Hack Back is Here

In February of this year I announced at RSA SF, in my presentation on breach data and trends, that this year will mark a new era of legitimate and legal hack-back services. There is no question that self-defense has been in practice for many years and companies have provided hack-back services, but they tended to be clandestine operations that tried to avoid scrutiny under the law. The FBI certainly frowns upon it. The difference now is that more entities are willing to step forward and confirm their information security self-defense includes an active component. It has become overt and is on its way to becoming legal.

I mentioned the other day that the IDF had publicly announced they reserve the right to attack, presumably under the principle of self-defense. Germany has recently moved to say they also reserve this right.

To put the German announcement in perspective, consider the conclusion to a story from 2009 in Der Spiegel called National Defense in Cyberspace:

…the uniformed hackers at Rheinbach [Department of Information and Computer Network Operations] are battling a particularly treacherous adversary: German criminal law, which has banned the preparation of computer sabotage since 2007. If the German cyber warriors did in fact launch test attacks on outside networks they would, strictly speaking, be breaking the law. The penalty for serious computer sabotage is a prison sentence of up to ten years.

That battle is apparently winding down as the German military today openly admits to offensive preparation/capability and now is debating logistics and ethics of implementation.

Although the German admission is not a huge surprise – most countries are assumed to have cyber-offensive capabilities – the clear declaration that the CNO has an attack role has reportedly caused controversy among the country’s legislators.

The ambiguities are legion. Does the military have the legal or constitutional authority to launch cyber-attacks against third parties without the approval of Parliament and if so under what circumstances?

There is a subtle difference between the investigative/surveillance and the hack-back debates. The authorities now are looking for support and permission to move beyond collecting information and into an active defense or attack posture intended to cause damage (e.g. shutting down a server). The surveillance debate paved the way, in terms of the right to alter a system without owner consent, but it usually stopped short of allowing damage.

Reports, such as this 2007 one from Austria, said police were given the legal green light for surveillance.

The Austrian Police has become the latest European agency to express its intention to use specially-crafted Trojans to remotely monitor criminal suspects.

According to reports in Austrian media, the minister of justice Maria Berger, and Interior Minister Gunther Plater, have drafted a proposal that will be amended by legal experts and the cabinet with the intention of allowing police to carry out such surveillance legally with a judge’s warrant.

And I assure you the private sector was already doing this years before the government because it was able to move ahead without the scrutiny of public approval. I certainly was working on similar engagements long before 2007.

The good news is that public requests for the capability mean public review of appropriate/ethical use. The bad news is that at least some of those pushing for surveillance capability seem to be unaware that their new attack tools are not fail-safe and require careful management. Once you are into surveillance there is a very fine line separating you from hack back. Just as a weapon can backfire or cause unintentional harm when not properly handled, a German official carelessly handed over control of malware to an adversary.

The man had installed a Trojan on his daughter’s computer in order to monitor her activity on the Internet. The daughter, however, had a friend from the hacker scene who noticed the spying.

To pay the nosy father back, the hacker broke into his computer. There he saw that the police officer had redirected official e-mails to his private computer. That paved the hacker’s way into the interior of the Federal Police. As a result of the attack, the “Patras” server, through which the police observe suspects, had to be shut down.

So hack back is here and clearly is being approved, surfacing some interesting issues of trust, ethics and liability. This German case is a perfect example. The German quote above points out that an authority was moving sensitive data from the government to his personal systems (fail); he was using government tools/technology (e.g. malware) for personal use (fail); and he was unable to control who had access to his personal systems (fail). These types of problems with state/group/self defense are old, but the discussion is now in the open about who should be authorized to hack back, when it is allowed, and their liability for collateral damage. It brings to mind a slight modification of an old quote: “if you criminalize malware possession, only criminals will possess malware”.

D-Day Message by General Eisenhower

I have seen little or no mention in the security community threads today of one of the most noteworthy events in military history. As we twitter about this password breach or that malware scare, I wonder if any benefit would come from taking a moment to reflect on the events of June 6th, 1944.

Take a listen or read the carefully phrased words of General Eisenhower at the start of D-Day, when the weather cleared the way for a landing:

Soldiers, Sailors and Airmen of the Allied Expeditionary Force! You are about to embark upon a great crusade, toward which we have striven these many months. The eyes of the world are upon you. The hopes and prayers of liberty loving people everywhere march with you. In company with our brave Allies and brothers in arms on other fronts, you will bring about the destruction of the German war machine, the elimination of Nazi tyranny over the oppressed peoples of Europe, and security for ourselves in a free world.

Your task will not be an easy one. Your enemy is well trained, well equipped and battle hardened, he will fight savagely.

But this is the year 1944! Much has happened since the Nazi triumphs of 1940-41. The United Nations have inflicted upon the Germans great defeats, in open battle, man to man. Our air offensive has seriously reduced their strength in the air and their capacity to wage war on the ground. Our home fronts have given us an overwhelming superiority in weapons and munitions of war, and placed at our disposal great reserves of trained fighting men. The tide has turned! The free men of the world are marching together to victory!

I have full confidence in your courage, devotion to duty and skill in battle. We will accept nothing less than full victory!

Good Luck! And let us all beseech the blessings of Almighty God upon this great and noble undertaking.

In the General’s back pocket was another carefully written speech, which fortunately was never needed…

Our landings in the Cherbourg-Havre area have failed to gain a satisfactory foothold and I have withdrawn the troops. My decision to attack at this time and place was based on the best information available. The troops, the air and the Navy did all that bravery and devotion to duty could do. If any blame or fault attaches to the attempt, it is mine alone.

VMware vSphere 5 hardening guidelines announced for vCM

VMware has announced support in their vCenter Configuration Manager (vCM) for the new vSphere 5.0 hardening guidelines.

[VMware Center for Policy & Compliance (CP&C)] is pleased to announce the most anticipated content release to date in vCM, the VMware vSphere 5.0 hardening guidelines! As a critical component of the vC Ops suite, vCM is the FIRST product in the market today to have the official GA version of the vSphere 5.0 Hardening Guidelines.

The five new rule groups are related to some exciting new possibilities in automation. It now is easier than ever to test vSphere configurations, monitor for changes, and compare them to policy. VMworld will be a great time to see how it works and where things are going next.

vShield Architecture for vCloud Director

A slide deck has been circulating called “Life before and after vCloud Director” that claims to “reveal” that a vCloud environment could be designed to reduce redundancy. Chris Colotti makes some excellent points in a short and clear rebuttal:

A vShield appliance is only needed if you choose to NAT route the Organization networks or the vApp networks. These are not required, but are used if the design considerations call for it. Yes it can fail, anything can fail, so that statement is pretty broad. However, it is a VM protected most likely by VMware HA, as are so many other production Virtual Machines today. There are also multiple blog posts about how VMware Fault Tolerance can be used to protect the vShield Manager as well as the deployed vShield Appliances themselves.

The appliance is the firewall, router, DHCP, and Load balancer for Selected Networks and Organizations, but not for the “vCD System”. You can always use direct connected networks and external firewalls, as well as load balancers and VPN devices. Again, vShield is NOT a requirement; it is simply a tool to assist in the design of a multi-tenant vCloud Director deployment. We have also had folks deploy other Virtual Machines in the cloud itself to handle some of these functions, including virtual load balancers.

The slide deck probably is based on an article from last year called “VMware vShield Manager design raises availability concerns”.

It is worth noting that VMware’s publicly stated best practice, per KB: 2011480, is to use fault tolerance with vShield.

IDF Defines Cyber Warfare

The Israel Defense Forces website has just posted the following vague announcement:

IDF Operations Department recently defined the essence of IDF cyber warfare, putting together instructions that define the military’s operational methods in cyber space and clarify its goals in facing potential enemies. IDF Website exclusively reveals these instructions for the first time.

According to the document, cyber space is to be handled similarly to other battlefields on ground, at sea, in the air and in space. The IDF has been engaged in cyber activity consistently and relentlessly, gathering intelligence and defending its own cyber space. Additionally if necessary the cyber space will be used to execute attacks and intelligence operations.

There are many, diverse, operational cyber warfare goals, including thwarting and disrupting enemy projects that attempt to limit operational freedom of both the IDF and the State of Israel, as well as incorporating cyber warfare activity in completing objectives at all fronts and in every kind of conflict.

I could go on with the quote but I’m sure you get the idea about this “definition”. It seems to say anything is possible, options are open, as necessary, for all fronts, with various goals…

The point of their announced “definition” seems not to be precision but rather to acknowledge in general that they are monitoring, and to formally announce that they reserve the right to attack. The Arabic and Hebrew versions of the page seem to say almost exactly the same thing.

2012 Delta Ditch Run – Nacra F20 Carbon Takes Line-Honors

Results have not yet been posted but the June 2, 2012 Delta Ditch Run was a wild ride. The weather forecast was for sun and a stiff downwind breeze with flood tide. Everyone knew they were in for a fast race of 65 miles if they could just keep their shiny side down. Here’s the first video I’ve found posted. It’s from Twisted, a Farr 40 (PHRF 0), during the early minutes of the Division A start.

Nearly half-way through the race even big, experienced boats in Division A showed signs of trouble. I watched Tiburon, a Santa Cruz 37 (PHRF 27), spin out of control. We were in a duel with them on gybes until they botched one and ran aground on a shoal during a twisted-kite broach (“broadie” as some like to say). Fortunately they managed to free themselves as they spun and flipped back with a spectacular second broach. Then, unable to get their kite down, they were dragged hard aground in 3-foot deep water as they fought a third and final broach.

Meanwhile, Double Trouble, a J-125 (PHRF -12), who should have been far ahead of us instead was now trying to catch up. They appeared to be making good time with the giant puffs yet under mainsail alone. Someone pointed out it looked like they had been reduced to just Single Trouble. Conditions were tough in the monohulls, to say the least.

Preliminary results indicate that Bruce Edwards and Eric Willis took first-to-finish honors on a Melvin & Morrelli 2009 design called the Nacra F20 Carbon. Here’s an “official” video of the boat:

I see at least two important points to be made about this boat and its result in the race.

  1. You should sail a catamaran, even in the Bay: Bruce and Eric are extremely talented racers with a lot of experience in local heavy-air conditions on skiffs and the A-Class Catamaran. Line honors couldn’t go to a nicer team. But it is important to note they are not professional sailors. They both hold full-time jobs and this is a new boat to them. Given that conditions in the race were close to survival-level in terms of difficulty — gusts over 30 kts, confused and often steep waves, shallow and narrow channels with hidden shoals and several hours of gybes — they proved that catamaran sailing is a reasonable platform even for amateurs in the Bay Area. Compare their performance, for example, to the sad sight of a fleet of dismasted Melges 20s (five reported). The monohull fleet not only faced damage and disaster but the amateur Melges 20 (PHRF 111) sailors must be seriously concerned about all their upcoming events on the Bay. I wonder if any of them are saying “I could have had a Nacra F20 Carbon! (and for half the cost)”
  2. The forefront of sailing innovation and performance is with catamarans: The America’s Cup 2013 technology and research investment in sailing is clearly trickling down to designs of all sizes. With that in mind more catamarans have been appearing in the Bay Area than ever before and more up-and-coming sailors are showing interest in cats. Just a few years ago I used to get odd looks from professional sailors and campaign owners when I would bring up the Tornado or A-Class, yet today they are the ones who seem to be bringing the latest two-hull designs to the water first. Can you believe there are a pair of matching catamarans, one red and one blue, in the Pegasus compound? And how about finding a new Nacra F20 Carbon for sale by the Oracle team after just a few trials in San Francisco? The attention of the high-performance sailing community and sponsors is shifting quickly to two hulls and, given successes like the Delta Ditch Run, is likely to have an effect on the Bay Area for years ahead. Of course the Delta Ditch Run has been won by a small fleet of catamarans since forever but the big difference is now we have inexpensive boats designed for amateur fleets (F18 and F20), which offer owners the chance to enjoy some of the best ideas and equipment in sailing, and that provide experience directly relevant to moving up to an Olympic campaign or professional career in sailing.

Update: Results have been posted. The Nacra F20c (originally listed as PHRF -81, now TCF Texel 1.124) was officially first to finish at 15:18:11 (Elapsed 04:18:11, Corrected 06:37:57).

Big congratulations to Melvin & Morrelli on the design and to Bruce Edwards and Eric Willis for their win! As much as I truly love sailing a Tornado (a timeless design) and the A-Cat (a development class), I have to admit I can’t wait to be out on a Nacra F20 Carbon…

Vernon Fraud in Audit Report

Vernon, California is a town just five miles south of the center of Los Angeles and near another town that has been infamous for government fraud investigations and arrests.

On a map Vernon may be hard to find because it seems to be just a few empty industrial-looking streets in a giant maze. Despite being near the center of LA, however, it is recorded with a population of about 100 people who host about 1,800 companies with 50,000 workers generating a quarter-billion in annual revenue on a property tax base of four billion. It officially is the smallest incorporated city in the state, while being at the center of one of the largest cities.

Vernon map

That introduction should give you some clue to where I am going with this story. Vernon appears to be on its way to being known as another unfortunate example of corruption and misrepresentation. An audit by the California Public Employees’ Retirement System (CalPERS) has uncovered that many of the Vernon officials found and exploited loopholes in how retirement was calculated.

CalPERS is taking steps to cut the retirement benefit of former City Administrator Bruce Malkenhorst Sr. from $45,073 per month to $9,654 per month, following an audit CalPERS completed in April 2012.

The press release from CalPERS is a bit vague in describing the exploits. Take this sentence for example, which emphasizes that documentation is required to prove a retirement calculation is justified.

Of the numerous positions Malkenhorst Sr. performed simultaneously at the City of Vernon, the City Clerk position was the only position that had a publicly available pay rate for a single position, and which did not constitute pay for duties in addition to normal duties, or overtime.

The problem is not just that documentation was missing. That obviously will trip up any audit. A really interesting problem is related to the phrase “performed simultaneously”. Guess how many jobs/hours the accused Vernon official was trying to cash in.

The audit said Vernon failed to substantiate the number of hours worked by Malkenhorst, who at one point held 10 different positions in city government and earned as much as $911,000 in 2006.

You can read the audit itself to really get the details, but from what I’ve read the Vernon officials figured out that in a small town you could stack together an unlikely, or even impossible, record of work and still submit it for retirement calculation. It obviously doesn’t help when both controlling funds and disbursing them fall within that set of ten jobs held by one person. Any government income reported above a certain threshold will surely raise an automatic pension flag now, not to mention a flag for lack of independence.

Other loopholes cited in the audit include paying people who were ineligible, declaring the legal profession a high-risk job, and massively increasing pay just before the cut-off for calculating retirement (i.e. spiking the rate to inflate the average). While messing with the numbers used to calculate retirement benefits, officials also are accused of underreporting.
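The flags described in the two paragraphs above (income over a threshold, one person both controlling and disbursing funds, an impossible stack of simultaneous positions, and a pay spike just before the retirement cut-off) can be expressed as simple audit rules over position records. The following is an added example written for this post, not code from CalPERS or the audit; the thresholds, the role sets and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed role sets: positions that approve or control funds versus
# positions that disburse them. One person holding one of each, with no
# independent reviewer, is the "lack of independence" problem.
CONTROL_ROLES = {"city administrator", "finance director"}
DISBURSE_ROLES = {"treasurer", "city clerk"}

INCOME_THRESHOLD = 400_000   # constructed cut-off, not an actual CalPERS rule
MAX_WEEKLY_HOURS = 80        # constructed plausibility limit across all positions
SPIKE_RATIO = 1.5            # final-year pay / prior-year average that counts as spiking


@dataclass
class PositionRecord:
    employee: str
    position: str
    year: int
    hours_per_week: float
    annual_pay: float


def audit_records(records):
    """Return {employee: sorted list of flag strings} for the constructed rules."""
    flags = defaultdict(set)
    by_emp_year = defaultdict(list)
    for r in records:
        by_emp_year[(r.employee, r.year)].append(r)

    # Per-year checks: total reported income, stacked hours, segregation of duties.
    pay_by_emp = defaultdict(dict)
    for (emp, year), recs in by_emp_year.items():
        total_pay = sum(r.annual_pay for r in recs)
        pay_by_emp[emp][year] = total_pay
        if total_pay > INCOME_THRESHOLD:
            flags[emp].add(f"income_over_threshold:{year}")
        if sum(r.hours_per_week for r in recs) > MAX_WEEKLY_HOURS:
            flags[emp].add(f"implausible_hours:{year}")
        roles = {r.position.lower() for r in recs}
        if roles & CONTROL_ROLES and roles & DISBURSE_ROLES:
            flags[emp].add(f"no_independence:{year}")

    # Multi-year check: does the final reported year spike against the prior average?
    for emp, years in pay_by_emp.items():
        if len(years) < 2:
            continue
        last = max(years)
        prior = [p for y, p in years.items() if y != last]
        avg_prior = sum(prior) / len(prior)
        if avg_prior > 0 and years[last] / avg_prior > SPIKE_RATIO:
            flags[emp].add(f"pay_spike:{last}")

    return {emp: sorted(f) for emp, f in flags.items()}


# Constructed sample records; names and figures are invented, not from the audit.
SAMPLE_RECORDS = [
    PositionRecord("A. Official", "City Administrator", 2005, 40, 250_000),
    PositionRecord("A. Official", "Finance Director", 2005, 40, 120_000),
    PositionRecord("A. Official", "Treasurer", 2005, 30, 80_000),
    PositionRecord("A. Official", "City Administrator", 2006, 40, 500_000),
    PositionRecord("A. Official", "Finance Director", 2006, 40, 250_000),
    PositionRecord("A. Official", "Treasurer", 2006, 30, 160_000),
    PositionRecord("B. Clerk", "City Clerk", 2005, 40, 60_000),
    PositionRecord("B. Clerk", "City Clerk", 2006, 40, 62_000),
]

if __name__ == "__main__":
    for employee, found in audit_records(SAMPLE_RECORDS).items():
        print(employee, found)
```

Each rule is deliberately crude; the point is that every one of them needs only the data a city already reports, which is exactly why the audit's first finding was that Vernon could not substantiate the hours behind the records in the first place.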

[The audit] also criticized the city for not reporting Fresch’s full compensation, which reached as high as $1.65 million in 2008. Fresch, who succeeded Malkenhorst as Vernon’s top administrator, has remained a special [legal] consultant to Vernon over the last year at a rate of $525 an hour…

Basically the town’s records had no data integrity, which was noticed by investigative journalists after the Bell scandal. It seems that neither state funds, nor other government funds, would be caught up in the CalPERS pension scandal for Vernon employees. Nonetheless, it will be interesting to see now how the city will reform itself and form a relationship with external and independent audits.

Like a false republic, which Americans often make fun of as a problem overseas, the lack of an independent electorate makes the options seem limited. By agreeing to change led by the state, it has so far been able to avoid disincorporation measures. But it obviously has a long way to go, based on the details in an opinion piece in the LA Times:

Vernon has never made any pretense of normal governance. Founded as a family fiefdom, it has remained so for a century. John Leonis, Vernon’s co-founder, served 45 years on its City Council. His grandson, Leonis Mahlberg, served 53. If any real-life entity reflects the cynical manipulation of public institutions portrayed in the iconic movie “Chinatown,” it is Vernon. The hereditary dons of the Vernon council serve for decades, jetting off on lavish “trade missions” to Asia, Europe and elsewhere at public expense. They ruthlessly suppress even the shadow of dissent, and rigorously control who is allowed to live in nearly every dwelling in the city. Bruce V. Malkenhorst at one time served simultaneously as Vernon’s city manager, finance director, city clerk, redevelopment director, treasurer and chief of light and power, drawing the highest salary of any public official in California. After 33 years as city administrator, he passed the job to his son, Bruce V. Malkenhorst Jr.

As part of the reform the state could perhaps turn it into an educational theme park. Imagine a sign that said “Welcome to Kleptocracy World”.

…generally associated with corrupt forms of authoritarian governments, particularly dictatorships, oligarchies, military juntas, or some other forms of autocratic and nepotist government in which no outside oversight is possible, due to the ability of the kleptocrat(s) to personally control both the supply of public funds and the means of determining their disbursal…most common in third world countries…

…or as found in America, particularly around LA.
