Archive for January, 2014

Jan 24 2014

Can’t get there from here

I’ve had an interesting problem for the last few days.  I can’t get to the Hack in the Box site, HITB.org, or the HITB NL site from my home near London.  Turns out I can’t get to the THC.org site or rokabear.com either.  That makes four hacking conferences whose sites I can’t get to.  And I’m not the only one, since apparently a number of people who are using Virgin Media in the UK as their ISP can’t get to these sites, while other people on other ISPs in Britain can get to all four of these sites.  I can even get to them if I log into my corporate VPN, just not while the traffic is flowing out through my home network.  I’m not going to accuse Virgin Media of blocking these sites, but I’m also not ruling chicanery on their part out as a cause either.  I also make no claims that I possess the network kung-fu to verify that any of my testing is more than scratching the surface of this problem.

So here’s how this all started:  Yesterday morning I saw a tweet that the early bird sign up for Hack in the Box Amsterdam was going to end soon.  I know some of the organizers of the event, I’ve wanted to go for a long time, so I decided to get my ticket early and save the company a few bucks.  I opened up a new tab in Chrome, typed in haxpo.nl and … nothing, the request timed out.  Hmm.  Ping gave me an IP, so the DNS records were resolving, but the site itself was timing out.  I switched to the work computer, to find the same thing was happening.  Then I logged into the corporate VPN and tried again, and suddenly everything worked.  Curious.

At first I thought this might be a stupid DNS trick played at the ISP, so I changed my DNS resolvers to a pair of servers I have relative certainty aren’t going to play tricks, Google’s 8.8.8.8 and the DNS server from my old ISP back in the US, Sonic.net (who I highly recommend, BTW).  This didn’t change anything, I still couldn’t get to HITB.  I had to get working, so I did what any smart security professional does, I threw up a couple of tweets to see if anyone else was experiencing similar issues.  And it turns out there were a number of people, all using Virgin Media, who had the identical problem.  This is how I found out that THC and Rokabear are also not accessible for us.

As yesterday went by, I got more and more confirmations that none of these hacking sites are available for those of us on Virgin Media.  At first I thought it might simply be VM blackholing the sites, but VM’s social media person sent me a link to review who was being blocked by court order by Virgin Media.  I didn’t find any of the hacking sites listed in this, besides which Virgin Media actually throws up a warning banner page when they block a page, they don’t simply blackhole the traffic.  They will limit your internet access if they feel you’re downloading too many big files during peak usage hours, but that’s a discussion for another day.

The next step was tracert.  I’m a little chagrined to admit I didn’t think of tracert earlier in the process, but to be honest, I haven’t really needed to use it in a while.  What I found was a bit interesting (and no, you don’t get the first two hops in my network chain, you have no need to know what my router’s IP is).

C:\Users\Martin>tracert www.hitb.org

Tracing route to www.hitb.org [199.58.210.36]

  3     9 ms     7 ms     7 ms  glfd-core-2b-ae3-2352.network.virginmedia.net [8.4.31.225]
  4    11 ms     7 ms     7 ms  popl-bb-1b-ae3-0.network.virginmedia.net [213.10.159.245]
  5    10 ms    11 ms    10 ms  nrth-bb-1b-et-700-0.network.virginmedia.net [62.53.175.53]
  6    11 ms    15 ms    14 ms  tele-ic-4-ae0-0.network.virginmedia.net [62.253.74.18]
  7    13 ms    16 ms    14 ms  be3000.ccr21.lon02.atlas.cogentco.com [130.117.1.141]
  8    16 ms    14 ms    16 ms  be2328.ccr21.lon01.atlas.cogentco.com [130.117.4.85]
  9    17 ms    15 ms    16 ms  be2317.mpd22.lon13.atlas.cogentco.com [154.54.73.177]
 10    88 ms   102 ms   103 ms  be2350.mpd22.jfk02.atlas.cogentco.com [154.54.30.185]
 11    99 ms   100 ms    91 ms  be2150.mpd21.dca01.atlas.cogentco.com [154.54.31.129]
 12    97 ms    94 ms    96 ms  be2177.ccr41.iad02.atlas.cogentco.com [154.54.41.205]
 13   102 ms   100 ms   105 ms  te2-1.ccr01.iad01.atlas.cogentco.com [154.54.31..62]
 14   101 ms   210 ms   211 ms  te4-1.ccr01.iad06.atlas.cogentco.com [154.54.85.8]
 15    90 ms    91 ms    99 ms  edge03-iad-ge0.lionlink.net [38.122.66.186]
 16    90 ms    94 ms    98 ms  23.29.62.12
 17  nlayer.lionlink.net [67.208.163.153]  reports: Destination net unreachable.

Rather than doing what I thought would be the logical thing and simply hopping across the Channel and hitting Amsterdam fairly directly, my traffic leaves the VM network through Cogent Networks, hits a few systems in the US owned by a company called Lionlink Networks LLC and dies.  So my traffic leaves the UK, travels to Switzerland, then to the US, over to Washington DC and then dies.  And this happens with four separate hacker conference sites, but doesn’t appear to happen anywhere else.  Oh, and all four hacking sites take the same basic route and all die shortly after hitting LionLink.  Hmmmm.

I know I’m a professional paranoid.  I know how BGP works and that it’s not unusual for traffic to bounce around the internet and go way, way, way out of what a human would consider a direct route, but the fact that all four EU hacking sites all route back to the US and that they all die when they hit Lionlink is more than a little suspicious to me.  It’s almost like someone is routing the traffic through Switzerland and the US so it can be monitored for hacker activity, since both countries have laws that allow for the capture of traffic that transgresses their borders.  But of course, that would just be paranoid.  Or it would have been in a pre-Snowden world.  In a post-Snowden world, I have to assume most of my traffic is being monitored for anomalous behavior and that the only reason I noticed is because someone at Lionlink screwed up a routing table, exposing the subterfuge.  But that would just be my paranoia speaking, wouldn’t it?

I’m hoping someone with deeper understanding of the dark magiks of the Internets can dig into this and share their findings with me.  It’s interesting that this routing problem is only happening to people on Virgin Media and it’s interesting that the traffic is being routed through Switzerland and the US.  What I have isn’t conclusive proof of anything; it’s just an interesting traffic pattern at this point in time.  I’m hoping there’s a less sinister explanation for what’s going on than the one I’m positing.  If you look into this, please share your findings with me.  I might just be looking at things all wrong but I want to learn from this experience whether I’m right or not.

Thanks to @gsuberland, @clappymonkey, @sawaba @tomaszmiklas, @module0x90 and others who helped verify some of my testing on twitter last night.  And special thanks to @l33tdawg for snooping and making sure I got signed up for HITB.

Update – And here it is, a much more believable explanation than spying, route leakage.  So much for my pre-dawn ramblings.

From Hacker News on Ycombinator:

This is a route leak, plain and simple. Don’t forget to apply Occam’s Razor. All of those sites which are “coincidentally” misbehaving are located in the same /24.

This is what is actually happening. Virgin Media peers with Cogent. Virgin prefers routes from peers over transit. Cogent is turrible at provisioning and filtering, and is a large international transit provider.

Let’s look at the route from Cogent’s perspective:

  BGP routing table entry for 199.58.210.0/24, version 2031309347
  Paths: (1 available, best #1, table Default-IP-Routing-Table)
    54098 11557 4436 40015 54876
      38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
        Origin incomplete, metric 0, localpref 130, valid, internal, best
        Community: 174:3092 174:10031 174:20999 174:21001 174:22013

If Cogent was competent at filtering, they’d never learn a route transiting 4436 via a customer port in the first place, but most likely someone at Lionlink (54098) is leaking from one of their transit providers (Sidera, 11557) to another (Cogent, 174).

Also, traffic passing through Switzerland is a red herring — the poster is using a geoip database to look up where a Cogent router is. GeoIP databases are typically populated by user activity, e.g., mobile devices phoning home to get wifi-based location, credit card txns, etc. None of this traffic comes from a ptp interface address on a core router. GeoIP databases tend to have a resolution of about a /24, whereas infrastructure netblocks tend to be chopped up into /30s or /31s for ptp links and /32s for loopbacks, so two adjacent /32s could physically be located in wildly different parts of the world. More than likely, that IP address was previously assigned to a customer. The more accurate source of information would be the router’s hostname, which clearly indicates that it is in London. The handoff between Virgin and Cogent almost certainly happens at Telehouse in the Docklands.

If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)
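As an added illustration of the valley-free rule the comment above relies on (example code, not from the post or the Hacker News commenter): it parses the quoted BGP entry and walks the AS path from the origin toward Cogent (174), flagging the hop where Lionlink (54098) hands a route learned from its other transit provider, Sidera (11557), to Cogent. The relationship table is an assumption reconstructed from the comment; the pairs beyond Lionlink’s two providers are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Assumed AS relationships as (provider, customer). The first two pairs follow
# the comment: Lionlink (54098) buys transit from Cogent (174) and Sidera (11557).
# The remaining pairs are constructed so the whole path can be classified.
P2C = {
    (174, 54098), (11557, 54098),
    (4436, 40015), (40015, 54876),   # assumed customer cone below AS4436
}
# Assumed settlement-free peering between Sidera and AS4436.
PEERS = {frozenset((11557, 4436))}

# The BGP entry quoted in the comment, embedded here as sample input.
SAMPLE_BGP_ENTRY = """\
  BGP routing table entry for 199.58.210.0/24, version 2031309347
  Paths: (1 available, best #1, table Default-IP-Routing-Table)
    54098 11557 4436 40015 54876
      38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
        Origin incomplete, metric 0, localpref 130, valid, internal, best
"""


def parse_bgp_entry(text: str) -> Tuple[str, List[int]]:
    """Extract the prefix and AS path from a 'show ip bgp <prefix>' style entry."""
    m = re.search(r"routing table entry for (\S+),", text)
    if not m:
        raise ValueError("no prefix line found")
    for line in text.splitlines():
        # The AS path is the only line made up solely of AS numbers.
        if re.fullmatch(r"\s*\d+(\s+\d+)*\s*", line):
            return m.group(1), [int(asn) for asn in line.split()]
    raise ValueError("no AS path line found")


def hop_direction(a: int, b: int) -> Optional[str]:
    """Classify the propagation hop a -> b: 'up' (customer to provider),
    'down' (provider to customer), 'peer', or None if the relationship is unknown."""
    if (b, a) in P2C:
        return "up"
    if (a, b) in P2C:
        return "down"
    if frozenset((a, b)) in PEERS:
        return "peer"
    return None


def find_leak(observer: int, as_path: List[int]) -> Tuple[Optional[bool], str]:
    """Valley-free check of a path in table order (neighbour first, origin last).
    A route may go up any number of times, cross at most one peer link, and then
    only go down. An 'up' or 'peer' hop after that point means some AS exported
    a provider- or peer-learned route to another provider or peer: a route leak.
    Returns (True, why) for a leak, (False, why) if clean, (None, why) if unknown."""
    hops = list(reversed(as_path)) + [observer]   # origin ... neighbour, observer
    phase = "up"
    for a, b in zip(hops, hops[1:]):
        d = hop_direction(a, b)
        if d is None:
            return None, f"unknown relationship between AS{a} and AS{b}"
        if d == "down":
            phase = "down"
        elif phase != "up":
            return True, f"AS{a} re-exported a provider- or peer-learned route to AS{b} ({d})"
        elif d == "peer":
            phase = "peer"
    return False, "valley-free"


if __name__ == "__main__":
    prefix, path = parse_bgp_entry(SAMPLE_BGP_ENTRY)
    print(prefix, path, find_leak(174, path))
```

Seen from Cogent, the path goes down from Sidera to Lionlink and then up again into Cogent, which is exactly the valley the commenter describes.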


Jan 23 2014

But first, BSides…

I’m looking forward to this year’s pilgrimage to San Francisco.  Not that it’s ever been a pilgrimage before, since I lived 60 miles away, but now that I live near London, it’s a much longer trip.  I’ll be arriving in San Francisco a few days early for a couple of reasons.  The first is to visit my family and friends in the Bay Area, who I haven’t seen since I moved away.  The second reason is to attend BSides SF on Sunday and Monday.  Which, in many ways, is also a visit to friends I haven’t seen since moving.

Let’s assume for a second you’ve never attended a BSides event.  It’s community led, it’s free, and each one is unique.  BSides SF is being held in the DNA Lounge, which has been a fixture in San Francisco for as long as I can remember.  Think of a funky, grungy, dark underground bar.  Then add in a couple of hundred hackers, security devotees and a few people who happened to find their way into the event with little or no idea of what’s going on.  The talks range from first time speakers (something that’s strongly encouraged) to some of the best speakers in the realm who want to step outside the confines of a business conference to talk about things that aren’t quite politically correct.  Finally, add in a healthy dose of chaos and an even healthier sprinkling of community and you have some idea of what BSides is.  But unless you actually attend, my description is never going to be adequate to capture the true energy of the event.

I make no bones about it, for me conferences are about meeting the people there, not about the talks.  However, the talks at BSides tend to take a higher priority than they do elsewhere.  While some of the talks are a bit rougher than those at conferences you pay for, the fact that people are speaking with unfiltered passion more than makes up for it.  And a number of the talks simply couldn’t be given at a corporate event.  I’m looking forward to Morgan Marquis-Boire’s (aka @headhntr) talk, even though he hasn’t publicly stated what it’ll be about yet.  Morgan has worked on uncovering a number of government surveillance schemes around the globe, so anything he’s chosen to talk about has to be interesting.  Along the same lines, Christopher Soghoian’s talk about living in a post-Snowden world is a must for me, even though I often find myself disagreeing with what Chris says publicly.  What can I say, privacy has always been a favorite topic of mine and has never been something that’s more in need of open, public discussion.

I’m also looking forward to seeing three of my friends on one panel, Jack Daniel, Wendy Nather and Javvad Malik discussing how to talk to an analyst, or rather how not to talk to an analyst.  Javvad gave an excellent PK (20 slides, 20 seconds per slide) talk at RSA EU covering all the horrible slides he sees again and again as an analyst.  The trio will be entertaining at the least, and I might even learn a little about talking to analysts myself.  Ping Yan’s talk on using intelligence looks interesting and has potential for my day job, so I’m going to try to find a seat for that talk as well.  And I have to support my podcast co-host Zach Lanier, even though I usually understand about half of what he’s presenting on any given occasion.

There are other interesting talks; if I can sit through the talks I’ve already mentioned, it’ll probably be the most I’ve seen at one conference in a long time.  I have a pretty short attention (Squirrel!) span, and I’d rather be talking with the presenters than simply listening to them passively.  I’ll have a mic and my Zoom H4, so it’s entirely possible I’ll be able to get a few of them to spend a few minutes doing exactly that.  Which means I can share the conversations with you as well.


Jan 21 2014

Faking Safe Harbor compliance

Published under General

If you’ve ever had to deal with data privacy laws, then you’ve probably heard of the EU Safe Harbor framework.  These are basically a set of 7 basic guidelines (Notice, Choice, Onward Transfer, Security, Data Integrity, Access & Enforcement) that govern how any US company doing business in the EU will treat private information.  Doesn’t sound too bad, but the reality is that Safe Harbor is a bit of a pain to comply with, since there are different interpretations of the rules for nearly every country in the EU.  The rules in one country, say Italy, might be relatively short and easy to understand, while the rules in another, maybe Germany, might be long, complex and convoluted.  The general outline is the same for all countries, but they get to decide their own specific implementations.  You can see that this might make it a little hard to comply with the Safe Harbor framework, even though the laws all originate from the same framework.

So it doesn’t surprise me too much to find out that the Federal Trade Commission has announced that a dozen companies, including Level 3 and a few football teams (??), have violated the Safe Harbor rules.  According to Gigaom, the violations are technical in nature, rather than being willful violations.  This means they were probably tracking visitors using cookies in the wrong way or retaining information about their clients they shouldn’t have.  It wouldn’t take much, since in some countries an IP address can be considered personally identifiable information (PII) and retaining that information would be a violation.  On the other hand, I can fully believe that companies such as the accounting firms named in the violations knew they were keeping information they shouldn’t, but had to in order to perform the roles they’re paid to do.

I believe one of the points that’s easy to miss in the article is probably the most important: “US companies have been deceiving people by using out-of-date certification marks”.  In other words, these companies at one time had been self-certified or audited by a third-party, but let this lapse and continued to do business and sell products by stating they were Safe Harbor certified.  If the FTC did an audit of their own records, made a list of the organizations that let their certifications lapse and then investigated those organizations, it would explain why these people made the list.  It would also be a warning shot across the bow for other companies that have let their compliance lapse, and an indicator that there are a lot more companies that might be facing scrutiny in the future.  If your company has Safe Harbor responsibilities, I’d definitely review your own compliance level.

I can almost guarantee that Safe Harbor will be getting a lot more attention this year than it has in the past.  The US is, and will be for some time to come, under the microscope by EU governments and organizations.  The NSA efforts uncovered by Snowden make this a given, just as they make the handwaving by the FTC a given.  This probably marks the first time that the FTC has taken Safe Harbor seriously in quite some time, but it won’t be the last.


Jan 19 2014

Prepping for RSA

It’s funny.  There are two distinctive groups I get invites to meet with at the RSA conference: the early invites from companies that are hungry for coverage, any coverage, and the last minute invites from companies who didn’t get as many interviews as they’d like and are looking to fill one or two last interviews from second (or third [or fourth]) tier ‘press’ such as myself.  There are a few invites that come somewhere in the middle, but they still tend to gravitate towards one of those two ends of the spectrum.  And it makes setting up a schedule for RSA extremely hard sometimes, since I tend to want to leave one or two slots open to make time for the last minute invites I find interesting.

Speaking of interesting, I think the most interesting story of the conference will be the boycott by a few speakers and the reasons behind it.  I wonder how many of the company representatives I speak with are even going to be aware of the fact that a boycott is happening and if it will affect them in any way.  As I’ve said before, I’m not really in support of the boycott, but I understand the reasons a number of professionals are supporting it and I think they have every right to.  So asking other attendees and sponsors how they think the boycott has affected them should get some interesting responses.

In any case, now it’s time to start responding to the invitations to meet I’ve already gotten and try to figure out how I can fit everything in alongside my professional duties.  Many years I’ve created microcasts throughout the conference, something that’s incredibly hard to find the time and energy to do.  Last year I mostly abandoned them, but I think I’m going to try to do microcasts again.  But I reserve the right to drop them if time doesn’t allow for it.


Jan 06 2014

Still going to RSA

In the last couple of weeks Mikko Hyppönen from anti-virus company F-Secure announced that he won’t be speaking at the RSA Conference in San Francisco at the end of February.  His reasoning is that the company, RSA, colluded with the NSA for a fee of $10 million in order to get a weakened version of a random number generator included in the public standards, a move that makes the whole suite of encryption standards easier to crack.  As Mikko points out, RSA has not admitted to this accusation, but they haven’t denied it either.  So Mikko has pulled his talk and has publicly stated that as a foreigner, he doesn’t feel right supporting the conference.  I understand his sentiment, I see what he’s hoping to accomplish.  But I don’t think boycotting will do much, other than gain Mikko a little bit of attention short term and harm his reputation long term.

The first problem with boycotting the conference is that RSAC is, for all intents and purposes, a side company from the RSA corporation.  It has its own management structure, its own bottom line, its own profit and loss reporting.  And it’s only a small fraction of the overall revenue stream of the corporation.  As such, any impact that boycotting the conference might have is going to be highly diluted when it reaches the management of the central corporation.  Yes, at some point in a meeting it will be discussed that a speaker has withdrawn over NSA concerns, maybe even a dozen other speakers will join in a show of allegiance.  But the conference organizers will simply pick from the dozens of alternative speakers of nearly equal capability and move on.  Senior management might lose two or three minutes of sleep that night, but nothing more.  And any impact that having a particular speaker boycott has can easily be written off as being from other, much larger changes that RSA is making to the conference layout this year.

The second problem I have is that while Mikko has stated he’ll be boycotting the RSA Conference, he’s said absolutely nothing about F-Secure boycotting.  As a vendor, I know that marketing departments have to commit to the conference at least a year in advance and I’ve heard that some commit to multi-year contracts in order to get better pricing.  The small booths at either end of the halls cost tens of thousands of dollars, while the big booths in the center of the floor cost the vendors several hundred thousand dollars when all is said and done.  If Mikko wanted to make a statement that would really be heard, he’d have F-Secure withdraw from the RSA Conference this year and for the next few years.  Except he can’t.  Any vendor that’s mid-size or larger in the security field has to be at the RSA conference.  In many cases, this conference is the keystone for the whole marketing effort of the year, and any talk of a boycott would be immediately quashed as an impossibility.  Quite frankly, if you’re a security vendor and you don’t have a presence at RSA, you’re not really a security vendor and everyone knows it.  

The third issue I have with the boycott has nothing to do with Mikko and is closely related to the vendor point; it’s become a popular meme since Mikko’s announcement for security professionals to say they’re going to boycott RSA as well.  I’ll be honest, I’ve never paid to go to RSA, I’ve always had a press pass, gone as a vendor, or gone as a speaker, more than once as all three at the same time.  But even if I were, the money I’d pay to go to RSA is still insignificant when you compare it to what the organization makes off of the sponsors.  It would take a huge number of attendees failing to show up in order to make an impact.  Given the growth rate of the conference over the last few years, it’s most likely that even a thousand people joining up in a boycott would simply lead to a flat growth rate at best.  Additionally, similar to vendors, most people who are attending and have their company pay for it have already purchased their tickets and a boycott at this point would be more detrimental to them than it could be to the RSA Conference.

If you think that NSA has been behaving badly and you really want to have an impact, go to the event and talk to people at the event.  If you’re a speaker, change your talk to include a slide or ten about what you believe RSA has done wrong.  You might be right or you might be wrong, but you’ll have a chance to tell your story to the several hundred people in your audience.  If you’re an attendee, go to the conference and talk to other attendees, tell them why you think the RSA Corporation has crossed the line and spread the word.  You gain almost nothing by throwing a temper tantrum and leaving the playground.  But if you attend, talk to people and raise awareness of the issues, you let others know that something isn’t right, something needs to be changed.

I wish Mikko the best, and maybe his boycott has raised awareness some.  But all the people who say “Me too!” aren’t going to have an impact.  They might feel better about themselves for a short period of time, but all they’re really doing is cutting themselves off from one of the biggest events in security.  It’s better to attend, be social and spread your opinions than to opt out and leave your voice unheard.  I’m attending as a blogger, as a podcaster, as a speaker (panelist, really) and as a vendor.  It would have more impact on me and my career to boycott than it ever would to the RSA corporation.

If you really want to send the RSA Corporation a message, quit buying their products and tell them why.  Now that’s a message they’ll hear loud and clear.


Jan 05 2014

Much needed vacation

Published under General, Personal, Risk

I’m back after a two week self-enforced hiatus from all things security and work related.  For the last 14 days, I haven’t checked emails, I haven’t been on twitter, I haven’t checked the news, I haven’t read the news sites.  I’ve simply spent time with my family, played Minecraft, watched anime and eaten my way through the Christmas holidays.  And there were gifts in there somewhere as well.  Vacation started as a weekend in Munich, but the vast majority of it was spent at home near London with no deadlines, except a couple of shopping trips with the wife and kids.  All in all, it was one of the most relaxing times I’ve had in years.  And it was sorely needed.

All jobs are stressful to one degree or another, it’s just a fact of life.  But security is a more stressful job than most.  I’ve done a few panels with other security professionals talking about the stress we face, and we’ve done (okay, mainly folks like Jack Daniel and K.C. Yerrid have done) some research into it and found that our high stress is an actual fact, not just something we say to make ourselves feel more important.  Our chosen career is difficult to be good at, we’re constantly under multiple conflicting demands and it almost never slows down.  Is it any wonder that we feel stressed?

It’s almost a joke when you talk to security professionals about substance abuse in our industry.  It’s nearly expected of people to get stupid at conferences.  But it’s not a joke at all, something that was graphically illustrated by the loss of Barnaby Jack last year.  Substance abuse may not be an industry wide problem, but it’s definitely something that we need to be aware of.  I can think of at least half a dozen people who I’ve jokingly made comments about in the last couple of years who might be in real danger.  Most of them know they can come to me if they need support, but I know that’s the best I can do if they don’t want to change.  How many people do you know in a similar position?  Have you expressed concern or at least let them know you will help if they ask?

It’s not my place to get preachy or say I’m any better than anyone else, but I do think we need to be aware and check our own stress levels from time to time.  Let your friends in the industry know you’ll support them if they need help, but more importantly, know when you need to take a break and get away from the whole scene once in a while.  We do important work, but we can’t do it if we’re too wrapped up in our own problems to function properly.

Now to get caught up on two weeks of work emails.  Luckily, most of my co-workers took the Christmas holidays off, at least in part, so it won’t be quite as bad as it could be.
