Archive for October, 2013

Oct 14 2013

Your email won’t be any safer over here

I’m not sure why anyone has the illusion that their data would be safer in Europe than it might be in the US.  While some European countries seem to have better laws for protecting email, it’s not a clear-cut thing and there are always trade-offs.  They might have better protections for data at rest while data in transit is fair game, or vice versa.  Plus, if you’re an American, you’re the foreigner to those nations, so many of the protections you might think you’re getting are null and void for you.

Rather than simply speculate, as many of us do, Cyrus Farivar at Ars Technica has written an article, Europe Won’t Save You: Why Email is Probably Safer in the US.  If you examine the laws closely, you’ll find that while countries like Germany appear to have stronger privacy laws, some of the caveats and edge cases make a lie of that appearance.  In this particular example, German law puts a gag order in place by default that prevents your service provider from notifying you in case they’re served with a subpoena or similar device.  Think on that for a moment: if your service provider is served, you’ll never hear about it by default, rather than only when the large intelligence agencies take an interest in you.

Since I moved to the UK I’ve been hip deep in similar arguments with regards to cloud service providers.  Many folks in and around Europe seem to think that their own laws will somehow protect them from the threat of having their data raided by the NSA or some other, even more shadowy US organization.  But the reality is that in many countries they have less protection from their own governments than they do from the US.  Which barely scratches the fact that the core internet routers in many, if not all, countries are compromised by multiple governments, who are getting feeds of every packet that flows across their infrastructure.

The other concern that I hear quite often is about US businesses and information leaving the European Union.  I find this concern interesting, and believe it is likely to be a much more legitimate issue.  In the EU, the data protection laws appear to be much stronger than they are in the US, especially the Safe Harbor Principles.  But the reality is that businesses see the value of having as much personal information as they can get their hands on, so Safe Harbor is given lip service, while the businesses find ways to get around these requirements.  Or in many cases, ask users to opt out of some of the protections to get additional functionality out of a site.

Don’t think that where you host your email or other services is going to protect you if a government wants to get its digital fingers into your email.  As Farivar points out, the closest thing you’ll have to privacy is if you store your email on your own devices and encrypt it with your own encryption keys.  Storing it anywhere else leaves you open to all sorts of questionable privacy laws between you and your hosting provider.  You can’t just consider the jurisdiction you’re in, you have to consider every route your data might take between point A and point Z.  This being the Internet, you’ll never know exactly what route that is going to be.

Personally, I’m not pulling the plug on my Gmail account any time soon.  No government is worse than Google when it comes to intrusive monitoring of your email, let’s be honest.


Oct 13 2013

Time to change DNS methods

I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now.  The difference between the two is mostly academic, since the difference in effect between having your site hacked through a weakness in the code and having all your traffic redirected to a site the bad guys own is immaterial.  Either way, your company is effectively serving up something other than the page you intended, which is what really matters.

There have been a number of high profile sites that have recently been attacked through their DNS registrar.  Registrars are the companies who are responsible for keeping track of who owns which domains and providing the base DNS information for where to find the systems associated with a domain.  In theory, they’re supposed to be some of the most heavily defended types of enterprise on the Internet.  But practice is different from theory, and even registrars have their weaknesses.  In the case of the registrar involved here, the weakness appears to be susceptibility to social engineering attacks.

The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp.  What’s almost funny about the latest attack is that the attackers had to send in a fax as part of the change request to make the changes.  To think that a technology that had its heyday in the 80s would be the method used to attack companies in the second decade of the 21st century is amusing.  Hopefully the registrar has already begun reviewing its processes to prevent a similar event from happening again in the future.  And, again hopefully, other registrars are learning from its mistakes and reevaluating their own processes.

There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar.  Also, not all registrars support locking, so this isn’t always an available option.  If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar.  That last part usually gets their attention.
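
As an added example (not code from the original post or from any registrar), here is the check I would run against the WHOIS record of every domain I care about to catch the two things this post is about: a registrar lock that was never set, and a delegation that has quietly changed to name servers I don’t own.  The WHOIS records below are constructed, and the domain and registrar names in them are hypothetical.  The status codes themselves are the standard EPP ones: the client*Prohibited codes are the registrar lock discussed above, set and cleared by the registrar at your request; the server*Prohibited codes are a registry lock, which the registrar cannot clear on its own and which a faxed change request therefore cannot undo.

```python
"""Registrar posture check over WHOIS text (added example, not the author's code).

Flags domains that lack registrar-side EPP locks, that have no registry-side
lock, and whose delegation differs from a known-good baseline.  All sample
records here are constructed; EXAMPLE-VENDOR.COM and the registrar named in
the records are hypothetical.
"""

# Locks set by the registrar on the owner's request ("registrar lock").
REGISTRAR_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Locks set by the registry; the registrar itself cannot clear them, so a
# social-engineered change request at the registrar cannot bypass them.
REGISTRY_LOCKS = {
    "serverTransferProhibited",
    "serverUpdateProhibited",
    "serverDeleteProhibited",
}

# Constructed record for a hijacked domain: one lock only, NS records changed.
SAMPLE_WHOIS_HIJACKED = """\
Domain Name: EXAMPLE-VENDOR.COM
Registrar: Hypothetical Registrar, Inc.
Updated Date: 2013-10-11T08:15:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: ok
Name Server: NS1.EVIL-HOSTING.EXAMPLE
Name Server: NS2.EVIL-HOSTING.EXAMPLE
"""

# Constructed record for the same domain with full locks and correct delegation.
SAMPLE_WHOIS_LOCKED = """\
Domain Name: EXAMPLE-VENDOR.COM
Registrar: Hypothetical Registrar, Inc.
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Domain Status: serverTransferProhibited
Name Server: ns1.example-vendor.com
Name Server: ns2.example-vendor.com
"""

# The delegation you expect, recorded when the domain was set up.
EXPECTED_NS = {"ns1.example-vendor.com", "ns2.example-vendor.com"}


def parse_whois(text):
    """Return (set of EPP status codes, set of lowercase name servers)."""
    statuses, nameservers = set(), set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "domain status":
            # Many registrars append the ICANN URL; keep only the code itself.
            statuses.add(value.split()[0])
        elif key == "name server":
            nameservers.add(value.lower())
    return statuses, nameservers


def assess(text, expected_ns):
    """Return a list of findings; an empty list means the posture is as expected."""
    statuses, nameservers = parse_whois(text)
    findings = []
    missing = REGISTRAR_LOCKS - statuses
    if missing:
        findings.append("missing registrar locks: " + ", ".join(sorted(missing)))
    if not REGISTRY_LOCKS & statuses:
        findings.append("no registry lock (server*Prohibited) present")
    if nameservers != expected_ns:
        findings.append(
            "delegation changed: expected %s, got %s"
            % (sorted(expected_ns), sorted(nameservers))
        )
    return findings


if __name__ == "__main__":
    for label, record in (("hijacked", SAMPLE_WHOIS_HIJACKED),
                          ("locked", SAMPLE_WHOIS_LOCKED)):
        print(label, assess(record, EXPECTED_NS) or ["ok"])
```

In practice you would feed this the output of your registrar’s WHOIS or RDAP service on a schedule and alert on any non-empty result; the lock findings are the prevention the post argues for, and the delegation finding is how you notice, within minutes rather than days, that a change request you never made has gone through.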

I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS.  It’s not an enviable position to be in.  Which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there.  But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.

Update: Add two more to the compromised list, Bitdefender and ESET.  And again the same registrar is the common point of weakness.


Oct 12 2013

Can DevOps become SecOps?

Published under Simple Security

This is an incomplete thought.

This week I saw Gene Kim give his talk on DevOps and The Phoenix Project for the first time. I’d read the book and loved it, but I’d never seen Gene put life into the concepts himself.  I was mesmerized by his animation and energy in the presentation.

What I couldn’t help thinking is, how can this be translated into security?  DevOps has a security component, but it’s the collaboration between development and operations that makes this work.  So how can that collaboration be expanded to cover the whole business?  I’m probably expressing this poorly, but I think we need to work towards a business model where the whole business thinks of security as part of the fabric of what we do, rather than the bolt-on it is now.

I’m going to have to give this a lot more thought, but I’m glad I got to see him talk rather than simply reading his book.


Oct 07 2013

Explain it to me

Published under General, Hacking, Humor

I’ve never hidden the fact that I’m a bit of a rebel.  Okay, to be honest, I’m proud of being a stubborn contrarian who’s going to do what he thinks necessary, despite what it might cost in the future.  Part of the reason is that I’ve always been smarter than average and I feel that I see and understand things in ways many others don’t or can’t.  And as long as I’m being honest, I also enjoy the chaos this engenders and the ability to thumb my nose at convention and authority.  I like upsetting people’s preconceived notions and making them think about things they might normally shy away from contemplating.  I want improvement over the present and I despise the status quo.  And I don’t think I’m at all unique amongst security professionals; we’re almost all rebels to one degree or another.

I believe people who love security as a career are similar to me in large part.  We’re people who see a problem that needs to be solved, puzzles that need to be unlocked and mysteries begging to be revealed.  Constant learning is the hallmark of a good security professional.  If you look at the most successful hackers, they got to the top because they can’t pick up a piece of electrical equipment or software without trying to see how it works.  We want to understand, to unlock and hopefully to gain just a little more knowledge about how the world around us works.  And yes, I include ‘hackers’ in the continuum of security professionals, as a subgroup who tends to embrace the chaos more than the more corporate professional does.

Let me give you an example.  Over the summer at a small conference in Las Vegas, a select group of us met at a restaurant for dinner, a not uncommon occurrence for that time of year.  What was a little unusual was that when we sat down, the waitress handed the group a set of iPads with the drink and food menus on them.  Apparently we were meant to place our orders through these devices and the waitress would magically bring them out several minutes later.  But you should have seen eyes light up around the table as everyone started considering how to break out of the menu app and make the system do things the restaurant had never meant for their app to do.  It was like Christmas in July!  Needless to say, it was only a few minutes before we had to hand one of the iPads back to the waitress with an explanation of “Umm, we think this one is broken, it shows another restaurant’s menu.”  They’d figured out how the tool worked, unlocked the puzzle and had some fun, all in one fell swoop.  This curiosity is the core of who we are.

This need to understand is one of the things that makes many security professionals hard to work with.  We don’t take orders well, or at least I don’t.  We want to understand the underlying logic of a decision; we want to understand the thought process that went into making the decision and why it’s the best decision.  “Because it’s always been done this way” is the bane of our existence; when was the last time anyone examined the why of that way?  Does doing it that way still make sense?  Is there a better way of doing it?  Does doing this actually accomplish our goal, or is it just busy work?  Managers don’t want to explain, they just want to get the task done, despite the fact that the task might not be leading towards the actual goal, but away from it instead.  And sometimes that’s the right thing to do.

We, as security professionals and hackers of the reality around us, have to be aware of this need to understand and unlock within ourselves and take steps to counteract it when appropriate.  Personally, it’s hard for me to accept “this is just the way it needs to be done”, but sometimes that’s the correct path.  Those moments are relatively rare; I prefer that the people giving me direction explain what it is they hope to accomplish and let me figure out how to do it best.  In the main, we have the time to discuss, to understand and to come to an optimal solution for the problem, and often if we take the time to do so, we realize the problem we were really trying to solve is not the problem we thought we were trying to solve.

It’s always important to understand your own motivations in decision making.  It’s also important to understand the motivations of the people around you in that same process.  I don’t claim that every security professional is driven by chaos and curiosity, but most of the ones I gravitate towards are.  We see chaos as a method to drive improvement.  But being aware of that motivation and how it influences the decisions we make will help us not only make the right decisions, it will help make those decisions in a way that is less stressful for us and those around us.

So let your coworkers know that you’re not challenging them, you’re challenging the decision making process and seeking to understand why a decision was made.  You want to understand what the goal was and how the decision leads to that goal.  But also understand that sometimes the analysis of a decision is not a luxury that can be afforded at a particular point in time.  There are times where we just have to take orders and shut up.  It seems to go against the grain of who we are, but it’s an unfortunate necessity in some cases.

I’m lucky in that I’m at a point in my career, in my life and in my role that I’m not only accepted as someone who’s supposed to question the decision making processes, it’s expected of me.  You can’t be a ‘thought leader’ if you never question authority, never question the status quo, never question the reasoning that brought us to this point.  But I also have to be cognizant of the fact that what is generally one of my strengths can also be one of my greatest weaknesses if I’m not careful.  Giving in to the desire to understand when things just need to get done leads to frustration for everyone involved, and is harmful to the mission when done at the wrong time.

I may be grossly generalizing my own rebellion onto the entire security and hacker community.  I know a lot of people are going to say, “I’m not at all like that”, and they may be right.  Each of us has our own unique set of motivators that push us into the decisions we make.  But this is a set of motivators I see as a commonality in the community I live in.  Understanding your own motivations is one of the best ways to combat the frustration we often feel when dealing with people who don’t see the world as a puzzle like we do.  And knowing they don’t see it the same way might help us communicate in ways that settle some of their frustrations as well.


Oct 06 2013

Invasive monitoring at next Winter Olympics

If you have plans to go to the next Winter Olympics, in Sochi, Russia, prepare to have any and all of your electronic communications monitored.  The Guardian has found paperwork, including procurement documents and tenders, looking for the technology needed to monitor all communications to and from the Olympic venue.  We have to assume that this means all phone calls, all wifi access and is very likely to include ways to break into other, supposedly encrypted, channels such as Skype and the Tor network.

It’s really nothing new to think of governments monitoring the communications going on at the Olympics, but the sheer size and depth to which the Russian government will be monitoring is more than a bit daunting.  Given the current environment and the fact that citizens from every walk of life are more sensitive than ever to being spied upon, it’s very likely that this will receive more attention than if it had happened at the London Olympics.  And because it’s Russia that’s doing the monitoring, rather than a western power, it makes it more suspect in many people’s eyes.

One of the scary aspects the Guardian story hints at is that monitoring won’t be aimed simply at the security and safety of attendees of the Olympics, it will also be aimed at political dissidents and ‘illegal’ activities, such as gay rights activism.  Adding to that the probability that all data captured during the Olympics is going to be stored indefinitely and analyzed in depth, anyone who holds views that are unpopular with the Russian government should be very, very nervous.  I won’t be surprised to see a number of Russian citizens who attend the Olympics arrested three to six months later as the government gets around to analyzing their communications.  Or to have these communications surface years later to embarrass dissidents.

Yes, I’m paranoid.  But if I have an opportunity to attend the Olympics in Sochi, I’ll have to think twice before accepting it.  I’ll take a number of precautions similar to what I’d take if I was attending a big event in China: burner phone with a local SIM, laptop that will be retired after the event, email address that only gets used during the Olympics, just for starters.  I’d also be very cognizant of the fact that I’m being monitored every moment, with my movements being analyzed by computer algorithms as well as human agents.  Most importantly, I would avoid any reading that would raise my paranoia level higher than it already was before or during the trip.

Most people will be oblivious to the monitoring at the Olympic games.  And for most people, that’s a price they’re willing to pay in order to see one of the biggest events in the world.  Which could be the right decision for the average Joe.  But if you’re not the average Joe, if you have opinions or tendencies that are unpopular with the Russian government, think seriously about taking some precautions before you head to the Olympics in 2014.

Last of all, remember, the monitoring of electronic communications will be just part of the equation.  There will be mics and cameras everywhere as well.  Probably even the bathrooms.


Oct 03 2013

Not so anonymous

Published under Government, Privacy, Risk

Maintaining anonymity on the Internet is hard.  And it’s only getting harder as governments get savvy about how to track down people who are doing “bad things”.  All it takes is one little mistake and your cover is completely blown.  This applies to criminals as much as it does to political activists, something to keep in mind as you wander the web and express your opinions: OPSEC (Operations Security) is hard.

We have two recent examples of this.  The Dread Pirate Roberts, mastermind of Silk Road, an online drug trafficking site that has been around for years, was arrested this week, and in part it appears that all it took was a few simple mistakes.  One mistake was accessing the servers controlling Silk Road from an internet cafe near the hotel he was staying in at the time.  Another was using a Gmail address that had additional contact information attached, at least if you have a subpoena forcing Google to disclose that information.  Apparently the final straw was when “Dread Pirate Roberts” tried to get fake IDs sent to his real address.  Connecting your digital and physical identities like this is generally a bad idea.

The other story is that thirteen members of Anonymous have now been indicted on charges related to attacks against the MPAA, RIAA and several financial institutions.  When Anonymous started attacking as a form of protest, they thought that the use of tools like LOIC and HOIC would keep them from being caught, because they’d be part of a crowd and hard to track down.  That was a laughable assertion, primarily because the tools make no effort to hide the source of their traffic and so make tracking it back fairly simple.  It’s more an issue of having the time and will to hunt down a nuisance than of technical difficulty.  But if you add hacking of web sites and other federal crimes to the list, you might find that the FBI suddenly has the will needed to find you.  Funny, that.

The difficulty of maintaining anonymity on the Internet is much higher than most people understand.  All it takes is logging in from the wrong location once or using an address that’s linked to your real world identity and you’re toast.  Which makes it all the more amazing that th3J35t3r has managed to maintain some anonymity for a number of years now.  Makes you think maybe he has people helping him maintain that anonymity in all sorts of places.

It’s only going to get harder to retain any sort of secrecy associated with identity as time goes by.  Due, in part, to American spying, Brazil is considering creating their own ‘Internet’.  The ITU is seriously considering taking control of the Internet away from American companies and allowing various countries to implement their own controls at their borders.  Many of the proposed changes would require end users to explicitly tie their identity to their browsing and Internet activity.  The idea of a balkanized or country specific Internet with borders, was once thought of as a laughable idea, but now might be a very real possibility.

If you’re planning on doing ‘bad things’ on the Internet, remember that keeping your identity a secret is hard now and it’s only going to get more difficult as time goes by.  Both of the examples I used are clearly criminal actions, but it’s our governments who get to decide what ‘bad things’ are; the opinion that you felt free to express today might be added to that classification at any time.  Since everything you’re doing online is now being kept in databases for future reference, keep in mind that what you’ve already said could some day be considered ‘bad’.  May you live in interesting times.


Oct 02 2013

Malicious compliance from Lavabit

This was a brilliant move from Ladar Levison, the owner of the now shuttered private email service, Lavabit.  When the FBI compelled him to give up the encryption keys to his service for Edward Snowden, Levison complied, though quite a bit maliciously; the keys were given to the FBI in printed form on 11 pages of 4 point font.  I’m not sure why 5 512-bit encryption keys would require 11 pages at that size, but I have to approve of his method of delivery.

The disturbing part of this story isn’t how Levison delivered the keys to the FBI, but rather the overreach of the FBI to try to read the email of one person.  Apparently, the FBI agents weren’t satisfied with having the keys required to decrypt their target’s email, they actually wanted the master encryption keys to Lavabit’s entire archive.  This would have given them access to the email of 400,000 people who had subscribed to the Lavabit service, the equivalent of the city of Milwaukee.  It’s still not clear why this level of access is needed in order to investigate the crimes of one person, which the judge apparently agreed with, since he quashed the motion as well as the motion to put a gag order on Levison.

I’ve never had the opportunity to meet Levison, so I can’t make any comments on his personality or ethics, but I have to applaud his efforts to protect the privacy of his clients, to the point of having to close his business.  If Microsoft, Google and other tech giants had shown even a fraction of his willpower to push back on a law enforcement regime that has been pushing its power to the edge of abuse and past it, we’d be having a very different discussion in public right now.  Except most citizens of the US have already forgotten that this conversation is even going on.  Europe, on the other hand, is very aware.


Oct 02 2013

UK wants a cyber defense force, just like the US

The UK has been following the US government’s lead on a number of things.  Earlier this year they launched a plan called the Cyber Information Sharing Partnership (CISP) to promote information sharing between the UK government and critical infrastructure providers within the UK.  This somewhat mirrors the long term efforts in the US under the umbrella of the Information Sharing and Analysis Centers (ISACs) that have been going on for some time.  In both cases the goal seems to be enabling a communication channel that allows government to share information with industry insiders in order to protect themselves better.  If this follows the US pattern, the CISP program will spend much of its first few years building up trust with the participating companies.  However, the relationship between business and government is slightly different in the UK, something I’m finding out up close and personal, which might change the equation in favor of building that trust much faster.

There are two additional efforts that mirror things happening in the US.  The first is a plan to create a cyber defence force in the UK called the Joint Cyber Reserve Unit (I wonder if they’ll call it ‘J Crew’).  The JCRU will have the ability to protect UK computer systems and if needed perform “cyber strikes” against ‘enemies’, though both of those terms are poorly defined at this point in time.  The US has been working on a similar capability in the military for a number of years and there have been stories about a non-military version of this effort, but very little news of what is really being done in the US has leaked out.  I strongly suspect that the UK version of this effort will be similarly quiet, working almost entirely behind the scenes.

The second effort is an accreditation program run by the UK’s GCHQ (the equivalent of the US NSA) to perform testing of security professionals in the form of a CESG Certified Professional.  There are six types of certification ranging from Practitioner to IT Security Officer.  It’s unclear exactly what will be tested for without a lot of digging, but it looks like an interesting effort.  It’s got to be better than the US efforts that basically state security professionals need to have their CISSP.  I plan on taking a much longer look at this in order to see if any of the accreditations are appropriate for me to apply for personally.

Our governments are obviously sharing a lot of experience on the spying front, but it’s nice to see them sharing information on the security front as well.  Maybe the US can learn a little from the UK’s efforts at accreditation.  I’m not going to hold my breath though.
