Archive for the 'Privacy' Category

Oct 28 2011

Open tabs 10/28/11

Published by under General,Privacy

I spent the week at the Hacker Halted conference in Miami and had a great time. Except for the part where my iPad gave me an error message stating it needed to be restored from backup and commenced a reboot cycle. Which lasted until Wednesday afternoon. Nothing like being at a security convention and having mysterious issues with your electronics. Talk about having your paranoia spike off the chart! My talk with Mike Dahn on Compliance in the Cloud (it really is about more than just PCI) was well received and we should see our interview with Tony from InfoSec Island online within the next couple of days. I’m glad to be home with the family for a little while before hitting the road next week to speak at BSides DFW. I actually get to give the closing presentation. No pressure there. But in the meantime, I have an appointment to keep with my coworker Josh Corman and Rapid7’s HD Moore to talk about Josh’s idea, “HD Moore’s Law”.

Open Tabs 10/28/11

Dec 21 2010

Keep a copy of your TSA rights handy!

If you fly with any regularity, you know exactly how bad things have gotten with the TSA invading your space and your privacy. Naked x-ray machines, intrusive pat downs and TSOs who think their position gives them the right and responsibility to embarrass people who are simply trying to get to a destination. All in all, flying is now one of the most stressful activities the average American has to deal with. Hopefully pressure from the public will turn the tide on the current efforts by the TSA to ‘protect’ us at the expense of our basic liberties, but I don’t see it happening overnight. In the meantime, you need to know what your rights are when dealing with the TSA. Thankfully Saizai has created a two page PDF that explains what your rights are when dealing with the TSA and who to call if you think your rights are being violated. This PDF is something you should have a copy of on your phone, on your computer and printed out so you can carry it with you when you fly. Seriously, it’s that valuable. Saizai says he updates the document fairly regularly, but I’m also making a static copy of it available just in case. By the way, it also includes information about the photography rules of various airports around the nation, another good piece of information you may need to protect you from overzealous TSOs who want to believe it’s illegal to photograph them at work (it’s not, at most airports).

Dec 15 2010

Your email deserves due process

Published by under Government,Privacy,Risk

A few years ago Mike Rothman over at Securosis dubbed me “Captain Privacy”.  And thanks to my wife’s sense of humor, I even have a cape and domino mask (but no tights, for which everyone is thankful).  I like my privacy and I often argue against movements by our government to erode the controls protecting our privacy.  And this is one of the more subtle points that Mike and other people miss about me: I am not arguing against the government having the ability to spy on people when they need to, I’m arguing for strong controls around the ability and judicial oversight to ensure that the ability to monitor citizens isn’t abused.  To some it’s a very subtle difference, but to me it’s an incredibly important distinction. 

So it should come as no surprise to anyone that I’m thrilled that the 6th Circuit Court of Appeals has ruled that email is protected by the Fourth Amendment. For years now law enforcement has been arguing that there should be no expectation of privacy for your email on corporate and cloud services (like Gmail) and that there was no need to get a search warrant prior to seizing copies of email records from service providers. In other words, since your email is hanging out on a public service provider’s servers, they felt they could just walk in at any time, demand a copy of your email and no one would tell you until you were served with an arrest warrant. No due process, no judicial oversight, just quietly take what you want whenever you want it. I understand why the police would want this power, but I also believe that it’s something that’s just waiting to be severely abused, if it hasn’t been already.

This is an appeals court, so it is possible that the ruling could be overturned by the Supreme Court if it got to that level, but it’s unlikely. The 6th Circuit Court made it very clear that you and I have every right to expect our email to be as secure from covert observation as our physical mail. Which means that police and federal officers can monitor it if they can prove to a judge that it’s necessary and appropriate. And that’s all Captain Privacy really wants for Christmas, the knowledge that someone is double-checking what our LEOs are doing and making sure that due process is being followed.

Dec 03 2010

Caught on Google Streetview

My friend Adrian Lane, over at Securosis, finds the best toys to play with. This one, called Spokeo, lets you search on a name and see what sort of personal information is out there about that person. Like Adrian, I always search on myself first, wanting to see what sort of information is out there about me. And there’s a lot of it; even someone like myself who wishes they had some privacy leaks a lot of information, even if it’s just in public records. Luckily I have a father with the same name, so our information is a little mixed up, with a sprinkling of misinformation added in. If I can’t have privacy, having false information available to search engines is a good second.

The funniest part of looking up myself was finding my house in Streetview, which is offered directly in the Spokeo interface, then turning the camera around to see myself getting out of the car. The picture’s about two years old, but it still jogged some memories of seeing the Google car drive by. The picture is blurry and it’d be hard to recognize me from it, but there it is. Being in a public place (the road), I’m not surprised to be photographed, but it does serve as a reminder of how often we’re being photographed in public, even if we are seldom aware of it. That is to say, people who don’t live with a mild form of paranoia are seldom aware of it.

Nov 23 2010

Important Contact #’s (and a good story)

Published by under Government,Privacy,Risk

I urge you to read “So…I got detained by the TSA at the airport today”. There are no federal laws and few state laws that prohibit you from recording a TSO (transport security officer) in the pursuit of their duties. In fact the TSA actually encourages it. But many TSOs and supporting law enforcement agents never got the memo, so you may end up getting harassed if they think you’re doing something wrong. Flying Fish has a good story about how to deal with the issue and how to deal with the TSA and law enforcement in a reasonable, calm manner and come out okay. Not everyone has his contacts, but that’s not really the point of the post.

But more important than the post itself was one of the comments, with all the contact information you need to get in touch directly with the TSA offices of Civil Liberties and the Ombudsman. I now have this information entered into my cell phone and will use it next time if I have to. I have a funny feeling that if it gets to the point of my having to make the call, things will have already gone beyond my comfort point, but better to have them and not need them than the other way around.

deltaGOLFflyer

@Jason:

TSA Public Affairs
(571) 227-2829

http://www.tsa.gov/contact/index.shtm

Members of the traveling public who believe that they have been unlawfully discriminated against by a TSA employee may contact the External Compliance Division in the Office of Civil Rights to have their concerns addressed, by sending an E-mail to TSA.OCR-ExternalCompliance@dhs.gov or by calling the Office of Civil Rights.

The Office of Civil Rights can be reached toll free at 1-877-EEO-4-TSA (1-877-336-4872) or (800) 877-8339 (TTY), or by E-mail at TSA-ContactCenter@dhs.gov

Contact the Ombudsman, phone 1-571-227-2383 or 1-877-266-2837 toll-free.

E-mail: TSA.Ombudsman@dhs.gov

Nov 21 2010

Who should you complain to?

I’m not going to weigh in on the whole TSA whine fest that’s going on; I agree that the TSA has gone too far and needs to have their collar yanked on to settle them down.  But a whole bunch of us complaining on Twitter isn’t going to do much, neither are lengthy blog posts.  Quite frankly most of us have too little exposure to be taken seriously on the national stage.  I got my own whining in early, so now I’m trying to gather some information on how to be effective.

But we do have people we can contact who do have some pull, starting with our federal legislators, who are easy enough to find and monitor on the Project Vote Smart site. I didn’t notice a political slant either way to the site; it appears to just be reporting the facts and is easy to use. Writing to your Senator (mine is Barbara Boxer) will be slightly more effective than Twitter; at least an intern somewhere will tally your complaint. Two other places that you can write that I’ve been told will have slightly more impact are your airline and their lobbying firm. Explain your position in terms of how it impacts your business and how it will impact their bottom line. The SourceWatch wiki supplied me with contact information for United Airlines and their lobbyist firms. I’ll let you know if I hear anything back from them. I had a friend on Twitter explain this: basically you want to start any emails you send by talking about the money, then end with little side notes like ‘protection from unreasonable search and seizure.’ It’s easier for many people to understand money issues than those of Constitutional rights.

The TSA does have a way to report a complaint, though I don’t know of anyone who’s done it so far or what the results have been. Personally I’d be afraid of getting added to a watch list. What might be more helpful is to read the official TSA Blog. For instance, did you know it’s actually allowable by TSA rules to photograph a TSO in pursuit of their duties? That is, if the state and local laws allow it, which they don’t in many states. So far California appears to.

The current pat downs and backscatter x-rays are both issues that need to be addressed. As is the over-reach of the TSA to grab power at airports. But observing and talking about them don’t do much good unless we follow up with some sort of action. If you have some better ideas of who to contact, please leave a comment.

Nov 11 2010

Nailing the new TSA process


‘Nuff said!

Oct 13 2010

The Friendly, Snuggly Security Bear and the Internet

If you’re not already scared of the people who want to listen in to your phones, then this video won’t worry you.

Oct 06 2010

DC does the right thing in testing eVoting

Published by under Government,Hacking,Privacy,Risk

I really respect the work folks like J. Alex Halderman and the other folks at the Freedom to Tinker blog do.  We all know there’s a lot of corruption, or at least room for error, in the real world voting infrastructure.  It’s understandable, there are a lot of edge cases and special considerations that make subverting the process on purpose or by accident almost a requirement.  But we have a lot of checks and balances in place to detect and hopefully prevent the vast majority of the subversion of the voting process.  Simply having a physical ballot that has to be counted goes a long way as a detective measure.  But as we move quickly towards an online, electronic voting infrastructure, we lose one of the most basic protections of our voting process, that same physical token, the ballot.

And the companies building the various evoting solutions aren’t helping matters any; the majority of these companies espouse how secure their systems are without ever letting an independent third party test them.  Indeed, in many cases, they fight tooth and nail if anyone so much as hints that independent testing might be a good idea.  Or worse, someone tries to test a voting solution without their explicit permission.  And as most people in security know, even if you don’t allow testing by qualified security personnel, any product that is exposed to the Internet is going to get plenty of ‘free testing’ whether you want it to or not.

So I was very pleasantly surprised to see that Washington DC had decided to open up their new ‘Digital Vote by Mail’ pilot project to testing early and a group of researchers had taken them up on the challenge.  Not surprisingly, J. Alex Halderman and his crew were able to subvert the system and make it jump through nearly any hoop they wanted.  They found a vulnerability in the underlying system that encrypts the pdf ballots that allowed them to create a shell-injection attack and take over.  This vulnerability had nothing to do with Adobe, so don’t blame them this time.  After that, they could do anything they wanted to the system.

Surprisingly, it looks like the folks at the DC Board of Elections and Ethics believe they have the problem solved; they’re opening the site to testing again until this Friday. They’ve made the source code available, you can request your own testing credentials, you can play with the live application. I have to give them kudos, they’ve done nearly everything I could ask for when it comes to rolling out an eVoting system. About the only thing I wish they’d do is give the testing more time, but at that point I’m just whining about details. I’m hoping they can make it work to give everyone who’s overseas a chance to vote quickly and easily.

One last thought:  This solution may be secure by November, but will it remain secure?  It’s a computer system, it will require patches, it will have configuration changes made by system administrators.  So will they be able to maintain it in a manner that will prevent other vulnerabilities from creeping in?  In the long run, I’m almost certain the answer to this question is no, since we have multi-billion dollar companies and governments that can’t effectively secure their own systems.  And the bad guys only need to find one hole in the system, as we all know.

Aug 08 2010

Would you let your wife track your movement? I will

Published by under Apple/Mac,Family,Privacy

I make no secret of how much I value privacy.  Which is weird coming from someone like myself who spends so much time on social networking, blogging and generally shouting my activities to the world.  But I control most of that information, which is what privacy is all about in the digital age.  So why am I talking about letting my wife track my every move?  Because I received a press release about the Family Tracker application for the iPhone and iPad, and rather than just go on a diatribe about how such a system could be misused, I have decided that for the next few weeks I will voluntarily give my wife the ability to track the location of my iPhone anywhere it goes.  And since I’m almost never without my iPhone, it means she’ll be able to track my movement at all times.  Besides, she just gave me “the Look” when I asked if it was okay for me to track her movements; allowing her to track me was obviously a healthier choice.

I don’t like the idea of tracking people, especially if they don’t know about it. The potential for abuse far outweighs the benefits in most cases. Whether it’s a spouse or parent abusing the tracking, someone abusing access to the vendor or law enforcement legally tracking someone, I get very nervous about what CAN happen. So when I got the press release for Family Tracker and an offer for promotional codes, I decided it was time to bite the bullet that is my paranoia and see how a tracking program like this is used in real life.

I travel. A lot. In the next few weeks I’ll be crossing the country several times and I’ll be gone from home more than I’ll be there. I post my travel schedule on several calendars around my office, so which city I’m in is rarely a question, and I use FourSquare enough that my location has never really been a mystery anyway. But I’ve always been in control of both of these methods of tracking, and giving my family a tool to tell where I am almost every moment of the day is a new and interesting experience for me. I suspect that my wife will look me up once or twice and then ignore the application 99% of the time. But she has surprised me before.

I’ve set it up so I can track myself and my iPhone from my iPad, so even if my wife doesn’t want to track me, I can still find out more about what the program is capable of. And unless I do something stupid that involves the police, I doubt anyone else will want to track me. If anyone really wants to know my whereabouts, there’s more than enough information already on the Internet to find me if someone takes the time. This will just make it a little easier.

So through the end of the month my little social experiment will be running. After that, we’ll see.  It may be that my wife likes being able to track me.  Or she may just say, “Meh.  If I want to know where you are, I’ll just call.”  I’m almost as interested in seeing how she uses Family Tracker as I am in seeing if she thinks being able to track me is worthwhile.  I honestly don’t know which way she’ll decide.

After the break is the information the folks at LogSat sent me when I expressed interest in their product, which covers several important questions about how Family Tracker works.