Free exploit automation: Pmcma released

Funny intro in the README

Is this tool for me ?
———————

[…]

As a script kiddie, you may have found a piece of code you don’t understand on the internet, but are nonetheless decided to go to jail.

In all those cases, and surely many others, Pmcma was probably made for you.

I think they mean that if you run Pmcma on code without authorization and get caught you will go to jail. A decision to go to jail? That sounds like a protest, and it does not fit the motive of someone who just wants to run scripts in the "kiddie" sense. Perhaps it could be translated into French like this:

En tant que pirate adolescent vous voulez tester le logiciel sur Internet et ne vous souciez pas d'aller en prison. (As a teenage pirate you want to test the software on the Internet and don't care about going to jail.)

Ok, that's my attempt at Canadian French, but still…I put the emphasis on being unaware of consequences rather than on making a decision to go to jail.

Anyway, Pmcma (Post Memory Corruption Memory Analyzer) attaches to a running process after a memory corruption and offers to automatically write exploits for the flaws it finds, without the need for source code (given it has root privilege on the host).

Restaurants That Stalk Online Commenters

Interesting quote from the owner of a San Francisco restaurant.

Weinberg says in her blog that: “With a bazillion places online to tell us how badly we sucked, we do take it very personally”. “We scour the sites, cyber-stalking our customers.” She isn’t joking about the cyber-stalking.

When they see a negative comment, Weinberg and her team will track the customer through cyber-space to see what other restaurants they frequent and how they have rated them, before determining whether the complaint should be taken seriously. If they get the feeling that something should change, they change it. “Both online comments and in-house feedback usually reflect if the menu needs tweaking,” she says.

It sounds like they take the comment seriously because they take the trouble to track the customer. Then they determine whether it is a false positive. What restaurants need, it seems, is something like a behavioral index tool. In other words they could save a lot of time if they had a simple reputation engine that gave them a score for an identity, based on a list of other restaurants with comments from the same identity. Then they wouldn't have to take every negative comment seriously, only the ones from identities they "respect".

Then again this indicates a serious logical fallacy as a filter. It raises the question of how they respond to comments from identities they can recognize even without tracking them. Do they think it's wise to judge the person before they listen to the message?

What if they designed a filter instead to be based on details of an event? When a commenter gives specific feedback about a taste, a detail that only a real patron could know, then they would know to take the comment seriously. A generic comment would be ignored. The flip side of this is that the restaurant would have to accommodate change in their menu and/or service to allow comments to be unique.

If they serve up a hot dish of key management, so to speak, then they can easily track the day and time the customer ate, and they can focus on the facts of the comment rather than the person writing a comment. A win-win; valuable feedback for restaurants and freedom (from stalkers) for their customers.
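As an added example that is not part of the original post, here is the event-based filter the preceding paragraphs describe, written in Python: each receipt carries a short code derived from a server-side secret, and a comment is taken seriously when it quotes a valid code, regardless of who wrote it. The token format, the secret, the visit records and the sample comments are all constructed for this illustration and are not from any real restaurant or system.

```python
import hashlib
import hmac
import re

# Constructed demo secret; a real deployment loads this from a secrets store
# and rotates it (this is the "key management" the post alludes to).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
MAC_LEN = 10  # hex characters of the tag printed on the receipt

# Visits the restaurant already records: visit id -> (seated at, table).
# Constructed sample data.
VISITS = {
    "V0001": ("2011-09-10T19:30", 12),
    "V0002": ("2011-09-10T20:15", 4),
}

# Hypothetical receipt-code format: V<4 digits>-<MAC_LEN hex chars>.
TOKEN_RE = re.compile(r"\b(V\d{4}-[0-9a-f]{%d})\b" % MAC_LEN)


def _mac(visit_id, seated_at, table):
    """Truncated HMAC over the visit details, keyed with the server secret."""
    msg = f"{visit_id}|{seated_at}|{table}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:MAC_LEN]


def issue_visit_token(visit_id, seated_at, table):
    """Code printed on the receipt: the visit id plus a MAC over its details."""
    return f"{visit_id}-{_mac(visit_id, seated_at, table)}"


def verify_visit_token(token, visits):
    """Return the visit details if the token is genuine, else None."""
    visit_id, sep, mac = token.rpartition("-")
    if not sep or visit_id not in visits:
        return None
    seated_at, table = visits[visit_id]
    expected = _mac(visit_id, seated_at, table)
    if not hmac.compare_digest(mac, expected):
        return None  # forged or mistyped code
    return {"visit_id": visit_id, "seated_at": seated_at, "table": table}


def triage_comment(text, visits):
    """Decide on the comment's own evidence, not on who posted it.

    Returns ("verified", details) when the text quotes a valid receipt code,
    otherwise ("unverified", None).
    """
    for match in TOKEN_RE.finditer(text):
        details = verify_visit_token(match.group(1), visits)
        if details is not None:
            return "verified", details
    return "unverified", None


if __name__ == "__main__":
    code = issue_visit_token("V0001", *VISITS["V0001"])
    comments = [  # constructed comments
        f"The risotto was under-salted on Saturday, receipt {code}.",
        "Worst place ever, never going back.",
        f"Terrible service, receipt V0001-{'0' * MAC_LEN}.",
    ]
    for comment in comments:
        print(triage_comment(comment, VISITS)[0], "|", comment)
```

The restaurant stores nothing about the commenter: a valid code ties the feedback to a date, time and table, a forged or missing code simply leaves the comment unverified, and the only secret to manage is the server key used to mint the codes.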

And just for reference, here is the restaurant owner’s FAQ, which might give you some insight into what she really thinks when people comment…

Q. Wow, Anna did you notice how big this space is? That’s a ton of seats to fill…

A. Yes a#$%##e I noticed how big it is.

Q: It really doesn’t look like you will be done by September. Or even this year.

A. Yes a###%^^e I noticed we are a little behind.

Q: Isn’t it like, impossible to find this many good staff?

A. Yes a$%$&&hole. It’s very hard to find good staff these days.

Q: Is that where the bar is going?

A. Yes a$$%%@e, that’s where the obviously brand spanking new bar is going. It’s right there in front of you.

Cisco Sued for Aiding Chinese Authorities

The New York Times reports that a human rights advocacy group has filed a complaint in reference to Cisco network surveillance product marketing material.

The group’s evidence includes documents that the group says were part of Cisco’s marketing pitch to Chinese organizations and government agencies, including a page from a PowerPoint presentation boasting that Cisco’s technology can “recognize over 90% of Falun Gong pictures” in e-mail traffic. Another document, which the group says was used by Cisco’s sales teams, described a broad public security database that would contain information on Chinese citizens, including “key personnel of ‘Falun Gong’ evil cult organization.” That database would in turn be connected to a system of firewalls and monitoring systems that could be used to filter content that the Chinese government considers to be sensitive.

There are many odd details in this case. Why, for example, would Cisco make a direct reference to Falun Gong instead of an indirect one? Did they have to say Falun Gong pictures could be recognized? That seems unusually tailored for a customer pitch. And why would Cisco be heading into this market with this sales pitch when they are at end-of-life for their security product line (MARS, ASA, etc.) everywhere else? But the much larger question this case raises, beyond any specific presentation or sales pitch, is whether any tech company could be sued on the same basis for selling to the Chinese.

Hallo (featuring Tout Puissant Mukalo and Nelly Liyemge)

An album of Congolese artists is being produced by DRC Music, led by UK musician Damon Albarn. It seems to be in the vein of similar efforts such as Paul Simon's The Rhythm of the Saints or David Byrne's O Samba compilation.

The question is thus whether Tout Puissant Mukalo, Jupiter and the Okwess International, Bokatola System, Evala Litongo, Nelly Liyemge and others will achieve greater international recognition, or is this really about Albarn? He did not use remote collaboration or cloud for the work and instead traveled in person with a huge crew to sit face-to-face and record and produce local sound in the Congo.

Hallo (featuring Tout Puissant Mukalo and Nelly Liyemge) by DRC Music

One of the strangest things I find is that Albarn lays down his fairly simplistic beats before Congolese sounds are layered over them. This is like an American executive from McDonalds traveling to France and telling a chef that they are going to “collaborate” on a meal by using the chef’s sauce on two all beef patties with a sesame seed bun. Albarn’s production crew could work on producing sounds and poetry on top but why take away the most important elements of Congolese music?

So the boring Gorillaz style of beat is what turns me away from the example above. Nelly Liyemge sounds awesome but totally out of place with the low-energy slow beat. Here’s another sample:

Lingala (featuring Bokatola System and Evala Litongo) by DRC Music

Boom, chick, boom, chick? The timeline should fade into the beat, not be the beat. It gets better after 30 seconds but still sounds watered down from the beats straight out of the DRC.

The above songs will be released on an album called Kinshasa One Two by Warp Records next month (October 3rd). They are said to be a benefit for Oxfam. Too bad Oxfam could not just release Congolese music directly to the world as a benefit. I wonder if they have to cover the costs of “production” by a large group traveling in person to Kinshasa, DRC.

Here’s a wonderfully complex soukous beat that Albarn misses completely in the above examples:

…not to mention street beats. Just about every song in the following compilation video, recorded live, puts Albarn’s production to shame. 5:18 is perhaps the most comparable style but on a whole different level:

Maybe Albarn just didn’t know what to do when he heard Congolese rhythms like the following drum line or maybe the project is really just about him being only slightly influenced by them:

Limbe

by the Italian group S-Tone Inc. from their 2002 album Sobrenatural
(featuring Italian jazz vocalist Laura Fedele)

Translation by me.

Le ciel c'est comme un voile / The sky is like a veil
c'est immobile le soir / it is still in the evening
on entend pas le bruit / you do not hear the sound
de tes pas sur le sol / of your steps on the ground

Pas de destination / No destination
ni même d'intention / nor even intention
totale absence de joie / total absence of joy
et de peine / and of sorrow

Tu viens vers tu n'sais quoi / You come toward you don't know what
unique la direction / a single direction
Tu n'as pas de réponses / You have no answers
ni même de demandes / nor even questions

Tu viens / You come…

Le but c'est inconnu / The goal is unknown
il s'agit de l'instinct / it is a matter of instinct
tu ne t'interroges pas / you do not ask yourself
si c'est bien ou si c'est mal / whether it is good or bad

Comme un fantôme qui glisse / Like a ghost that glides
qui n'a plus de sexe / that no longer has a sex
entre la réalité / between reality
l'inconscience et le rêve / unconsciousness and dream

Tu viens vers tu n'sais quoi / You come toward you don't know what
unique la direction / a single direction
Tu n'as pas de réponses / You have no answers
ni même de demandes / nor even questions

Tu viens / You come…

Comme ça tu simplement tu viens / Like that, you simply come
suspendu sous un ciel indéfini / suspended under an undefined sky

pas de couleurs / no colors
pas de sons / no sounds
pas de souvenirs / no memories

hier / yesterday
demain / tomorrow
rien / nothing

seulement le présent / only the present
le moment qui passe, qui glisse / the moment that passes, that glides
qui revient, exactement égal à lui-même / that returns, exactly equal to itself

Tu viens / You come…
 

I also noticed a Stone Roses style remix by Fred Ventura

Warning Labels for Coal Power Plants

Illustration by Tom Toles.

Warning Labels for Coal

He forgot serious illnesses such as cancer and birth defects:

…huge rates of coal consumption were a factor behind an increase in cancer and birth defects as well as non-specific and chronic nervous, immune and respiratory illnesses.

Coal-fired power plants contribute three quarters of China’s total electricity needs, but also around 70 percent of energy sector air pollution.

The government has been studying how to reduce its toxic effects, but “clean coal” remains a misnomer, said the group’s China campaign manager, Yang Ailun.

“There are many coal power plants saying they are now ‘clean’ but there are a lot of misunderstandings — coal creates pollution and clean coal is impossible,” she said.

Studies of the effect of coal used in homes have a similar warning:

[Kirk Smith, a professor of global environmental health at the University of California, Berkeley] said the results of the study do provide further evidence that coal causes significant health problems and should be replaced by other fuel sources. “Coal can’t be burned cleanly…it should be banned from all household use,” he told Reuters Health.

How HIPAA is Enforced

This question comes up a lot lately: how is HIPAA enforced? The U.S. Department of Health and Human Services (HHS) has a page that gives a nice flow chart for the answer.

HIPAA enforcement

But that does not seem to answer what people are really asking. I think what entities really want to know is what will trip a HIPAA violation and generate a fine, in other words what they should really worry about. An excellent source of insight for that answer comes from the Case Examples and Resolution Agreements. The UCLA agreement just two months ago (July 6, 2011) to "settle potential violations of the HIPAA Privacy and Security Rules for $865,500", for example, details their mistakes.

On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred ("Covered Conduct"):

(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.

(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.

(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all members of its workforce to carry out their function within the Covered Entity.

(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.

(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.

(Resolution Agreement/Corrective Action Plan 08-82727 and 08-83510, University of California Los Angeles Health System)

The words “reasonable and appropriate level” are the key to this enforcement agreement. It might seem vague at first glance but clearly a Covered Entity has to manage authentication and authorization. An appropriate level of access would be based on a need-to-know basis. In other words, no need means no authorization for a user.
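As an added example that is not from the post or from HHS, here is what a need-to-know check over an ePHI access log looks like in Python: each access is permissible only if the workforce member has a treatment relationship with the patient or a recognised purpose is on record, and every other access is grouped by member so that repeat snooping of the kind described in items (i) and (ii) stands out. The log format, the care-team table, the purpose values and the user and patient identifiers are all constructed for this illustration.

```python
from collections import defaultdict

# Care-team assignments: patient -> workforce members with a treatment
# relationship (constructed; a real system derives this from admissions,
# orders and scheduling data rather than a hand-written table).
CARE_TEAM = {
    "P100": {"dr.lee", "rn.ortiz"},
    "P200": {"dr.lee"},
}

# Purposes that make an access permissible outside the care team.
PERMITTED_PURPOSES = {"treatment", "payment", "operations"}

# Constructed ePHI access log; the "ts key=value ..." format is hypothetical.
ACCESS_LOG = """\
2008-01-31T09:12:04 user=rn.ortiz   patient=P100 purpose=treatment
2008-01-31T09:15:40 user=clerk.kim  patient=P200 purpose=curiosity
2008-01-31T10:02:11 user=clerk.kim  patient=P100 purpose=
2008-02-01T08:30:00 user=dr.lee     patient=P200 purpose=treatment
2008-02-01T11:45:09 user=clerk.kim  patient=P200 purpose=
2008-02-02T14:20:33 user=billing.ng patient=P100 purpose=payment
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_permissible(rec):
    """Need-to-know: on the patient's care team, or a recognised purpose on
    record. No need means no authorization."""
    if rec["user"] in CARE_TEAM.get(rec["patient"], set()):
        return True
    return rec.get("purpose", "") in PERMITTED_PURPOSES


def audit(log_text):
    """Group every impermissible access by workforce member."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not is_permissible(rec):
            findings[rec["user"]].append(rec)
    return dict(findings)


def repeat_offenders(findings, threshold=2):
    """Members whose impermissible accesses meet the threshold; these are the
    cases that must be reviewed, documented and sanctioned, not just logged."""
    return sorted(user for user, recs in findings.items()
                  if len(recs) >= threshold)


if __name__ == "__main__":
    found = audit(ACCESS_LOG)
    for user, recs in found.items():
        print(user, [(r["ts"], r["patient"]) for r in recs])
    print("repeat offenders:", repeat_offenders(found))
```

A self-declared purpose field is only as good as the honesty of the person typing it, so the audit output is not a verdict; its value is that every flagged row has to be reviewed and, where the access was impermissible, documented and sanctioned, which is exactly the follow-through items (iii) and (iv) of the agreement say was missing.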

And while the $865,500 fine could be called large, it reflects four years of authorization management deficiencies and information exposures to numerous “workforce members”. Compare it to the $1,000,000 fine handed to Massachusetts General Hospital earlier this year after a single authorized workforce member accidentally left billing papers on a subway on the way to work.

The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered. These documents contained the PHI of 192 individuals.

I suspect these fine amounts prompt risk managers to wonder how a long-term and repeated exposure of information, which cites weak privacy management and hints at neglect and negligence, could get a lower fine than a one-time accidental disclosure by a single person.

“Willful neglect without correction” is specified under Section 13410(d) of the HITECH Act Enforcement Interim Final Rule as a “Tier D” penalty of $50K per violation up to $1.5 million per year per violator.

Perhaps documents left on the subway are considered by HHS a Tier D act, but it doesn’t sound like it from their agreement. Maybe I’m underestimating the importance regulators place on an envelope and rubber band, or on special circumstances of the case. The HITECH enforcement exception was the first thing that jumped to my mind after I read the agreement, but there must have been some other compelling evidence of privacy neglect:

…prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect

The Interrupters

I spend almost every day now reviewing breach data and analyzing threats to deconstruct vulnerabilities. Some of my more popular work recently has been to convince IT management that they need to improve their analysis of threats to understand them better.

Although there are many frustrating examples of negligence and ignorance when it comes to security, no one should feel satisfied to always blame the victim after an attack. That is why the security industry can help with more balanced risk analysis instead of pounding only on customer vulnerabilities and writing-off every threat as “sophisticated”.

After a presentation on cloud penetration testing at VMworld this week I was asked by a customer of a provider why their instance was constantly being broken into. First, I went over how they should pinpoint the threat and not just the vulnerability in their particular instance. Second, I explained that the choices become more obvious when translated to a more familiar risk context: if you have a nice house with big windows and live in a dangerous neighborhood, and you can afford to move to a better neighborhood, the decision is not hard.

A medical professional who injects a virus in a patient in order to test and build up antibodies, for another example, makes an excellent simile for penetration testing a cloud environment.

The viruses in the flu shot are killed (inactivated), so you cannot get the flu from a flu shot.

They say you can’t get the flu from a simulation of the flu, but we all know that the flu shot still carries risks.

There are some people who should not get a flu vaccine without first consulting a physician. These include:
[…]

  • People who have had a severe reaction to an influenza vaccination.

In the same vein (pun not intended) I strongly recommend to anyone interested in the study of information security and the interruption of threats (to protect the vulnerable) that they watch this movie:

Note that one of the movie protagonists, one of the Interrupters, is the daughter of Jeff Fort. He was a notorious Chicago gangster convicted of domestic terrorism in the 1980s.

For years Chicago’s El Rukns seemed like the average urban street gang, dabbling in racketeering, narcotics sales and the occasional murder. But El Rukns (Arabic for “the cornerstone”) was far more ambitious than that. Last week a federal jury convicted five members of conspiring to commit terrorist acts against the U.S. The plotters, prosecutors said, expected to receive $2.5 million from Libya’s Colonel Muammar Gaddafi for bombing buildings and airplanes and assassinating American politicians.

[…]

In the late ’70s, the 100-member organization turned to political militancy and religion. The leader, Jeff Fort, 40, regularly presided over meetings from an immense, high-backed throne atop a pedestal, surrounded by outsize posters of himself and Gaddafi.

The daughter of this guy is now trying to stop the violence. I would point you to a Wikipedia reference so you could read all about this amazing and inspirational woman — Ameena Mathews — who has dedicated her life to saving so many others, but a Wikipedia administrator — Fastily — has just decided to delete her page.

This page has been deleted. The deletion and move log for the page are provided below for reference.

00:03, 29 August 2011 Fastily (talk | contribs) deleted “Ameena Mathews” ‎ (Expired PROD, concern was: Does not meet notability guidelines. Lacks citations to significant coverage in reliable sources.)

Uh, she has been written up in the NYT, The Guardian, NPR, PBS…just type her name into a search engine to see the citations. Take her interview in indieWire as an example of the “coverage” she gets:

…you’ve been meeting up with similar groups across America. How has that been?

We met up with a lot of groups that replicated the model. There’s a lot of people out there doing a lot of great things, helping the war on poverty, getting kids in school so they can put the guns down.

[…]

There’s purple hearts for those that are wounded in Afghanistan, but not much for those who do our work.

Hey Wikipedia, get a f-ing clue. The Interrupters and their work to stop threats should be the very definition of notability. Let this be yet another giant blinking warning sign of why you should not automatically trust the supposedly well-intentioned administrators of cloud services to do some basic checks before they act, let alone care about risk and the security of information.

BP Shoots and Kills Polar Bear

A guard at a BP facility in Alaska is said to have shot an endangered polar bear with an explosive shotgun charge. The bear died from internal injuries a few days later.

Late in the evening of Aug. 3, a security guard, employed by Purcell Security, saw what turned out to be a female polar bear walking down the Endicott causeway and headed for an employee housing area. The guard flashed his vehicle lights at the bear, honked his horn and sounded his siren but the bear would not leave the area and instead approached the vehicle and began to act aggressively.

The guard pulled out his 12-gauge shotgun and fired what he thought was a bean bag round at the bear. The less-lethal ammunition is designed to hit the bear in the hind quarters and drive it away.

The bear did run off at that point and BP reported the incident to the Fish and Wildlife Service, as required.

But a few days later, the bear returned, swimming off to the west and ending up on a shallow island area near the four-mile long causeway and 30-acre gravel drilling pad.

BP workers could see the bear through binoculars and continued to monitor it. But sometime between the night of Sunday, Aug. 14 and Monday morning, Aug. 15, they realized the bear was dead.

Such a lethal and high-profile mistake has led BP to say it will now consider ways to avoid making another one.

[BP Alaska spokesman Steve] Rinehart said all ammunition will now be clearly marked by its type, with specific packaging colors and labels.

A “back-up bear hazer” also will be required to be on hand and verify that the correct ammunition for the level of hazing is about to be used, he said.

“We want to make completely sure that whatever guard is involved in a hazing incident knows exactly what type of hazing round is being used if it comes to that,” Rinehart said.

The fixes point to two failures: confusion over ammunition type (lethal versus non-lethal) and reliance on a single person's judgment with no independent check. In other words, they did not anticipate any harm from grabbing a lethal charge by accident, and they had no method set up for independent verification, not even after the shot was fired. Both are highly irresponsible ways to manage risk when handling lethal force.

Here’s a good question for the investigators. At what point after shooting an endangered animal should a shooter inventory their ammunition and confirm that they did not harm the animal? Should they wait until it is dead? Was the facility manager looking through the binoculars and saying “Yup, she’s dead. I guess that means it was one of the lethal rounds…”?

It’s unfortunate that BP management demonstrates they will allow a lethal accident to happen before they take even simple measures to reduce the risk of that accident, let alone maintain controls (e.g. responsibility) for high-risk decisions.

You might think BP, a company full of environmental and mechanical engineers, could design and build a camp-site that is passively resistant to bears and therefore not threatened by them so easily. Perhaps instead they did a quick calculation and found it far less expensive to kill endangered animals in their way and just claim a lack of awareness?

iRank App

The National University of Singapore has announced the winner of a 24-hour coding competition. Here’s the goal:

…a 24-hour programming competition, encourages students and faculty to develop customized applications that advance the search and discovery process of scientific information.

So you might be thinking there would be some cool new scientific tools being developed. Maybe students have added perspective and a new way of thinking about problems, based on data discovery? No, instead the winner is a Google modification — a search engine that ranks scientific papers based on reputation.

First place: Zhao Shanheng and Zhong Zhi, of NUS, developed the iRank Apps, an application which ranks institutes by the number of papers returned in the top search results. This tool can help students decide where to apply for their PhD or pursue postdoctoral research in their chosen field.

Google’s reputation-based system has advantages, but it also has risks. It requires you to trust external sources of verification — the peer-review system depends on the quality of the peers. That seems highly unscientific. It’s a second-person or even third-person view of data.

So the first place award goes to an app that tells you what the search engines tell you about what the peers tell you about papers from institutes. It is a popularity contest app that is at least three steps removed from an actual review of source material.

The huge irony, of course, is that the contest appears to have had a controlled/trusted system to determine the winner. How quaint. Perhaps they should have instead thrown the apps into public search engines and let the one that hits the top search results win. Otherwise, I would say their decision to review and vote for iRank App in a closed system contradicts the mission of the iRank App…

the poetry of information security