Collusion Add-on for Firefox

Mozilla has released an interesting link-analysis tool called Collusion (much like the tools used in police investigations, except that it maps connections only, not events).

Collusion is an experimental add-on for Firefox that lets you see every third party tracking your movements across the Web. It shows, in real time, how that data creates a spider-web of interactions between companies and other trackers.

I fired it up for a simple test with a blog site. A plugin called Sexybookmarks, infamously found on “over 200,000 websites,” seemed like a good place to start. It supposedly makes it easier for readers to share posts to Twitter, Facebook and so forth, but it also gives blog administrators a vague “track performance” option.

Notice how, in the plugin’s settings screen, they put a “recommended” note next to the yes option to persuade a blog owner to leave it on. None of the other options say whether they are recommended or not. Suspicious, no?

It turns out there is reason to be concerned about the “recommended” option. I clicked yes, reloaded the page, and Collusion immediately picked up traffic being sent to media6degrees.com.

It is now very easy for any Firefox user to visualise their traffic to hidden third-party sites while they visit familiar ones. More importantly, it shows how a single central repository of user actions is built up from multiple sites that present themselves to the user as separate and distinct.

You may think you are visiting site Alice and site Bob, which have nothing in common, but they could share an innocent-looking tool that (even unbeknownst to them) sends your information off to a third party managed by the authors of Sexybookmarks, who then use your “performance” data to post stories and graphs illustrating your online behavior and interests.

Our statistics, based on aggregate search data from more than 270 million unique monthly readers reached by more than 200,000 Shareaholic publishers, reveal that Hugo is favored for Best Picture with 33% of searches…

Now the tool just needs a right-click option to “block” or “deny” a tracker.
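As an added illustration of the cross-site aggregation described above, the following script reconstructs the kind of graph Collusion draws from a set of page loads. This is example code written for this page, not part of the original post and not Collusion’s own code. The page and resource URLs are constructed sample data (alice.example, bob.example, carol.example, sharebuttons.example, tracker.example and fonts.example are placeholders), and the registrable-domain check is a two-label simplification of what a real tool does with the Public Suffix List.

```javascript
// Added example (not part of the original post, not Collusion's own code):
// reconstruct the graph Collusion draws from a set of page loads.
// Input: for each first-party page, the URLs of the resources it loaded.
// Output: third-party sites and which first-party sites they were seen from,
// so a tracker shared by otherwise unrelated sites stands out.

// Constructed sample data: two unrelated blogs that both embed the same
// share-button script, which in turn beacons to a tracking domain.
// All host names are placeholders, not taken from the post.
const PAGE_LOADS = {
  "https://alice.example/post/1": [
    "https://alice.example/style.css",
    "https://cdn.sharebuttons.example/button.js",
    "https://tracker.example/beacon?site=alice",
  ],
  "https://bob.example/article": [
    "https://bob.example/app.js",
    "https://cdn.sharebuttons.example/button.js",
    "https://tracker.example/beacon?site=bob",
    "https://fonts.example/font.woff2",
  ],
  "https://carol.example/": [
    "https://static.carol.example/logo.png",
  ],
};

// Approximates the registrable domain as the last two labels of the host
// name. This is an assumption of the example: real tools consult the Public
// Suffix List so that "shop.example.co.uk" is not reduced to "co.uk".
function site(urlString) {
  const host = new URL(urlString).hostname;
  return host.split(".").slice(-2).join(".");
}

// A request is third-party when its site differs from the page's site.
function isThirdParty(pageUrl, resourceUrl) {
  return site(pageUrl) !== site(resourceUrl);
}

// Builds the map: third-party site -> Set of first-party sites that loaded it.
function buildTrackerGraph(pageLoads) {
  const graph = new Map();
  for (const [pageUrl, resources] of Object.entries(pageLoads)) {
    for (const res of resources) {
      if (!isThirdParty(pageUrl, res)) continue;
      const tp = site(res);
      if (!graph.has(tp)) graph.set(tp, new Set());
      graph.get(tp).add(site(pageUrl));
    }
  }
  return graph;
}

// Third parties that can correlate one visitor across at least `minSites`
// distinct first-party sites: the "single central repository" of the post.
function crossSiteTrackers(graph, minSites = 2) {
  return [...graph.entries()]
    .filter(([, firstParties]) => firstParties.size >= minSites)
    .map(([tp, firstParties]) => ({ tracker: tp, sites: [...firstParties].sort() }))
    .sort((a, b) => b.sites.length - a.sites.length || a.tracker.localeCompare(b.tracker));
}

// The "right-click and block" the post asks for, expressed as a policy:
// deny a request to a listed third party before it is issued.
function shouldBlock(pageUrl, resourceUrl, blocklist) {
  return isThirdParty(pageUrl, resourceUrl) && blocklist.has(site(resourceUrl));
}

const graph = buildTrackerGraph(PAGE_LOADS);
for (const { tracker, sites } of crossSiteTrackers(graph)) {
  console.log(`${tracker} seen from ${sites.length} sites: ${sites.join(", ")}`);
}
```

Run with node; the output lists only the third parties that appear on two or more unrelated sites (here the share-button CDN and the tracking domain it beacons to), while the font host loaded by a single site and carol.example’s own static subdomain are left out. shouldBlock is the deny rule the post is asking for: a request is refused only when it is both third-party and on the user’s blocklist, so a first-party host that happens to share a name with a listed tracker is never blocked by mistake.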

Big Data Security, Big Challenges: Start Here

On Thursday, March 22, at the GigaOm Structure:Data conference, I will discuss the present and future state of big data security with Dave Asprey, VP of Cloud Security at Trend Micro.

Our session is called “Big Data Security, Big Challenges: Start Here”:

Security at scale is harder than you’d think, especially when your big data platform is based on Infrastructure as a Service cloud computing. Join us for this introductory fireside chat as we discuss encryption for big data, how virtualization affects the security of big data, and emerging practices that will provide a big boost for big data security.

Hope to see you there.


The Trackback and Arrest of Sabu

A Pastebin entry on June 25, 2011 accused Sabu of hacking into HBGary, among other things. It opened with an anti-“anti-sec” argument:

From what we’ve seen these lulzsec/gn0sis kids aren’t really that good at hacking. They troll the internet and search for SQL injection vulnerabilities as well as Remote File Include/Local File Include bugs. Once found they try to download databases or pull down usernames and passwords. Their releases have nothing to do with their goals or their lulz. It’s purely based on whatever they find with their “google hacking” queries and then release it.

What’s funny to us is that these kids are all “Anti-Sec” yet by releasing their hacks they are forcing these companies to have to hire security professionals, which keeps the Security Industry that they are trying to expose and shut down in business.

This is an argument I agree with and have been presenting at numerous conferences (including last week’s RSA), with one difference: I try not to judge those who attack as good or bad but rather to speak to a measure of the strength of defence. Here is why: an argument over who is “really that good at hacking” runs into as many definitions of good hacking as there are people who claim to be good at it.

Let me try to explain by way of popular cartoons. Many seem to rate hacking skills as though they are channelling the classic Wile E. Coyote and Road Runner dichotomy (winners always win and losers always lose, so it is easy to pick a side).

However, I see competition in the arena of trust (the real root of hacking) more accurately reflected in Antonio Prohías’s series of satirical cartoons, Spy vs. Spy.

I am not just asserting that Spy vs. Spy is a closer reflection of reality; I am also drawing on the history (pun not intended) behind the cartoons. The balance depicted in Spy vs. Spy originates in Prohías’s harsh critique of Communism in Cuba. He depicted the Soviets as deceptive, and therefore untrustworthy, allies of Castro, as in his 1960 cartoon for the newspaper El Avance Criollo captioned “I’ll stay just for dinner and leave”.

Now imagine that the hackers competing for status are highly political. It does not have to be Castro and Khrushchev. Who should we say is “good at hacking” when two sides are testing levels of trust? The source of the ambiguity in Spy vs. Spy is reality itself.

The point is that we should not settle into the comfort of the Road Runner fantasy but rather try to understand the Spy vs. Spy battle. The larger political and social arena makes the question of who is “really that good at hacking” far more complex than technical ability alone.

Back to the story: in early June, someone other than Sabu posted Sabu’s real name, email, IP address and location online. By the end of June it was public on Pastebin:

Dox:
Name: Hector Xavier Montsegur
Location: New York, New York
Race: Puerto Rican ?
E-Mail: sabu@prvt.org

Computer:
Handles: 548U, hectic_les, leon
IP: 199.68.198.129 (ssh-only.recklesstheory.com)

Profiles:
http://www.facebook.com/lesmujahideen ?

Sites:
prvt.org

Notes:
dox confirmed by archived whois entries for prvt.org (his personal site according to #hq logs which he anonymized DNS after release)

As the information spread, the authorities faced losing both a lead and the element of surprise they needed to seize evidence. They moved in only a few weeks later and arrested a man living on government assistance.

FoxNews.com has identified as Hector Xavier Monsegur. Working under the Internet alias “Sabu,” the unemployed, 28-year-old father of two allegedly commanded a loosely organized, international team of perhaps thousands of hackers from his nerve center in a public housing project on New York’s Lower East Side. After the FBI unmasked Monsegur last June, he became a cooperating witness, sources told FoxNews.com. “They caught him and he was secretly arrested and now works for the FBI,” a source close to Sabu told FoxNews.com.

This was not the arrest of Road Runner, or even the reverse (Road Runner as law enforcer). Whether or not we call the accused the most brilliant hacker, or a “computer genius”, he showed an inability to defend himself from those who counter-attacked. In other words, a competition of pride and status over technology can easily be set aside when we look at the overall strength of defence.

There were trivial technical weaknesses (a failure to block direct communication, which a simple fail-safe proxy, one that drops traffic rather than leaking it when the anonymised path is unavailable, would have prevented, and a failure to vary communication paths to defeat traffic profiling), but these were coupled with other weaknesses in defence (he had numerous exposed assets). Technical weakness means lessons will be learned, but the latter, a fundamental business logic flaw, is what truly forced Sabu to adjust his trust relationships.

The agents worked their prey, using the time-honored good cop/bad cop routine. Bad cop stormed out of Monsegur’s apartment yelling, “That’s it, no deal, it’s over, we’re locking you up.”

The computer genius finally gave in, surrendering to the most clichéd tool in the law enforcement arsenal. But the agents had more than just skills – they had leverage.

“It was because of his kids,” one of the two agents recalled. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

It is not clear yet whether all the facts are in (see the PDF of “United States Attorney Charges”), but if I were to take a wild guess I would say Sabu’s critical operational flaw was not technical failure, although that didn’t help, but rather his bold sense of entitlement.

Some reports have suggested he was lazy, but I think it more accurate to say he was motivated by easy gains, with no intention of a fair exchange and no ability to generate self-sufficiency. He was taking hand-outs from the government while attacking it, for example. That is a very difficult strategy and platform to maintain, especially for an activist trying to build trust among peers. Sabu apparently did not factor in how much his defence depended on weakened relationships; like a Spy caught out by another Spy, he probably only realised too late how much he stood to lose.