Friday, December 21, 2007

Who do you blame?





First - take a peek at this, get over the fact that I used IE7 to take the screen shot, and then think about this: If you're a random person browing the web, hit this site and are welcomed by this error - who do you blame?




When it's time to lay blame, there are few choices on who to blame, namely:
  1. A lazy administrator
  2. Poorly written software
  3. Anonymous "bad guys"

Without a doubt, incidents like this only further throw kerosene on the flames of the old religious argument - Linux/Unix vs Windows... Sadly - I would argue that administrators of modern websites have a trio of problems - workload, software quality, and bad guys. If you're an administrator you know what I'm talking about. You've got a hundred projects or tasks and only 20hrs in a day to get it done (you have to sleep some time). Of course, the quality of modern software isn't helping anyone do their jobs better... every time you turn around you hear of another bug that has to be patched, or some default mis-configuration that has to be changed to avoid exploits. Why can't we just get quality software that's stable, bug-free, and configured securely by defaults? The last factor, and perhaps one of the only predictable ones is the bad guys. I say predictable because as an administrator you can count on being attacked, guaranteed.

I guess it's easy enough to pick on this specific goof and say "See, that's what you get for running Microsoft's software". I'm not sure I agree - the problem is, I can just as easily mis-configure a LAMP (Linux, Apache, MySQL, PHP) application component to expose my server to attack. The lesson learned here is this - anything can be misconfigured in haste or laziness. Linux is more complex, so the administrators (typically) know more because they have to be more knowledgeable to run the stuff. Windows is more point-click so the generalization that MS-admins are relatively low-skilled can hold at times. But are either of these generalizations "law"? Can you find an administrator of Microsoft systems that's just as good at security their infrastructure as a skilled Linux/Unix admin? Of course. Conversely - can you find a Linux/Unix admin that's just as inept as a bad Windows admin? Definitely.

So I come back to - who do you blame? Well - first the site is owned by a security company so a gaff like this is inexcusable. Second - if you're going to host a site on the Internet at least check your defaults, and hire a competent administrator...

Who do I blame? The admin - sorry - no matter how bad the software is you're making a conscious effort to use it, and should therefore have a strategy to keep it secure and running. As an analogy - if you buy a car that has a bad reputation of breaking down, and an overly simplistic setup without the proper tools to keep it going - it's your own fault when you break down in the middle of the motorway...

Thursday, December 20, 2007

MioNet - Western Digital take it online.

Western Digital has a new product out, called MioNet (you can read about MioNet here), which allows people who buy these massive external disk drives to "share" them out to the Internet, using Western Digital's secure MioNet application. There are complications, of course, as you would imagine... but are we inviting in problems? Let's take a look.

A new article appearing on PC World's site addresses this product lightly, but in my humble opinion, completely misses the point. The article criticizes the MioNet software for restricting "user rights" by employing some internal DRM mechanism to limit the sharing (between different users) of identified music/video file-types (list available here). Sure, the MioNet blocks users from sharing media files (audio/video) between users simply because it's next to impossible to verify digital rights. So in that light, if I buy an MP3 somewhere, and try and share it with a friend whom I've given access to my MioNet shares, it will be blocked by the system. On the same side of the coin, if i create some custom music or audio files which just happen to be in one of these blocked formats - I can't share them with another users since MioNet has no way to verify that they have rights to this file. Now - it's easy to complain and point the finger at Western Digital and say how they're restricting people's rights to share files - but after all, they are providing a service, and don't wish to end up as the next hot-bed for illeglal file-swapping so they're taking precautions. You can still share your pictures, it's just multimedia files you can't share... I say get over it - or find another way to do this? It is a service after all... no one's forcing you to use it. Someone commented on this article that they would be refraining from purchasing WD products in the future and urged others to do the same... why? Because they're trying to error on the side of caution and digital rights? Anyway - as I said before... I think this article misses the point. Forget illegal MP3/Movie/etc swapping that everyone's in a tizzy about... I wish someone would address the security and privacy part of this. After all, you're allowing your private files which could contain financial information, personal legal records, or other personal information to be shared to the Internet, bypass your firewall (which by now I'll assume you have...) and be held at the mercy of a 3rd party you're supposed to trust. Even if Western Digital has a perfect application, with unbreakable (read: hackable) internals such that I can't bypass their access (AuthZ) controls... it's still all hinging on a username/password combination for access to these files. Hackers and malware authors everywhere must be thrilled to read this. I can just imagine a whole new wave of malware looking to steal people's MioNet access credentials. I don't have the product installed so I can't tell if it requires "strong passwords" but I'm going to guess no.

A quick pro/con analysis of this new way of avoiding uploading files to the general Internet looks like this...

Pro
  • Ability to access your files remotely (in case you forget something at home?)
  • Secure access to the system using only a login and password
  • No firewall configurations needed at home (the MioNet software does it auto-magically)
  • Share non-DRM files like pictures, documents, etc with friends, family or co-workers
  • Remote computer control and screen sharing
  • Remote monitoring of a web-cam you can set up with access credentials (monitor your computer's webcam from the office!)

Con

  • Remote access to your internal network files over the Internet (this doesn't even sound like a good idea)
  • Untested, unverified (or at least unpublished) system (MioNet) being trusted to guard your potentially private files
  • Notice that one of the "features" that WD touts is that this application can bypass your firewall, and you don't have to do anything to get it working (network back-door anyone?)
  • Potentially limiting DRM technology (although crude) limits your ability to share home-made movies of the kids or dog with your in-laws

So there it is, and I think the success of MioNet will be quite simply put. The positives (for most users) far outweigh the negatives as they your typical end-user will see it. Most users aren't as concerned with the cons as security professionals and paranoids - they see all these great features coupled with the fact that the system is "password protected", and they're sold. But there are clearly problems - or at least issues that need to be addressed to make this system more viable.

First - I would like to see a 3rd party certification that this product is "hacker tested" or at least source-code-reviewed to ensure any major and simple security defects are found and eradicated. Second, I would like to see some sort of "strong authentication" option for those users who want to share more than just photos (such as highly sensitive material like financial and personal documents). Aside from that, I think this product has some potential - and no - I don't think that the DRM'ish attempt to curb illegal file-sharing (albeit crude, I'll admit) should be removed.

Wednesday, December 19, 2007

Hijacking Google's ads...

The battlefield is changing, even the goals are now changing. In fact - the good vs. evil of the Internet world is changing so fast it's hard to keep up with what us good guys are supposed to protect.
A quick analysis of a recent article (here: Google advertisements hijacked by trojan) shows that the we're now facing something entirely different. The hacks aren't targeting what you'd expect, this trojan hijacks keyword results to send the user to different sites that the attackers control. The goals of this is anyone's guess but there are a few main possibilities:
  • Deliver malware based on search keyword hijacks
  • Deliver traffic (and thereby make money from) unsuspecting end-users
  • Cause financial damage against a company (Google here is the likely target)
In this type of attack, keywords are the battleground. With advertising and site traffic as the "easy way to make effortless money" as a source put it, there is no wonder that malware infestations have now been detected to hijack selective keywords and ad re-directions.
It's getting so that people can't even trust the ads they're being served up anymore... what's the world coming to?! Think about the bigger picture though - what happens when trust in some technology or technique starts to falter? Applying that to an advertising technique of a major Internet ad-placement vendor such as Google yields a very likely scenario if you subscribe to conspiracy theories... someone is trying to put Google out of business, or at least hurt their business by demonstrating that their system is vulnerable and ineffective for advertising.
Maybe I've stretched a little far, but the point is solid, I think. If you can't build a better mouse-trap, engineer mice that easily prove your competitor's product ineffective.

Genius. Or something far worse - either way you just never know what will be next. You can be sure of one thing though - it'll involve some way for the criminal element to scam money from legitimate business with as little effort and up-front cost as possible. Money is the root of all the evil out there folks, and if you still don't believe that... then you're simply not paying attention.

Read more about the Qhost.WU trojan here, at BitDefender's site.

SuckerWare: The cost of "Free Smileys" Paper Released

Hello readers - I'm writing this blog to announce that the final revision of "SuckerWare - The Cost of a Free Smiley" is finally released on my site. I've done some research into the EULAs of some of the "addon" software that's popular; and the results appalled even me.

You can read about it here: http://www.ishackingyou.com/ and go to the Reading Room -> IsHackingYou_Publications section. Please leave any comments you have or reactions, as I love to hear what you think!

Thanks for reading, I hope you enjoy the paper.

Friday, December 14, 2007

Privacy Debate - Who really cares and why

I've been thinking about this a lot lately, and with the recent rash of articles about Google.com's search features storing IP and search query string information, and ASK.com's ability now to erase your information from their servers upon request - I had to simply stop and ask myself... do I care?

I've come to the conclusion that there are 3 different types of people out there when it comes to privacy and awareness. I'll try and give my categories, and examples of each and you can agree or disagree as you will - but I'll make my case for my system of classification anyway

  1. The Concerned - This is the type of person who isn't necessarily doing anything wrong, or searching for anything like "Jihad", "chemical weapons manual" or anything of the like, they're using the Internet for personal or business uses, and other normal, everyday stuff but still cares that he or she is being tracked and monitored. This can be a healthy paranoia, meant to keep "big brother" from taking over our lives.
  2. The Clueless - Happily clicking and typing away this type of person hasn't a care in the world and often has that glazed-over look when someone starts talking about tracking and Internet monitoring. This type of user will generally not have a clue that they're being tracked, why they're being tracked, or how it can be used against them. This user can be a saint or sinner - but in the end doesn't know/care about privacy.
  3. The Paranoid - Whether they are doing anything wrong or not this class of user will generally rebel against any type of "Big Brother" activities. Often times this type of user will forgo special service offerings, or targeted information simply because it provides someone, somewhere with hint into their private life. The paranoid are a closed-minded group typically and see any form of monitoring or information gathering as evil.
I've grouped these three categories together because I think this makes it easier to discuss the merits (or demerits) of each and show where the line between unfounded paranoia and healthy skepticism lies. Most people fall into category 2, the Clueless. My parents, and even some of my co-workers fall into this category. I would venture a guess that a lot of the community of writers that blast this or that company for data aggregation, collection and monitoring are in category 3. These category 3 folks have crossed the line to loony-town and often have very little realistic basis for their positions but will defend them to the death if cornered. Between those two lies category 1 where a healthy mix of paranoia and acceptance makes for intelligent discourse and reaction - I would hope that most of my readers are in category 1 or are striving to get themselves there.

There are dangers with being in either category 2 or 3 and without diving into a rant I'll quickly tell you why. Being clueless allows for others to run your life, and take over your privacy. You should be concerned over your privacy and know who is doing what with your personal information, history, records, etc. This information can lead others to track your every move, and potentially lead to a very Orwellian society which you shouldn't want. Being overly paranoid forces you to question and see the negative side of every potential idea without being able to understand the positives. As a concrete example, speed cameras can clearly be a violation of personal liberties by tracking drivers, their speed, and where they come and go on the motorways. Looking at the other side of the coin; however, they were installed with the intention of being able to locate and catch speeders which is a danger to the million's of driver's on Britain's roads. The intelligent thing to do is analyze the risk vs. reward for this situation and simply look at the big picture. Are cameras so bad? Can they be limited in some way to only capture the information they absolutely need to snag speeders? Who controls the information, and how well is it guarded?

Look - I'm not saying that it's not OK to be paranoid - because I sure am some of the time - but let's be reasonable. The government shouldn't be tracking our reading habits because that can lead to something more sinister - but if I search for "radar detector" on Google's search engine - it should be OK for Google to send me targeted ads that could potentially save me money or help me track down the best product as long as that information is carefully guarded, policed, and disposed of.

Privacy, my friends, is a slippery slope so repel wisely, and draw a line you're unwilling to cross but be reasonable- then be paranoid when someone pushes you past it.

Friday, December 7, 2007

Those damn "smileys" are so EVIL

We all know there's no such thing as a free lunch - but check this out.

I've gotten annoyed by all the little "smiley" options there are out there, and how they all claim to be "AdWare/SpyWare free"... which is utter nonsense and we all know it. SO... with that in mind I did a little investigating and am writing a feature about it on my site (http://www.ishackingyou.com/), but for now, I'll leave you with this interesting tidbit from the "SweetIM EULA/TOS/etc"... you think this over. (source: http://www.sweetim.com/):


In order to receive the benefits provided by the SweetIM Software, you hereby grant permission for the SweetIM Software to (i) utilize the processor and bandwidth of your computer (ii) use certain personal information that you have submitted to your instant messenger provider. You understand that the SweetIM Software will protect the privacy and integrity of your computer resources and communication and ensure the unobtrusive utilization of your computer resources to the greatest extent possible. The Software is exposed to various security issues, and should be regarded as unsecure. By accepting this Agreement, you acknowledge and accept that the Software, and any information you download or offer to share by means of the Software, may be exposed to unauthorized access, interception, corruption, damage or misuse, and should be regarded as insecure. You accept all responsibility for such security risks and any damage resulting therefrom.

OK, so the software will use my personal information and use my CPU for some reasons yet not described... and it's known to be filled with security bugs - which I'm taking responsibility for?! Hold on, did I read that right?

If this was on the package of some software you were about to buy and use for business... would you in your right mind install it? Yet - I'm willing to be it's installed in dozens of places on your network, and in maybe in your home.

More on this soon.

Thursday, December 6, 2007

Regular shameless self-promotion

If you've not already done so, point over to my IsHackingYou.com site for more stuff to read and comment on.

I now return you to your regular reading, thanks!

ZDNet looks forward into the past... huh?

I was reading some email today, from our friends over at ZDNet, and if you haven't caught their stuff lately - it's pretty good reading. Their blogs and news articles tend to have good coverage on the Microsoft side of the house, with Mary Jo Foley's "An unbliking eye on Microsoft [RSS link]" column... but then my eyes wandered over to this link, and I couldn't help myself. I'm sorry to sort of, rag on the subject, but... what the hell?

This whitepaper titled "Where Online Hackers Are Headed in 2007: "Coming Soon" to a Website Near You (and Your Hard Drive)!" by Kevin Prince (Chief Security Officer for Perimeter eSecurity) from Feb 2007 is posted front-and-center on the Thursday, 12/6/07 ZDNet Must-Read News Alert email. It's in the section "White Papers from our partners". I looked at it, and thought for a second. Why am I getting this in December? And more importantly... did Kevin get it right?

Well, while I can't tell you what ZDNet's motivation was for sending me this "must read" WhitePaper from Feb '07 (maybe they're out of sponsors so they're re-hashing some of the old crap?) but I'll pull some points out of it for you to analyze and think over. [Sorry Kevin, I'm really not picking on you].

For the most part, the first few sections hit the nail on the head in reference to history, and what the past few years have brought us in terms of attacks. Yes, the past used to be people attacking us at the desktop/server level with an outside-in attack... things have changed, and that is rightly pointed out. I love the sentence "Stopping new attack types demands strong security posture" uhmm... yea?

Here are the main points I think Kevin makes (Kevin, please reply if you feel I've mis-interpreted your paper).
  • Attacks for 2007 will move from exploiting vulns to social-engineering people into exploiting themselves -- check!
  • Attacks for 2007 will be browser-based -- check!
  • Malicious websites will lure users using SPAM, messaging and hijack-redirection -- check!
  • A layered approach will be required to reduce malware threats -- duh!
Kevin goes on to talk about some of the methods that'll be needed to stop aggressive malware. I'll break these down, and do a mini-analysis. If you'd like to read more, I'll be releasing a larger analysis of what it takes to stop malware these days on my site (http://www.ishackingyou.com) - check there for the "whitepaper" in a few days.
  • Intrusion Detection/Prevention: Old news! 2007 saw IDS/IPS become yesterday's technology. Yes, everyone should have this on the desktop by now and I realize few do but that doesn't mean it's the next big thing - in fact... IDS is the last old thing in my humble opinion. The buzz words for 2007 were "extrusion detection"...
  • URL Filtering: Yes - I have to agree there... this is a big frontier that in 2007 we didn't address enough, but should have. I think that stretching into 2008-2009 we as security professionals should be utilizing web filtering technology a lot more to save our desktops from attacks
  • SPAM filtering: Obviously. The horse is dead, and we're still kicking it - SPAM rules the SMTP gateways, and I saw some statistic yesterday that the UK gets something like 50% of the world's SPAM? SPAM filtering should be done at every company, and if you're not going to do it yourself, hire someone to do it for you that's better at it... next!
  • Policies& PC Restrictions: I lumped these together even though Kevin kept them separate because they're essentially the same thing. You can't do one without the other... you should be restricting your users from hurting themselves... after all - there is still no patch for the ignorant end-user.
  • Gateway A/V: In 2007 I think we as security pros did more of it, but aren't utilizing the technology enough. I agree with Kevin, it should have been an initiative in 2007 - but we're still burning resources at the desktop doing this... why?
  • Vulnerability Scanning: Remember, if you're not scanning for vulnerabilities on your network and perimeter, someone else with bad intentions is. I'll leave that one alone.
So there you have it - for the most part, I think the paper (aside from stating way too much of the obvious) was on the mark. The sad fact is... it doesn't matter how many crystal ball papers like this our security managers and business leaders read... the messages will still likely go unheeded.

Good luck out there.

Monday, December 3, 2007

Psst! Hey buddy, wanna buy an 0-day vuln?

If you haven't lived in a cave for the last few months, you've undoubtedly heard about WabiSabiLabi, the self-proclaimed "eBay of vulnerabilities". Well, if you've been on the site since it's August inception, or read any of the press on it... you know first-hand that's pure farce.

I've seen some interesting articles on the site, most notably this great review of it at Darknet.org.uk; but I thought I'd think this through myself a little and see if I can gleam something meaningful from the roaring sound of crickets chirping as the site bustles through. (Obviously you've picked up on my sarcasm by now?)

First, let me do a quick break-down of the stuff that's available for purchase at the site right now.

  • 20 total vulnerabilities available
  • 45% Windows-based
  • 30% Linux-based
  • 25% web application-based
  • 2 vulnerabilities have been bid on
I'm not even going to get into the significance of the Windows versus Linux vulnerabilities, but I do want to point out that there are a significant amount of web application vulnerabilities here, by percentage (even if they are rather weak-looking)

Let's face it, if eBay ran like this they would have been out of business on week 2. I'm absolutely amused with these guys who run this site. I think that the Darknet writer breaks it down with smashing pin-point accuracy when referring to the vulnerability market...
Perhaps they didn’t think the whole concept out. Most of the people that need these kind of exploits - have access to them. Those that code trade, those that don’t code steal and trade - those that have no skills..pick up the left overs.
Nail hit on head. One has to ask themselves - what's the business model here? Are the folks at WabiSabiLabi marketing (or pandering) to the security companies? perhaps to the BlackHats (as unlikely as that seems)? maybe to some other crowd? What's your target market WabiSabiLabi?

It's no great revelation that a site which puts "0Day vulnerabilities" up for auction is a bit of a strange animal. If you have an 0day vulnerability, why would you risk exposing it to the world, when you can clearly make much more money selling it underground? Perhaps I've stumbled upon something here... is this a marketplace for second-rate hacks who've found some mediocre defect in some code somewhere, have no contacts to sell it to the underground, and are looking to connect with people who want to buy? Perhaps this is the target market... so let me build a quick profile of the typical seller:
  • mediocre code-monkey
  • no contacts to really "sell" an 0day vulnerability to the underground
  • no ethics to use responsible disclosure to get it fixed through the vendor or OpenSource owner
Really? I can't even imagine what idiot would bid on one of these auctions... I'm going to make a mental stretch here, and shout at me if you think I'm wrong, but I'm going to say that the majority of the real, legitimately dangerous 0day stuff is sold or traded (or horded?) in the dark corners of the Internet, or in pubs or uneventful money-exchanges where they laugh at the guys running WabiSabiLabi and go about their business.
Google+