Ever wonder how you can track someone on the Internet or prove that someone did something? How do the bad guys do it? How do the good guys do it? This is an excellent example: good investigative work with a little social engineering thrown in for good measure.
Canadian Copyright and Michael Geist
There is plenty of information available on Bill C-61 (the proposed Canadian copyright legislation) on the Internet. Michael Geist, who for all intents and purposes is leading the charge in educating the public and helping everyone become aware of and understand the issue, recently presented at a strategy session. If you want a 30 minute summary of the history and where we are at today, I’d recommend taking some time to listen to it. Michael is a great speaker and he’s doing an excellent job getting the message out in clear and simple terms that just about anyone can understand, even with no background in copyright issues. I’d strongly suggest his blog for information and links to other good sources on this issue.
Listening to his talk confirmed that I personally am up to date on the issue. At one point Michael mentioned being characterized by a government individual as a “Pro User Zealot.” This made me smirk. I don’t know Michael personally, but the last word I would pick for him is “zealot”. I find him to be extremely reasonable and understanding of all sides of this issue.
Another interesting comment was made during the question and answer section at the end of the talk by a government individual. I couldn’t catch his name in the audio, but he spoke about “practical politics” and what people have to do to make the conservative government ‘care’. I am sure what he said is very true, and it really saddened me that it is. Of course deep down I know this to be true, but one can always hope it is not. To paraphrase the statement: ‘unless the issue is going to have enough momentum to change votes to the point of affecting the party, they will just ride it out’. Another comment by this person that caught my attention was:
“If you accept the process then you are already done because the process is designed to go through.”
Skype has a backdoor
An article expresses concern that Skype has a backdoor. There may or may not be one. Regardless, everyone who uses Skype should assume there is a backdoor. Why? The client Skype produces is closed source, so the code is not reviewed independently of the company. The protocol it uses is encrypted and closed as well, and is not reviewed by anyone outside the company. The authentication servers are completely under Skype’s control. The entire Skype system, the clients, servers, data routing and data encryption, is under their control, not yours.
Assuming the above is true, let’s pretend that Skype has inserted a backdoor. Why would they do this? There are several reasons. Testing is the first one that comes to mind. A new version of the client is being developed and the ability to test and analyze for any issues is necessary. A backdoor permits developers and testers to capture calls to check for problems, call quality and anything else that would be necessary to diagnose. Maybe the country where the head office is located requires all VoIP providers to have the ability to intercept VoIP calls. If they wish to do business in this country they have no choice but to comply. I have consulted for companies where the government requires that Skype be blocked because it cannot be intercepted. If Skype wishes to get a presence in these countries it makes sense for it to comply.
If Skype adds interception and monitoring capabilities, and it is competing with other VoIP vendors for market share, it may not make good business sense to announce this publicly, especially if there is no legal reason to do so.
This problem is not Skype specific. As more and more online services such as Gmail, Google Docs, CRM vendors, backup vendors and others (this list is not exhaustive and it will grow) stop offering systems to purchase and instead offer a ‘service’ where your data is in their possession, this is a risk. Companies need to assess this risk. If you choose to put confidential client information on Google Docs, or use Gmail for confidential email, you should always assume that someone at Google has the ability, or can create the ability, to extract the data if necessary. The company may state that they will not do this, but if they are ordered to by government or law enforcement, or they have a ‘bad’ employee that is willing to do it, then you are out of luck.
A perfect example of this happening in the past is Hushmail. The news article is here. Hushmail was considered a free email service that was ‘secure’. They originally sold themselves as using encryption where only you had the password to unlock the data. They stated that even Hushmail and its employees could not unlock the data without your passphrase. Then one day, ‘surprise’, they provided a bunch of CDs containing unencrypted emails from a Hushmail account to officials when requested. If you think about it, the ability to do this makes complete sense. They offered a Java program into which an individual would type their passphrase; the passphrase unlocked the encryption key stored on the Hushmail server and permitted the Java program to decrypt the stored e-mail and display it in clear text. It would be trivial to write the code to include a ‘switch’ on an account that would send a copy of the passphrase to Hushmail when the user keyed it in. Now on the Hushmail servers sit both the encrypted secret key and the passphrase to decrypt it. Using this key, they can decrypt all your email stored on the servers and do with it as required.
Whenever a company chooses to store its data off site, or to use programs or services from third parties that control the source code and/or the associated services, there is a risk of data being lost or ending up in unintended hands. This is a business risk that needs to be evaluated in each case. These types of issues will only increase as more and more services are offered over the Internet.
DNS Poisoning attack discovered by Dan Kaminsky
Most technical people in the Internet community are well aware of the latest DNS poisoning attack discovered by researcher Dan Kaminsky. There have been many comments and posts on it. I have seen Dan Kaminsky speak a few times. He is a smart guy and an excellent researcher. Unfortunately, I believe this attack was not handled properly.
Yes, Dan used responsible disclosure. He contacted and worked with the major DNS vendors to understand and fix the problem. They produced a ‘patch’ and released it to the public. This was all great. It is at this point that I start to have a problem.
The patch was released without telling the community the details of the issue. It was a ‘trust us, you need to patch’. Does that sound familiar? Governments and vendors do it all the time. You don’t need to know the details, just trust us to protect you and do the right thing. A good article on the chronology of events is here. The reason for not telling the public was that it was going to be presented at Blackhat in a couple of weeks. This, for me, is where I start to have issues with the handling of this vulnerability. A well respected security researcher discovers a very serious vulnerability in the DNS system. Once a patch is available, rather than get all the information out, he decides to hold the details to build hype for a presentation at Blackhat. Not very responsible at all. I’d suggest it was self-serving.
Between the patch release and BlackHat, people speculate as to what the DNS vulnerability is and eventually someone figures it out. I suppose one could argue that the primary goal of the DNS vulnerability discovery and lack of full release was not publicity at Blackhat. Yet as soon as the attack is figured out and released by someone other than Dan, I receive this e-mail:
Black Hat’s Second LIVE WEBCAST
Dan Kaminsky’s DNS Discovery: The Global DNS Issue and the Massive, Multi-Vendor Fix
Thursday, July 24, 1:00 pm PST/4:00 pm ET. FREE
Speakers: Jeff Moss, Dan Kaminsky, Jerry Dixon, Rich Mogul, Joao Damas
Register Now at http://w.on24.com………
Overview:
Early in 2008, security researcher Dan Kaminsky located a gaping hole in the basic underpinnings of the internet. This fundamental flaw in DNS security renders almost all DNS servers open to cache poisoning (US CERT VU#800113). As the vulnerability arises from flaws in the design of the DNS protocol, the issue affects nearly all vendors and nearly all products designed to work with DNS.
In the intervening time, Dan has worked with a coalition of vendors to create a fix for this very serious and ubiquitous vulnerability. On July 8th, technology vendors from across the industry simultaneously released patches for their products in a combined effort of historic proportion.
Join Dan Kaminsky, director of penetration testing for IOactive; Jerry Dixon, former director of the National Cyber Security Division at DHS; and other experts to discuss the largest synchronized security update in the history of the Internet. Dan will tell the story behind the discovery, and the process of creating and deploying the fix.
Presenters:
Dan Kaminsky, Director of Penetration Testing, IOactive
Jerry Dixon, Former Director of the National Cyber Security Division, DHS
Rich Mogul, Securosis
Joao Damas, Sr. Programme Manager, ISC
Obviously they are still trying to capitalize on the ‘publicity’ around this event. This makes me sad. Maybe Dan is being forced to do this because the company he works for wants the publicity, or maybe he just secretly wants to be famous (he already is) and get public attention. Personally, I don’t know and I don’t really care. From what I have heard he is still not going to publish the ‘technical’ details until Blackhat, although this is kind of silly at this point.
What I do care about, and am disappointed by, is that a security researcher of Dan’s caliber is willing to deploy a ‘trust us’ mentality for his own or his company’s public gain. This has caused speculation and naturally causes both good and bad guys to try and figure it out. Basically, the media attention was more important than full disclosure at the right time. The right answer was to come clean as soon as the patch was released. People like myself will still go to see his presentation. Of course the media might not, as it will be old news, which appears to be the main concern. I appreciate the work Dan and others like him do. I am disappointed in the apparent need for ‘self’ media attention. I expect it from software and hardware vendors. I never expected it from the security research community and a prominent individual in the community such as Dan.
Software Liability
Bruce Schneier has spoken about software liability many times over the years. Many of my colleagues and I agree with him. Of course I have other friends who completely disagree. This has made for some interesting discussions over the years. I have never blogged about it directly, but you can infer my position from this post. According to Bruce Schneier’s blog entry, they are at least starting to look at it. This is a good thing.
Analysis of software piracy numbers
Ever wonder how true those software piracy statistics are, regarding the amount of pirated software, the money and jobs lost, and so on? Well, like most things, you can ‘adjust’ them to your benefit.
An excellent analysis by Mike Masnick of some of the latest numbers. The part I like best is that the group responsible for producing these numbers, the Business Software Alliance, has been made aware of it, but chooses to ignore it.
Deniable File Systems and Truecrypt
An interesting research paper on the vulnerabilities of using Deniable File Systems (DFS). The popular open-source package TrueCrypt is used as the primary example, although the findings would apply to other DFS applications.
The authors (A. Czeskis, D. J. St. Hilaire, K. Koscher, S. D. Gribble, T. Kohno, B. Schneier) note that, given the current political environment in many countries, users of a DFS may think that utilizing a DFS application makes the data stored in it undiscoverable. The authors highlight how this is a false belief.
Two of the key points I found interesting were:
- Most applications and operating systems are not designed to preserve plausible deniability and often ‘leak’ information that reveals the existence of a DFS.
- Many common applications such as Microsoft Word make a copy of a file located in a DFS, typically in a non-DFS, non-encrypted location, while the user is working on it. If the application is properly closed the copy is deleted, but not securely, allowing a recovery agent to extract the contents of the secret file without needing access to the hidden file system.
Wear Leveling with flash drives and USB sticks
A good two page article that describes how “wear leveling” works on flash drives and USB sticks. It covers static and dynamic wear leveling concepts. The article is high-level enough to grasp the concept even if you are not a file system guru.
What I find most interesting is that, with wear leveling implemented in most flash drives and USB sticks, even if you wipe the drive using recommended ‘wipe’ methods, all or parts of the data could still be present and recoverable.
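To make the wear leveling point concrete, and the DFS point above about an application’s deleted temporary copy, here is a small simulation I added; it is my own constructed model, not code from the article, the paper or any real flash controller, and the page size, controller policy and the ‘secret’ string are all assumptions. A temporary copy is written to the simulated flash, deleted the way a file system deletes, then the same logical page is overwritten three times by a host-side wipe; reading the raw pages afterwards still finds the original data, because the controller redirected every overwrite to a fresh physical page.

```python
"""Toy flash translation layer with dynamic wear leveling: a constructed model,
not real firmware. Writes go to the least worn free page; old copies are only
marked stale, never erased, so host-side overwrites never touch them."""
from dataclasses import dataclass, field

PAGE = 16  # bytes per page; constructed toy size

@dataclass
class Flash:
    pages: int
    phys: list = field(init=False)               # raw physical page contents
    erases: list = field(init=False)             # per-page erase count
    mapping: dict = field(default_factory=dict)  # logical -> physical page
    stale: set = field(default_factory=set)      # superseded, not yet erased

    def __post_init__(self):
        self.phys = [b"\xff" * PAGE] * self.pages  # erased NAND reads 0xff
        self.erases = [0] * self.pages

    def write(self, logical, data):
        used = set(self.mapping.values()) | self.stale
        free = [p for p in range(self.pages) if p not in used]
        if not free:
            raise RuntimeError("no free pages; garbage collection needed")
        target = min(free, key=lambda p: self.erases[p])  # wear leveling
        if logical in self.mapping:
            self.stale.add(self.mapping[logical])  # old copy left in place
        self.phys[target] = data.ljust(PAGE, b"\x00")[:PAGE]
        self.mapping[logical] = target

    def delete(self, logical):
        # file-system style delete: forget the mapping, touch no data
        self.stale.add(self.mapping.pop(logical))

def wipe_logical(flash, logical, passes=3):
    """Host-side 'secure wipe': overwrite the same logical page repeatedly."""
    for i in range(passes):
        flash.write(logical, bytes([i]) * PAGE)

def raw_nand_search(flash, needle):
    """What an examiner reading the chip directly (bypassing the FTL) finds."""
    return [p for p, page in enumerate(flash.phys) if needle in page]

def demo():
    flash = Flash(pages=8)
    secret = b"hidden-vol-copy"  # constructed stand-in for an app's temp copy
    flash.write(0, secret)
    flash.delete(0)              # application closes and removes its temp file
    wipe_logical(flash, 0)       # wipe tool overwrites that logical page
    return raw_nand_search(flash, secret)  # original page still holds it
```

Static wear leveling and garbage collection move and erase pages on the controller’s own schedule, so the old copy may disappear eventually, but nothing the host writes forces that to happen.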
