Morning sports fans! No, I don't care if it's not morning here nor where ever you are, but it's morning somewhere. Also it will eventually be morning, so I'm counting it. Well, my recent increased blogging is due to me being constantly mentioned on the HappyFace podcast, which is done by my friends. They have challenged me to post at least once a week so that they can talk about me more, so let's see how long I can keep it up. Now first (and only) order of business today is ethical hacking.
So, recently this happened (All the articles I have found say pretty much the same thing, so I won't link to anymore). Glenn Mangham has been sentenced to 8 months in prison for computer misuse, more specifically hacking Facebook. "But, wait! He's an ethical hacker. He's one of the good guys!" You say excitedly. No, dear reader, not quite. Yes, yes, there is the whole £7,000/$7,000 from Yahoo! and whatnot, but there is a slight twist to this little tale. So, lets start by clearing up exactly what we are talking about.
An ethical hacker, or white hat, is a hacker who spends their time finding vulnerabilities in systems, applications, websites and pretty much anything that's connected to anything. Once they find such a vulnerability, they record the details of what they did and send it to the creators and/or maintainers of this product. Companies respond in many ways to this, ranging from a thank you e-mail to cash rewards to a job offer.
A malicious hacker, or black hat, is not so nice. Upon finding a vulnerability, they will try and exploit it for personal gain, normally for money. Of course they can record the details and share it with others, but now with the makers of the product. Once they are found out, the companies tend to come down on them pretty hard and fines and jail time normally ensues.
So, that's all nice and clear cut and very much black and white, if you will pardon the pun. Sadly, the real world is not so clear cut, as evidenced by this case. There are times when a person will at times be a black hat and at times be a white hat, somewhat of a grey hat if you will. A white hat may use their skills for some personal gain, in a very black hat kind of way and on the flip side, a black hat may actually do some white hat work.
To illustrate this further, let's look a bit more at Glenn Mangham. He did some white hat work for Yahoo!, which is all well and good. But then he hacked into Facebook in a very devious manner. Now from what I gather, he uploaded some malicious code to the puzzles server which Facebook uses to test potential employees and gained access to the internal system. Now, here's where it gets really devious.
From what I have read it seem he managed to impersonate a Facebook employee, get his password reset and thus gain access to all of Facebook's servers. He then proceeded to download important data to an external drive and delete all evidence of his little visit, or so he thought. Turns out that Facebook actually found out about this and it cost them something to the tune of $200,000. Now that's a pretty penny and a chunk of change.
Two very important things come to my mind here and those are:
1) To the best of knowledge, Glenn Mangham didn't inform Facebook, thus disqualifying him as an ethical hacker
2) He entered a guilty plea
Having considered that, he is definitely guilty of hacking, or computer misuse in legalese, and should be punished for his crime. The whole argument that he is an "ethical hacker" hold no water whatsoever. There's not much more to say, so I;m going to leave it at that. Good night sports fans! (Again same argument as above :P)
Showing posts with label internet. Show all posts
Showing posts with label internet. Show all posts
Sunday, 26 February 2012
Sunday, 19 February 2012
Activism vs. Vadalism, Digitally speaking
Howdy sports fans (this is here to stay), I know I've been away but I'll try and be better. Having said that I realise how often I say that and don't fully go through. Please don't hate me *cute face*. Moving on, let's talk about the difference between digital activism and digital vandalism. Let's start off by talking about a term I hate, which you will know is a long list, if you have been reading my blog. More to the point todays hated word is "hacktivism."
Hacktavism is a portmanteau of "hacking" and "activism" and is basically "activism by means of hacking." Which basically a roundabout way of saying "the (perceived good) ends justify the (blatantly wrong) means." The basic idea is that you, as a hacktavist, hack somebody/something to make a point or a statement, but really you are pretty much doing this. Yes, that sketch does exaggerate for comic effect, but you get the point.
Of course, the very first thing that comes to most people's minds when they hear the word hacktivist is Anonymous. I have written about some of their activities before and as you may or may not know, I'm not really a fan. They started of playing pranks on people and general trolling, which was OK by me. They said we are doing just for lulz (yea LulSec also has the same kind of problem). Then they got a bit more political and most recently, but I still think that they are being a tad juvenile about it.
"But, then what is the grown up thing to do?" you may be asking, oh intrepid reader. Well, let me tell you. There was, and is still some, raging going on about SOPA/PIPA (yes, yes, I'm going to write more about this, after I've done more reading) and quite rightly so. People sent letters to their senators, congressmen/congresswomen and representatives and registered protests in the conventional way. And, then something magical happened - a proper online protest: the SOPA blackout.
Basically a large number of websites, big and small, replaced all their content with a black page explaining what they are protesting and why. Some people didn't get the memo, so this happened, but overall I think it was a success. Almost instantly a SOPA/PIPA lost a lot of support and were then shelved. Normal service resumed the next day and everybody was happy. In all of this, nothing illegal was done and nobody was harmed, inconvenienced maybe, but no real harm was done.
Compare that to the very next day when Kim Dotcom (Who goes and changes their surname to Dotcom? I mean really? Does he want to be mocked?) et al. were arrested and what Anonymous did. They took down the websites for
Unfortunately, law enforcement really has no idea to deal with these kinds of digital vandals, due to several reasons. I'm not sure there is an easy solution to this, but who knows? So, in short, you can protest via digital means, but there is a right way and a wrong way to do it and sadly the wrong way is more prevalent.
Hacktavism is a portmanteau of "hacking" and "activism" and is basically "activism by means of hacking." Which basically a roundabout way of saying "the (perceived good) ends justify the (blatantly wrong) means." The basic idea is that you, as a hacktavist, hack somebody/something to make a point or a statement, but really you are pretty much doing this. Yes, that sketch does exaggerate for comic effect, but you get the point.
Of course, the very first thing that comes to most people's minds when they hear the word hacktivist is Anonymous. I have written about some of their activities before and as you may or may not know, I'm not really a fan. They started of playing pranks on people and general trolling, which was OK by me. They said we are doing just for lulz (yea LulSec also has the same kind of problem). Then they got a bit more political and most recently, but I still think that they are being a tad juvenile about it.
"But, then what is the grown up thing to do?" you may be asking, oh intrepid reader. Well, let me tell you. There was, and is still some, raging going on about SOPA/PIPA (yes, yes, I'm going to write more about this, after I've done more reading) and quite rightly so. People sent letters to their senators, congressmen/congresswomen and representatives and registered protests in the conventional way. And, then something magical happened - a proper online protest: the SOPA blackout.
Basically a large number of websites, big and small, replaced all their content with a black page explaining what they are protesting and why. Some people didn't get the memo, so this happened, but overall I think it was a success. Almost instantly a SOPA/PIPA lost a lot of support and were then shelved. Normal service resumed the next day and everybody was happy. In all of this, nothing illegal was done and nobody was harmed, inconvenienced maybe, but no real harm was done.
Compare that to the very next day when Kim Dotcom (Who goes and changes their surname to Dotcom? I mean really? Does he want to be mocked?) et al. were arrested and what Anonymous did. They took down the websites for
- , which is whole other kettle of fish. This is basically vandalism, even though it is not the standard defacement type of vandalism you may be thinking of, but the point still stands. Not to mention the fact that it is illegal, but well.
Unfortunately, law enforcement really has no idea to deal with these kinds of digital vandals, due to several reasons. I'm not sure there is an easy solution to this, but who knows? So, in short, you can protest via digital means, but there is a right way and a wrong way to do it and sadly the wrong way is more prevalent.
Monday, 6 February 2012
Megaupload (Because I was guilted into it)
Greetings sports fans. So I did say I was going to this post in my last post (I've added a link this in there) and I'm actually doing it. The main reason is that my friend Jamie mentioned me in the his podcast (highly recommended) and said that he would provide his listeners with a link to this if and when I do write it. Commence guilt trip. But, that's enough blabbering from me, down to the matter at hand: Why nobody has Megaupload go-ed bye-bye?
So, if you are reading this, you are either connected to the Internet or I finally got that book deal I wanted. For now, let's assume you have Internet access. One of the really interesting uses of the Internet is storing files online so that they can be accessed by many people. There were several really creative and some down right moronic ways thought of to this, but the one that really took off were called "file lockers."
Anywho, the concept of a file locker is simple: You sign up and you get some storage space on a server. You can then upload files and manage who can access them. You make it public, so that anybody can download it, or private, so that only you and/or selected other persons could download it. Of course, we all know there is no such thing as a free lunch, so "where's the money?" you ask. Well, let me tell you.
Some file lockers charged for their services, but some, like Megauplaod, were freemium. What they did is they put ads on the site and before you download something, unless you paid the membership fees. Sounds reasonable, right? Yes and then it gets hinky. So, not only did you have ads, but it seems that the site paid uploaders every time a file was downloaded. Not only that, but files that were not downloaded frequently enough were removed. But, it gets even more sinister and here's where the illegality comes in.
It's obvious that if somebody uploads illegal copies of TV, movies and music, then it will get downloaded more often than a picture of me on the beach. This pretty much encourages illegal file sharing. If offending content was found, it was removed, however it is alleged that the user accounts were not suspended or terminated. I have a distinct memory of reading somewhere that uploaders could pay to upload anonymously, thus even if the content was marked as illegal, it could be taken down, but not traced back to them. I cannot for the life of me find that article again and thus state this as a recollection that I can not back up. Moving swiftly on.
There was also the related website Megavideo, which was also somewhat devious. It has been alleged that all this infringing content was not searchable through the site's main search functionality, but was accessible to those who had the link. Again there is the same allegations of content being taken down without punishing the offenders and so on and so forth. Although there was a de jure legal use for the site, the de facto primary use was for the distribution of illegal content. So, the United States Government decided to do something about this.
About 2 years ago (2009), criminal investigations were started into the activities of Megaupload Inc., with a whole lot of red tape. The company itself is based in Hong Kong and a lot of the key people, including founder and chief Kim Dotcom, were in New Zealand. Well this went on for 2 years and we arrive in the present. Actually more like the recent past, but here we go.
A few months earlier, the US government had brought forth two acts called the Stop Online Piracy Act (SOPA) and the Proctect IP Act (PIPA) and this got everybody up in arms. That's a whole other kettle of fish, to be fried on another day. The main point is on January 18th 2012, a large number of websites "blacked out" and replaced their normal content with a page explaining why they are protesting SOPA and PIPA. On January 20th 2012, Dotcom and associates were arrested (alt article) and several assets were seized in a multi-country raid.
A large number of people think that this was a sort of backlash reaction to the blackouts, but it was in fact timed to coincide with a party Dotcom was hosting at his house, so that all the eggs would be in one basket, so to speak. These arrests were the culmination of a 2 year long investigation, with the cooperation of the police in all countries involved. Of course, nobody bothered to check that and Anonymous did their usual retaliation bit. Although the charges are being laid by the US, the police in all the countries involved were a part of the investigation, thus solving any jurisdictional issues.
I will be a little evil at this time and point out that there were millions of dollars worth of stuff seized, including some art, tech and a few luxury cars.There were also large accounts frozen and so on. The irony here is a large number of people justify piracy by saying it only affects the super rich guys in the super rich studios/labels, which kind of describes these guys. Not really sure why everybody is so vociferously supporting them, but I'm sure they have some really good reasons. Let's look at how exactly Megaupload is defending themselves.
The main defense that has been put forward is either "The majority of our traffic (and therefore business) was legitimate" or "we always took down infringing content." The first defense is, in my opinion, a big steaming pile of shit. That is like saying "You can't shut down my shop because only 10% of my income is from selling drugs." I don't at all doubt that there were users who were using in a fully legal manner, but that's really beside the point. The point put forward is that those in charge were aware of this infringement and actively promoted it. As for the second argument, takedowns were only effected if provided if a notice was provided and as said before there was no real punishment for the uploaders.
There is sort of the further complication that of them trying to rip off youtube, but that's something I haven't really looked at and don't feel well informed enough to comment. I would recommend that you read the linked article.
So, in all of this a lot of facts got jumbled up and a lot of people assumed things that were not true. There facts a touch murky, but with a bit of time, one can wade through and see what's going on. I guess it was a matter of bad timing on a couple of fronts. The bottom line is that they have been arrested, denied bail and will face an extradition hearing on February 22 2012. For now, Megaupload is gone and I don't think it's going to come back any time soon.
So, if you are reading this, you are either connected to the Internet or I finally got that book deal I wanted. For now, let's assume you have Internet access. One of the really interesting uses of the Internet is storing files online so that they can be accessed by many people. There were several really creative and some down right moronic ways thought of to this, but the one that really took off were called "file lockers."
Anywho, the concept of a file locker is simple: You sign up and you get some storage space on a server. You can then upload files and manage who can access them. You make it public, so that anybody can download it, or private, so that only you and/or selected other persons could download it. Of course, we all know there is no such thing as a free lunch, so "where's the money?" you ask. Well, let me tell you.
Some file lockers charged for their services, but some, like Megauplaod, were freemium. What they did is they put ads on the site and before you download something, unless you paid the membership fees. Sounds reasonable, right? Yes and then it gets hinky. So, not only did you have ads, but it seems that the site paid uploaders every time a file was downloaded. Not only that, but files that were not downloaded frequently enough were removed. But, it gets even more sinister and here's where the illegality comes in.
It's obvious that if somebody uploads illegal copies of TV, movies and music, then it will get downloaded more often than a picture of me on the beach. This pretty much encourages illegal file sharing. If offending content was found, it was removed, however it is alleged that the user accounts were not suspended or terminated. I have a distinct memory of reading somewhere that uploaders could pay to upload anonymously, thus even if the content was marked as illegal, it could be taken down, but not traced back to them. I cannot for the life of me find that article again and thus state this as a recollection that I can not back up. Moving swiftly on.
There was also the related website Megavideo, which was also somewhat devious. It has been alleged that all this infringing content was not searchable through the site's main search functionality, but was accessible to those who had the link. Again there is the same allegations of content being taken down without punishing the offenders and so on and so forth. Although there was a de jure legal use for the site, the de facto primary use was for the distribution of illegal content. So, the United States Government decided to do something about this.
About 2 years ago (2009), criminal investigations were started into the activities of Megaupload Inc., with a whole lot of red tape. The company itself is based in Hong Kong and a lot of the key people, including founder and chief Kim Dotcom, were in New Zealand. Well this went on for 2 years and we arrive in the present. Actually more like the recent past, but here we go.
A few months earlier, the US government had brought forth two acts called the Stop Online Piracy Act (SOPA) and the Proctect IP Act (PIPA) and this got everybody up in arms. That's a whole other kettle of fish, to be fried on another day. The main point is on January 18th 2012, a large number of websites "blacked out" and replaced their normal content with a page explaining why they are protesting SOPA and PIPA. On January 20th 2012, Dotcom and associates were arrested (alt article) and several assets were seized in a multi-country raid.
A large number of people think that this was a sort of backlash reaction to the blackouts, but it was in fact timed to coincide with a party Dotcom was hosting at his house, so that all the eggs would be in one basket, so to speak. These arrests were the culmination of a 2 year long investigation, with the cooperation of the police in all countries involved. Of course, nobody bothered to check that and Anonymous did their usual retaliation bit. Although the charges are being laid by the US, the police in all the countries involved were a part of the investigation, thus solving any jurisdictional issues.
I will be a little evil at this time and point out that there were millions of dollars worth of stuff seized, including some art, tech and a few luxury cars.There were also large accounts frozen and so on. The irony here is a large number of people justify piracy by saying it only affects the super rich guys in the super rich studios/labels, which kind of describes these guys. Not really sure why everybody is so vociferously supporting them, but I'm sure they have some really good reasons. Let's look at how exactly Megaupload is defending themselves.
The main defense that has been put forward is either "The majority of our traffic (and therefore business) was legitimate" or "we always took down infringing content." The first defense is, in my opinion, a big steaming pile of shit. That is like saying "You can't shut down my shop because only 10% of my income is from selling drugs." I don't at all doubt that there were users who were using in a fully legal manner, but that's really beside the point. The point put forward is that those in charge were aware of this infringement and actively promoted it. As for the second argument, takedowns were only effected if provided if a notice was provided and as said before there was no real punishment for the uploaders.
There is sort of the further complication that of them trying to rip off youtube, but that's something I haven't really looked at and don't feel well informed enough to comment. I would recommend that you read the linked article.
So, in all of this a lot of facts got jumbled up and a lot of people assumed things that were not true. There facts a touch murky, but with a bit of time, one can wade through and see what's going on. I guess it was a matter of bad timing on a couple of fronts. The bottom line is that they have been arrested, denied bail and will face an extradition hearing on February 22 2012. For now, Megaupload is gone and I don't think it's going to come back any time soon.
Sunday, 29 January 2012
TVShack (let's get this one out of the way shall we)
Alrighty then sports fans, I'm back. There's been quite a bit of stuff happening and I really hope that I can catch up with it all. So here we go. I'm going have a pick at TVShack and MegaUpload, which have been the focus of the media recently. So, let's start with the earlier story of TVShack shall we?
TVShack was a very popular streaming site for TV shows, movies, music videos and the like. It was a fairly unique one in the way it operated. TVShack was not simply a link site, that is to say a site simply with a list of links to streaming videos of the content, they went half a step further. Although they did not host any of the videos themselves, but instead embedded the videos into their site. What was really the problem here was the nature of the videos posted.
By now I am sure you have guessed, or more likely know, that these videos were illegal copies of movies and TV series. On June 30 2010, the domain TVShack.net, amongst others, was seized and replaced with what many would call an "evil message from the man." Of course, TVShack.cc (.cc is the TLD for the Cocos Islands, which is an Australian territory) was created as a replacement (see bottom of this article) with all the same content on it, remember that there were videos embedded in the site. A few short months later in November, British police paid a visit to the creator of the site, one Mr. Richard O'Dwyer of Sheffield.
The site was brought down and Mr O'Dwyer was arrested on charges of copyright infringement. Further the United States requested that he be extradited to face trial in America. Of course his lawyers stated fervently that the site contained no infringing content, but merely links to said content, which reported as such by the media. You'll note that I stressed on the fact that he embedded (again with the stress) the content on his website. For all intents and purposes that is pretty much the same as hosting the content yourself.
Now I have been searching long and hard for literature on this subject and frankly, I am a bit disappointed. Practically every article I have read so far maintains, sometimes in very strong words, that site simply linked to infringing content, which is false. There is then the further assertion that the "dual-criminality" argument required for extradition fails as he did not download any of the content himself. Well, I can neither confirm nor deny this, but if he did watch any of the links on his website, which is quite possible, a copy of the video will have been stored on his computer, thus counting as a download.
Now, I say it's quite possible because of how TVShack worked. Users would submit links to the site for consideration. These links would then be checked by the moderators to ensure that they were indeed what they said. Once checked, the video would then be embedded in the site. So, if Mr. O'Dwyer did watch one of these videos, then it would technically be a download.
No, I'm not trying to point out technicalities to prove the case against him, I am pointing out counter-arguments to the technicalities proposed by his lawyers. Well, long story short, it was recently ruled that he shall be extradited to the States. A lot of people cried foul that this was done at this time due to SOPA/PIPA, but it has been an ongoing case for a while, he appeared before a magistrate in June 2011.
Long story short, the magistrate ruled that he may be extradited. It is my understanding that if found guilty he stands to get up to 10 years in prison, but we will simply have to wait and see how it goes.
TVShack was a very popular streaming site for TV shows, movies, music videos and the like. It was a fairly unique one in the way it operated. TVShack was not simply a link site, that is to say a site simply with a list of links to streaming videos of the content, they went half a step further. Although they did not host any of the videos themselves, but instead embedded the videos into their site. What was really the problem here was the nature of the videos posted.
By now I am sure you have guessed, or more likely know, that these videos were illegal copies of movies and TV series. On June 30 2010, the domain TVShack.net, amongst others, was seized and replaced with what many would call an "evil message from the man." Of course, TVShack.cc (.cc is the TLD for the Cocos Islands, which is an Australian territory) was created as a replacement (see bottom of this article) with all the same content on it, remember that there were videos embedded in the site. A few short months later in November, British police paid a visit to the creator of the site, one Mr. Richard O'Dwyer of Sheffield.
The site was brought down and Mr O'Dwyer was arrested on charges of copyright infringement. Further the United States requested that he be extradited to face trial in America. Of course his lawyers stated fervently that the site contained no infringing content, but merely links to said content, which reported as such by the media. You'll note that I stressed on the fact that he embedded (again with the stress) the content on his website. For all intents and purposes that is pretty much the same as hosting the content yourself.
Now I have been searching long and hard for literature on this subject and frankly, I am a bit disappointed. Practically every article I have read so far maintains, sometimes in very strong words, that site simply linked to infringing content, which is false. There is then the further assertion that the "dual-criminality" argument required for extradition fails as he did not download any of the content himself. Well, I can neither confirm nor deny this, but if he did watch any of the links on his website, which is quite possible, a copy of the video will have been stored on his computer, thus counting as a download.
Now, I say it's quite possible because of how TVShack worked. Users would submit links to the site for consideration. These links would then be checked by the moderators to ensure that they were indeed what they said. Once checked, the video would then be embedded in the site. So, if Mr. O'Dwyer did watch one of these videos, then it would technically be a download.
No, I'm not trying to point out technicalities to prove the case against him, I am pointing out counter-arguments to the technicalities proposed by his lawyers. Well, long story short, it was recently ruled that he shall be extradited to the States. A lot of people cried foul that this was done at this time due to SOPA/PIPA, but it has been an ongoing case for a while, he appeared before a magistrate in June 2011.
Long story short, the magistrate ruled that he may be extradited. It is my understanding that if found guilty he stands to get up to 10 years in prison, but we will simply have to wait and see how it goes.
Saturday, 26 November 2011
When responsible disclosure is not the responsible thing to do.
Greetings sports fans! (I really like this. Yeah, this is going to be a thing from now on.) Today I want to fill you into one of the most asked question in the field of computer security: "Who should I tell about my latest discovery?" There are few possible answers to that questions, most commonly (in order of size): nobody, the people involved, the people affected, the research community, everybody and for completeness TeH I/\/t3W3bzzz!!1!! It's not always clear what the real answer is, or even if there is a real answer, as we shall soon see.
So, lets start of with the case I am most familiar with, as it is what I do, theoretical constructive cryptography. Sounds fancy, don't it? Basically, what I do is I look at existing schemes and try to make a better one, by either improving the extant scheme or creating a new one. In this case it's obvious that what you have now found should be shared with at least the research community and maybe the whole world if it has any real-world applications/impacts/etc. The same goes for the implementation side of cryptography.
one would assume advances in constructions or protocols are somewhat non-threating to the security of any other system. That is normally, the case, if we consider only the security of a system. A better version of a extant protocol may pose a financial threat to any parties selling the afore mentioned protocol, but it would not compromise it in any other way. The real difference is on "The Other Side of the Coin." (Heyooo!)
All silly self-referencing puns aside, what I am really referring to is cryptanalysis. These are the guys whose job it is to take cryptographic schemes and find ways to break them. They sound evil, right? Well they aren't. The idea behind cryptanalysis is to find out which schemes can and can not be broken by using a variety of techniques. If a given scheme, or indeed a class of schemes, is broken, it gives cryptographers insight to what they should not do. You may think of cryptanalysts as safety inspectors.
Now, here's the problem. Consider this, I make a new and particularly bad crypto scheme, let call it AVeryBadIdea or AVBI (C)(TM)(Pat. Pend.). I publish this scheme and I'm happy. A cryptanalyst has a look at it and breaks it completely within days of its publication. They publish the attack and life goes on. Number of people affected: 2. Doesn't sound like a problem? Well, consider the following scenario: I sell this very same cryptosystem to a couple of small time businesses to secure their data, blah, blah. Now when the attack comes out, number of people affected: 2 + all the people who bought AVBI.
Let's take this a step further. What is AVBI is used for something important, say credit cards. Well, then when if they system is broken, we have a problem. Now every credit card in existence is at threat of being used by malicious parties. Affected people: 2 + banks + credit institutions + everybody who has a credit card. Here the responsible thing to do is to tell the banks and credit institutions and they can try and find a remedy for it. The wrong thing to do is tell everybody else first.
Then you get into more complex issues. A large number of schemes have one "master secret." The gist of it is that if anybody knew this they could do whatever they wanted and not be found out. Suppose AVBI is now an industry standard of some description or the other. Somebody comes up with an attack that allows them to recover the master secret and indeed they do. What do they do? Tell the industry governing body? Sounds like a good idea right?
It is, if the concerned party/parties are not overtly hostile. The classical example of this is HDCP, as explained by Niels Ferguson. On the flip side you have the Stony Brook researchers who released the source code that allows you to do this. It's quite a grey area and I'm not sure there is a real right answer to this. There is a middle ground, which is publishing the idea of the attack, but not releasing the implementation. I believe this is what has been done by my colleagues at the Ruhr University of Bochum wrt their recent work on HDCP. However, this does also leave open the question: Could someone develop a similar attack on their own? It's possible, but then consider that the master secret is already out there, so is it really a bigger threat?
There is scope for even more potential pitfalls and possible permutations of the present problem regarding all participating parties (that's a lot of p's) and the water can get even more murky. Yes, there are clear cut consequences of cryptographic and cryptanalytic creations (and a few c's), but not always. There is so much room for error and personal judgment and it can be quite a burden trying to tackle such a dilemma. So in short, responsible disclosure can be an irresponsible thing to do.
So, lets start of with the case I am most familiar with, as it is what I do, theoretical constructive cryptography. Sounds fancy, don't it? Basically, what I do is I look at existing schemes and try to make a better one, by either improving the extant scheme or creating a new one. In this case it's obvious that what you have now found should be shared with at least the research community and maybe the whole world if it has any real-world applications/impacts/etc. The same goes for the implementation side of cryptography.
one would assume advances in constructions or protocols are somewhat non-threating to the security of any other system. That is normally, the case, if we consider only the security of a system. A better version of a extant protocol may pose a financial threat to any parties selling the afore mentioned protocol, but it would not compromise it in any other way. The real difference is on "The Other Side of the Coin." (Heyooo!)
All silly self-referencing puns aside, what I am really referring to is cryptanalysis. These are the guys whose job it is to take cryptographic schemes and find ways to break them. They sound evil, right? Well they aren't. The idea behind cryptanalysis is to find out which schemes can and can not be broken by using a variety of techniques. If a given scheme, or indeed a class of schemes, is broken, it gives cryptographers insight to what they should not do. You may think of cryptanalysts as safety inspectors.
Now, here's the problem. Consider this, I make a new and particularly bad crypto scheme, let call it AVeryBadIdea or AVBI (C)(TM)(Pat. Pend.). I publish this scheme and I'm happy. A cryptanalyst has a look at it and breaks it completely within days of its publication. They publish the attack and life goes on. Number of people affected: 2. Doesn't sound like a problem? Well, consider the following scenario: I sell this very same cryptosystem to a couple of small time businesses to secure their data, blah, blah. Now when the attack comes out, number of people affected: 2 + all the people who bought AVBI.
Let's take this a step further. What is AVBI is used for something important, say credit cards. Well, then when if they system is broken, we have a problem. Now every credit card in existence is at threat of being used by malicious parties. Affected people: 2 + banks + credit institutions + everybody who has a credit card. Here the responsible thing to do is to tell the banks and credit institutions and they can try and find a remedy for it. The wrong thing to do is tell everybody else first.
Then you get into more complex issues. A large number of schemes have one "master secret." The gist of it is that if anybody knew this they could do whatever they wanted and not be found out. Suppose AVBI is now an industry standard of some description or the other. Somebody comes up with an attack that allows them to recover the master secret and indeed they do. What do they do? Tell the industry governing body? Sounds like a good idea right?
It is, if the concerned party/parties are not overtly hostile. The classical example of this is HDCP, as explained by Niels Ferguson. On the flip side you have the Stony Brook researchers who released the source code that allows you to do this. It's quite a grey area and I'm not sure there is a real right answer to this. There is a middle ground, which is publishing the idea of the attack, but not releasing the implementation. I believe this is what has been done by my colleagues at the Ruhr University of Bochum wrt their recent work on HDCP. However, this does also leave open the question: Could someone develop a similar attack on their own? It's possible, but then consider that the master secret is already out there, so is it really a bigger threat?
There is scope for even more potential pitfalls and possible permutations of the present problem regarding all participating parties (that's a lot of p's) and the water can get even more murky. Yes, there are clear cut consequences of cryptographic and cryptanalytic creations (and a few c's), but not always. There is so much room for error and personal judgment and it can be quite a burden trying to tackle such a dilemma. So in short, responsible disclosure can be an irresponsible thing to do.
Sunday, 9 October 2011
Privacy? Is that a vegtable?
So, here we are opening this can of worms. Yeah I know there are other stories that going on, but I'm working on a couple of posts, which should surface sometime soon. OK, so let's talk about privacy on the Internet. It's the one thing you will hear over and over again "There is no privacy on the Internet." Which is part of the truth, but not the whole truth.
This is normally the cry of the anti-social narwhal (not an actual meme, yet!) against social networks, but it is a smidge unfair. The main complaint people have is that all your information is out there and anybody can see it and so on and so forth. Well, yes because you put it out there. It's like complaining that your diary contains all these personal and embarrassing things about you. Yes, in this case the diary is actually owned by somebody else, but you knew what you were getting into. There really is no way around, except you know not posting stuff like that on social networks.
Another issue regarding matter of posting stuff is visibility. People seem to be unable to comprehend the very basic fact that stuff you post will be visible to other people. You can control who those people are, granted it is not always in the most obvious way. There always exists some mechanism to limit the visibility of your post. There are countless stories of students putting up statuses about teachers they added and employees doing the same with employers.
Well, let's say you mastered all the above, there is still one small problem. The people you are sharing this content with may not be so discerning. This is especially true for "amusing" content, exemplified best by the sites Lamebook and Failbook. Both these sites allow users to post screenshots of post on Facebook, or any other social network in the case of Failbook, that they found amusing. The best are then shared on these sites for consumption by the general public.
Even as I write this I can hear the anti-social narwhal (this should totally be a meme) bellowing in my ears "BUT WHAT ABOUT THE PRIVACY!!!" Well these sites do apply some discretion and redact names and profile pictures so as the preserve the identity of the posters. This does not always work. The trouble is that most posts get submitted to both sites. The really good ones show up on both. And well if you mess up the redaction then it gets a bit hinky.
A perfect example of this is the following post on Lamebook and Failbook. Lamebook redacted the surnames and Failbook redacted the forenames. The end result is that you found the original people and the original post. In all fairness this post is public so there is not really much of an issue of privacy at this point, but try tell that to a narwhal (don't ask, I'm just going with it now).
So, in conclusion children: be aware of what you post on the Internet, for there are no secrets. Also, always brush your teeth before going to bed.
This is normally the cry of the anti-social narwhal (not an actual meme, yet!) against social networks, but it is a smidge unfair. The main complaint people have is that all your information is out there and anybody can see it and so on and so forth. Well, yes because you put it out there. It's like complaining that your diary contains all these personal and embarrassing things about you. Yes, in this case the diary is actually owned by somebody else, but you knew what you were getting into. There really is no way around, except you know not posting stuff like that on social networks.
Another issue regarding matter of posting stuff is visibility. People seem to be unable to comprehend the very basic fact that stuff you post will be visible to other people. You can control who those people are, granted it is not always in the most obvious way. There always exists some mechanism to limit the visibility of your post. There are countless stories of students putting up statuses about teachers they added and employees doing the same with employers.
Well, let's say you mastered all the above, there is still one small problem. The people you are sharing this content with may not be so discerning. This is especially true for "amusing" content, exemplified best by the sites Lamebook and Failbook. Both these sites allow users to post screenshots of post on Facebook, or any other social network in the case of Failbook, that they found amusing. The best are then shared on these sites for consumption by the general public.
Even as I write this I can hear the anti-social narwhal (this should totally be a meme) bellowing in my ears "BUT WHAT ABOUT THE PRIVACY!!!" Well these sites do apply some discretion and redact names and profile pictures so as the preserve the identity of the posters. This does not always work. The trouble is that most posts get submitted to both sites. The really good ones show up on both. And well if you mess up the redaction then it gets a bit hinky.
A perfect example of this is the following post on Lamebook and Failbook. Lamebook redacted the surnames and Failbook redacted the forenames. The end result is that you found the original people and the original post. In all fairness this post is public so there is not really much of an issue of privacy at this point, but try tell that to a narwhal (don't ask, I'm just going with it now).
So, in conclusion children: be aware of what you post on the Internet, for there are no secrets. Also, always brush your teeth before going to bed.
Monday, 12 September 2011
Hackers = Mobsters?
Ok, so as promised: post number 2 of today (just to be pedantic, my today). So, I recently read this in which President Obama said that he wants hackers will be treated, for the purposes of the law, in a manner similar to that of organised crime. Yes, people, that means mobsters, as in Tony Montana or Al Capone. That does make hackers sound so much cooler now that we are imagining them in pinstripe suits and not nerdy T-Shirts, but we must question the validity of this.
My main objection to this is the term "organized", not only due to the fact that I prefer British spelling, but mainly because, it's not always true. Yes, one could say that LulzSec is/was somewhat akin to the famed "Cosa Nostra," but they do indeed prove to be the exception to the rule. The next closest thing is Anonymous, but they are at best a loose collection of similar-ish minded individuals, who got together for one job and then disbanded. Of course some members will carry out attacks in unison after that, but it would almost certainly not be the whole group again.
Further more, there is a somewhat implicit assumption of some form of heirarchy amongst hackers. There may well be "senior" and "junior" member of the group and there may well be some people with more influence or more authority, but no really chain of command, so to speak. To the best of my knowledge there is no Godfather in hacker communities. So, here again the organised argument breaks down.
Of course, the previous is in the case where there is actually more than one person involved. It is neither impossible nor uncommon, for a single hacker to mounts attacks on a fairly large scale. Yes, I know that the article states that "complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," but there have been reports of single attackers mounted somewhat complex attacks. Granted, they may have obtained resources from other individuals/groups, but they did mainly act alone. In the case of this single perpetrator, the term organised seems to be a dash irrelevant. I can imagine that the lawmen would be well pressed to somehow fits such a scenario into these laws.
Furthermore one would assume that the Racketeer Influenced and Corrupt Organizations (RICO) Act would be the basis for this new version of the Computer Fraud and Abuse Act (CFAA). I am not a legal expert, but I can imagine that this would be quite challenging. You see, these two classes of criminals live and operate in very different environments, thus making any sort of an analogy difficult. However, this idea is not without merit.
Recently, this story emerged. An Australian blogger wrote about domain-name fraud and found himself in a spot of bother. He was, and still is from what I gather, being DDoSed. The thing is that the log files show the traffic coming from non-existent websites, which are actually death threats to him. One example is “http://lastwarning-shutdown-yourblog-or-die-withyourparklogic.com”. This does seem to be very much like old school mafia behaviour, which lends great credence to this new idea.
So, although it may not be IMHO the best way to go about, it is not without its merits. As this develops further, it may even become an excellent law. Until, all we can do is wait and see.
My main objection to this is the term "organized", not only due to the fact that I prefer British spelling, but mainly because, it's not always true. Yes, one could say that LulzSec is/was somewhat akin to the famed "Cosa Nostra," but they do indeed prove to be the exception to the rule. The next closest thing is Anonymous, but they are at best a loose collection of similar-ish minded individuals, who got together for one job and then disbanded. Of course some members will carry out attacks in unison after that, but it would almost certainly not be the whole group again.
Further more, there is a somewhat implicit assumption of some form of heirarchy amongst hackers. There may well be "senior" and "junior" member of the group and there may well be some people with more influence or more authority, but no really chain of command, so to speak. To the best of my knowledge there is no Godfather in hacker communities. So, here again the organised argument breaks down.
Of course, the previous is in the case where there is actually more than one person involved. It is neither impossible nor uncommon, for a single hacker to mounts attacks on a fairly large scale. Yes, I know that the article states that "complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," but there have been reports of single attackers mounted somewhat complex attacks. Granted, they may have obtained resources from other individuals/groups, but they did mainly act alone. In the case of this single perpetrator, the term organised seems to be a dash irrelevant. I can imagine that the lawmen would be well pressed to somehow fits such a scenario into these laws.
Furthermore one would assume that the Racketeer Influenced and Corrupt Organizations (RICO) Act would be the basis for this new version of the Computer Fraud and Abuse Act (CFAA). I am not a legal expert, but I can imagine that this would be quite challenging. You see, these two classes of criminals live and operate in very different environments, thus making any sort of an analogy difficult. However, this idea is not without merit.
Recently, this story emerged. An Australian blogger wrote about domain-name fraud and found himself in a spot of bother. He was, and still is from what I gather, being DDoSed. The thing is that the log files show the traffic coming from non-existent websites, which are actually death threats to him. One example is “http://lastwarning-shutdown-yourblog-or-die-withyourparklogic.com”. This does seem to be very much like old school mafia behaviour, which lends great credence to this new idea.
So, although it may not be IMHO the best way to go about, it is not without its merits. As this develops further, it may even become an excellent law. Until, all we can do is wait and see.
Sunday, 11 September 2011
(Distributed) Denial of Service attacks, intentional or otherwise.
So, I have been away for a bit and thus the lack of posting. So to make that up, there will be two posts today and at least one more this week. Right, lets get into its shall we? Today's topic is (Distributed) Denial of Service attacks and how they can be inadvertently caused. So, first off, what exactly is is a Denial of Service (DoS) and indeed a Distributed Denial of Service (DDoS) attack.
A Denial of Service (DoS) attack involves sending an excessive amounts of data/requests/pings to a server with the aim of overloading the server so that legitimate users can not access the server. Imagine the following scenario: there is an office with an information counter. Normally, people would walk up tot he counter, get the information they need and then leave. After this the next person does the same and so on and so forth. A DoS would essentially be one person standing at the counter and asking so many questions that nobody else can get up to the counter.
A Distributed DoS (DDoS) is the same thing, except with one minor difference. In a standard DoS, there is only one attacker and one attacking system. In a DDoS, there may still be one attacker, but there are several systems that involved in the attack. For all intents and purposes, DoS attacks really only exist in textbooks, so we will only consider DDoS attacks.
So, now that we know what DDoS attacks are, let's look at how they happen. The normal scenario is that our attacker(s) pick a target and then bombard them with request. At a technical level, there are several ways to this in an intelligent ways, but the simplest is just overwhelming the server with requests. I would rather not get into the details, because to be quite honest, I find them inane and boring. SO, let's just say there are many ways of doing it.
Now, if you recall I did say we were going to discuss how one may inadvertently perform a DDoS. First off, we need to realise that different websites require different levels of hardware. Right at the top you have the likes of Google, who require server farms of sizes that are difficult to fathom. Then you go down to the bottom, where you have tiny websites that get a couple of hits a week, which probably run on a single machine. Obviously, the smaller the server, the easier it is to DDoS.Now, the unintentional DDoS attacks happen to theses smaller sites. How you ask? Well simple, they get very popular, very fast.
There a few ways you can achieve this. Firstly, start off a small website and then becomes popular. Then when you post new content, number of people accessing your site goes through the roof and your site becomes temporarily unavailable. Don't think this is possible? I refer you to a delightful webcomic (in a manner of speaking) The Oatmeal, run by Matthew Inman. He even says something about it on his Facebook page. He does somewhat DDoS himself, by being awesome!
Another way is best explained by using Stephen Fry as an example. Stephen had built up quite a fan base as an entertainer and television personality over the years, so when he ended up in Twitter, well naturally he had a smattering of followers (myself included). He is quite an avid user and apart from the usual tweets of his current activities (and of course his tweets for charity), he does tweet links to amusing content from time to time. The moment that tweet hits the net, there are thousands of people clicking that link and well it has caused more that one site to go down.
As we can see in both cases, neither party had any malicious intent towards the sites that they inadvertently DDoS'ed, but it did happen. The unfortunate part of this is that there is no way to defend against it. Well, there is the no practical way to defend against it. Of course, everybody could use industrial size server farms, but that is not really practical. There may be some sort of gains made if everything was hosted in the cloud, but I'm not sure how feasible that is.
A Denial of Service (DoS) attack involves sending an excessive amounts of data/requests/pings to a server with the aim of overloading the server so that legitimate users can not access the server. Imagine the following scenario: there is an office with an information counter. Normally, people would walk up tot he counter, get the information they need and then leave. After this the next person does the same and so on and so forth. A DoS would essentially be one person standing at the counter and asking so many questions that nobody else can get up to the counter.
A Distributed DoS (DDoS) is the same thing, except with one minor difference. In a standard DoS, there is only one attacker and one attacking system. In a DDoS, there may still be one attacker, but there are several systems that involved in the attack. For all intents and purposes, DoS attacks really only exist in textbooks, so we will only consider DDoS attacks.
So, now that we know what DDoS attacks are, let's look at how they happen. The normal scenario is that our attacker(s) pick a target and then bombard them with request. At a technical level, there are several ways to this in an intelligent ways, but the simplest is just overwhelming the server with requests. I would rather not get into the details, because to be quite honest, I find them inane and boring. SO, let's just say there are many ways of doing it.
Now, if you recall I did say we were going to discuss how one may inadvertently perform a DDoS. First off, we need to realise that different websites require different levels of hardware. Right at the top you have the likes of Google, who require server farms of sizes that are difficult to fathom. Then you go down to the bottom, where you have tiny websites that get a couple of hits a week, which probably run on a single machine. Obviously, the smaller the server, the easier it is to DDoS.Now, the unintentional DDoS attacks happen to theses smaller sites. How you ask? Well simple, they get very popular, very fast.
There a few ways you can achieve this. Firstly, start off a small website and then becomes popular. Then when you post new content, number of people accessing your site goes through the roof and your site becomes temporarily unavailable. Don't think this is possible? I refer you to a delightful webcomic (in a manner of speaking) The Oatmeal, run by Matthew Inman. He even says something about it on his Facebook page. He does somewhat DDoS himself, by being awesome!
Another way is best explained by using Stephen Fry as an example. Stephen had built up quite a fan base as an entertainer and television personality over the years, so when he ended up in Twitter, well naturally he had a smattering of followers (myself included). He is quite an avid user and apart from the usual tweets of his current activities (and of course his tweets for charity), he does tweet links to amusing content from time to time. The moment that tweet hits the net, there are thousands of people clicking that link and well it has caused more that one site to go down.
As we can see in both cases, neither party had any malicious intent towards the sites that they inadvertently DDoS'ed, but it did happen. The unfortunate part of this is that there is no way to defend against it. Well, there is the no practical way to defend against it. Of course, everybody could use industrial size server farms, but that is not really practical. There may be some sort of gains made if everything was hosted in the cloud, but I'm not sure how feasible that is.
Thursday, 18 August 2011
rankmyhack.com - WHY?
So, recently it has come to my attention that there is a website called rankmyhack.com [twitter account] (at last attempt the site was unreachable and isup.me said it looks down) which basically encourages the general populous to hack stuff, post details of it and get points based on how good it was. So, something simple like logging into a system where they left the guest account open would score minimal points, but a more complex exploit, such as say a SQL injection, would score more. Sounds fun right?
WRONG! I for one will tell how important it is to secure your web-facing interfaces, devices and any combination thereof till the cows come home, but there is a proper way to do that. There are some standard known practices and counter-measures against exploits that you can put in place. Of course this process is fairly mechanical and does not account for human ingenuity.
Tiger Teams (that term always makes me think of this), enter stage left. Now a Tiger Team or Red Team is a bunch of inhouse or outsourced hackers whose sole job is to attack the system. They do this in a contained environment and report all the exploits the the developers who then correct any flaws. Ideally, they will find everything, but there is no guarantee of that. If they are good, they will find most of them.
That's the normal way of doing it. This site however basically sets the dogs loose on every single person on the Internet. You, my dear beloved reader are at risk. If you are reading this, it is a safe assumption that you have access to the Internet. A further safe assumption is that you have at least one e-mail account. BOOM! Target numero uno. But it gets better. Do you have: Facebook? Twitter? Social media sites? Other sites? Your own website? Smartphone? All targets. There are a plethora more and I will not list them all but you get the idea.
The very idea that a website would be dedicated to this kind of malicious and illegal behaviour is utterly beyond me. Why don't we have a website dedicated to videos of us crashing our cars into walls and rate those? ratemycrash.com! Brilliant idea! And as I typed that, I realised that it probably exists, which it does. When I saw that page, my soul died a little bit. But I digress.
This website is the digital equivalent of a bunch of mobsters gathered around a dinner table bragging about all the crimes they have committed. Yes, I know I have shown a little bit of annoyance at the Black Hat conferences and the like, but in the end it is serious security research. I know they sexy it up and throw in a bit of FUD but at the end of the day it is valid research with some useful insights and is helpful in the design of future systems.
This site, not so much. It also helps further perpetuate the whole image of hackers portrayed in the media. You may remember my previous comment about the green on black terminals. Yeah, that's all there. There are times when people do things which we don't agree on and we move on. Then there are times when people do things and it just about turns you into a misanthrope. This isn't one of the latter, but it sure as hell ain't helping!
WRONG! I for one will tell how important it is to secure your web-facing interfaces, devices and any combination thereof till the cows come home, but there is a proper way to do that. There are some standard known practices and counter-measures against exploits that you can put in place. Of course this process is fairly mechanical and does not account for human ingenuity.
Tiger Teams (that term always makes me think of this), enter stage left. Now a Tiger Team or Red Team is a bunch of inhouse or outsourced hackers whose sole job is to attack the system. They do this in a contained environment and report all the exploits the the developers who then correct any flaws. Ideally, they will find everything, but there is no guarantee of that. If they are good, they will find most of them.
That's the normal way of doing it. This site however basically sets the dogs loose on every single person on the Internet. You, my dear beloved reader are at risk. If you are reading this, it is a safe assumption that you have access to the Internet. A further safe assumption is that you have at least one e-mail account. BOOM! Target numero uno. But it gets better. Do you have: Facebook? Twitter? Social media sites? Other sites? Your own website? Smartphone? All targets. There are a plethora more and I will not list them all but you get the idea.
The very idea that a website would be dedicated to this kind of malicious and illegal behaviour is utterly beyond me. Why don't we have a website dedicated to videos of us crashing our cars into walls and rate those? ratemycrash.com! Brilliant idea! And as I typed that, I realised that it probably exists, which it does. When I saw that page, my soul died a little bit. But I digress.
This website is the digital equivalent of a bunch of mobsters gathered around a dinner table bragging about all the crimes they have committed. Yes, I know I have shown a little bit of annoyance at the Black Hat conferences and the like, but in the end it is serious security research. I know they sexy it up and throw in a bit of FUD but at the end of the day it is valid research with some useful insights and is helpful in the design of future systems.
This site, not so much. It also helps further perpetuate the whole image of hackers portrayed in the media. You may remember my previous comment about the green on black terminals. Yeah, that's all there. There are times when people do things which we don't agree on and we move on. Then there are times when people do things and it just about turns you into a misanthrope. This isn't one of the latter, but it sure as hell ain't helping!
Sunday, 14 August 2011
Black Hat and the constant accompyning headlines!
So, recently there was the Black Hat conference in Vegas. For those of you who are less informed, this is basically a large gathering of security researchers presenting their latest findings. And by findings I mean what they have recently broken. Most people dub this a "hacker" conference which is not to unreasonable, but I have one issue with it. The media coverage of it.
The only reason the term "hacker" is used is to sound sexy to the media. They hear that word and they are doing backflips through rings of fire to get the story. And as we are aware the media doesn't always get it right when reporting computer security related issues. Black hat presentations are geared to getting the media attention and causing a bit of a frenzy.
A prime example of that is Don Bailey's presentation which was entitled "War Texting: Identifying and Interacting with Devices on the Telephone Network" which does raise some valid points about connectivity of critical devices (details in another post) but it was also well marketed. He showed that he could unlock cars just by sending a few text messages. When normal people hear something like "vulnerability in FPGA-based control systems" or something similar they do not really know what it means.
Say "I can unlock your car with my phone" and they are scared. Don did say (quote in this article) "I could care less if I could unlock a car door. It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat." Which is basically my grievance. As security researchers, we have to sexy up our ideas and then present them to the general populous. Which in turn leads to what I would deem to be an inconvenience.
If you want media attention, then you research on topics that you can sell with a little bit of FUD. Which does restrict your scope quite a lot. This then has a further effect that people view security researchers as only doing this kind of research. This leaves the more theoretical people, like myself, out in the cold, so to speak. Which may or may not be a bad thing, I am not really sure, but I am very sure that it does grind my gears a smidge.
The only reason the term "hacker" is used is to sound sexy to the media. They hear that word and they are doing backflips through rings of fire to get the story. And as we are aware the media doesn't always get it right when reporting computer security related issues. Black hat presentations are geared to getting the media attention and causing a bit of a frenzy.
A prime example of that is Don Bailey's presentation which was entitled "War Texting: Identifying and Interacting with Devices on the Telephone Network" which does raise some valid points about connectivity of critical devices (details in another post) but it was also well marketed. He showed that he could unlock cars just by sending a few text messages. When normal people hear something like "vulnerability in FPGA-based control systems" or something similar they do not really know what it means.
Say "I can unlock your car with my phone" and they are scared. Don did say (quote in this article) "I could care less if I could unlock a car door. It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat." Which is basically my grievance. As security researchers, we have to sexy up our ideas and then present them to the general populous. Which in turn leads to what I would deem to be an inconvenience.
If you want media attention, then you research on topics that you can sell with a little bit of FUD. Which does restrict your scope quite a lot. This then has a further effect that people view security researchers as only doing this kind of research. This leaves the more theoretical people, like myself, out in the cold, so to speak. Which may or may not be a bad thing, I am not really sure, but I am very sure that it does grind my gears a smidge.
Wednesday, 27 July 2011
Security the MS way: Protecting you from yourself!
I have always maintained that Microsoft's security policy is essentially to stop you from doing anything stupid. The concept in itself is fairly sound, but the implementation is not. In the classic Operating System debate of Windows versus Linux, the biggest point Linux users make is that they can modify any part of the operating system to suit their needs and desires. When I used Windows XP, I had found all the little secrets to get my machine to do what I wanted it to do. But, I digress.
Microsoft basically adopted the "protect the users from themselves" approach in earnest in Windows Vista. There are several reason why I (and others) am not too fond of Vista, but that aside. The idea is sound in theory, but the implemenatation of it left so much to be desired. In hiding all the knifes from the kids, they also hid all the forks and spoons. Yes, I agree that some of the functionalities should not be available to normal users, but it should be available to admin users.
A whole plethora of useful features were hidden, but we shan't go into that now. The main thing is this article. Now I know I'm a bit late to jump onto this, but I have been a tad lazy. Moving on. So it seems that Hotmail will ban common and quite frankly shit passwords. This is a good and a bad thing.
As I have pointed out before, passwords can be tricky things. For something iek your e-mail account, you need a decent password. So now if Hotmail will reject your password because it's shit, that good right? Well, yes and no. It does stop dictionary attacks, however it drastically changes the search space.
Previously, an attacker would run dictionary attacks in the hope that somebody was a fool. Now that cannot happen then the system is foolproof right? Yes, but to quote Douglas Adams "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." It may sound a touch misanthropic, but people are stupid.
Eventually what is going to happen is that people will find that people will find the least complex passwords that pass through the Hotmail filter and then use those passwords repeatedly. Now dictionary based attacks kick in again, just with a new dictionary. The dictionaries may be larger than previously, but it may not be a significant amount.
So, it is a good idea and I am very much in favour of this, but it could also backfire. Only time will tell, we shall wait and see.
Microsoft basically adopted the "protect the users from themselves" approach in earnest in Windows Vista. There are several reason why I (and others) am not too fond of Vista, but that aside. The idea is sound in theory, but the implemenatation of it left so much to be desired. In hiding all the knifes from the kids, they also hid all the forks and spoons. Yes, I agree that some of the functionalities should not be available to normal users, but it should be available to admin users.
A whole plethora of useful features were hidden, but we shan't go into that now. The main thing is this article. Now I know I'm a bit late to jump onto this, but I have been a tad lazy. Moving on. So it seems that Hotmail will ban common and quite frankly shit passwords. This is a good and a bad thing.
As I have pointed out before, passwords can be tricky things. For something iek your e-mail account, you need a decent password. So now if Hotmail will reject your password because it's shit, that good right? Well, yes and no. It does stop dictionary attacks, however it drastically changes the search space.
Previously, an attacker would run dictionary attacks in the hope that somebody was a fool. Now that cannot happen then the system is foolproof right? Yes, but to quote Douglas Adams "A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools." It may sound a touch misanthropic, but people are stupid.
Eventually what is going to happen is that people will find that people will find the least complex passwords that pass through the Hotmail filter and then use those passwords repeatedly. Now dictionary based attacks kick in again, just with a new dictionary. The dictionaries may be larger than previously, but it may not be a significant amount.
So, it is a good idea and I am very much in favour of this, but it could also backfire. Only time will tell, we shall wait and see.
Saturday, 25 June 2011
Why is digital money may be a bad idea.
Basically right after I posted this, I read this. Kind of an "I told you so" moment. But apart from that I am at a lack of words for this. I've been staring at my screen for a couple of days now and I have nothing (useful or insightful) to write. Apart from the fact that this whole real currency-bitcoin exchange is a little bit hinky and this is one of the problems you can have with it. For this post, please insert the accustomed amount of wit, cynicism and all that jazz you are used to. Thanks :)
Monday, 20 June 2011
Let's talk money, digital money!
Alrighty then, I'm going to assume that everybody has some basic understanding of the concept of money. Next, I assume you all have some idea of how to spend money online using things like paypal, credit cards, debit cards and so forth. Also, the reason nobody that people shouldn't be able to steal your details and thus your money, if it's all done right, depends heavily on crypto. Best way to explain what I do, is to ask "Have you ever bought anything online?" When they answer in the affirmative, then I say "You're welcome."
All levity aside, let's talk about money. Money is official looking paper and bits of metal that carry some value. This value is backed by some central authority. This would normally be the central bank of the country, but could be larger such as the Eurozone. There's a whole lot of economics behind how and why this works, inflation, deflation, devaluation, exchange rates etc that I don't even pretend to understand. We all accept this at face value and move with our lives.
In the online world, it's basically the same thing. The authorities may have changed to credit card issuers, certification authorities and others, but the principle remains the same. Now, this idea doesn't sit too well with the über-privacy people. They are now afraid of all the digital "paper trail", if you will, that is created by all of this. They say that if we can use crypto to secure our transactions, then why not use it to preserve our privacy and create anonymity.
Well, there is quite a lot of cryptographic research in the field of what we like to call e-cash. All this research is completely agnostic of the economic aspects and focuses on the crypto stuff. Until a few days ago, I thought there was no real implementation of any sort of e-cash. Then I heard about Bitcoin. Just as a brief side-note, cryptographers love coins. It's some what of a convention that all randomness is generated using coins and that all e-cash schemes are described in terms of coins. There is good reasoning behind it, but I shan't go into details.
So, back to Bitcoin, which is "the first decentralised digital currency" according to the introductory video. They then go on to explain how it all works and what the advantages are. I'll just recap it for you, for completeness. Bitcoins works using identifiers called addresses, which are essentially random strings. Each user gets 1 when they download the client software. They can then create more so as to have different types of payments come and/or go to/from different addresses. All of these are tied to the same wallet. So if person has addresses a and b then sending money to either address would be the same. This is how anonymity is preserved.
When Bitcoins are sent from person to person, the transaction is hashed and signed. The hash value and digital signature are then verified by the the other users in the system. Once a transaction is verified, the Bitcoins are added to and subtracted from the relevant accounts. This is the decentralised aspect. In normal e-commerce transactions, the verification would be done by a centralised authority such as a bank or clearing house. With Bitcoins this is done in a peer-to-peer (P2P) manner. Another interesting thing is that Bitcoins are super divisible. You can go down to 0.00000001BTC. Which is the advantage of having a digital currency.
So I thought I'll give this a try. So, I downloaded the client software and started reading through the literature and all the wikis and got a feeling for how this all works. There is a whole sub-culture built based around bitcoins and it is quite fascinating. There are entire forums and IRC channels dedicated to the provision of trade in and using Bitcoins. However, as I dug deeper I discovered two very interesting points.
Firstly, Bitcoins are more of a commodity than a currency IMHO. I would like to think of Bitcoins as digital gold. This analogy is fairly apt given the way the currency works, especially with respect to generation. The generation of Bitcoins is called "mining" and involves essentially finding a pre-image for a hash function. Now this requires huge amounts of computations, but once done, a "block" is created. The creation of this block gives the creator some Bitcoins, at time of writing this stands at 50BTC. For those of us that do not have a super computer, there are still options.
The basic technique is called "pooled mining." Here what you do is you combine your computational power and split up the profits according to how much work you did. One way of doing this, if you have a reasonable large amount of computational power, is to join a mining pool. There are several ways this can be done and there are a few technical details that need to considered. Mostly these depend on a central server, which is ironically what Bitcoin was trying to avoid. For those of us with less computational power, there are alternatives, such as this (BTW if you are feeling really nice, you could try and generate a few coins for me here or you could just send some to 1KbnDDaS3UTAMZkqHSJwGuWgdApQr3wAqp).
However, there are other ways. Carrying on the gold analogy, there are people who own gold but have never even been near a mine. How? They buy it! The same goes for Bitcoins. There are some marketplaces where you can buy and sell Bitcoins for real money. It's fairly easy to compare to say a fresh fish market, let's say. Basically, the fishermen catch the fish (in this case they mine Bitcoins) and then go to a fixed place to sell it. The public knows this place and come there to buy some fish (or in our case Bitcoins). The reason I use the fish market analogy is that there is some haggling and negotiations involved, which is not unlike the Bitcoin marketplaces. In this places you can buy and/or sell Bitcoins for USD, GBP, EUR, or even SLL, the currency of Second Life. Not kidding on the last one.
Which sort of brings me to the second point. Even though Bitcoin is supposed to be decentralised, it seems to be doing it's best to achieve the exact opposite. The whole idea is to not trust this one monolithic central institution, but instead distribute the trust amongst all participants in the system, that is using P2P. There is always some sort of large trust placed in central entities, of varying size, but the point still remains. Transaction verification is still very much P2P, but not much else is. And therein lie the problems.
"With great power comes great responsibility" said Uncle Ben, rightly so. In the mining context, there are ways that servers and miners can cheat. The details of this are fairly technical and thus I will skip them. The essence is that if you control a large enough share of the mining pool, you can control the outcome of the pool, in that who receives how much money. Some people would argue that such attacks are infeasible, but I think they are possible. Further more, with all the multiple currency exchanges, it's not unlikely that somebody could be making, or trying to make, money speculating of price rises and drops. The problem here is that because it's so decentralised, there is the risk of somebody "making a run on the currency." I'm not entirely sure I know how that works, but I believe them.
The most recent problem that has surfaced is that of theft. All the "money" is stored locally on your hard drive in a single file called "wallet.dat". After reading a few of the forums, it became painfully obvious that everybody knows exactly what this file is and what it does. I thought to myself "That's quite a nice target for an attack". Hey presto, somebody did it. The thing with attacks of this kind is that they are pretty much untraceable. Remember, Bitcoin operates on anonymous identities, so even if you get the address that the money was sent to, you don't really learn anything.
So, there are some really cool things about Bitcoin and some not so cool things. I really have no strong opinions about it either way at this point in time. I am just going to let things develop and see what happens. There is a lot of talk about how these may be used to buy and sell drugs, which could lead to the whole thing being shut down, but we shall have to wait and see.
All levity aside, let's talk about money. Money is official looking paper and bits of metal that carry some value. This value is backed by some central authority. This would normally be the central bank of the country, but could be larger such as the Eurozone. There's a whole lot of economics behind how and why this works, inflation, deflation, devaluation, exchange rates etc that I don't even pretend to understand. We all accept this at face value and move with our lives.
In the online world, it's basically the same thing. The authorities may have changed to credit card issuers, certification authorities and others, but the principle remains the same. Now, this idea doesn't sit too well with the über-privacy people. They are now afraid of all the digital "paper trail", if you will, that is created by all of this. They say that if we can use crypto to secure our transactions, then why not use it to preserve our privacy and create anonymity.
Well, there is quite a lot of cryptographic research in the field of what we like to call e-cash. All this research is completely agnostic of the economic aspects and focuses on the crypto stuff. Until a few days ago, I thought there was no real implementation of any sort of e-cash. Then I heard about Bitcoin. Just as a brief side-note, cryptographers love coins. It's some what of a convention that all randomness is generated using coins and that all e-cash schemes are described in terms of coins. There is good reasoning behind it, but I shan't go into details.
So, back to Bitcoin, which is "the first decentralised digital currency" according to the introductory video. They then go on to explain how it all works and what the advantages are. I'll just recap it for you, for completeness. Bitcoins works using identifiers called addresses, which are essentially random strings. Each user gets 1 when they download the client software. They can then create more so as to have different types of payments come and/or go to/from different addresses. All of these are tied to the same wallet. So if person has addresses a and b then sending money to either address would be the same. This is how anonymity is preserved.
When Bitcoins are sent from person to person, the transaction is hashed and signed. The hash value and digital signature are then verified by the the other users in the system. Once a transaction is verified, the Bitcoins are added to and subtracted from the relevant accounts. This is the decentralised aspect. In normal e-commerce transactions, the verification would be done by a centralised authority such as a bank or clearing house. With Bitcoins this is done in a peer-to-peer (P2P) manner. Another interesting thing is that Bitcoins are super divisible. You can go down to 0.00000001BTC. Which is the advantage of having a digital currency.
So I thought I'll give this a try. So, I downloaded the client software and started reading through the literature and all the wikis and got a feeling for how this all works. There is a whole sub-culture built based around bitcoins and it is quite fascinating. There are entire forums and IRC channels dedicated to the provision of trade in and using Bitcoins. However, as I dug deeper I discovered two very interesting points.
Firstly, Bitcoins are more of a commodity than a currency IMHO. I would like to think of Bitcoins as digital gold. This analogy is fairly apt given the way the currency works, especially with respect to generation. The generation of Bitcoins is called "mining" and involves essentially finding a pre-image for a hash function. Now this requires huge amounts of computations, but once done, a "block" is created. The creation of this block gives the creator some Bitcoins, at time of writing this stands at 50BTC. For those of us that do not have a super computer, there are still options.
The basic technique is called "pooled mining." Here what you do is you combine your computational power and split up the profits according to how much work you did. One way of doing this, if you have a reasonable large amount of computational power, is to join a mining pool. There are several ways this can be done and there are a few technical details that need to considered. Mostly these depend on a central server, which is ironically what Bitcoin was trying to avoid. For those of us with less computational power, there are alternatives, such as this (BTW if you are feeling really nice, you could try and generate a few coins for me here or you could just send some to 1KbnDDaS3UTAMZkqHSJwGuWgdApQr3wAqp).
However, there are other ways. Carrying on the gold analogy, there are people who own gold but have never even been near a mine. How? They buy it! The same goes for Bitcoins. There are some marketplaces where you can buy and sell Bitcoins for real money. It's fairly easy to compare to say a fresh fish market, let's say. Basically, the fishermen catch the fish (in this case they mine Bitcoins) and then go to a fixed place to sell it. The public knows this place and come there to buy some fish (or in our case Bitcoins). The reason I use the fish market analogy is that there is some haggling and negotiations involved, which is not unlike the Bitcoin marketplaces. In this places you can buy and/or sell Bitcoins for USD, GBP, EUR, or even SLL, the currency of Second Life. Not kidding on the last one.
Which sort of brings me to the second point. Even though Bitcoin is supposed to be decentralised, it seems to be doing it's best to achieve the exact opposite. The whole idea is to not trust this one monolithic central institution, but instead distribute the trust amongst all participants in the system, that is using P2P. There is always some sort of large trust placed in central entities, of varying size, but the point still remains. Transaction verification is still very much P2P, but not much else is. And therein lie the problems.
"With great power comes great responsibility" said Uncle Ben, rightly so. In the mining context, there are ways that servers and miners can cheat. The details of this are fairly technical and thus I will skip them. The essence is that if you control a large enough share of the mining pool, you can control the outcome of the pool, in that who receives how much money. Some people would argue that such attacks are infeasible, but I think they are possible. Further more, with all the multiple currency exchanges, it's not unlikely that somebody could be making, or trying to make, money speculating of price rises and drops. The problem here is that because it's so decentralised, there is the risk of somebody "making a run on the currency." I'm not entirely sure I know how that works, but I believe them.
The most recent problem that has surfaced is that of theft. All the "money" is stored locally on your hard drive in a single file called "wallet.dat". After reading a few of the forums, it became painfully obvious that everybody knows exactly what this file is and what it does. I thought to myself "That's quite a nice target for an attack". Hey presto, somebody did it. The thing with attacks of this kind is that they are pretty much untraceable. Remember, Bitcoin operates on anonymous identities, so even if you get the address that the money was sent to, you don't really learn anything.
So, there are some really cool things about Bitcoin and some not so cool things. I really have no strong opinions about it either way at this point in time. I am just going to let things develop and see what happens. There is a lot of talk about how these may be used to buy and sell drugs, which could lead to the whole thing being shut down, but we shall have to wait and see.
Monday, 13 June 2011
Something that has been bugging me for a while
Do you have a facebook account? Rhetorical question, of course you do. If you don't well then you can leave now because this post is all about *drumroll* FACEBOOK! Seeing as how it is on my blog, one can safely assume that it is about facebook security. So, what have facebook done now? They are protecting your from them.
Confused? So was I. Basically they have started up this new scheme to prevent Cross-Site Scripting(XSS) and Clickjacking and other scripting based vulnerabilities. Some of you may be unfamiliar with scripting and the vulnerabilities therein. Most modern webpages serve up dynamic content, making the experience different for each user. A good example of this is your facebook newsfeed, which is different from your friend's feed.
This is all achieved using scripting. A script is essentially some sort of program code that runs within your web-browser. The catch is, you never explicitly execute the scripts like you do programs. They are embedded in the webpage and are executed when you open the webpage, or at some other suitable trigger. The problem then is that people could embed malicious scripts into pages and you will not realise they have run, until it's too late.
I'm sure you've all had that one friend who has posted the same spam link to everybody and 10mins later warned you not to click it. That is basically what these malicious scripts do. So, facebook decided that they need to address the issue, which they did pathetically.
What they have done is now they "read" your URLs and check it for any script. Again, ANY script. That means that if any script is detected, you will be logged out of facebook instantly as a security precaution. You may wonder why this is a problem. Well, as eluded to earlier, almost all actions on facebook are scripts. See more items in your news feed, liking a post, commenting on a post, writing on somebody's wall, the chat feature. Everything is a script. So now, facebook sees you trying to do something legitimate and decides to kick you out. It doesn't always happen, but it's often enough to be mildly aggravating.
It's bad enough that you have to re-login, but what's even worse is that you go through the following twp screens: (full size images here and here)
and then a 3rd asking if you would like to share a link explaining how great facebook security is. Honestly, I would rather have a red-hot iron bar slapped onto my arm. This is because if you read the messages carefully, you will notice a couple of "< br >" tags popping up.
This is not a security issue, but it does mean that whom so ever wrote those pages is probably a moron! "< br >" was/is the tag used in HTML to induce a line break. However, newer standards such as XHTML and HTML5 insist on using "< br />" for technical reasons. Believe me, it's a good idea. So, this lead me to the conclusion that most facebook web developers have written sloppy HTML/PHP/JScript/Whatever else they use and that is causing the "safety filter" to go off at least twice a week on my account. Also, I'm not sure how good the code for the "filter" is. I have very low expectations.
The first time I was logged out by this "filter", I was impressed that facebook had implemented such a feature. I guess that they had some bugs in it, which was understandable. With each subsequent occurrence of me being "filtered out", I grew more sceptical. Then when I saw the horrendous HTML code in the warnings, I gave up hope and waited for it to happen again to make screen shots.
I didn't have to wait too long. Most people would say "Well at least they tried!" To which I reply, "Welcome to cyber-security, where a half-assed attempt doesn't count!" Really, facebook, get your act together and actually make an attempt and then maybe I'll be impressed and stop writing evil comments on the your security fan pages.
Confused? So was I. Basically they have started up this new scheme to prevent Cross-Site Scripting(XSS) and Clickjacking and other scripting based vulnerabilities. Some of you may be unfamiliar with scripting and the vulnerabilities therein. Most modern webpages serve up dynamic content, making the experience different for each user. A good example of this is your facebook newsfeed, which is different from your friend's feed.
This is all achieved using scripting. A script is essentially some sort of program code that runs within your web-browser. The catch is, you never explicitly execute the scripts like you do programs. They are embedded in the webpage and are executed when you open the webpage, or at some other suitable trigger. The problem then is that people could embed malicious scripts into pages and you will not realise they have run, until it's too late.
I'm sure you've all had that one friend who has posted the same spam link to everybody and 10mins later warned you not to click it. That is basically what these malicious scripts do. So, facebook decided that they need to address the issue, which they did pathetically.
What they have done is now they "read" your URLs and check it for any script. Again, ANY script. That means that if any script is detected, you will be logged out of facebook instantly as a security precaution. You may wonder why this is a problem. Well, as eluded to earlier, almost all actions on facebook are scripts. See more items in your news feed, liking a post, commenting on a post, writing on somebody's wall, the chat feature. Everything is a script. So now, facebook sees you trying to do something legitimate and decides to kick you out. It doesn't always happen, but it's often enough to be mildly aggravating.
It's bad enough that you have to re-login, but what's even worse is that you go through the following twp screens: (full size images here and here)
and then a 3rd asking if you would like to share a link explaining how great facebook security is. Honestly, I would rather have a red-hot iron bar slapped onto my arm. This is because if you read the messages carefully, you will notice a couple of "< br >" tags popping up.This is not a security issue, but it does mean that whom so ever wrote those pages is probably a moron! "< br >" was/is the tag used in HTML to induce a line break. However, newer standards such as XHTML and HTML5 insist on using "< br />" for technical reasons. Believe me, it's a good idea. So, this lead me to the conclusion that most facebook web developers have written sloppy HTML/PHP/JScript/Whatever else they use and that is causing the "safety filter" to go off at least twice a week on my account. Also, I'm not sure how good the code for the "filter" is. I have very low expectations.
The first time I was logged out by this "filter", I was impressed that facebook had implemented such a feature. I guess that they had some bugs in it, which was understandable. With each subsequent occurrence of me being "filtered out", I grew more sceptical. Then when I saw the horrendous HTML code in the warnings, I gave up hope and waited for it to happen again to make screen shots.
I didn't have to wait too long. Most people would say "Well at least they tried!" To which I reply, "Welcome to cyber-security, where a half-assed attempt doesn't count!" Really, facebook, get your act together and actually make an attempt and then maybe I'll be impressed and stop writing evil comments on the your security fan pages.
Sunday, 12 June 2011
Quick post on how I may be kind of wrong.
If you know me at all, you will know that I have strong opinions on some things. If you don't know me, you now know that I have strong opinions on certain things. Now that everybody is caught up, let's all sit back and enjoy me being wrong-ish. I had a post earlier, which really is based on the fact that access to the Internet is a privilege, that some people abuse. Well now the United Nations has declared it a human right. My argument falls flat on it's face. I'm a big boy and I am willing to admit that in light of this, those arguments no longer hold water. Things change, people's ideas are made to be wrong, that's life.
Also, just a minor side-note: read this article!
Also, just a minor side-note: read this article!
Monday, 6 June 2011
Cyberwarfare Part 2 (No more lazy me, for now)
Alrighty then, we had a basic intro to cyberwar in my previous post. In between then and now, the clever chaps at the SIS, commonly incorrectly referred to as MI6, told us about this little gem. This has to be one of the funniest things in existence... EVER!!! But minor state-sponsered hacktivism aside, back to the crux of the matter: the issues arising from cyberwar.
One of the main problems is that you may not even know that you were attacked. If somebody blows up a building the sound, and the lack of building, would alert you pretty quickly to the fact that there was an attack. The attacker may have installed some malicious software on your system or copied some data and you would be none the wiser. Yes, there are ways to detect this, but it is very possible that you wouldn't even notice.
Not only is it the lack of physical evidence, but also the time scale. Normal wars tend to take a long time. If you don't notice you are at war, well then you have bigger problems than the army barrelling down you front driveway. A cyberwar or cyber attack can be executed and completed within a matter of hours, if not minutes. It is really that fast. Yes there is a lot of prep time required but this is analogous to training your army, building your tanks etc.
Then there is the last (I promise, well for now) issue arising in cyberwar: non-interactivity. To take a touch of a cryptographic twist onto the whole matter war is an interactive protocol. Sure if you surprise the enemy they won't know they are at war right away, but they will pick up pretty quickly and then return in kind. The thing with cyberwar is that not only is the decision to go to war unilateral, but in some sense so is the war. One party decides to attack another party and does so. The other may or may not discover this and may or may not respond in kind. But again the whole thing is done very non-interactively (despite what pop culture (couldn't find anything for that, sorry) and video games may tell you).
So, to sum up: cyberwar is confusing, unclear, hard to track, pinpoint and blame the perpetrators and is inherently non-interactive. And if that wasn't bad enough, the actual definition of cycberwar is pretty fuzzy and very much up in the air right now. Most likely I may revert back to lazy me. Unless something cool happens.
One of the main problems is that you may not even know that you were attacked. If somebody blows up a building the sound, and the lack of building, would alert you pretty quickly to the fact that there was an attack. The attacker may have installed some malicious software on your system or copied some data and you would be none the wiser. Yes, there are ways to detect this, but it is very possible that you wouldn't even notice.
Not only is it the lack of physical evidence, but also the time scale. Normal wars tend to take a long time. If you don't notice you are at war, well then you have bigger problems than the army barrelling down you front driveway. A cyberwar or cyber attack can be executed and completed within a matter of hours, if not minutes. It is really that fast. Yes there is a lot of prep time required but this is analogous to training your army, building your tanks etc.
Then there is the last (I promise, well for now) issue arising in cyberwar: non-interactivity. To take a touch of a cryptographic twist onto the whole matter war is an interactive protocol. Sure if you surprise the enemy they won't know they are at war right away, but they will pick up pretty quickly and then return in kind. The thing with cyberwar is that not only is the decision to go to war unilateral, but in some sense so is the war. One party decides to attack another party and does so. The other may or may not discover this and may or may not respond in kind. But again the whole thing is done very non-interactively (despite what pop culture (couldn't find anything for that, sorry) and video games may tell you).
So, to sum up: cyberwar is confusing, unclear, hard to track, pinpoint and blame the perpetrators and is inherently non-interactive. And if that wasn't bad enough, the actual definition of cycberwar is pretty fuzzy and very much up in the air right now. Most likely I may revert back to lazy me. Unless something cool happens.
Friday, 3 June 2011
Cyberwarfare Part 1 (A post I have been procrastinating on)
Well this post has been in the works for a couple of week now. I have been procrastinating on a epic level about finishing this off. However the universe decide to give me a kick in the backside in the form of these related recent articles (all links to separate slashdot stories)
So, in recent times, there has been a lot of talk of digital warfare, internet wars, cyberwar and so forth. The most recent being the aforementioned. The general idea behind them is all the same, we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?
So let's start from the start shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is Cyberwafare?
Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.
Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why this is possible?"
Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. There is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how download a program and run it.
Here the "army" is recruited by word of mouth and because there is no physical danger caused by participating in this attack the number of people who join in are much more numerous. However, we do fall into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?
The answer to the question is ill-defined at best. An prime example would be the recent attack on the Playstation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out the be a "faction" (for lack of a better word) of anonymous. So here we see no chain of command and the leaders of the group had no idea what the other members were upto.
And there in lie the first complications of cyberwar. First off, we have the ability to engage in cyberwar. ConvenConventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get an IP address(es) for the attacking platform(s) which may just be under the control of the attacker (again, to be covered in more detail in another post) and thus may not yield anything useful.
Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).
So, in recent times, there has been a lot of talk of digital warfare, internet wars, cyberwar and so forth. The most recent being the aforementioned. The general idea behind them is all the same, we have a strategy/army/assets/whatever for cyberwarfare. What happens when warfare goes from being about things in the real world to things in the digital world?
So let's start from the start shall we? What is modern warfare? (apart from a terrible pun on a pretty good video game) War as a concept is fairly simple. Two nation states (in general) disagree on something and wish to resolve the issue. So basically they start blowing each other up until they get bored or one party is very very dead. Yes, that is a gross oversimplification, but the concept holds. Now, onto the crux of the matter: What is Cyberwafare?
Cyberwar (which is the term I shall be using from now on, because I think it's the coolest) is essentially a war fought in the digital realm. This is generally in tandem with conventional warfare with the aim of disabling digital assets. There could also be political goals, achieved by defacing websites and so on, but IMHO the main goal is the destruction of digital assets.
Well, this is all pretty fine and dandy when the war is being carried out by nation states, because there is some inherent chain of command and somebody who would be responsible for ordering these attacks. However, this is not always the case with cyberwar. Now you may ask "why this is possible?"
Good question. The thing with conventional war (ignoring any peace negotiations) is that the winner is the side with the most and/or better equipment and/or training. There is the main point where cyberwar becomes so much easier. To build a real army you need to train people to drive tanks and fly planes and shoot guns and blah blah blah. To build a cyber army, you need to teach people how download a program and run it.
Here the "army" is recruited by word of mouth and because there is no physical danger caused by participating in this attack the number of people who join in are much more numerous. However, we do fall into an interesting problem: who is responsible for this attack, which is essentially tantamount to an act of war?
The answer to the question is ill-defined at best. An prime example would be the recent attack on the Playstation Network (another blog post I will finish soon). First Sony said it was Anonymous, who then claimed it wasn't them, but then it later turned out the be a "faction" (for lack of a better word) of anonymous. So here we see no chain of command and the leaders of the group had no idea what the other members were upto.
And there in lie the first complications of cyberwar. First off, we have the ability to engage in cyberwar. ConvenConventional warfare requires a substantial amount of resources, which are pretty much never available to the average individual. In the cyber realm, all you need is an Internet connection and possibly some more people to help out, or just their computers (whole other problem there, which I will cover later). And then there is the problem of accountability. At best you get an IP address(es) for the attacking platform(s) which may just be under the control of the attacker (again, to be covered in more detail in another post) and thus may not yield anything useful.
Now, this post is getting pretty long and falling into TL;DR territory. That and I really don't want to write anything more at this point in time. So, I will end here and will pick this up later (note the "Part 1" in the title of the post).
Sunday, 8 May 2011
Password Lockers Part 2
So, this is becoming a trend, well two trends: follow-up posts and data breaches. As you may or may not know, there was a MASSIVE breach involving Sony Entertainment, specifically the Playstation, but more on that later. More the the point you may recall my previous post on password lockers etc. Well, this post is about what can go wrong with a password locker.
LastPass is a company that provides a password locker service. What you do is register and download their software. Your master password, which unlocks the locker is then stored there. Now it recently came to light that some of these passwords were compromised (or not). Well, LastPast, if you are reading this, have a gander over here for a sec, k? We assume, hypothetically, that the master passwords were compromised (mainly because I have already written out most of this post and I'm kinda lazy). LastPass issues a warning to all its users to change their master passwords and they all do. Their servers could not handle the load and so they had to restrict the number of users allowed to change their passwords. This actually happened before they announced they were not hacked.
Well, I would like to say that I am somewhat impressed by the expediency with which the users tried to change their passwords. I am also impressed by LastPass's inability to deal with the situation. Agreed, that they had issues dealing with the load but according to their blog they have put affected accounts in "lock-down" mode. Kudos to you.
After all of this, LastPass then claimed they were not hacked. It seems that they just broken their system. After users changed the master passwords, they were met with garbage characters, random images and occasionally the deep dark void of nothing. Somewhere somebody thought that implied a hack. And that brings us to today's lesson.
When you think you have been breached, DO NOT PANIC! Check, re-check, double-check and confirm that there has been a breach. Immediately put in place counter-measures and check for other possible backdoors opened by this breach. Take a deep breath. Notify the affected users as required by law and/or company policy. If you follow these steps properly, then there should be no need to ever retract a security warning. Issuing a security warning scares people, retracting it causes doubt. We are trying to bring digital security out of the realm of FUD (Fear, Uncertainty, Doubt)!
LastPass is a company that provides a password locker service. What you do is register and download their software. Your master password, which unlocks the locker is then stored there. Now it recently came to light that some of these passwords were compromised (or not). Well, LastPast, if you are reading this, have a gander over here for a sec, k? We assume, hypothetically, that the master passwords were compromised (mainly because I have already written out most of this post and I'm kinda lazy). LastPass issues a warning to all its users to change their master passwords and they all do. Their servers could not handle the load and so they had to restrict the number of users allowed to change their passwords. This actually happened before they announced they were not hacked.
Well, I would like to say that I am somewhat impressed by the expediency with which the users tried to change their passwords. I am also impressed by LastPass's inability to deal with the situation. Agreed, that they had issues dealing with the load but according to their blog they have put affected accounts in "lock-down" mode. Kudos to you.
After all of this, LastPass then claimed they were not hacked. It seems that they just broken their system. After users changed the master passwords, they were met with garbage characters, random images and occasionally the deep dark void of nothing. Somewhere somebody thought that implied a hack. And that brings us to today's lesson.
When you think you have been breached, DO NOT PANIC! Check, re-check, double-check and confirm that there has been a breach. Immediately put in place counter-measures and check for other possible backdoors opened by this breach. Take a deep breath. Notify the affected users as required by law and/or company policy. If you follow these steps properly, then there should be no need to ever retract a security warning. Issuing a security warning scares people, retracting it causes doubt. We are trying to bring digital security out of the realm of FUD (Fear, Uncertainty, Doubt)!
Wednesday, 27 April 2011
Why the movies are wrong (Surprise, Surprise)
On the lighter side of life, my friend @zarino tweeted this link, which got me thinking about hackers in popular culture. Think about your favorite movie and/or TV hacker. My vote goes to Alec Hardison, but that's irrelevant. In any "hacking sequence" you see the hacker typing away furiously on a keyboard and all sorts of random green text on a black background. The green on black dates way back to the old days and I have no clue as to why they used those colours, but everybody loves it.
Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.
Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks something from the C-family.
*****EDIT******
Turns out they last change the site a touch since I visited it. It appears the code is part of the Linux kernel.
Anyway, you see them typing away furiously at a console screen and all sorts of text just popping up.
IT'S ALL WRONG!
Sadly, hacking is really not that glamorous. It's mainly typing one or two commands or even just a button click. That is preceded by actually coding the tool you are using but nobody types that fast, especially not when programming. Just by the by, the text that appears in the link is a program of some sort. Haven't read all the code, so not sure what it does. All I can say is that it looks something from the C-family.
*****EDIT******
Turns out they last change the site a touch since I visited it. It appears the code is part of the Linux kernel.
Monday, 28 March 2011
Irony thou name is SQL injection
As I clicked on my slashdot bookmark, I for some reason said to my browser "Please give me something juicy" and it did not disappoint. It gave me this article. The sheer irony alone made me chuckle for 2-3 minutes. So, meine Damen und Herren, (I just had to throw a little German in there) let's talk about SQL injections. I promise this won't hurt (much)!
So, to understand a SQL injection, we need to understand SQL. To understand SQL, we need to know what a database is. And that's where we will start. This may be a bit round about, because to frank I find databases to be a dull and boring topic. We start at the bottom, with data elements. Now a data element is a single piece of data about an entity e.g. Name, Gender, Age, Favourite Star Wars Character and so on. A record is all the specific data elements about a specific entity e.g. {Saqib A Kakvi, Male, 23, Yoda} would be a record about me. If we have several such records stored as rows, we get a table. If we have more tables (generally related) we now have a database. In summary: A database is a collection of tables, which in turn is a collection of records, which in turn are a set of data elements.
Agreed, it's all fine and dandy having all this data nicely stored, but how do we access specific parts of it? The answer is Structured Query Language or SQL (sometimes pronounced 'sequel') for short. SQL is basically a language that allows us to get a section of a database based on some criteria e.g. all the records of people who are over the age of 30. Although SQL gives you quite a lot of lean room, it is strongly typed, which means that all SQL statements must have a very specific form, syntax and all the right symbols in all the right places.
And this brings us to SQL injection. A SQL injection exploits the srong-typing of SQL and issues malformed statements which cause the SQL interpreter to go a little bit bonkers and produce some crazy result. By taking very, for lack of a better phrase, well-formed malformed queries, an attacker can recover parts of (and even all of) the database. When implementing a database, one must ensure that any and all malformed queries are rejected, thus making SQL injections irrelevant.
MySQL is a software that helps you implement, run and maintain a database (known as a Relation DataBase Management System {RDBMS}). The MySQL company seems to have forgotten about this vulnerability in a primary part of their system. As we have seen, MySQL (and apparently sun.com) have been so ironically compromised due to a SQL vulnerability. Well who would have thought it?
ME! ME! ME! Well, actually the thought had crossed my mind a few times and I thought it was funny, but sincerely hoped that it would never happen. Well done world, you continue to surprise me.
So, to understand a SQL injection, we need to understand SQL. To understand SQL, we need to know what a database is. And that's where we will start. This may be a bit round about, because to frank I find databases to be a dull and boring topic. We start at the bottom, with data elements. Now a data element is a single piece of data about an entity e.g. Name, Gender, Age, Favourite Star Wars Character and so on. A record is all the specific data elements about a specific entity e.g. {Saqib A Kakvi, Male, 23, Yoda} would be a record about me. If we have several such records stored as rows, we get a table. If we have more tables (generally related) we now have a database. In summary: A database is a collection of tables, which in turn is a collection of records, which in turn are a set of data elements.
Agreed, it's all fine and dandy having all this data nicely stored, but how do we access specific parts of it? The answer is Structured Query Language or SQL (sometimes pronounced 'sequel') for short. SQL is basically a language that allows us to get a section of a database based on some criteria e.g. all the records of people who are over the age of 30. Although SQL gives you quite a lot of lean room, it is strongly typed, which means that all SQL statements must have a very specific form, syntax and all the right symbols in all the right places.
And this brings us to SQL injection. A SQL injection exploits the srong-typing of SQL and issues malformed statements which cause the SQL interpreter to go a little bit bonkers and produce some crazy result. By taking very, for lack of a better phrase, well-formed malformed queries, an attacker can recover parts of (and even all of) the database. When implementing a database, one must ensure that any and all malformed queries are rejected, thus making SQL injections irrelevant.
MySQL is a software that helps you implement, run and maintain a database (known as a Relation DataBase Management System {RDBMS}). The MySQL company seems to have forgotten about this vulnerability in a primary part of their system. As we have seen, MySQL (and apparently sun.com) have been so ironically compromised due to a SQL vulnerability. Well who would have thought it?
ME! ME! ME! Well, actually the thought had crossed my mind a few times and I thought it was funny, but sincerely hoped that it would never happen. Well done world, you continue to surprise me.
Subscribe to:
Posts (Atom)
Subscribe To
Posts
All Comments