Friday, 28 October 2011
Posted by Craig Wright at Friday, October 28, 2011
Wednesday, 26 October 2011
If it is not local, we forget quickly. This is nothing new. In 2008, a teen hacker broke into the Polish Rail Network.
In this incident, the attacker used the trains like a toy and in the process derailed 4 trains.
I have posted on rail systems and SCADA and how these need better security. Here in NSW, Australia, we are no better. The SCADA and control engineers are afraid of anything breaking right now; but what if an attacker actually does break something?
I have been accused in recent weeks of creating the scenario; that the issue is how I am noting these flaws. It seems that these individuals see an attack as a consequence of my posts, as if only by having written on this topic could it exist.
Well, it exists.
Even had I not written on this topic, it would remain a threat. As I have noted above, it has really occurred. Not because people such as myself have made others aware of it, but because it was discovered and exploited.
The question now is when it will happen again, not if.
Tuesday, 25 October 2011
I will cover off on the actual process of how to implement Domain Isolation in a Windows Domain based architecture in coming weeks. As this does require that I include images, it will need to wait until I am past the current round of conferences.
Domain isolation is a set of technologies that have been pulled together by Microsoft and which have controls under Group Policy that allow you to limit the risk of unauthorised access to trusted systems. Attacks by trusted administrators are of course a separate issue that this type of control does not mitigate (here we need segregation of duties and related non-technical controls).
Domain isolation uses a combination of IPSec and local host firewalls. It can be used to restrict access to a trusted system to only those protocols needed to connect to the system (IPSec with ESP or AH, Kerberos, etc.) and to block all other access even when a host is situated on the Internet. If a host is on the Internet and is mobile, the need to allow DHCP and other local protocols does complicate the configuration, but it does not make this impossible.
If you install RADIUS (either that provided with Windows Server in IAS or a third-party service) you can also integrate other devices (such as a Cisco or Juniper router or switch) into the domain and IPSec policy groups (I will also get to documenting how this can be done in time).
You can further improve the security of a site with the inclusion of strong per-packet mutual authentication, integrity, anti-replay and encryption.
This will allow your systems to communicate only with allowed trusted domain members. In doing this, you can restrict inbound network access (actually this applies to both ingress and egress controls, but the easiest quick win is to secure the incoming connections and then restrict egress once the system architecture has been updated). This restriction can easily be limited to host security groups that consist of only selected domain member hosts, and these can be set differently by user and host in Group Policy.
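The pattern just described, as an added example that is not configuration from the original post: a per-host version of domain isolation built with the Windows NetSecurity cmdlets (Windows 8 / Server 2012 and later; on older hosts the same rules are expressed with netsh advfirewall or in the Windows Firewall with Advanced Security node of a GPO). The SDDL string, the domain controller address and the rule names are constructed placeholders, not values from the post.

```powershell
# Added example (not the original post's configuration). Run from an elevated
# PowerShell prompt on a domain-joined host. To publish the same rules through
# Group Policy, add -PolicyStore "corp.example\Domain Isolation GPO" to each
# New-NetIPsec*/New-NetFirewallRule call (placeholder GPO name).

# Placeholder SDDL naming the domain group that contains trusted member hosts.
# Replace the SID with the real group SID before use.
$TrustedHostsSddl = 'O:LSD:(A;;CC;;;S-1-5-21-PLACEHOLDER-DOMAIN-SID-1234)'
$DomainControllers = @('10.0.0.10', '10.0.0.11')   # constructed placeholder addresses

# 1. Phase 1 authentication: computer Kerberos, so only domain members can
#    complete an IPsec negotiation with this host.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Set    = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' `
                    -Proposal $kerbProposal

# 2. The isolation rule: require authenticated inbound, request authenticated
#    outbound. "Request" outbound is the quick win the text mentions; it lets
#    the host still talk to non-domain services (printers, the Internet) while
#    everything that reaches this host must prove domain membership.
New-NetIPsecRule -DisplayName 'Domain Isolation (require in, request out)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Set.Name -Profile Any | Out-Null

# 3. Exemptions: traffic a roaming host needs before it can authenticate.
#    Without these a laptop on a hotel network can never get an address, resolve
#    names or reach a DC for a Kerberos ticket, and so can never pass step 2.
foreach ($kw in 'DHCP', 'DNS') {
    New-NetIPsecRule -DisplayName "Exempt $kw" -RemoteAddress $kw `
        -InboundSecurity None -OutboundSecurity None | Out-Null
}
New-NetIPsecRule -DisplayName 'Exempt domain controllers' -RemoteAddress $DomainControllers `
    -InboundSecurity None -OutboundSecurity None | Out-Null

# 4. Host firewall rule tied to a host security group: even an authenticated
#    domain member may only reach RDP on this host if it is in the trusted group.
New-NetFirewallRule -DisplayName 'RDP from trusted hosts only' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -RemoteMachine $TrustedHostsSddl | Out-Null

# 5. Verify: list the rules, then watch main-mode SAs form as peers connect.
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity -AutoSize
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint, AuthenticationMethod -AutoSize
```

The exemption rules are the part that most often goes wrong in practice: if the domain controllers are not exempted, hosts can authenticate only while they already hold a Kerberos ticket, and the first reboot after policy applies locks them out. Test the policy on a pilot group of hosts with the isolation rule set to Request/Request, confirm that main-mode SAs appear, and only then raise inbound to Require.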
Desktop as a Service (DaaS) has many benefits to an organisation, not simply security. This is of course if it is managed well. Like anything, a system ignored is one that will quickly decay.
Today I will note a major security benefit that DaaS offers.
This is the ability to remove local Administrator rights.
Laptops and tablets can be locked down. The issue is that any system with physical access is difficult to maintain in a secured state. Physical access allows a local user to do many things that they should not be allowed to do. There are always means to bypass even the best physical controls when you own/physically control a host.
DaaS of course removes the ability to access the device physically. More, some providers allow you to encrypt the drives (or at least the virtualised data). At worst, there are always free solutions such as TrueCrypt as well as a number of commercial disk encryption products that work on cloud-based systems.
With group policy (and I will document this step by step soon) in a DaaS system, you can lock local access away from your users and they cannot use physical access tricks to bypass these controls.
The user CAN have local access and rights on a tablet or notebook system. These can be set as the user desires with any silly application they like. This can be a risk to their personal data, but the access to protected data will be held remote.
More, DaaS can be coupled with NAP and NAC. When the user’s system connects, it can be validated to ensure that a firewall is enabled, that anti-malware solutions are up to date and that other controls are at least enabled when the user is working on the secured desktop.
Some of the biggest security issues we see come from the way we see a business system as a personal system. In restricting business use to the DaaS platform, the user can have a personal system when still maintaining a separate access to a secured system.
In adding applications, the user does this removed from the organisation's data. There are still ways to attack any system, but the controls are simpler to maintain in a DaaS-based solution than they are in a series of snowflakes (that is, the range of disparate systems that make up the average IT operation).
Once I am past the current conference schedule and training program, I will document a detailed how to guide that will help you to enable Group Policy to manage such a system.
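A check for the benefit this post singles out, as an added example that is not from the original post: a script that audits the local Administrators group on a desktop and reports any member that a "no local admin rights" policy (Group Policy Restricted Groups) should have removed. It uses the WinNT ADSI provider so it runs on Windows 7 / Server 2008 R2 as well as current versions; the allow-list entries are constructed placeholders.

```powershell
# Added example (not from the original post). Compares the local Administrators
# membership against an allow-list and reports anything unexpected. Run it from
# the secured desktop image (or via a logon/startup script) to confirm that the
# Restricted Groups policy actually took effect on each host.

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # WinNT provider works on every supported Windows version, unlike
    # Get-LocalGroupMember, which needs Windows 10 / Server 2016 or later.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/Name; normalise to DOMAIN\Name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminCompliance {
    param(
        [string[]]$Members,
        [string[]]$Allowed
    )
    # -notcontains is case-insensitive, which matches how Windows treats names.
    $unexpected = @($Members | Where-Object { $Allowed -notcontains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($unexpected.Count -eq 0)
        Unexpected   = $unexpected
        Checked      = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Placeholder allow-list: the built-in account plus the domain groups that are
# permitted to administer the DaaS desktop image. Adjust to your domain.
$allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Domain Admins',
    'CORP\DaaS-Desktop-Admins'
)

$report = Test-LocalAdminCompliance -Members (Get-LocalAdminMembers) -Allowed $allowed
$report | Format-List

# Non-zero exit lets a scheduled task or monitoring agent flag the host.
if (-not $report.Compliant) { exit 1 }
```

Because DaaS desktops are rebuilt from an image, a host that drifts from the allow-list is a signal in its own right: either the policy did not apply, or someone with elevated rights added a member. Ship the report to the SIEM rather than leaving it on the desktop, where a local administrator could edit it.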
Monday, 24 October 2011
In law, when presenting evidence to a court, there exists a rule on the exclusion of hearsay as evidence.
Before admitting evidence, a court will generally ensure that it is relevant to the case and also evaluate it to ensure that it satisfactorily fulfils what it is claimed to provide. A court needs to determine whether the evidence is hearsay and otherwise determine its admissibility.
“Evidence is hearsay where a statement in court repeats a statement made out of court in order to prove the truth of the content of the out-of-court statement.” An example of hearsay evidence would apply where a suspect has sent an e-mail purporting to have committed a crime. Law enforcement officials would still need other evidence (such as a confession) to prove this fact.
The rules of Scientific Evidence apply to digital forensics. In the US, Daubert v. Merrell Dow Pharmaceuticals, [509 U.S. 579 (1993)] set the standard for evaluating scientific evidence. The test developed in this case consists of:
1. A determination whether the theory or technique is capable of or has been tested;
2. The existence and maintenance of standards controlling techniques of operation and whether these are likely to result in a high known or potential error rate;
3. As to whether the theory or technique has been rigorously subjected to peer review and publication; and
4. If the theory or technique is subject to “general acceptance” within the relevant scientific community.
For the most part (and even though error rates have not been established for most digital forensic tools) electronic evidence has been accepted by the courts as scientific evidence. Currently, the most effective approach to validating the methodologies and approach used by an investigator remains peer review. For this reason, it remains good practice to have another investigator double-check any findings using multiple tools or techniques to ensure the reliability and repeatability of the process.
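One small piece of the repeatability practice described above, as an added example that is not from the original post: computing an evidence file's SHA-256 with two independent tools (PowerShell's Get-FileHash and certutil.exe) and recording whether they agree, so a second examiner can reproduce the figure that ends up in the report. The sample evidence file is constructed inline; Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the original post). Two independent implementations
# hashing the same acquired file is the cheapest form of the cross-tool check
# the text recommends; a disagreement means a tool, the media or the copy is
# at fault and must be resolved before the hash is cited.

# Constructed sample evidence. In practice, point $Evidence at the acquired image.
$Evidence = Join-Path $env:TEMP 'sample-evidence.bin'
[IO.File]::WriteAllBytes($Evidence, [byte[]](0..255))

function Get-DualHash {
    param([Parameter(Mandatory)][string]$Path)

    # Tool 1: Get-FileHash (PowerShell's own implementation)
    $psHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()

    # Tool 2: certutil. Its output is text: a header line, the hex digest
    # (older builds print it with a space between bytes), then a status line.
    $certOut  = & certutil.exe -hashfile $Path SHA256
    $hexLine  = $certOut | Where-Object { $_ -match '^[0-9a-fA-F ]{64,}$' } | Select-Object -First 1
    $certHash = ($hexLine -replace '\s', '').ToLowerInvariant()

    [pscustomobject]@{
        File        = $Path
        SHA256_PS   = $psHash
        SHA256_Cert = $certHash
        Agree       = ($psHash -eq $certHash)
        Examiner    = $env:USERNAME
        Timestamp   = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$result = Get-DualHash -Path $Evidence
$result | Format-List

if (-not $result.Agree) {
    throw 'Hash mismatch between tools: stop and investigate before reporting this value.'
}
```

The record produced (file, both digests, examiner, UTC time) is what a peer reviewer needs to repeat the step; if the second examiner's run on a verified copy yields the same digests, the acquisition step has been shown repeatable, which is the point the Daubert factors are getting at.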
But what is this for the future and why will we no longer have Hearsay?
We already have an Internet of things more than of people. The number of automated devices and servers has exceeded the number of users on the Internet for a couple of years now, and with IP addressing issued to light bulbs and FMCGs in coming years, we could see 100 billion nodes online at any time.
These are devices that all interact and can be correlated. Recently, it has been shown that Skype can be used to correlate IP addressing from this service with BitTorrent P2P traffic. The future will be one where purchases are matched and items can be used to trace movements and more.
Think of it, you have purchased a can of Coke with an IP address based on an RFID tag. You pay using a Visa Smart wave chip card. The smart checkout links the IP of the can with the card ID. Later, the can is located at a bin outside a premises you stated you did not go to. All of this adds together to form an evidence trail.
The future of the courts is one of digital evidence.
An email where you stated that you did something may not be admissible, but the business and automated processes surrounding devices are admissible. These are not hearsay.
In an Internet of things, we have a world of automated processes, all of which are admissible. They remove the hearsay problem as they capture and record automatically.
In coming years, more and more of what we say and do will be recorded. There will hardly be a street corner without a camera, hardly a playground without a microphone. This is happening, it already is, and the tide has swept in so far that there is no stopping it, or even now time to build a barrier to gain time.
What we now do matters, for we can make this a world where these changes will work for the betterment of society or we can allow little brother to take the place of big.
 Hoey, 1996
It is a different world. Forget the 30,000 people in “computer security” that the PLA have in China wearing uniforms. Think of the 150-160k external “consultants”. These are people with Microsoft, Adobe etc. source code. They know zero-days before we do. This is the thing, it is a different world. When we find zero-days, expect that others have been using them for months.
Basically, we have a team of more people than Microsoft employs with the goal of finding and exploiting the vulnerabilities in computer systems. These are generally Microsoft systems as there are simply more of them. You attack the system with the largest user base to get the best return on investment.
Basically, we have many times the number of people looking through source code in China than Microsoft does. This was supplied to the Chinese as a part of the conditions of trade in China. The result, well there have not been too many formal vulnerability releases by the Chinese government.
So we have around 10 Chinese software testers for each person coding in Microsoft, and yet Microsoft finds bugs, external parties find bugs, but the Chinese groups do not?
Well they do not release them at least.
Generally speaking and from the perspective of criminal groups, zero-days are the last issue we need to concern ourselves with.
This is a little different when we look at state-players.
These Chinese groups are yet to issue a single CVE for all of the effort they expend on analysing the source code that Microsoft and others have provided.
Knowing of a vulnerability and defending yourself against its exploitation is one thing, but we have many skilled groups in China. It is not too difficult to create vulnerabilities given source code and time.
We keep wondering how
I find it remarkably surprising that we wonder how systems are exploited and data exfiltrated time and again from locations in China, and we are not looking at the fact that China is expending MORE effort than Microsoft and the rest of the information security world as a whole in looking for vulnerabilities in the Microsoft software platform, and yet they are not actually releasing vulnerabilities.
Food for thought.
EVERYTHING is changing. In a decade, even the traditional manner which we have engaged in HUMINT will be gone (this is human intelligence), never to exist again. Why? Well we have systems already that allow facial recognition and validation. The technologies will allow the “bad guys” to match Identities in just a few years. For example, as different as people have told me I look I have looked in photos and more, and though people do not recognise me in different guises, computers do and will. We will need HUMINT, but it will be a different and new form we have not seen before.
As a silly example, I have an image of a “character” I portray for fancy dress parties and the like named Gilbert Dibley.
When these are compared to my profile image, it seems to some a different person. This of course is a silly exaggerated example. I am not suggesting that those involved in HUMINT dress up funny, just that even these images are linked to my professional or personal life.
Simple small changes (for instance, I shaved my beard this year) make big differences to how we see one another, but these are not changes that fool a computer.
A computer can already match these pictures with the facial structure of my skull and say if I am the same persona as is portrayed (me) in my profile image. Without major facial reconstruction, I will show up in images.
We can expect that the images of those working for the NSA, OICI, CIA etc. will be recorded in time. The persona that is us will be recorded from yearbooks and personal images on. In time, those images that are used in undercover work will be no more.
For instance, a police detective does not start as a detective. S/He starts in joining the force and there are always records of this. These are pictures and images from graduations and just general life in training. Then you move to a uniform. Again, there are records.
Worse, we cannot control the images that others have. Image search techniques in coming years, with more computational power and the growing use of mobile devices, mean that we can expect to see ourselves online, not from our own actions, but in those of others. That image taken by a tourist as you brush by may be searchable and give away your location.
Right now, we have a system based on obscurity. This works now to some extent, but it will not in the coming decades. When images from our entire life are on disparate systems, we will be able to be tracked, traced and our lives reviewed.
We can even try to make this illegal, but the thing is, criminals do illegal things. Making it more expensive to commit a crime and be caught makes the reactions of criminals worse. They are more likely to become brutal and shoot first, ask later.
The thing with exponential computing power growth and decrease in cost is that in a decade the "bad guys" will have access to all of this material. What we create for good also leads to other uses. A hammer can be used to build as well as to destroy.
Some say I am opposed to privacy
Not at all, I just see that it is going to be blown out of the water with the technological changes that are coming. I am not against privacy, I simply do not see that anything we do will be private one day.
The ethics of this can be debated all we like, but the process of change has already started. The time for this debate was a decade ago and we missed it. I see this as the moral equivalent of debating why a volcano causes destruction. It just does and no matter what we try to tell it, it will react as it will with no desire or thought. It is simply a force of nature. The genie never goes back into the bottle.
The changes we are seeing are similarly a force that we can do little about as much as some lament this and want change to cease.
Well, we are at the point we were a decade ago with regards to security. We can lead change or let it roll over us. We can look at the gaping holes and do something to ensure these existing breaches do not expand until they create a rift we cannot know how to close, or we can act. That is, act now.
Right now, we have a choice. Soon we may not.
We allow ourselves to be hurt. It is not those I do not know nor care for that can ever hurt me. It is only those I call friends and more.
Over the weekend I was hurt by a person I cared about. I live an ocean away from this person and I have only met him at a few SANS conferences when I am in the USA, but I have helped this person and talked via email.
This may seem strange, but we can form strong bonds through electronic media. At times we can share more in this media than we actually do face to face. I have many people whom I call friends that I have not met in person. Others, I have come to meet only after years of knowing them online.
When you interact in groups, we form communities and we create more than a basic sharing of technical knowledge. Limiting ourselves to sharing of technical knowledge and no more is a recipe for collapse. As humans, we form bonds and relate to our community stronger than we do to “outsiders”. In sharing, we become more capable of finding those people we can turn to in times of stress and crisis (such as even a system compromise at work).
My betrayal (and I will not name the person) came when that person was involved in a group discussion. It was bad enough when they did not stand up and say something when I was accused by this group (most of whom I do not care about at all). We are all guilty of this at times; I have been earlier in my life, though I have learned and now I do try and support those I know (even many whom I dislike).
I have even (as a forensic expert) been attacked for my religious convictions in court when giving testimony. It is not a good tack, I will say, as many judges go to church and others do not appreciate these slurs. But it does occur. Although I (other than this weekend and outside my church group) do not talk of religion a good deal, I believe strongly. I also believe that others have the right to their own belief and I do not preach to those who do not wish to hear.
Not standing by one's friends and even acquaintances is one thing. Peer pressure affects us even as adults. To join into the fray is another.
This person I called a friend said they doubted my credentials as well. In itself this was not a lot, but added to the other comments it fuelled far more. I will say what friends do, they ask friends to explain if they are uncertain. It is not as hard as it seems. In my case, I would have provided anything requested to quench the concerns that person had.
Far more information than I would and shall even post on here.
When it is a comment from a person we do not know, an error in fact is one thing; it is a different matter when it is a friend.
As an example, I was accused over the weekend of not caring about privacy and the fact that it will be easier to track and trace people. This is not true, and I do not know the person who said this, so it means little to me. That individual clearly does not know what I value and seek.
I had pointed out how the future will have FMCGs such as Coke cans with IP addresses. It will; there are already projects for this. These are not my projects and I could not stop the tide of change if I wanted. The economic benefits are far too great, and the organisations who embrace this will thrive and, in true Darwinian fashion, the less fit will not survive. So do not shoot the messenger; try and do something and act to ensure that security is built into the project rather than tacked on after the fact.
Due to the nature of another interaction, I had asked what was being said about me to another I know. They found out and sent me a copy of emails and chat logs.
We should really start to understand that we are coming into a world with far less privacy. It is not by choice, but it is how it is evolving. We live in a world when more will be online and when hearsay will give way to electronic evidence. What you say in a group is no longer your own. What you say even in private to another may not be. It is a world where little outside your own thoughts will be truly private. If you share, others also have copies.
Many are not used to this and try to go to the golden age that never existed. The only constant is change and we cannot stop it. We can try and make the world better and guide the tide of change a little, but we cannot make the changes that are in play stop.
It is no longer even now what you post that matters, it is the actions of those you have surrounding you. We are all human and we all make mistakes. I certainly have and do. That stated, I am not afraid of my failings. I let people know what they are as those around me help make sure that I am reminded of my fallacies. In allowing all to see my flaws, I can work on them and I would hope become a better man.
I have been told that I should not say such things. That doing so may impact my chances at a public policy position one day. Well, if there is a position that will not allow me to be human that I need to change from being open and sharing for, then I do not want it. Not now, not ever, I will be open and honest to the best of my ability. That means as an emotive and caring man, not as a figure of marble without flaw or failing.
It is not about being a better Christian, Muslim, Buddhist, or whatever. It is about being a better man (or woman as the case may be). I should learn, but in some lessons of the world and not of the heart, I will not learn and I will again allow myself to be hurt. I refuse to close myself to people I think of as friends. Some of these people will manage in coming years to hurt me deeply as one has in the last week. The option of closing myself and stopping pain is not a choice I will take. It is not a choice that leads to growth.
Sometimes we have to risk being hurt even when we know that the certainty remains that one day we will be hurt for the gains are far greater.
I have been betrayed in the past as well. I fail as a businessman in many ways. Not for my businesses, but because I care. I had started a company, DeMorgan, back in the 90's. I sold it and was rewarded fairly well, though it could have been better.
I did learn that as much as you try and be fair, there is no such thing. After I had sold the company, it was stripped a first time and the assets and contracts were liquidated. The staff would have been left with nothing. I could have left this as it was. I guess most would have. I did not.
I paid the liquidators and purchased the company back. I did not have to, but I started the new firm with any staff member we had before with full pay, the vacation time they had formerly accrued as well as the super and more.
I learned from that exertion that people do not care or that most (there are always some that do not follow the rule) do not understand loyalty. In fact, nobody I hired then worked as hard, cared as much. They all (bar one) came to expect that it was their lot in life to be bailed out. They expected that I would save them, not that they would work to make something, but that they are owed a living. This is a flaw in society. We have this anti-capitalistic ideal and believe that we are owed something.
The reality is we are not, we are simply owed the wage we agree to work for and any other conditions in a contract. Anything more is a gift we should (and rarely are) thankful for.
Society, corporations and anything else we deem to name does not owe us or any other a living. We owe society. The simple answer is if you do not like the role you have and you think you should earn more, then change jobs. All that stated, I was stabbed in the back from those former employees who after having been bailed out of troubles they had ended in by myself and my soon to be former wife had and expressed no loyalty.
I do not learn in some ways. This is my nature. I will still befriend people I should not and I will suffer for it. It has been long enough now that I can tell these stories without causing damage other than to feelings of those who prefer things remain silent. That said, this is not something that actually helps us.
In remaining silent, we all suffer.
It is more than seven years, so I will also document how staff I had trusted, people I called friends, sold out their profession. This really should have gone to court. It did not, at the behest of the senior management and counsel of the Australian Stock Exchange Ltd. My company at the time, fronted by myself, ran the security systems for the ASX.
In a tale of why checks and validation are necessary, a staff member at DeMorgan had created a backdoor into the trading systems. Luckily I found this and alerted the management at the ASX prior to its being exploited, but the damage could have been great. It did start a long battle, as the chairman of the board of my company told me to shut up about it.
He thought exposing the company was wrong. We should have fixed the issue and left the ASX in the dark. I did not. I will detail this and more.
I am human, I have flaws and failings as we all do. Those who attempt to say they do not are hiding for whatever reason and are not being honest. Myself, I would rather be judged as the flawed man I am than the perceived but dishonest talking head some would say I should be.
All said, I will continue.
I have set myself a goal and I work at completing my tasks until it is impossible to achieve them or they have succeeded.
As I said, I will provide details of the good, the bad and all other.
Sunday, 23 October 2011
Right now, disk storage doubles each year in capacity. CPU power doubles each 18 months. Fibre speeds and capacity double each 9 months.
This is exponential growth in a wide scale. This is the type of technological change that economists call disruptive change. There is not a visionary on Earth who can forecast what this will truly mean in 20 years. Even 10 years is astounding. Just take some of the figures that this leads to by 2020:
- Hard disk drives (likely memory based and at phenomenal speeds and with low power sleep states that provide an instant start capacity). Two (2) Petabytes of storage in a personal device.
- CPU speeds of 100 times those we have now.
- Wireless network bandwidth of 100 Gigabytes/Sec or more.
This means that we can expect low-power Internet tablets for less than $1. These will be able to make free VoIP calls. Anywhere to anywhere.
This is a world where in just 9 years, nearly everything will go online. I have already noted how FMCGs will have IP addresses and that even light globes are going online. The future is one where a simple embedded Linux controller will cost less than a cent for a 100 devices.
The digital divide is changing. Right now, only the rich nations have the necessary levels of access to the Internet and ecommerce. The future is one where even the poorest of countries will have complete access.
Think what this means for forensics. For privacy (or the end of).
Start to think what this means for politics. In 10 years we will have low cost tablets. These will be disposable thin and easy to hide with access to the Internet. This is anywhere anytime. This will even mean access in places such as North Korea where Internet access is extremely restricted.
You may say that this will still pose an issue.
After all, the levels of literacy in many developing nations are low. Here is the rub: applications that talk to you are already available. Siri is not new. I have been using Dragon voice typing for a decade now, but it is a CPU hog. Well, that is changing and these systems are improving. Further, I have "RealVoices" that offer a truly human-sounding voice from the PC.
In 2020, we will have a future when any person anyplace on Earth can talk to any other person. This is instant translation of over 100 languages to any other. Of seeing text displayed on screen in any language from any language.
These are not idle claims, they are existing technologies that right now take large systems, but which in time (only a few years) will run on a device smaller than a watch.
Even a nation as isolated and as poor as North Korea will see radical changes. Ask yourself what these device costs lead to. Think of the pamphlet drops we have seen in the past. In the future, it will cost less to drop a set of digital devices on a village than it does to drop a piece of paper.
Tablets that seem as if magic to the people who have been isolated from technology so long. Devices that will open the world, politics and learning to the poorest peoples on Earth.
Just imagine for a moment
Let your mind wander. For even with all I am saying, there is nothing I can state that will cover the changes, the fundamental differences that will develop from this by 2030. We are entering a new era, a new world. There is no way to change this fact now; we have already passed the point of no return.
Imagine for a moment in the coming years that you are that poor villager or peasant in North Korea. You have been isolated for your entire life. You have seen and heard little with only the doubts and false knowledge provided by your “leader”.
Now, suddenly a device is dropped in a crate from an airborne mission. Far too many at once for even a totalitarian regime to stop.
This device talks to you in your own language. It answers questions. It provides knowledge freely. It shows pictures and videos. Anything you ask. You can see news, you can listen to speeches from the UN or movie stars in your own language (instantly translated).
You can access a wealth of classic books and, if you cannot read, these will be translated and read to you in your native dialect.
Think for a moment what this will be in regards to education. The existing school and University systems will be exposed to increasing competition. Not local competition any longer, but International. The best teachers will be able to teach from anywhere. I already have students in multiple countries.
In time, we will choose not from a small list of subjects offered in a local high school, but from a global collection and wealth of knowledge that is beyond my ability to contemplate fully. It is beyond any individual's power to truly grasp.
Add holographic technology.
Right now, personal projection technology is expensive, power hungry and available only to the rich. There are already companies creating virtual board rooms where the members are projected into a room they do not inhabit at the time. This is a 2.5 dimensional effect right now. A decade will change this. It will also make it simple and inexpensive. In the coming decade, projection devices will be a simple feature in phones. There are some already in development with this technology.
This is just a taste. I will write more on this topic. We have to start thinking and planning now for the future is coming. What we make of it will depend on how we act now. A decade is a very short time.