Tuesday, January 26, 2010

Where to Find Me - Spring 2010

In case you really want to come out and hang out with me, and listen to me talk in the next several weeks/months - here is a preliminary calendar of events for the conferences I know I'll be at for 2010... (so far)
  • January 29th --> OWASP Louisville, KY @ Louisville, KY! | Speaking on "Web 2.0" topics and a short workshop-based walk-thru of disassembling Flash applications in the real world.  Register/RSVP here
  • February 3-5th --> SANS "What Works in AppSec" @ San Francisco | Presenting a totally re-vamped talk titled "When Web 2.0 Attacks!" and speaking on a panel about practical web app security.  Check it out here...
  • March 3rd --> ISSA New Jersey @ New Jersey ISSA | My favorite state is hosting me as the guest speaker at their ISSA local chapter meeting!  Topic is still TBD ... register with your local ISSA chapter leader!
  • April 21-23rd --> Source Boston @ Boston, MA | Speaking on a totally brand new topic titled "Into the Rabbithole - Execution Flow-based Web Application Testing"...  I have some goodies related to this conference if you'd like to join me!  Let me know early... Register here...
  • April 23rd --> THOTCon @ Chicago, IL | Stay tuned ... this talk at "Three One Two (312)" Con is going to be a lot of fun, hands-on digging into real life apps... This is their first-ever Chicago-based hacker con so come hang out!
  • April 26-30th --> StarEast Testing Conference @ Orlando | That's right ... as part of my ongoing effort to improve security in a practical sense, and in an attempt to reach a very relevant audience - I'm speaking on the topic of "Tour-based Security Testing"... this is the 3rd time speaking at an SQE event and I encourage you to GO! Register at the SQE main site.

That's it for now ... My dance card is already filling up and I can't wait to come out and meet with all of you guys!  If we're missing your event or group - please let me know so I can add it to our schedule!

See you out there!

Monday, January 25, 2010

I am officially a liability

In case the rock you've been living under doesn't get the Internet (or Twitter) ... I dialed into the Exotic Liability Podcast this past Saturday ... yea...

I only mention this because I've gotten about 30 emails (and literally dozens and dozens of tweets) in the past 12 hours telling me that you listened to it.  All of you... let me just say that I didn't realize that many of you knew who I was, much less would know how to find me!

It's almost strange opening up my work email to find that no less than 10 people I've never met from within my own company "couldn't stop laughing" listening to me rant on and make in-poor-taste jokes with Nickerson and Jones.

Oh... right - thanks for having me on the show guys.

Now that I am officially a liability (and when was I not!?) ... I encourage you to give the podcast a listen (just not the one I was on, #46 ... avoid that one at all cost) because these guys are rude, funny, and occasionally accidentally informative.

In a world of Information Security podcasts that take themselves way too seriously, it's nice to know that there are still people insane enough and respected enough to make complete asses of themselves, and invite guests ... and have a copious amount of listeners!

To everyone I offended (which should number pretty high) ... screw it, I won't apologize ... I had a great time.

Tuesday, January 19, 2010

China vs. Google (et al) via MSIE...


Have we all lost our damn minds!?

Let's get a few things straight ...

  • Google and a bunch (somewhere in the 'hood of 30) of other high-priority targets appear to have been hacked by the Chinese
  • This issue is primarily based around China's commie-civil-rights issues
  • The attack (if you believe "sources") was likely an inside job (at Google, at least)
  • The attack was committed (again, believing "sources") using an 0-day exploit against IE6
  • Panic has spread with Germany and France now issuing "stay away from IE directives"
Now ... I can't tell you how many papers and e-publications from eWeek to Washington Post to international publications have gotten in on this madness but it's spreading like bird flu paranoia.  Now there's even some chatter about India being "hacked by China" too [in PCWorld, no less]... I guess everyone's getting in on this craziness.

Rik Ferguson (of TrendMicro fame) already wrote up a pretty good blog post on this titled "Google, China, Chicken Little and Cyber Armageddon" ... and I couldn't agree more with Rik.

I guess I just don't understand all the sudden panic.  We've known the Chinese were hostile to us for years now, right?  When was the last time there was any civil discourse between China and the western world that didn't involve hostility?  Yet... we continue to sleep with the enemy.

This issue baffles me for a number of reasons...

  1. We've known the Chinese were hostile to us for many, many, many years (does anyone remember the Cold War?)
  2. We continue to economically tie ourselves deeper and deeper in debt with the Chinese
  3. Chinese "hackers" (state-sponsored or otherwise) have been at our digital doorsteps and in our Interwebs for a very long time as well... read here, here, here, here ...
  4. China's record on Civil Rights is deplorable, from Tiananmen Square to the Green Dam
  5. Who still uses IE6?  And before you say "many SMBs and large businesses alike," I will tell you that it is then their own damn fault ...
Yet - this is a big panic?  Maybe it's because Google finally came out and publicly said "Hey, we've been had"... maybe it's because sentiment seems to think it's an "inside job" ... or maybe it's because Google is threatening to pull out of China (I'm calling their bluff)... or maybe it's because we're all so caught up in the paranoia that we can't tell when Chicken Little has us running for our lives and donning our foil hats.

Can we take a pause for a moment?  Secure your networks.  Know and live with the fact that the Chinese (and likely many other world nations) dislike us enough to be building "cyber-armies" against us (I feel sick just writing that stupid phrase) just like we live with radical Muslim terrorists who want us dead.

As a final word on the fact that this was an inside job - so what?  No kidding!  That's the price of doing business inside a hostile nation, with their own citizens as employees.  This shocks us why?  Let's get angry at Google for failing to properly secure information on a need-to-know basis... and failing to apply a risk-based approach to security - clearly Chinese employees needed to be highly limited!

Now for the IE6 issue ... to avoid beating a dead and buried horse I will simply say that this incident could be substituted for anything else non-technical in nature ... such as driving a Chevy Nova and failing to take it in for the recall notices - then freaking out when the car fails... well duh?

Get over it.  Another day, another hack ...

Thursday, January 14, 2010

The Real "Cyber War"

For the love of all things good and pure - stop the madness!

It had to be said.  My inbox lately has been filled with vendors' emails, news articles, blog entries and papers on this concept of "cyber war"... but please, people - think this through before you start building the bomb shelter.

I want to take this in two parts.  The first half of this post looks at and analyzes what the current definition of cyber war has come to mean in the mainstream media, and even among the security luminaries.  The second half of this post focuses on what cyber warfare really could be, and offers the frank and sane analysis I feel like we're just not getting.  Before I get too deep into it I want to make sure I give RSnake credit for planting this seed of thought in my mind with the conversation we had back at SecTor in the fall of last year.  He's got some great ideas and I think he's one of those rare people looking at this sanely.

--- Part 1: Analysis

If one is to believe modern media (mainstream press, bloggers, etc) you'd get this image in your mind of a cyber war where two sides square off against each other in battle.  Each side, in this case, has an army of uber-geeks and super-hackers ready to devastate the other side's military might and cripple their country.  Essentially if you really blow through the smoke and hand-waving panic it boils down to a large-scale DDoS attack concentrated against military networks or some war-related entity.

Now, I read all these types of articles and ask myself ..."Really?"

Let's take the two countries which we know are at obvious public odds in modern day politics - the United States and China.  We know that the Chinese have been trying to infiltrate our military networks, our sacred Google, and other institutions which raises the eyebrow.  This is all good, and I'm sure much of it is very real - but this is not a cyber war... by any stretch of the imagination.  Dropping the search terms "cyber war" into good 'ol reliable Google yields some mind-blowing results that I just have to wonder what the authors were thinking... or even if they were!  This one from our kiwi friends down under makes me chuckle - and then slap my forehead because if the source is Reuters then someone needs to have their head examined...

"Chinese hackers have struck Iranian websites in a burgeoning nationalist cyberwar, media reports say.
Hackers calling themselves the "Iranian Cyber Army" hit the main webpage of Baidu, China's largest search engine, yesterday morning, covering the page with an Iranian flag and other symbols.
Chinese blogs quickly erupted in calls for retaliation, and Chinese flags and patriotic slogans soon began to appear on websites registered in Iran, Britain's Financial Times reported.
In December the "Iranian Cyber Army" hacked popular microblogging website Twitter, replacing Twitter's home page with the same headline and an anti-American message."

Wow, just wow.  You know, before the term cyber war became inflammatory and drove clicks we used to call this hack-tivism, and before that cyber-graffiti.  Big deal, a bunch of Iranian computer nerds defaced (maybe even hijacked the domain of) Baidu.com, China's search engine.  How is this a declaration of, or an act of, war?!  Someone please explain it to me, I'm at a loss.

Even our good friends at El Reg (the Register) got in on the lunacy... They make comments like this one to make people angry, or afraid ... or...

"The South's cyberwar centre can also be seen as a response to a rumored cyberwarfare unit already operating out of North Korea. Rumours have it the unit is staffed by around 100 including graduates from a military academy in Pyongyang. Whatever the truth of these reports it's probably fair to say that cyber-paranoia is rife on both sides of the 51st parallel."
Again, wow.  You mean there is now state-sponsored hacking?  Wait, didn't we used to call this espionage?  Hasn't this been going on since, well, the dawn of nations?  I guess it's cyber war now because the term is cool and makes people take notice... and we do it over computers, right?

If you believe what you're currently reading in the mainstream, you're likely to believe that there are little teams of super-nerds on both sides of the cyber trenches, looking across the cyber battle-field at each other, trying to figure out how to defeat the other in cyberspace.  Honestly... really?

Forget this involves computers just for a moment.  Is theft of military information by a hostile nation-state an act of war?  If it is then we have a much bigger problem on our hands because we've been at war with just about every hostile nation-state/government for ...forever.  Yes, it's a clear act of defiant espionage, maybe even an attack - but it's nothing new.

--- Part 2: My Take

First, let me say that I think the idea of a cyber war is very real, but it's not what the media is selling us on.  Cyber warfare is just queuing up... and despite what you're hearing in the press it's not going to be one army vs another in a fight for nerd supremacy.  It's going to be all-out digital destruction.  Let's take this topic sanely.  First take a breath and visualize packets streaming across the wires of the Internet ... how do these little packets cause physical, real, and serious damage?  Does a DDoS against a military network really cause irreparable and serious damage?  Only if that attack causes a loss of life, or other catastrophic event.  Has the light bulb gone off yet?

I mention loss of life or catastrophic event because rarely do hacks cause either of those.  You'd have to be able to do something like wipe out the nation's power grid, or poison the water supply, or kill millions - in the scenarios we're being fed today in the media none of that is going to happen.  To cripple or destroy a nation you have to go after resources that are vital for survival.  What are these resources?

If you think about it, there are three things which, if catastrophically affected, can bring down a government or nation. Food, energy, and financial resources are the only things, in my humble analysis, that will cause the collapse of a government or nation today.  How does a hostile nation wishing to wage cyber war affect those three things by sending out packets across the wire?  That's an altogether different question.  Allow me to work through these in order of importance.  Keep in mind the aim of war - to force the other side to surrender - in the physical world.

  • Financial Resources |  A nation can be crippled and reduced to nothing in a matter of weeks without financial resources.  The ability to conduct commerce, trade currency, work in the global stock markets, and bank are paramount to the health of a nation.  If you take this vital ability away you can implode an economy, thus inflicting untold pain on the inhabitants.  It's fairly easy to see what kinds of things happen when an entire country's economy collapses ... crime goes up, chaos ensues, and order quickly gives way to chaos.  Waging a cyber war in which an attack against a nation's financial resources is successful isn't simple.  This type of attack requires tremendous effort, tremendous amounts of coordinated effort.  Modern networks are resilient to failure, DDoS, and other attack mechanisms... but what if you could just cause enough chaos to throw the US stock market into a tailspin?  What would that take, you ask?  Silently, and I stress silently, dropping minor glitches into the whole network of inter-connected ordering systems, banks, clearing-houses, and traders will cause chaos in short order.  I stress this has to be done silently because once people know it's happening you lose the element of panic and chaos it causes.  If you know someone's attacking the NYSE and your responses are down you don't panic as much as if you're trying to make trades and every one is off by just a millisecond, affecting your profit/loss margins by potentially billions.  Crippling a nation's financial means is a complex task and takes significant insider knowledge, lots of planning and incredible amounts of resources ... and I will go out on a limb and say having 100 Koreans locked into a basement somewhere exploiting 0-days isn't going to cut it.
  • Energy |  The energy problem is much more difficult to solve, although it can have a much more cataclysmic effect much faster.  If someone could trigger catastrophic conditions at nuclear facilities across the country simultaneously it would achieve the goal of killing millions and bringing the country to its knees ... but that's not going to get the US president to sign a surrender of the country.  Crippling oil pipelines, energy delivery mechanisms, research and power grids can be used as a mechanism to support an invasion of actual troops - but again... unless you're going to have infantry on our shores you're not going to achieve much beyond devastation and chaos.  Can it be done?  Can a cyber war achieve the goal of a nation's surrender by crippling its energy supplies and delivery?  Maybe, but it's not likely.  It is far more likely that this kind of attack would be leveraged in a troop-based military assault.  Funny thing though, even though much of the nation's energy grids are pushing to be inter-connected, at least today, you would still have to do a lot of manual work.  Most of these systems aren't Internet-accessible so infiltrating them requires much more than pasting your nation's flag on their search engine's homepage ... idiots.
  • Food |  The nation's food supply is a key ingredient to its health.  Ask anyone who's watching people starve to death in Africa or elsewhere... there is no order when your inhabitants are dying of starvation. It's hard to envision such a situation in the United States because we're such a huge exporter of foodstuffs to the rest of the world - but elsewhere it could work.  The problem with this, of course, is how do you use packets streaming through the Internet to destroy food supplies?  Some possible ways are messing with food transport and causing delays, mis-routes, etc. which could lead to spoiled food.  Infiltrating food-production networks isn't fruitful because many of these networks operate on the old conveyor belt methods, and it's not like the cheese plant in Wisconsin is going to be hacked into and all of a sudden produce deadly cheese ... at least I would hope not.  Thinking sanely, the food avenue seems to fall out of the picture for many reasons, but the biggest is that food is such a physical endeavor, from growing, to processing, to transport, to sale.
After all that, the most likely target is the nation's financial resources.  So this isn't really war then, as much as it is just plain hacking.  Or do we call it war because it's state-sponsored?  Think about it, before you throw around the term cyber war loosely next time.  Does the PDF 0-day hack being exploited by the Chinese hackers to steal your passwords really constitute an act of war?  What about GhostNet?  Was GhostNet an act of cyber war?

I would agree that some of the things going on lately, including the discovery of GhostNet (originating from that cesspool we call China) may be hostile nation-sanctioned attacks and state-sponsored espionage but this in itself is not cyber warfare folks.  If you look up the definition of war:

"War is a behavior pattern exhibited by many primate species including man, and also found in many ant species. The primary feature of this behavior pattern is a certain state of organized violent conflict that is engaged in between two or more separate social entities. Such a conflict is quite often an attempt to resolve a dispute over various commodities such as territory, resources, or other material advantages. Such disputed commodities are usually perceived by the parties engaged in the conflict as being available only in a limited or insufficient supply. In addition to the violent and obvious physical goals of securing various material advantages that war agendas often include, war agendas often also include certain more subtle, yet often more compelling, psychological goals of attempting to alter or reaffirm previous relationships of social domination/ submission/ or equality between two or more social entities"  (Wikipedia ref)
...you will realize that hacking... while destructive, is not war.  Cyber attacks are a component of, but not in themselves, war.  War is hell, hacking (in mainstream context) is a nuisance.

Wednesday, January 13, 2010

Orphaned Credentials on the Web

Hi everyone, just a quick post today ...As I sat and stared at my password manager this evening trying to make sense of the mountain of credentials I haven't used in forever - I had a thought.  How many sets of credentials do I have out there?  Worse yet - how many do I have that are either (a) the same or (b) similar enough to cause me pain should one of those sites be compromised?

We all know that there are many poorly constructed web sites out there; and almost every site you visit wants you to register in one way or another - thus creating a login name/password credential pair.  If you're anything like me you probably have upwards of 150 credential pairs out there; some of us have numbers doubling that.  That's a scary thought.

Ask yourself one question - and be honest with yourself - how many times have you reused the same login name/password pairs?  How many of those sites that you registered at have your primary email address ... or an email address that's tied to some other service that's important to you?  For example, if you've registered your company's domain name with your GMail address - that's probably a pretty important account for you to keep safe, right?  If you have your login as your GMail address, and your password maybe the same as your GMail password - it takes just one teeny compromise or slip and you're completely hosed.  Game over.

I'm writing about this briefly today not because password re-use is a new thing, because when that issue was new I was still riding my dinosaur - but because it's a forgotten topic amidst the other security "advisories" out there.  Especially now as tax season approaches ... watch your passwords folks!

What do I do to combat this silliness?  Here are some suggestions from a paranoid ...

  1. Create a classification system for sites you visit/register with (3 categories is probably the most you want - critical/sensitive, important, throw-away)
  2. Create a separate "persona" (login name, password mechanisms) for each of those categories
  3. For the throw-away category - use credentials that put distance between your real life persona and your site registration.  Hint: If you register as Donald Duck it won't matter much!
  4. Guard the sensitive & important categories and try your best not to re-use those
Stay safe!
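As an added example (not code from the post), here is a small Python audit that applies the three-tier classification above to a constructed password-manager export: it flags exact password reuse, near-duplicate passwords (case and leet-speak variants of the same word), and "persona bleed", where a login used on a critical or important site also shows up on a throw-away registration. Site names, logins and passwords in the sample vault are made up.

```python
import re
from collections import defaultdict

# Constructed sample export (site, tier, login, password), using the post's
# three tiers. The domains, logins and passwords are fictitious.
SAMPLE_VAULT = [
    {"site": "mail.example.com", "category": "critical", "login": "rafal@example.com", "password": "Tr0ub4dor&3"},
    {"site": "registrar.example.net", "category": "critical", "login": "rafal@example.com", "password": "Tr0ub4dor&3"},
    {"site": "bank.example.org", "category": "critical", "login": "rlos", "password": "correct horse battery staple"},
    {"site": "forum.example.info", "category": "throwaway", "login": "rafal@example.com", "password": "troubador3"},
    {"site": "newsletter.example.biz", "category": "throwaway", "login": "donald.duck@mailinator.example", "password": "quackquack"},
    {"site": "shop.example.co", "category": "important", "login": "rlos", "password": "Tr0ub4dor&3"},
]

TIER_RANK = {"critical": 0, "important": 1, "throwaway": 2}


def normalize(password):
    """Collapse case, common leet substitutions, digits and punctuation so that
    'Tr0ub4dor&3' and 'troubador3' compare equal (a crude similarity test)."""
    leet = str.maketrans("0134@$", "oieaas")
    return re.sub(r"[^a-z]", "", password.lower().translate(leet))


def worst_tier(entries):
    """Most sensitive tier touched by a group of entries, for prioritisation."""
    return min((e["category"] for e in entries), key=TIER_RANK.__getitem__)


def audit(vault):
    """Return (kind, sites, worst_tier) findings for a list of vault entries."""
    by_exact, by_norm, by_login = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in vault:
        by_exact[e["password"]].append(e)
        by_norm[normalize(e["password"])].append(e)
        by_login[e["login"].lower()].append(e)

    findings = []
    # (a) the same password on more than one site
    for entries in by_exact.values():
        if len(entries) > 1:
            findings.append(("exact_reuse", tuple(sorted(x["site"] for x in entries)), worst_tier(entries)))
    # (b) different raw passwords that collapse to the same normalized form
    for entries in by_norm.values():
        if len({x["password"] for x in entries}) > 1:
            findings.append(("similar_password", tuple(sorted(x["site"] for x in entries)), worst_tier(entries)))
    # persona bleed: a critical/important login reused on a throw-away registration
    for entries in by_login.values():
        tiers = {x["category"] for x in entries}
        if "throwaway" in tiers and tiers & {"critical", "important"}:
            findings.append(("persona_bleed", tuple(sorted(x["site"] for x in entries)), worst_tier(entries)))
    return findings


if __name__ == "__main__":
    for kind, sites, tier in audit(SAMPLE_VAULT):
        print(f"[{tier}] {kind}: {', '.join(sites)}")
```

On the sample vault the audit reports the critical-tier mail/registrar password reused on the shop account, its leet-speak variant on the forum, and the mail login bleeding into a throw-away forum registration.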