Network Security Blog

Unless you were hiding under a rock the last few weeks you’ve probably heard about the Stop Online Piracy Act (SOPA), Protect IP Act (PIPA) and their even more evil brother Anti-counterfiting Trade Agreement (ACTA).  Many sites went dark last week, including Securosis, in protest and SOPA/PIPA were at least stalemated for the moment, if not entirely defeated.  And since it’s a big story, we decided to discuss it at great length, probably saying many things that have been said by much smarter people than us.  At least we hope it’s the smart people we’re agreeing with.

Zach was unavailable tonight, so we had to pull in two special guests in order to replace him.  First off, Rich’s partner in crime at Securosis, Adrian Lane, joins us.  Second, we’re joined by Liquid Matrix author and friend of the show, Jamie Arlen, aka @myrcurial.  Jamie brings a little bit of an outsider’s viewpoint to the conversation as he’s not native to the Phoenix area and comes to us from north of the border.

No real show notes tonight, if you’re intersted in learning more about SOPA/PIPA/ACTA, do a little Googling.  Or just go to the Electronic Frontier Foundations web site.

Network Security Podcast, Episode 265, January 24, 2012

Time:  55:00

Tonight’s music:  Signs are Signs by The Midnight Hour

I generally try to stay out of the political arena on the blog, mostly because politics is such a contentious topic in and of itself.  And I’ve been staying away from SOPA in particular because there’s been so much coverage that one more voice added to the choir wouldn’t have done anything.  The music and movie companies once again tried to introduce legislature that made pirating content a crime and gave the entertainment industry incredible power to police the internet and block any site they felt *might* link to copyrighted content.  But we, the Internet, rose up in unison as major sites blacked themselves out in protest and support for the legislation is suddenly falling away as if the Stop Online Piracy Act might be toxic.  Yay Us, we won and the bad entertainment industry was put in it’s place.  War’s over and we can all go back to our daily lives.  At least that’s what it seems like in a nutshell to me.

But it’s not over, not by a long shot.  In an oddly coincidental case of good timing, yesterday the US Government took down the site Megaupload, a hugely popular file sharing site.  Since this event probably took months of planning to set up, the timing probably was mostly accidental, though I wouldn’t be surprised to find out the date got accelerated a little in response to this week’s Internet blackout.  And in response to that, the group Anonymous started a DDoS campaign¹ against the likes of the White House, the FBI, DoJ, MPAA, RIAA and a number of other sites using the LOIC tool.  There are quite likely one or two other groups using some of the noise created by Anonymous in order to perform some slightly quieter attacks under cover.  And according to my count, the move is now back to the Government, probably coming in the form of a kinder, gentler form of SOPA or additional site take downs.

The movie and music distribution engines only see the Internet as a method for taking money out of their pockets.  The technorati see the Internet as a boon and the current distribution model used by the entertainment industry as antiquated and only serving the big studios, not the artists.  There’s a certain amount of truth to both arguments, though I find myself far more in line with the thought that the entertainment industry has refuse to adapt as technology and societal norms have changed, so they have to pay the price.  This is a lesson Kodak is learning the hard way.  Now the real battle of finding out if we make the technology and society bow to laws that are counter to how we want to act or if we change the laws to be more in line with how people want to act in the first place.

The ethics of file-sharing aren’t really important to the folks backing legislation like SOPA, they’re defending a business model and nothing more.  Therefore, they have to continue to push for this legislature in one form or another in order to gather more power to bolster a dying business model.  They have no choice, other than completely reworking the way they do business, which is more risky than doing battle in the court systems.  While the Internet may have risen up and smashed down the SOPA legislation today, it’s the long haul of trying to get the power clauses passed into law that the lawyers excel at.  Expect to see several more forms of this Act come up for  consideration and votes, later this year.

The interesting part will be see how the dynamics between the creation of laws and the Internet change over the coming year.  Between blackouts in protest and DDoS in protest, it’s clear that a lot of attention can be drawn to an issue very quickly.  But can it be sustained and will these forms of protest have any long term affect?  Part of what led to the uproar against SOPA was the technical infeasibility (or possibly stupidity) of the act; what would happen if the backers of SOPA created something that was more reasonable and technically possible to combat piracy? Will the resistance fade if something more palatable comes along?  I somehow doubt it, but more I doubt I’ll have a chance to find out, since a compromise like that isn’t even something I believe the entertainment industry could even conceive of.  It’s more likely we’ll continue to have a chance to see the evolution of the Internet as a political force.

So the back and forth between content distributors and pirates will continue, with the ball now in the government’s court.  There could be more take downs like Megaupload.com, the folks who supplied the thralls for LOIC could find FBI agents at their doorsteps, or there might be a lull while newer legislation is created.  But the reality is that what we’ve seen in the last few weeks is just an early set of skirmishes on the battlefield.  What the next step in the escalation is remains to be seen, on both sides.
 
¹I know where that graphic came from! 

Still feels a little funny to be putting the ’12′ in the year column, doesn’t it?  I’m sure the feeling will go away by March or April.  And it’s getting started as an interesting year already, with Symantec’s source code and courts approving warrantless GPS monitoring.  I bet neither of those were captured in the “Top 11 Predictions for 2012″ so many pundits and bloggers put out at the end of the year.

Personally, I’m starting the new year with a ton of writing to do.  Despite my best efforts, I didn’t blog as much as I would have liked to in the last few months, but I know that has to change.  I have to start writing for the Akamai blog, I’ve got information for the Security Bloggers Meetup to post and I get several offers a month to write for other publications.  Then there’s the internal projects that are in motion, at least one of which is requiring me to think in new and interesting ways in order to get concepts on a page properly.  Plus I’ve got lots of interesting toys at work to play with; what questions would you be looking for answers for if you had access to the logs for a significant portion of the Internet?  That’s actually a serious question I have to blog about some day soon.  I’d like to hear what people want to see in a report.

And speaking of the Security Bloggers Meetup, I was nominated for two Social Security Awards last week.  Rich Mogull, Zach Lanier and I were nominated for the work we do on the Network Security Blog and I was nominated for Best Post for my “Curing the Credit Card Cancer” post.  Rich and I both sit on the committee that puts together the Security Bloggers Meetup, though neither of us works on the Social Security Awards, so before this year, we’d ruled that everyone on the committee was not eligible to be nominated.  Alan Shimel changed the rule this year; he felt that since we had nothing to do with the SSA’s, it was unfair to exclude us.  So, go vote for us. I’d love a chance to beat PauldotCom and the other contenders for Best Security Podcast.  I’ve read the other blog posts, I don’t have much of a chance for the Single Best Post. 

Open Tabs 01/09/12

• Lax security exposes voice mail to hacking, study says – Yes, using an easily spoofed phone # as your single method of authentication sucks.
• Kuwait wants to put an end to anonymous accounts on twitter – So they can put dissenting voices in prison.  I wonder if our politicians will follow?
• 440,783 “Silent SMS” used to track German suspect in 2010 – There may be a common thread to what I find interesting lately.
• Boot Hezbollah from Twitter or we sue, group says - Wha??  It would be censorship if it was the government asking for this.
• Stuxnet weapon has at least 4 cousins: Researchers – Who would have suspected that Stuxnet was only the first wave? (Hint: think everyone)
• No warrant needed for GPS monitoring, judge rules – This one worries me a lot.  You’re home may still be your castle, but your car definitely isn’t.
• Why Twitter’s “verified account” failure matters – Because, no matter what they do, identity is malleable and hard to prove.
• Defensive search-and-destroy ‘virus’ delivered to Japanese government – Maybe not directly related to Stuxnet, but the same general idea.
• Lilupophilupop SQL injections attack top 1 million infected URLs – Don’t try to pronounce the name of this attack.
• Symantec confirms hackers accessed source code of two enterprise security products – Two older products, but still in use in some locations, I’m sure.

Christmas is over!  I hope yours was good, but I personally find the whole build up and let down stressful and I’m glad when it’s done with.  Especially the part where my kids are home from school for a week and whine every time I tell them to get out of the house for a little while before I have to hurt them.  Not that I’d actually hurt my kids, but it’s sometimes the only threat that will get them moving. 

There have been some interesting stories leading up to Christmas and it’ll be interesting to see what’s been happening behind the scenes while the majority of us have been chomping on candy and ripping open our presents.  I have nothing to support the theory yet, but I strongly suspect most of the bad guys left their tools running while they took some time off, so their might be reports of compromises in the not too distant future.  After all, there were a couple of reports that came out before the weekend, perhaps hoping to get ignored and bypassed in Christmas craziness.

A quick thought on the boycott of GoDaddy over the SOPA legislation.  GoDaddy is such a minor player in this realm and probably signed on to the legislation like a little brother following his older brother, Big Media; they wanted to sound and act cool in the eyes of everyone else without having the faintest idea that what they were doing had real world consequences.  Boycotting GoDaddy is like bullying the little brother when what you really want to do is punch the elder brother in the eye!  It’s ineffective, both in the long run and in the short term, to boycott GoDaddy when what we should really be doing is making the larger players behind SOPA aware this is an evil and unacceptable way to try to regulate the internet.  A crowdsourced version of the list of supporters on the list is available as a Google doc.  If you really want to do something important, boycott some of the big boys on the list and quit going to their movies and buying their products. 

Open Tabs – 12/26/11

• Chinese computer hackers hit U.S. Chamber of Commerce – I wonder what our hackers are doing to the Chinese behind the scenes.  Not the vocal ones on the con scene, the ones employed by the Three Letter Agencies.  Never mind, we don’t do that, do we.
• LOIC (Low Orbit Ion Cannon) – DoS attacking tool – The tool is old news, but this is a pretty good writeup.  If you want to know more though, one of my co-workers could tell you a few things more about how it works.
• The Thought Leader … One year later – Chris Eng’s further harpooning of the information security thought leaders.  I know about half of the video applies to me at least as much as it does anyone else. 
• How hackers gave Subway a $30 million lesson in point-of-sale security – There’s another meaning for POS, especially when you don’t bother changing default passwords and trust owners to follow procedures.
• The Dark side of B-Sides – I’m staying out of this fight, since I know all the players.  But I know there’s a lot of truth to both sides of the stories, and the sooner this can be opened up and the aired out, the better for everyone involved.
• Hackers steal data on millions of Chinese net users – No need for nefarious government hackers when criminals will hack into Chinese sites because they data they hold might be worth something.
• Insurance against cyber attacks expected to boom – Let’s just insure our systems rather than taking the time to secure them!  Because the insurance companies won’t place caveats on what’s ensured and what constitutes a breach of contract to include poor maintenance control, will they?  “What do you mean our insurance doesn’t cover this?” is a phrase I expect to hear once cyber insurance (I shudder at the name) becomes common place.
• Congress calls on Twitter to block Taliban – Oh yeah, because it takes so much to set up another account and tell everyone to go there instead.  And because censorship should always be one of the first tools used by a free, democratic system.  These people spend too much time thinking in hyperbole and too little time thinking in reality.

Long night last night.  We went to something called a pirate gift party; sort of like a white elephant gift (cheap, person A can take a gift from the table or steal from person B) except most of the gifts were wrapped in tinfoil cleverly disguised to hide their true nature.  Two minor variations from a normal white elephant gift is that there is no limit to the number of times gifts can be stolen per turn and no one gets to open the gifts until the last gift is chosen from the table.  This led to an interesting ‘defense’ strategy; since there was a gift that was wrapped to look like Thor’s Hammer that my Spawn wanted, they worked together to make sure they kept it at all cost.  Basically, when person A stole the hammer from whoever was holding it, that Spawn would steal his brother’s gift, and that Spawn would steal the hammer back.  This was a pretty good strategy, until Spawn1 lost concentration at one point and went after a different shiny object.  It all ended up good in the end, though another pair challenged the Spawn to a game of endurance to see who wanted the hammer the most.  It ended up being a 15 minute round robin of gifts being stolen and restolen that left everyone laughing.  Oh, and “Thor’s Hammer” ended up being a cleverly disguised box with chocolate and money in it, with a broom handle that was acting as the handle.

Oh, and very importantly, It’s that time of the year! Security Bloggers Meetup invites have gone out.

Open Tabs 12/18/11:

• California creates special unit to fight computer crimes – It’s about time.
• Silicon Valley execs blast SOPA in open letter – I’m afraid that no matter how much we blast this piece of crud, it’s going to happen.  They’ll slip it by us some day, just watch.
• Mandates can’t alter facts – Here’s the letter itself, explaining why SOPA wouldn’t work in the long run
• China-based hacking of 760 companies reflects an undeclared Cyber Cold War – At least they didn’t say ‘APT’. 
• China’s cyberwar - More on the situation with China
• French President’s residence ‘busted’ for BitTorrent piracy – I wonder what it would look like if we started looking at our own Congressmen’s IP’s in YouHaveDownloaded.com?
• Researchers:  Google gamed browser report that dissed Firefox – NSS Labs is disputing findings in a recent report by Accuvant.  

Usually I try to find the time to blog first thing in the morning, but today was way too busy to allow for anything nearly as relaxing as blogging.  I spent two days traveling to and from a client site last week and then two more days at the BayThreat conference, with only Sunday at home to relax and play Skyrim … I mean spend with the family.  BayThreat was a ton of fun; my co-worker Mike Smith gave a presentation called “Zerging is for Chumps” and another friend, Gillis Jones gave his first talk, “Show me the Money”, just to name a few.  It’s interesting to go to a convention where you can almost talk to every attendee if you put your mind to it.  And you know I gave it a pretty good try.  Anyway, I’m off for more flying around the country again this week and have a ton to do in the mean time, so this may be the only chance I get to post this week, other than the podcast.  Presuming I can get that done with Zach this week.

Open tabs, 12/12/11:

• The iPhone is about to become the FBI’s newest crime-fighting partner – To check fingerprints faster, not to look at phone logs. For now at least.
• Kaspersky Lab quits Business Software Alliance to protest SOPA – Way to go, Kaspersky!  Glad someone in the community is doing something solid about this horrible idea.
• My keynote talk at BSides DFW – I can’t watch!
• Senator wants answers from DHS over domain name seizures – We’re no longer the land of the free when the DHS is charged with treating potential piracy as if it was an act of terrorism.  They have way too much power to grab and forget without judicial oversight!
• MPAA Boss:  If the Chinese censor the Internet without a problem, why can’t the US? – People like this are why the DHS needs oversight.  And shouldn’t be involved in copyright enforcement to begin with.  
• The Infosec Naughty List & the Twelve Charlatans of Christmas – I’m just glad I didn’t make the list.  Or did I, by inclusion?
• Who knows what Youhavedownloaded.com – I’m of mixed feelings about this site.  Not surprised they can track you that easily, though.

When Rich isn’t around to take up most of the time, Zach can actually
be pulled out of his shell to talk for a little while.  Or maybe it’s
just when there are two hosts on the podcast there’s more time to talk. 
In any case, Martin and Zach went a little long this week as well as
deep into paranoia land.  And there’s so much in the news right now to
push us there.  It’s kind of scary when you start to realize that as
much communication as modern technologies allow, they also allow a lot
of very deep surveillance.  Which we as a society seem to be okay with.

Network Security Podcast, Episode 261, December 6, 2011
Time: 42:13

Show Notes:

• India asks Google, Facebook to screen user content
  
• Carrier IQ:  The Real Story
  
• 9 Reasons Wired readers should wear their tinfoil hats
  
• The impact of cloud computing on IT jobs
  
• C|Net Download.com is now bundling Nmap with malware!
  
• RIM issues statement about the Playbook Dingleberry root
  
• Top 25 security influencers you should be following
  
• Tonight’s music:  Echoes and Falls by Senor Happy (in honor of the echo chamber)

Whether you call it Veteran’s Day, Pocky Day,Binary Day or something else, it’s Friday, I don’t know about you, but I’m looking forward to this weekend and spending some time with friends.  Being a parent, I don’t get out for adult time as much as I once did, which makes the rare occassions all that much more special.

If you know a veteran, today would be a good day to tell them thanks.  I ‘repaired’ radios long ago and far away on a little artillery base in Germany.  I put repair in quotes because our job was to say “Yep, it’s broken”, replace the radio and send the broken one off for repair by someone who actually did electronics troubleshooting.  I was lucky and my enlistment was during a relatively peaceful time, but we have hundreds of thousands vets out there who saw events and actions most of us can’t even imagine.  Please respect them for their sacrifices.

I haven’t done this in a few days, so there’s a lot of built up articles.

Open Tabs 11/11/11:

• Anonymous blasts El Salvador offline – I guess they found some soft targets.  
• How your signature can propel your security career – How are you putting your signature on the security at your company?  Don’t do what everyone else has done.
• Top 10 Security Voices on Twitter – I didn’t like @jgamblins list; half of the accounts on it are businesses.  Who would be on your Top 10 Security Voices list?
• Supreme Court justices concerned about pervasive, technology-enabled government surveillance – As they should be!  Wait until the government admits they’re also turning on the microphones and other sensors in your phone.  And don’t think they aren’t.  
• Judges weigh phone tracking – A little more to feed your paranoia.
• Doom, gloom and infosec – Of course our career field isn’t all feces and stench, but it’s not roses and cake either.  
• Cisco CSO:  Infosec pros should get back to basics – Yes, let’s quit buying all of Cisco’s blinky light solutions and get back to patching and policy.  That’s what he meant, isn’t it?
• ‘Biggest cybercriminal takedown in history’ – The hyperbole isn’t Brian Krebs’, but the rest of the article is some great stuff.  DNS can be dangerous stuff.
• Steam database hacked.  Encrypted credit card information and passwords compromised – First thing I had the spawn do when they got home from school yesterday was change their passwords!

I had a great time at BSides DFW this weekend!  Michelle Klinger, Joseph Sokoly and the whole crew of volunteers who made the event happen did such an awesome job of putting it together and the Microsoft tech center was the perfect place to have it.  Not that Jayson Street didn’t make a few of the security guards nervous from time to time.  And the rest of us nervous when he thought no one was watching where he was thinking of getting into.  I gave the closing key note speech, which went well despite the fact I was as nervous as I think it’s possible for me to be.  It’s worth giving the talk again some time, after I’ve tightened it up and loosened up a bit myself.  Just remember to challenge all our current security wisdom.

Saturday was November 5th, Guy Faulkes day, and despite it being a high holiday for Anonymous, nothing much seems to have happened.  They did pop Adidas last week, but that was supposedly a prequel to their main event this weekend.  On a more positive note, Brad Smith is doing slightly better, though he is still comatose and has pnemonia.  If you can, spare a few dollars to help Brad and his wife pay for medical bills; if you can’t, keep him in your prayers.  Brad has helped a lot of people in the security community and it’s time to help him in return.

Open Tabs 11/08/11

• Pictures from BSidesDFW – I’m the big guy in the green BSides SF shirt.  I know I don’t look like I sound.
• It pays to be the face of Anonymous – “Now my weed dealer won’t come by….” You can’t make this stuff up!
• Hackers worming way into utilities – No surprise to us, but maybe the idea will worm it’s way into the mind of someone who can do something about it.
• Feds try to prevent War of the Worlds-style panic over national emergency alert – This is a test.  This is only a test.  Please don’t panic!
• Ex-U.S. general urges frank talk on cyber weapons – We’re behind the curve and maybe behind the eight ball.
• De-lousing E-PARASITE – More on this moronic legislation
• Down the Rabbithole Episode 5 – I love Brian Stiekes thinking.  We both think information security is fundamentally broken.
• iPhone security bug lets innocent-looking apps go bad – And Apple shoots Charlie Miller (or at least his developer account) for being the messenger.

It’s almost time to hop in the car and head for #BSidesDFW (I even think in hashtags some days) in about an hour.  I find it annoying that I have to leave the house about 3 hours before my flight to have any chance of making it, since it takes 90 minutes to get to the airport and about 45 minutes to get through the TSA checkpoint most of the time.  I was joking around on Twitter earlier this week and said I’d vote for the first Presidential candidate, Republican or Democrat, who promised to abolish the TSA; it turned out that Ron Paul had already made that promise, but we’ll see if he’s still slugging it out by the time the primaries roll around.  In any case, I need to get packed up and head out.  I’m going to try to get a few interviews at BSidesDFW for the podcast, since there are so many interesting people speaking tomorrow. 

Open Tabs 11/04/11:

• Untrusted Certificate Store to be updated – Microsoft delists another certificate authority
• DHS looking for a new CISO – If you want the role, more power to you!  I wouldn’t touch it with a 10′ pole, personally
• Security Ostriches and Disintermediation – Big words from Mike Rothman about HD Moore’s Law
• CIA following Twitter, Facebook – Why would this surprise anyone in the security field?
• China scorns U.S. cyber espionage charges – Another big surprise, China is denying any wrong doing and acting all indignant.  
• Syria crackdown aided by U.S.-Europe spy gear – There’s more and more evidence that US technologies are being used to support oppressive regimes.  And I don’t think it will stop any time soon. 
• Most firms don’t coordinate security planning – We need to learn to integrate better with the board room, that’s a fact.
• Mike Dahn and me from Hacker Halted – I’m going to close my eyes and ears, I can’t stand to see myself in video.