All The News That’s Pfffffft To Print

Are you tired of news outlets, official, mainstream, counterculture, blogosphere, or militant (did I miss any?) spouting nonsense about hackers and security in general?  While they’ll likely never get the moniker “hacker” used precisely right, we can at least hold them accountable for the crap they peddle as “news” about “hackers”.

Let’s start with foreign government “hackers”.  If a government sponsored agent is attempting to break into a foreign government computer system, they are “hacking”, but they are not “hackers”.  They are espionage agents.  Criminals in one country, patriots in another.  Some portion of foreign activity is state sponsored, and hence, is not hackers.  Could we argue that these official or unofficial subcontractors in hostile security are in fact “hackers”?  Sure, but then how to differentiate the regular hackers, the non-government sponsored bunch?  We’d need to start classifying them all as State Sponsored Hackers or Non-State Sponsored Hackers, with further breakdowns for official and unofficial.  It’s easier just to call them agents, criminals, or spies who are using hacking techniques.  But don’t call them hackers, because they’re not.  While hackers have a variety of reasons for hacking, state activity is not one of them.  It crosses a line.  It’s like saying a police agent using Metasploit is a hacker.  They’re not.  They’re cops.  Or police.  The FBI does not employ “hackers”, it employs agents and uses subcontractors who use hacking techniques, but who are not hackers.  Except maybe on the weekends, but that’s like having a secret identity, and if they get caught, they lose their official jobs.

Now let’s look at the idiocy that is numerical misuse.  To state that Company X is attacked 600,000 times a day is like saying that my internal combustion driven automobile explodes 20,000 times on my way to work.  You reporters and bloggers peddling this plotz are IDIOTS.  We mostly knew that already, but this is low hanging evidence that you’ll spew just about anything to fill space or drive revenue, regardless of sensibility.  You’re terrible at the job of reporting and wouldn’t know a fact check if it ran up and bit you on the nose.  Using the logic that produced “600,000 times a day” we can look at almost ANY WEBSITE ON THE ‘NET and find similar figures.  So why didn’t you report that?  Because Company X will drive more traffic, or is more impressive, or is what one person was truly interested in, and the rest of the blogosphere just gobbled it up and reprinted it to fill their pockets.

And by the way, 600,000 times a day for illicit access attempts is lightweight given the size of that particular company and its profile.  A better story would have started with “Why does Company X only get 600,000 attempts at password breaking each day” when comparable sites can be hit millions of times in one day.  That’s news, them not getting attacked more often.  Finding out they get attacked is not news.  Thinking that it is a high amount is not news, it’s just an indicator of the condition (IDIOCY in case you forgot).  Checking on norms and numbers and arriving at a startling realization that is backed up with facts, now that is news worth printing.  And plagiarizing.

So instead of just spewing drivel, make a decision.  Either get out of the IDIOCY business you’re in or start doing some meaningful reporting.  And this is copyrighted 2011 Digital Trust, LLC, in case you forgot.


Personal Phones Subject to Unconstitutional Search

As with all new technologies, cell phones continue to create ripples in the legal landscape.  Here’s a smattering of information on the subject:

  • A California law is in force by default.  More on the spineless veto by Governor Jerry Brown, with more here.
  • One in Michigan, completely in the realm of Big Brother.
  • And one in Oregon, of all places, usually a bastion of civil liberties.

It is this company’s patriotic opinion (not legal opinion, we are not lawyers) that searching a cell phone without a warrant, probable cause, or imminent threat is decidedly unconstitutional.  What next, invasion of our computers via police-state root kits?  Cell phone content is clearly not “in plain sight” given the need for special equipment to turn it into evidence.  Write your legislators and fight for your right to privacy.

Thanks to JohnC for tracking this down.

Layered Stupidity

We talk a lot about layered security, but what about its nemesis, layered stupidity? That’s when you see badness at so many levels in a business structure that there really is no point in testing or evaluating security, because until change happens, they’re like a bank with no locks, guards, or cameras.

So there’s this company, who shall remain nameless…

First layer, basic security. People have got to do the simple stuff, and at least make an attempt at the SANS Top 20.  If your security neglects even the simplest checks, you well deserve your fate.  Why was nobody in the company howling about this when hacking is in the news every single day?

The second layer in the cake is outsourced infrastructure and security.  The hosting / security provider responsible somehow managed to run a regulated security business with no log file retention.  How can a security company not keep log files?  It’s so fundamental that the absence is absurd.

Layer three is the auditors.  Both of these companies, the provider and the client, are subject to regulatory security requirements.  Both of these companies are required to utilize outside security auditing, so what went wrong?  Did they hire incompetent auditors creating the perfect hat-trick of stupidity?  Perhaps the auditors noted the deficiencies, and thanks to lax governmental oversight, nobody bothered to fix anything because they knew unless something went wrong, nothing would be done.

Four goes to the board members of both companies, at least one of whom reads a newspaper or watches the news.  Did they really think hacking is a golf affliction?  Board members are supposed to be wise advisors providing oversight and advice about things like security and regulatory compliance, otherwise, why are they paid to be the board?  If you’re a board member anyplace, ask about security and know enough to be able to spot fruit-loopery when you see it.

Lastly, the customers of both companies should have noticed something was amiss.  Both have been in business for a fair amount of time and have large client lists, most of whom are also regulated, yet none of them noticed the glaring lack of security at either company.

This, then, is a perfect storm of stupidity.  Every single link in the chain of responsibility is weak or broken.  Every layer of the cake is rotten.

Solutions are so easy.  Hire good people.  Ask questions.  Put some effort into it.  Demand your vendors adhere to security standards at least as rigorously as you do.  Make sure it’s right.  Security isn’t difficult if it’s done right.  It’s a money saver.

Pentester Reporting on Cracked Passwords

Anytime in a security review that a password is obtained, whether it is simply a default setting or cracked after 8 days of crunching (or anything in between), there are some important things that need to happen on the tester’s side.  First, notify the client and recommend they force-change the password.  Don’t just have them set it to force a change at next login; specify that they change it and then, if necessary, notify the user.  This is because the account may already be compromised, and just forcing a change may permit a bad guy to continue to access the account.  Second, if you must disclose the passwords to anyone, do so using partial masks.  Show only the first two characters or something similar, to disclose as little as possible while still proving you have the password.  This is because the password in question might be used for other things, like personal banking, and disclosing the full password could permit third parties to obtain access to accounts other than the one being examined.  Judgement is important, since even two characters can be enough to identify a full password.  Above all, never release the passwords and accounts in any transferable format, such as a PDF or as part of the report.  Make sure your contracts indicate the client must change the passwords within a time frame, and be able to show that your practices do not put the account credentials at risk, such as by sharing them with co-workers on a file sharing site.  Should anything go wrong, you want to be able to demonstrate that your people are not at fault.  Never retain credentials, and don’t add any of them to your dictionary unless you’ve filtered them closely for any which might indicate origin.  Something like “ih8COMPANYX” can indicate origin and may be used by another user at some future date, and if your dictionary ever gets questioned, you might be liable.  As always, check with a lawyer for real legal advice on the contracts and other legal subjects; Digital Trust is not a legal authority.
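One way to put the masking and dictionary-filtering rules above into practice, as an added Python example that is not part of the original post (the length threshold, the leetspeak table, the marker list and the sample values are constructed assumptions):

```python
"""Report-safe handling of credentials recovered during a security review."""
import re
from typing import Dict, List

# Below this length two visible characters give away too much, so the
# mask reveals nothing but the length (threshold is a constructed assumption).
MIN_LEN_FOR_PARTIAL = 8

# Map common digit/symbol substitutions back to letters so "C0mp@nyX"
# is still recognised as naming the client (table is an assumption).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def mask_password(password: str, reveal: int = 2) -> str:
    """Partial mask for a report: first `reveal` characters, rest as '*'.
    Short passwords are fully masked; that is the judgement call the post asks for."""
    if len(password) < MIN_LEN_FOR_PARTIAL:
        return "*" * len(password)
    return password[:reveal] + "*" * (len(password) - reveal)


def finding_record(account: str, password: str, source: str) -> Dict[str, object]:
    """What goes into the deliverable: enough to prove the finding and drive
    the fix, never the plaintext. `source` is e.g. 'default' or 'cracked'."""
    return {
        "account": account,
        "masked": mask_password(password),
        "length": len(password),
        "source": source,
        "action": "client changes the password now and notifies the user",
    }


def filter_dictionary(candidates: List[str], origin_markers: List[str]) -> List[str]:
    """Drop any recovered password that embeds an origin marker (client name,
    product, site) in any case or leetspeak, so the wordlist cannot be
    traced back to the engagement it came from."""
    patterns = [re.compile(re.escape(m.lower().translate(_LEET))) for m in origin_markers]
    kept = []
    for word in candidates:
        if any(p.search(word.lower().translate(_LEET)) for p in patterns):
            continue  # would indicate origin; never goes into the dictionary
        kept.append(word)
    return kept
```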

This post was largely inspired by a conversation from the SANS pentesting forum.

Oh, You Noticed, Did You?

Recently we received a notice from our one ISP that one of our machines might be infected, and please clean it up or we’d be shut down. Well, we explained the situation to them, and it’s good to know someone’s watching our traffic (It’s 1984?), but we’ve been doing this for nearly six years from this location. And they only just now noticed? We’ve run huge attacks against large customers, it’s our business after all, for six years, and they only just now noticed we “might” have an infected computer? Sort of makes you wonder. What about all the other domains we traverse, like Sprint and AT&T? Are they going to start sending us hate mail? What happens if they start dumping the packets? We’ll have to find another ISP, I suppose, but eventually, if things went that way, the core would be filtering as well, and nothing would work. We’d practically be out of business. Ironically, the bad guys wouldn’t. Because the bad guys would just invent new ways to circumvent the security. Which would let us stay in business as well; we’d just need a new toolset. So if nothing’s going to really change, can we establish right now that filtering anything is a really bad idea, except during attacks? Because all it’s going to do is raise the price tags on security. You have to pay for the filters, you have to pay for the new security to counter the new threats. While standing still doesn’t prevent new threats from becoming a reality, it does allow us lots of ways of tracking people. They may have a new attack, but they probed on high ports first, which might let us locate them. Or at least shut them off from here. But don’t restrict traffic in the middle. It’s like putting a stop sign in the middle of the Atlantic. All you do is make shipping more expensive and annoy some little fish. So keep it open. Please.

Nobody Would Go To That Much Trouble…

Or would they?  Here’s a fantastic example of the lengths one can go to, to obtain system access.  Many clients don’t believe things like this happen; that their competitors would ever attempt such a thing.  It really depends on how much value is in it.  If the payoff for a data thief is greater than the cost+risk, your data is greatly at risk.   If a group of security specialists (no affiliation) can do this for a set fee (in all likelihood low five figures), then criminals will jump at the chance.  Sure, they have to find someone to program and do technical stuff, and those are rare and expensive commodities.  Wait, no they aren’t.  Since the US exported a bunch of technical stuff overseas, you can obtain high quality technical assistance for a song.  From people that have zero reluctance to engage in activities that might be illegal someplace else on the globe.

You think your company isn’t at risk?  Are you sure?  What’s in your corporate bank account?  Your password protected file servers?   Your laptops?  If you aren’t 100% positive of any outcome from a computer compromise, you need to get professional help to evaluate your situation and put a focus on what’s really at risk.

If security folks will do this stuff for normal working wages, criminals will jump at the chance for a big payday.  So, yes, somebody will go to that much trouble.

PS: kudos to Netragard for an awesome job.

Google Increases Filtering of Results

In the seemingly endless battle between search engine results and the public, we noticed this morning that queries like “eff company” were returning no results via Google, but lots of nice results via Bing.  Of course, that search string is paraphrased to keep it clean, but you can try your own out and see.  Others have noted Google’s anti-results stance since the days when Mr Long first publicized using search engines to locate cracks in the corporate facade.  Looks like it’s only getting worse.  Who’d have thought that Google, the mighty purveyor of “be good” would decide we can’t handle the results.  Sounds an awful lot like censorship.  Of course, immediately after we ran the Bing, Google started spitting out results.  Odd, that.  No results, competitor, then full results.  Hmm.  That looks like a research opportunity for someone with the time.

Amazon Oops Causes Resend of Orders

We’re not sure how extensive the problem is, in fact, we’re not sure if it’s extensive at all, since nobody else seems to have seen evidence of it.  We’re not even a news site, so it feels sort of odd to be breaking news, if that’s what this is.  Last week, we had a member report seeing an odd Amazon transaction in their email.  It seemed that Amazon was attempting to bill an order so they could ship it, but were having problems processing it, because the card being billed against had been cancelled.  They wanted a new card so they could bill the order.  The problem is, this order was sent in back in January, and filled.  The account owner has the products, and all the emails about the order, both times.  So it appears to us that when the cloud busted last week, the restore included some financial transactions.

People might want to check any recent orders with Amazon to make sure they aren’t duplicates.  If this repeat order is a unique event to the affected account, it would be very unusual indeed.

Update 5/2/11 – it now appears, based on conversations with a few more Amazon users that noticed similar goings-on, that Amazon message traffic was replayed, and not the entire transaction.  They got notified their older order items were shipping.  We’ll know more after the shipping delay passes, and if items show up at these people’s houses, we’ll post another update.

Disk Imaging Job X and the Voom Hardcopy 3P

It’s rare for Digital Trust to endorse a product; exceptional products are scarce, and the normal information outlets cover them well enough.  But Job X was special and we like to give credit where credit is due.

This Job was a high volume, high speed imaging affair, with only two days warning.  We’d been contracted to image all the drives in a small business with, of course, minimal disruption.  About 40 drives, or so we thought.  Normally, we could parallel image either across the network or via multiple boot and intern combinations, but not in this case.  We had to get the physical disks.

The lack of prep time is normal, but not for a job this size.  We had on hand one Voom Hardcopy 3P and two Tableaus, which would require laptops.  One of the nice things about the Voom units is they are standalone.  They are also considerably faster than a low end portable forensic imaging system.  PCMCIA SATA cards are okay, but not nearly as fast, and just one more device in the loop for Murphy to break.  Hardcopy units transfer SATA to SATA, at drive interface speeds, and are astonishingly easy to use.

Job time estimation isn’t rocket science for imaging.  It takes ~3 hours to copy a 1TB drive (at the time of this report).  A Hardcopy 3P runs at ~3GB per minute with MD5 hash (real world observations, not marketroid fluff) on an average older 80GB drive (what we had at this job).  The faster the source drive, the faster the Hardcopy; it’s limited by the drive speed.  We see 5+GB/m on a more current 7200rpm 1TB drive.  Time varies based on the quality of the source and target drives.  So given 40 average office drives, one Hardcopy would take 40 drives × 80 GB / 3 GB/min / 60 min per hour = roughly 17 hours if the world was perfect.  Then there’s the overhead of locating the drives, removing them from their housings, hooking up the drives, labeling everything, recording in the logbook, putting them back, and trying to fend off questions while dealing with the inevitable, most notably, failing drives, which drastically alters the 3GB/m rule, as retries eat up exponential time.  Such is life.  Our best working estimate at this time is that 8 hours of imaging with no major issues takes two people at least 12 hours.  Which meant we needed two days with two people, and it would still take longer if things didn’t go as planned, which they never do.

Given the volume of drives, and the distressing estimation from above, we opted to try and find additional high speed equipment.  So we picked up the phone and called (651-998-1618) the nice people at Voomtech, who have been a pleasure to deal with in the past.  Unfortunately, they didn’t have any on hand, which put a crimp in our plans, but only for a moment.  They reached out to a reseller who had some in stock, and arranged for the dealer to overnight two to us, on reputation alone.  That’s awesome customer service.

Having three Hardcopy units on hand would definitely make this a simple Job.  Which is when Murphy showed up.  Turns out there were a bit more than 40 drives.  There were 70.  If you follow the math, you realize that three Hardcopy units are a bit of overkill for 40 drives in two days.  Even 70 would normally not be a stretch, until you factor in Murphy’s sister, who arranged for 30% of the drives to have errors, some fatally so, and to top off the adventure, the on site contact supplied imaging drives from a manufacturer we normally don’t use, because they are not as good as Seagate.  No drive maker is perfect, but some are better than others.  We like (at this point in time) to rely on Seagate.  The other drives cost us half a day dealing with their quality issues until we bit the bullet, trotted over to Staples, and picked up half a dozen big Seagates.

What happened to the Tableaus?  They got used trying to figure out how to deal with the failing drives.  Once a Voom reported a problem with a drive, we moved it to the laptops and tried to finagle a viable image out of the drive.  Right tool for the job, and all that.  Hardcopy units are faster than Tableaus, but Tableaus give you the ability to work with the drive using other tools.  We don’t think of it as Voom versus Tableau.  While Tableaus can be used to acquire images, the Hardcopy units are so much faster that they are the obvious choice for imaging.

Back at the Job, once we had the Seagates in place accepting data, we started thinking things might work out okay.  For two days we transferred MD5-checked images from source to Seagate via the Hardcopy units, and they were good.  Hardcopy 3Ps are wonderfully simple devices for quickly acquiring images.  One of the features we like is that they pull all the identification off the hard drive and store it in a txt file with the image file and MD5 checksum file.  Saves more time.  Couple that with a vendor willing to talk to you, and you get a great option for data collection.
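As an added example (not code from the original post or from Voom), a check worth running on the target drive at the end of a job like this: recompute each image’s MD5 and compare it with the sidecar the imager wrote, so a bad target copy is caught before the drives go back. It assumes an md5sum-style sidecar line, "<hex>  <filename>", and builds its own sample files in a temporary directory:

```python
"""Re-verify imaged drives against their MD5 sidecar files."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB images


def md5_of_file(path):
    """Stream the file through MD5 so large images are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def parse_sidecar(path):
    """Return {filename: hex} from an md5sum-style sidecar (assumed layout:
    32 hex chars, whitespace, filename; a leading '*' marks binary mode)."""
    entries = {}
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            parts = line.split(None, 1)
            if len(parts) == 2 and len(parts[0]) == 32:
                entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries


def verify_image_set(directory):
    """Check every *.md5 in the directory against the image it names.
    Returns {image: 'ok' | 'MISMATCH' | 'MISSING'}; anything not 'ok'
    means that drive goes back on the bench before the job is signed off."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".md5"):
            continue
        for image, expected in parse_sidecar(os.path.join(directory, name)).items():
            img_path = os.path.join(directory, image)
            if not os.path.exists(img_path):
                results[image] = "MISSING"
            elif md5_of_file(img_path) == expected:
                results[image] = "ok"
            else:
                results[image] = "MISMATCH"
    return results


def _write(path, data, mode="wb"):
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed job directory: one clean image, one whose target copy
    lost a byte after the sidecar was written, one whose image is absent."""
    d = tempfile.mkdtemp()
    good = b"\x00" * 4096 + b"drive-07 sector data"
    bad = b"\x00" * 4096 + b"drive-12 sector data"
    _write(os.path.join(d, "drive07.dd"), good)
    _write(os.path.join(d, "drive07.dd.md5"), f"{hashlib.md5(good).hexdigest()}  drive07.dd\n", "w")
    _write(os.path.join(d, "drive12.dd"), bad[:-1])  # truncated target copy
    _write(os.path.join(d, "drive12.dd.md5"), f"{hashlib.md5(bad).hexdigest()}  *drive12.dd\n", "w")
    _write(os.path.join(d, "drive33.dd.md5"), f"{'0' * 32}  drive33.dd\n", "w")
    return verify_image_set(d)
```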

The assembly line of drive copying finally ended the second day at 6PM, having imaged or attempted 70 drives in 24 hours.  The Voom Hardcopy 3Ps were definitely cost effective.  There’s just something so nice about their simplicity, and even better about a vendor that treats you well.  Digital Trust highly recommends the Voom Hardcopy 3P.


Cost Effective Security Defense Against Brute Forcing Passwords

THC Hydra is very cool, as is any brute forcing tool (Fast Track in BT4 is nice), but there is a very simple way to eliminate brute force attacks on your exposed authentication interfaces: add a Captcha or similar technology. Lots of companies are getting into strong authentication with codes and tokens, but you may not need to go that far. In lower risk cases, where the need is just to keep the system clean, a simple recognition code works to keep out all but the most dedicated brute force attempts. An attacker with enough patience or enough money may still be able to use a brute force attack, but the chance of recognizing it in the logs and alerting so you can take appropriate action is much higher with that level of attention. So if you’re not protecting credit cards for PCI-DSS and you’re not guarding medical information for HIPAA, think about adding a Captcha or other simple recognition code that will make your application a much harder target. And don’t forget to have it professionally tested/evaluated once you’ve modified it. Digital Trust – helping companies keep security costs down.
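Added example, not code from the original post: the kind of recognition logic the paragraph relies on, run over constructed login log lines. It counts failures per source address and per account in a sliding window, says when the next attempt should get a challenge, and raises an alert once the count shows a sustained attempt. The log format, thresholds and addresses are assumptions.

```python
"""Brute-force recognition and challenge gating on an exposed login interface."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout for the example.
LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: one source hammering two accounts, one normal user,
# then the same source coming back after the window has expired.
SAMPLE_LOG = """\
2011-05-02T10:00:01 login FAIL user=alice src=203.0.113.5
2011-05-02T10:00:02 login FAIL user=alice src=203.0.113.5
2011-05-02T10:00:03 login FAIL user=alice src=203.0.113.5
2011-05-02T10:00:04 login FAIL user=bob src=203.0.113.5
2011-05-02T10:00:05 login FAIL user=bob src=203.0.113.5
2011-05-02T10:00:06 login FAIL user=bob src=203.0.113.5
2011-05-02T10:00:30 login OK user=carol src=198.51.100.7
2011-05-02T10:05:00 login FAIL user=alice src=203.0.113.5
"""


class BruteForceGuard:
    def __init__(self, window=timedelta(minutes=2), challenge_after=3, alert_after=5):
        self.window = window                 # sliding window for counting failures
        self.challenge_after = challenge_after
        self.alert_after = alert_after
        self.failures = defaultdict(deque)   # ("src"|"user", value) -> failure times
        self.alerts = []                     # (timestamp, source, count) for humans

    def _recent(self, key, now):
        """Drop failures older than the window and return what is left."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def observe(self, line):
        """Feed one log line. Returns the decision for the next attempt from
        this source/account: 'allow', 'challenge' (show the Captcha) or 'alert'."""
        m = LINE.match(line.strip())
        if not m:
            return None
        now = datetime.fromisoformat(m["ts"])
        src_key, user_key = ("src", m["src"]), ("user", m["user"])
        if m["result"] == "FAIL":
            self.failures[src_key].append(now)
            self.failures[user_key].append(now)
        count = max(self._recent(src_key, now), self._recent(user_key, now))
        if count >= self.alert_after:
            self.alerts.append((m["ts"], m["src"], count))
            return "alert"
        if count >= self.challenge_after:
            return "challenge"
        return "allow"


def run(log_text):
    """Replay a log and return (decisions per line, alerts raised)."""
    guard = BruteForceGuard()
    decisions = [d for d in (guard.observe(l) for l in log_text.splitlines()) if d]
    return decisions, guard.alerts
```

The per-account count is what catches a slow attacker rotating source addresses, which the per-source count alone would miss.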