Thursday, April 30, 2009

How to stop the swine flu

Don't do this:


UPDATE: ...or maybe do it. Exposing ourselves to non-dangerous strains may be the best way to build immunity to the dangerous strains.

Sunday, April 26, 2009

Cyberspies, #2


As I blogged, that WSJ story on cybespies was crap. However, that story had "legs". When a story gets attention, other news organizations jump on it and create their own version of the story. You can see similar stories, like these from the BBC, Reuters, and CNN.

Every journalist knew the story was crap. It was ethically questionable (relied upon anonymous sources that couldn't be challenged). The original journalist who wrote the story knew it was crap. Her editor knew it was crap (indeed, probably asked the journalist who wrote it to sex it up). Other journalists who wrote their own version of the story knew it was crap.

So, each journalist had to make their own ethical decision. It's obvious that the public wants to read about the story, so do you feed the public's appetite, or do you stand up for ethics and quality news? Most organizations made the wrong decisions. CNN's version of the story is probably the most reasonable: they tracked down the original anonymous guys making the claim, and then did their research debunking the claims. CNN also used the correct word "hackers" whereas everyone else used the misleading word "spies". (hackers hint independent people, spies implies people who work directly for their governments).

However, it is The Economist that made the best choice in their version of the story, where they point out what all the other journalists knew:
But the most likely explanation for the sudden spate of scare stories is rather more mundane: a turf war between American government agencies over who should oversee the nation's cyber-security.

I highly recommend The Economist weekly news magazine. It is the most intelligent source of mainstream news available. Other sources like the New York Times or Newsweek or cable news channels target a dumber audience and consequently have dumber news, The Economist targets a more educated audience.

As a side note, I'm disappointed that the news organizations didn't contact any pentesters who had broken into power grids (such as myself).

Friday, April 24, 2009

Tales of hacker tools Vol 1: View Source

5am and I can't sleep. I am obsessed with "Alternate Reality Games" or ARGs. I started with Majestic from EA and I was hooked from there. With the upcoming Terminator: Salvation, it seems WB thought that an ARG would be a good way to promote the upcoming movie.

There are two sites (that I have found so far): Skynet Research and Resist or be Terminated. Both are funny videos to watch and accept user created submissions. On the Resist site you can sign up and play a simulator that lets you collect resources, build military units, and attack other players. Since I love all three of those things, it seemed like a win-win. The problem is, for a detail-oriented person, the documentations on gameplay is...well there is none.

I decided to use the very dangerous but time honored hacking technique of "View Source". This technique is not for rookies and I am sure it must violate some international law, but I am a maverick and I really want to win this game. Here is what I found:


Medieval game? An empire? Galava? MUD?!?! What does this have to do with John Connor and his plucky band of resistance fighters and their battle with Oba^H^H^HSkynet? Using another hidden hacker tool, Google, will lead you to a new site. Although the names have been changed, the basic layout of this game is the same as the Terminator game. Even better, they have documentation and forums. What works in the Galava game also works in the Terminator game. Armed with this information my performance has spiked in the last 2 hours.

The moral of this story is beware of hacker tools like "View Source" and "Google". They could give unauthenticated, 3rd party attackers insight into your application design, and can cause unexpected results.

Thursday, April 23, 2009

RSA 2009

I was trying to figure out the mood at the RSA security conference. Due to the recession, attendance is down 30%.

First of all, it appears that the recession affects cybersecurity less than other parts of IT. I would personally describe cybersecurity as a luxury, but compliance (HIPAA, SOX, PCI, etc.) make it a non-luxury. Companies cannot cut back on security and stay within compliance.

Second of all, it seems there has been a shift from products to consulting/services. Companies are encouraged to shed full-time employees (which commit the companies to things like health insurance and severance packages), so they fill the gaps by hiring part time employees (aka. consultants). Likewise, companies may find that if they can’t hire more people to manage more firewalls, they will stop buying firewalls, so hiring freezes can indirectly freeze product spending.

Thirdly, it appears that federal government sales are up. It appears that government departments are flush with cash. Any company that does a substantial amount of business with the government is going to post good earnings this quarter.

Fourth, it seems that when analysts go up to a booth, they are looking for work ("can I advise your on your marketing strategy") rather than information ("tell me about your product"). I've heard about a lot of layoffs in the analyst community. This is part of the larger trend that companies are trying to figure out how to do more with the products they already have, rather than buy new products. I know from experience that companies only use 20% of the functionality of their security products. I'd suggest to analysts looking for work that they write reports on how companies can use that 80% of other functionality of the products they already own.

Wednesday, April 22, 2009

Why "cyber commands" fail

Defense Secretary Gates has announced that he wants offensive cyber warfare capability.

It's not going to work. Hacking is "asymmetric" warfare. The military is trying to shoehorn it into traditional "symmetric" warfare.

Hacking doesn't work the way it's portrayed in the movies. In the movie Swordfish, the villain puts the hero in front of a computer open to a website, puts a gun to the hero's head, and tells the hero to hack into the website in 60 seconds "or else". That's not the way hacking works, the best hackers in the world could not do that.

However, you could tell a good hacker to break into any website in 60 seconds. In hacking, it's difficult accomplishing a specific, narrowly defined goal. The broader the range of goals, the more likely the hacker will succeed at one of them.

What the military wants is a hacker squad that they can give a specific objective, and have the hackers carry out that objective within a specific timeframe. For example, they might tell hackers to take out Iran's radar at midnight so that fighter jets can enter their airspace a few minutes later to bomb their nuclear plants. That's not going to work.

What you could do is tell hackers to go after Iran and do whatever they can to disrupt their nuclear developments. One hacker might find a way to shut down safety controls and cause a nuclear meltdown, another might jam the centrifuges, another might change the firmware on measuring equipment to incorrect measure the concentration of U238.

Or, you could give the hackers six months to infiltrate Iran's computers, then come back with a list of options. Maybe disabling the radar system will be one of them, maybe not. But that's not the sort of thing the military is tasked to do - that's more an intelligence operation the CIA would be doing.

I use this scenario as an example because something similar happened in the first Iraq war in 1990, where our "hackers" were able to disable their radar by hacking into their phone network. This happened because of circumstance and luck, not because it was a carefully laid out plan to disable their radar that way.

China and Russia understand this. They don't directly employ hackers or tell the hackers to accomplish certain goals. They let the hackers have free range to do whatever they want. If the hackers come across something interesting, such as plans for the Joint Strike Fighter, the government buys it, but no government official ever told the hackers specifically to steal those plans.

The reason China and Russia can do this is because that's already the way totalitarian regimes work. A good example is the Russian "Nashi" organization. This is a militant, nationalistic youth group encouraged by the government. Among the things these thugs do is beat up journalists critical of the central government. They also show up at anti-government demonstrations to rough up the demonstrators. In this way, the government gets what it wants (suppressing dissent) without having to do the dirty work itself.

I mention the Nashi because it appears that youths affiliated with that group were also responsible for some of the cyber attacks against Estonia in that dispute in 2007. It is probable that no Russian government official directed the attacks - that's the entire point. By encouraging nationalistic groups, things like this happen without the government having to direct anything.

There are problems with this technique. Sometimes the youth groups don't do enough, sometimes they get out of hand. China props up Japan as their primary adversary, and last year, riots demonstrating against Japan got out of hand, and the Chinese government had to back down on their anti-Japan rhetoric. Whatever the costs, though, it allows the government to keep their hands clean.

So how can the United States get in on this sort of asymmetric warfare action?

The first thing is that you have to stoke some sort of nationalism in the way that Russia and China do. I'm not sure this is in our character (especially under the current president), however, so we'd probably have to find some alternative. Instead of pro-USA nationalism we could instead focus on human rights activism. The government could spend a lot of time talking to the press about the sorts of human rights abuses that go on in Russia and China. Get our own USA hackers thinking about human rights as their own causus belli.

The second thing they need to do is create a climate where our own hackers can operate. I would gladly hack into Iranian computers, but I'm not sure how this fits into US law. (I don't mind breaking Iranian law, but I'm a stickler as far as US law is concerned).

This would be similar to the "letters of mark and reprisal" used by governments during the 1700s. In those days, national navies were too small to patrol the entire ocean. Therefore, governments licensed privateers to prey upon a hostile nation's shipping. The privateers kept half the booty, and gave the other half to their respective government. This is essentially what China and Russia have done.

A third thing our military would need to do is train our hackers in the target language. Foreign hackers usually learn English, but American hackers rarely learn foreign languages, especially Russian, Chinese, or Farsi (Iranian). If we want to encourage our hackers to go after those countries in the same way they come after us, we need to encourage them to learn those languages. The military runs an excellent school in Monterey. They should recruit people at conferences like Defcon to take their language aptitude tests (right there at the conference), and for hackers who score well, pay them to attend their 6-month high-intensity language courses.

The fourth thing our military would need to do is fix their horrid purchasing processes. I experienced this when selling BlackICE to the military: it almost cost us more going through the byzantine purchase process than we got in money from the purchase. Let's say that you found a robustly exploitable Windows server vulnerability. It's worth $100,000 to our military. There is no way they could buy it. If you tried selling it to them, it would cost you more than $100,000 to go through their obstacles.

Note that I think the individuals who run our military are very, very smart. I've met several generals and colonels who understand this. The problem is that while individuals are smart, the organization is dumb as a rock. The organization crushes precisely the sort of creative thinking need to have a successful "cyber" offensive capability.

Thursday, April 16, 2009

Ode to 50cent

I was recently on a plane for a LONG, LONG time. For me this is roughly equivalent to putting a cat in a box and dangling it over water. I get bored easy and after watching all the television shows I had brought with me I decided to play with IDA and any unsuspecting binaries from my laptop that I randomly selected. While doing this I noticed iTunes kept crashing, predictably and reliably in the same place. I decided to use gdb to see what the hubbub was all about. However I got dissed and iTunes would not allow itself to be debugged.



This would not do. Not knowing anything about the anti-debugging capabilities of iTunes I decided the best way (and the laziest way) for a programmer to try and keep me from debugging is ptrace. I set a breakpoint on ptrace and tried it again. I got a nibble. I typed return, and then let iTunes continue on its way. It worked somewhat: it would continue but I was prompted over and over again to complete the same task and if I deleted the breakpoint iTunes would exit. I decided to modify ptrace to return immediately. I did so with the following command:

set *(int)ptrace = 0xc3


0xc3 translated to ret. After I did this I deleted the breakpoint and let iTunes go about its normal activity, or as 50cent would say, “sit back and let the money pile up.”


B00m, we have a crash.

Now I can examine the information from the crash and work on how exploitable the problem is. The exploitability is a post for another day; I just thought some folks could use a nifty trick if they found themselves in a jam.


(This post was written to 50cents “How to rob.” Also I typed some commands in gdb that produced errors becasue my regular alias file was not loaded.)

Wednesday, April 15, 2009

SSL acceleration

This Slashdot article discusses building an SSL accelerator for $5k worth of hardware rather than $50k for a "hardware" accelerator like F5, that has similar performance.

Probably not necessary. You can probably do SSL just on the servers themselves without too much of a performance hit. If you need more performance, an SSL accelerator probably wouldn't help that much, you'd probably need a load balancer instead -- like F5.

Thursday, April 09, 2009

THIS IS SO AWESOME!!!


This story from Slashdot and Telegraph.co.uk:

During his captivity, U.S. Marines forced Saddam Hussein to watch "South Park: Bigger, Longer And Uncut". That movie portrayed Saddam Hussein as Satan's gay lover. (This character also appeared in several of the South Park TV shows).

I'm not too happy with the invasion of Iraq, and I didn't want Saddam to face the death penalty, but I always wanted him to face exactly what we thought of him. Ever since I saw the movie, I have thought to myself "I hope that if we ever catch the bastard that we force him to watch this". And, apparently, we did. I would pay money to shake the hands of the Marines who did this.

By the way, it should be remembered that the South Park movie was a musical as heartwarming and endearing as "The Sound of Music". One of the songs, "Blame Canada" was nominated for an Oscar.

On the other hand, I forbid my parents from watching the movie, because it is not "age appropriate". Senior citizens are not at the developmental stage where they can handle it (although children are, of course). Sadly, I suspect my dad has been sneaking behind my back watching South Park episodes.

Wednesday, April 08, 2009

Has the power grid been penetrated by enemies?


This Wall Street Journal article "Electricity Grid in U.S. Penetrated By Spies" is an example of "yellow journalism". It makes eye catching claims whose only source is anonymous government officials, backed up by pseudo-experts that nobody has heard of before.

The source of this story probably has to do with this:
Last week, Senate Democrats introduced a proposal that would require all critical infrastructure companies to meet new cybersecurity standards and grant the president emergency powers over control of the grid systems and other infrastructure.
There's no coordinated conspiracy here, but there are a lot of government officials who stand to gain by this attempt at drastically increasing government control over the Internet. They will certain call up reporters they know and attempt to get them to write scare stories precisely like this.

Another quote from the story is:
Last year, a senior Central Intelligence Agency official, Tom Donohue, told a meeting of utility company representatives in New Orleans that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands, he said.
I know of a similar story, told to me by the people who investigated the incident. It appeared that hackers had broken into the power control systems (in a country outside the US), caused a small blackout, and had made ransom demands. As it turns out, it was an inside job, not an attack from the outside. Both the outside "hacker" and the inside guy (who flipped the appropriate switch to cause a blackout) were arrested and put in jail. (The timing and details are similar enough that it's my guess the stories refer to the same incident).

Notice how my story has an ending, whereas Tom Donohue's story doesn't. Seriously, how could the CIA not know how the story turned out. The hackers made ransom demands, but then what?

My conclusion is that the CIA and/or Tom Donohue is lying. They are claiming something to be solid research which is only vague innuendo and rumors.

Tuesday, April 07, 2009

Dallas FBI raid, part 2

Wired Thread Level has a writeup of that recent Dallas FBI raid that seized all the computers at a couple of colos. In particular, they have a copy of the warrant authorizing the raid. It confirms what I said in my previous blog on the subject.

Being technical means I'm more interested in reading the search warrant itself than I am reading the Wired story. Being technical, I wish more news articles were like that Wired article publishing the raw, technical sources of their data rather than digested summary of the content. I hope one day that it will be journalistic ethics that interview notes and other material be posted online next to the stories.

In any case, if you read the warrant, you see it's about this guy Mike Faulkner. It certainly appears this guy is up to no good. The warrant lists a number of places to search, such as his home, business, mail post office box, and so forth. However, is also lists the "Core IP" location that made the news. I've read the affidavit twice and found nothing that implicates "Core IP" other than the fact that one of Faulkner's business was once a customer of Core IP. There is certainly nothing that justifies the grabbing of all the customer equipment at the Core IP location.

As I said in my previous post, the FBI is good at crime, and it appears probable that Faulkner is a criminal. On the other hand, they are bad with computers, and there is nothing that justifies the way they raped Core IP and its customers.

Saturday, April 04, 2009

Why SSL sucks, #458738


I accessed "mail.yahoo.com" and got this error message saying the certificate is bad. Normally, this would be cause to panic. While lesser sites might get SSL wrong, the big sites should get it right. Therefore, if you see a certificate error at a big site like Yahoo!, you should assume somebody is trying to man-in-the-middle your connection.

However, on closer inspection, it appears that Yahoo! fouled up. It's the result of "mail.yahoo.com" incorrectly using a certificate for "login.yahoo.com".

The fact that even a large site like Yahoo! cannot get SSL is pretty damning for SSL.

FBI takes down Dallas ISP


The FBI raided a Dallas ISP and took all the servers belonging to roughly 50 people.

This seems excessive. I want to see the search warrant. In America, a search warrant is supposed to be limited to a specific item being searched for. What makes our country free is that the national police can't come in and grab everything like this.

Unfortunately, in my personal experience, the FBI is a bit corrupt. Few FBI agents that deal with "cybercrime" know anything about computers. As a consequence, they can be easily manipulated to do terrible things like this. It is quite plausible that the MPAA manipulated them to do this massive server grab in order to track down who released the recent Wolverine flick to the Internet.

On the other hand, the FBI is very good at crime in general. There could be legitimate reasons for the massive grab. We'll just have to wait until data is published (i.e. the search warrant authorizing this).

Thursday, April 02, 2009

GPU cracking for $250


ATI and nVidia have just shipped their spring refresh cards. Both now sell an essentially top-of-the-line card for $250 (either the ATI HD 4590 or the nVidia GTX 275). If you do password cracking for pentests, you might want to pick up a few of these cards.

Both would be an excellent card to buy for password cracking. Either would increase password cracking speed by around 10x. I prefer the nVidia card because the CUDA programming support is easier to work with, but I suspect the ATI card may be slightly faster for crunching numbers.

Note the way I say "top-of-the-line". For graphics, the more expensive GTX 285 is better than the GTX 275. However, both cards have the same number of "stream processors" at roughly the same clock speed. Therefore, both should crack passwords at the same speed. What makes the GTX 275 cheaper is the fact that it less backend graphics resources (fewer raster units, slower memory speed, narrower memory bandwidth, smaller frame buffer). We don't care about these other graphics resources -- all we care about is the number of "stream processors" and how fast they run.