is undermining the efforts of security people across the Internet.