Wednesday, July 29, 2009

Learning the Lesson... the "Hard Way"

"In the land of the blind, the one-eyed man is king."

-- I guess you just don't realize how difficult it is to actually secure something until some of the people the industry respects go down in flames. Enter ZF05. (link is now broken)

"Zero for Owned" was released yesterday, detailing the brutal hacks on some of the people (and sites) that the security industry, check that, the white-hat segment of the security industry, considers the best and brightest. If I may, for one brief moment, indulge the ZF0 crew(?) with a quote (I fixed some typos)...

"It's July 28th, 2009! Welcome one and all to the real Black Hat Briefings. Live from the underground, coming right at you free of charge. You don't have to pay to come, and you don't get paid to be featured. Presented by real blackhats, this is a must-see event!
This is a big one. We hacked notable whitehats Kevin Mitnick, Dan Kaminsky, and Julien Tinnes, among others. We continued the skiddie holocaust with darkmindz, elitehackers, hak5, binrev, and blackhat-forums. Along the way we created mass mayhem. There are more rm's in this zine than you can count on a hand. Just from targets shown here we collected about 75,000 passwords. Passes, not hashes. If you are reading this, then your browser probably did not crash, so you know we couldn't include all of our passwords, let alone hashes. The first version of this was ten times the size of ZF04."

That's pretty powerful stuff. Let me be clear - I don't think it was right of the ZF0 folks to publish personal emails, communications and nasty details... I don't care how much of a douchebag you think someone is... no one deserves that. It shows a serious lack of moral judgement and an ugliness of personality.

Moving on past all the interesting details ... a singular theme runs through this entire zine... no one is safe. If you've not heard someone say it before, memorize it -

"There is no such thing as secure."

If you don't believe me (or the above quote)... look around. Matasano - the 31337 of the 31337... pwn3d. Dan Kaminsky, Kevin Mitnick and many other people we have grown to respect... pwn3d. Are any alarms going off yet?

Forget the personal attacks, forget all the nasty things that this dug up... it's irrelevant. What we're learning here is that there is no such thing as a totally secure system - not even among those who research, teach, and live high security. This makes sense, I hope.

At the risk of going off on a rant... this can't be news to anyone! If you've ever told someone you can completely secure their assets, you're a moron. There is no secure, there is only minimized risk. Every system has some level of risk of being compromised... did you write every line of code on every piece of software you're running and using? Hell no! Do you have a reasonable expectation that the code you're running for your OS (whether you're on Windows, Linux, OSX, or what-not), your mail server, your CMS, your Twitter client - any of that... is even remotely secure? Again, hell no!

So is the world coming to an end?
... has every system been compromised?
... ... is there no hope of any kind of reasonable security?

Get over it. Things are going to get hacked but you need to learn a few lessons from this, and for that I think we have to say thanks to the boys (and girls?) at ZF0...

  1. Don't re-use passwords (even if it's just across different systems you have access to, different customers, high/low security, etc.)
  2. Segment, separate and compartmentalize so that a single compromised point-of-entry doesn't turn into a complete pwn (didn't we learn this back in... 1997 or so?)
  3. Minimize your risks! If you don't have a damn good reason to put extremely sensitive stuff on an internet-facing system... uhmm... don't
  4. Don't assume that because you're smart, you're intelligent
  5. Accept that at some point... you will be hacked. Get over it.

So... sucks for the people who got pwn3d but at the end of the day - know we (those that actually understand security) don't think any less of you [unless we didn't like you already]. Understand that we'd prefer that everyone worked together to make things better rather than this stupid in-fighting like you see on the playground in 3rd grade recess.

Writing good, secure code is always 10x more difficult than pointing out bugs... so if all you're doing is hacking and breaking without actually contributing to the greater security of things... you're a cockroach. It obviously doesn't take a rocket scientist to find a new way of thinking the engineer didn't envision and break something down... hell, even a blind squirrel finds a nut eventually - making sure that your code stands the test of time, peer reviews and inevitable malice is the true genius.

Play nice. Work towards the greater good.

Anonymous said...

zero for owned accomplishes nothing that some 12 year old with some scanning software couldn't do.

All this load of crap "teaches" is that many of the people in the security field don't practice what they preach. What else is new.

Anonymous said...

mitnick is nothing more than a showpiece, he's no guru these days, his time is long since past. These guys really do deserve the kick in the ass they got; anyone leaving passwords unhashed and non-salted deserves this crap, end of story. Whitehats often are about just getting shit done and putting really basic and obvious security in place around it; they don't think black enough about ways that it will be abused if someone breaks further into the system. As I'm the anonymous from previous posts you will realize how black I can be in what I do: any system I work with, I use salted sha512 passwords with an sha384 salt of a random string. How hard is it really? Then again, I also don't rely on premade packages unless I've audited them for the most part and cleaned up the mess that I find. I have been a full time programmer for about 10 years now; I know what exploits look like and how to clean code properly. Welcome to the world of n00b coders *stares at wordpress*

opensource with lots of contributors does NOT make for a secure product unless they have proper security precautions in place and have someone checking all commits for security issues... guess what? Nearly no projects do this, then the code bloats and no one knows the original purpose of the code in question and... see the downward spiral here? Go look at the openbsd development process if you want to see secure coding practices!

Anonymous said...

The guys in Z for owned must not have mortgages.

Xero said...

Do we have any information on who the heck Zero For Owned is? I find it surprising that they have concealed their identity so well.

Rafal Los said...

Well, no, but if he/she/they decided to answer a few questions for this humble blog I would be giddy as a schoolgirl... :)