Hacking Back Part II

In my last blog on “Hacking Back” I asked whether it is legal and ethical, and whether I have a right to defend my network against yours. Well, I believe it is legal and ethical, and absolutely, I have the right under “self-defense” to defend my network from being attacked by yours, even if you do not know that your network is attacking mine!

Obviously, if I know who you are and can contact you, I would be obligated to do so. This scenario assumes I have no idea where the attack is coming from.

When considering hacking, hacking back, self-defense in cyberspace, etc., you must keep in mind that everything happens literally at the speed of light. So, saying I must contact law enforcement, collect evidence, and go to court is the same as saying “just accept it, and hope to recover all of your losses from a court, even if your company has since been put out of business.”

Here is my next question for comments:

Does anyone wish to argue that if their network has been compromised by hackers and is attacking others without their knowledge, the party or parties they are attacking have NO right to take action to stop those attacks?

My hacking back article can be found on Titan Info Security Group under white papers.

VMware vShield Automation with PowerShell

Alan Renouf has posted a PowerShell module, and a video with instructions on how to install and use it, for VMware vShield. He shows clearly how to easily assess and report on current settings (e.g. “Get-vShieldSecurityGroup | Select -ExpandProperty Member”) as well as modify them.

Now that I had the REST API details, I knew I could easily write some PowerShell code in the form of an advanced function to work with the API. The first piece of code I wrote was a generic function which allowed me to GET, PUT, DELETE and POST to a RESTful API. I know PowerShell v3 will include cmdlets for this, but I didn’t want to wait or add a dependency on something which wasn’t available as yet.

With this completed, the rest of the advanced functions were easily created; it was just a case of sending the correct parameter to my function and the correct URL, and my results would be returned.

vShield PowerShell Module from Alan Renouf on Vimeo.
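The generic GET/PUT/POST/DELETE function described above, as an added example written for this page rather than code from Alan Renouf's module. It uses .NET HttpWebRequest so it runs on PowerShell v2 without the v3 Invoke-RestMethod cmdlet. The vShield Manager host name, the credential and the /api/2.0/services/securitygroup/... path are assumptions for illustration; the real resource paths and the element names in the returned XML should be taken from the vShield API reference.

```powershell
# Added example (not Alan Renouf's module): a generic REST helper of the kind the
# post describes, built on .NET HttpWebRequest so it runs on PowerShell v2 without
# the v3 Invoke-RestMethod cmdlet. Host name, credential and URI path are
# placeholders; check the vShield API reference for the real resource paths.
function Invoke-RestCall {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('GET', 'PUT', 'POST', 'DELETE')]
        [string]$Method,

        [Parameter(Mandatory = $true)]
        [string]$Uri,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,

        # XML payload for PUT/POST; ignored for GET and DELETE
        [string]$Body
    )

    $request = [System.Net.HttpWebRequest]::Create($Uri)
    $request.Method      = $Method
    $request.ContentType = 'application/xml'
    $request.Accept      = 'application/xml'

    # vShield Manager expects HTTP basic authentication, so send it pre-emptively.
    # Certificate validation is left at the .NET default: a self-signed vShield
    # certificate fails closed until it is imported into the trusted store,
    # rather than being bypassed with a catch-all validation callback.
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $request.Headers.Add('Authorization', "Basic $token")

    if ($Method -eq 'PUT' -or $Method -eq 'POST') {
        $bytes = [Text.Encoding]::UTF8.GetBytes($Body)
        $request.ContentLength = $bytes.Length
        $stream = $request.GetRequestStream()
        $stream.Write($bytes, 0, $bytes.Length)
        $stream.Close()
    }

    try {
        $response = $request.GetResponse()
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $text     = $reader.ReadToEnd()
        $reader.Close()
        $response.Close()
        if ($text) { [xml]$text } else { $null }   # DELETE usually returns an empty body
    }
    catch [System.Net.WebException] {
        # Surface the HTTP status and the error body the server returns instead of
        # swallowing them; the caller decides whether to retry.
        $detail = ''
        if ($_.Exception.Response) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $detail = $reader.ReadToEnd()
            $reader.Close()
        }
        throw ('{0} {1} failed: {2} {3}' -f $Method, $Uri, $_.Exception.Message, $detail)
    }
}

# Thin wrapper in the style of the module's Get-vShieldSecurityGroup. The
# /api/2.0/services/securitygroup/... path and the <securitygroup> element name
# are assumed for illustration.
function Get-SecurityGroupById {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][string]$GroupId,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    $uri = 'https://{0}/api/2.0/services/securitygroup/{1}' -f $Server, $GroupId
    $xml = Invoke-RestCall -Method GET -Uri $uri -Credential $Credential
    if ($xml) { $xml.securitygroup }
}

# Usage (prompts for the vShield Manager admin credential):
# $cred = Get-Credential
# Get-SecurityGroupById -Server 'vsm.example.local' -GroupId 'securitygroup-1' -Credential $cred |
#     Select-Object -ExpandProperty member
```

The one design choice worth noting is the certificate handling: many quick scripts against appliance APIs install a validation callback that returns true for every certificate, which turns the HTTPS session into something any man-in-the-middle can read, including the basic-auth credential sent on every request. Importing the appliance certificate once is the safer fix, and the helper above deliberately does not offer a bypass switch.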

Visa Security Report: List of Common Vulnerabilities

A couple of weeks ago Visa released a public report on common vulnerabilities found in U.S. small merchants. Not exactly a short list. They could have at least put it in order of the PCI DSS requirements:

  • SQL injection
  • Misconfigured web applications
  • Lack of segmentation between cardholder data environment
  • No firewall configuration
  • Insecure remote management access
  • Use of RDP/Terminal services on internal network
  • Packet sniffers
  • Keyloggers
  • Backdoors
  • Excessive permissions
  • Use of shared, default credentials or common passwords
  • Administrative accounts not protected
  • Databases not hardened
  • Unauthorized user ability to modify applications (troubleshoot, capture full track data, use risky protocols)
  • Reliance on 3rd party service providers for POS installation and management

The report also details the U.S. Contact/Contactless Acceleration Plan and the 2012 “PCI validation relief for merchants that adopt dual-interface terminals”.

China IE6 Usage Still Over 25%

The end of December 2011 marked a significant milestone for IE6 measurement. The U.S. finally has dropped below 1% usage.

Things are even looking good for bright red China, which still sits over 25% (4% of the world) but has dropped a whopping 10% in under a year.

It is possible that measurement methods may be skewed by proxies and bogus tokens but the more likely story is that China is on a browser support time-line that can’t seem to get past an OS introduction date.

This reminds me of a time years ago when I was called in by a huge software-as-a-service provider and asked how to get SSLv2 through a PCI DSS assessment. “Why would you want to do that” I asked. “We have a lot of IE6 users” was their reply.

My response was twofold. First, I questioned whether the IE6 and SSLv2 data was trustworthy. Browsers can be negotiated down to SSLv2, but that does not mean they are incapable of SSLv3 or better. Perhaps if they dug into the data they would find a different picture and see far less IE6. Second, I recommended posting a warning banner to any IE6 user to upgrade their browser within a set time-frame, or with a count-down clock. Even something like an orange warning banner would be nice.

Their counterpoint was that IE6 came out in 2001, which still was within Microsoft’s threshold of customer support. A little research revealed that Microsoft, despite being forced by government decree to un-bundle the browser, never changed their story on IE6 support as inseparable from the Operating System life-cycle. Since the OS was still supported, and the browser was bundled “as part of”…

Versions of Internet Explorer 6 that shipped as a part of the operating system or its associated service packs will continue to follow the support lifecycle of the operating system.

That certainly complicated the situation. Windows 2000 (Service Pack 4), for example, was still under extended support until 2010.

Support for Windows 2000 ended on July 13, 2010

Windows XP also shipped with IE6. Rather than get pulled into that complex and political issue of the Microsoft antitrust lawsuit, I scaled back and presented a more focused response.

SSL v2.0 was released in early 1995 but was so horribly flawed and subject to MITM that v3.0 was released by 1996. So they were told to remove v2 not just because it is older than 1996, and not just because the PCI SSC DSS says so, but because it was a long-known risk to their users.

Fortunately, that three-part argument seemed to convince them, and it was then just a matter of creating a redirect and warning for anyone whose browser could only negotiate SSLv2. It would have been far more interesting to tackle the problem of IE6, but that was seen as an issue between Microsoft and their users instead of something content providers could drive.

The map above with a steep drop the year after support officially ended seems to support that theory.

Lesson learned? Depends on how you look at it. While Microsoft says it is celebrating the decline of IE6, it also is exiting the antitrust agreement with the U.S. Government and going right back to bundling the browser into its OS.

The final remnants of that decree lapsed earlier this year, and now Microsoft is wasting little time in returning to its past strategy: A pre-release version of Windows 8 shows an OS that is deeply intertwined with Internet Explorer 10, with it impossible to uninstall the browser from the OS at this point in Microsoft’s development process.

Perhaps Microsoft is going to push hard to get the Chinese to migrate to Windows 8 so they will record IE 10 usage statistics well into 2022, by which time they can terminate support and campaign for help with a sudden and rapid decline…

7 Bad Habits of CISOs

Forbes has published an article called “The Seven Habits of Spectacularly Unsuccessful Executives”. These are great conversation starters and topics of investigation, especially when auditing/interviewing executives in charge of enterprise security and/or risk management.

  1. See themselves and their companies as dominating their environment
  2. Identify so completely with the company that there is no clear boundary between their personal interests and their corporation’s interests
  3. Think they have all the answers
  4. Eliminate anyone who isn’t completely behind them
  5. Consummate spokespersons, obsessed with the company image
  6. Underestimate obstacles
  7. Stubbornly rely on what worked for them in the past

Protecting VMs, in the user’s brain

Ross Anderson and Frank Stajano, in a paper called “It’s the Anthropology Stupid!”, suggest that the study of human culture is necessary to understand insecure behavior and protect virtualization from risk.

And what about mistakes? They matter much more than targeted attacks. […] Mistakes are often caused by getting the context wrong, so if we’re going to make them less likely, our designs should be better at synchronising the user’s mental model better with that of the machine. […] …secure virtualisation isn’t just about ensuring that the right VM in the laptop talks to the right VM in the cloud. It’s about ensuring that the right VM in the laptop (or the cloud) talks to the right VM in the user’s brain. It’s not primarily about the outside attacker, but the insider: and the critical question is which insider.

The point they’re making is that each group and subgroup is defined by its controls. Have you ever shown up to a party wearing the wrong costume?

Something you have, something you know, or something you are will matter when assessing whether you are in the right place at the right time. A gap (mistakes) can easily form between the implementation of segmentation in virtualization technology and its translation to a view or knowledge of the segmentation by a user.

I get asked all the time now “can you give us a reference architecture for segmentation”? This is like asking an anthropologist for a guide to what costume you should wear to the party. Does the outside observer really get to set the insider behavior? Automation without accounting for variables in behavior may only push these gaps wider.

The line of reasoning in this paper reminds me of a movie released in 1968 by Stanley Kubrick as echoed in my 2011 BSidesLV Presentation: A Cloud Odyssey.

Vuoi Vuoi Me (Henrik Schwarz Remix)

A Sámi song by Mari Boine, remixed by Henrik Schwarz.

From the album “It Ain’t Necessarily Evil – Mari Boine Remixed Vol II”

And below is my remix of the translation from a language once banned:

Sami languages, and Sami song-chants, called yoiks, were illegal in Norway from 1773 until 1958…in Russia, Sami children were taken away when aged 1–2 and returned when aged 15–17 with no knowledge of their language and traditional communities.

Vuoi mu gollelottas
Vuoi mu beaiveidjalottas
giehka ja goaskin
Vuoi mu spalfu
Vuoi mu spalfu
miellevuol besiinis
Vuoi mu idjaloddi
ravddahis geahcastagainis
Vuoivuoi mu
Vuoivuoi mu

Vuoivuoi daid iluid
Vuoivuoi daid iluid
skeaikkigavnnasmeriidisguin
Vuoi daid morrasiid
Vuoi daid morrasiid
salteganjalmearaidisguin
Vuoivuoi daid buollasiid
Vuoivuoi daid buollasiid
vuoi gesiid mearehis bahkaid
Vuoivuoi mu
Vuoivuoi mu

Vuoi my little yellow bird
Vuoi my summer night bird
cuckoo and eagle
Vuoi my swallow
Vuoi my swallow
with nest under riverbanks
Vuoi night owl
with limitless vision
Vuoivuoi me
Vuoivuoi me

Vuoivuoi joy
Vuoivuoi joy
with hearty laughter
Vuoi sorrow
Vuoi sorrow
with oceans of salty tears
Vuoivuoi winter frost and cold
Vuoivuoi winter frost and cold
vuoi summer with burning hot days
Vuoivuoi me
Vuoivuoi me

A site called Samitour provides an interesting theory as to why Sami language and song were considered such a risk that they were banned for centuries.

The Sami chant, the yoik, traditionally had a dual function. On the one hand, it was, and still remains, the distinctive musical expression of the Sami. The yoik is used “to remember people”, to characterize individuals, animals and landscapes. It can be described as a melodic-rhythmic lecture, in which rhythm is paramount and less emphasis is put on the verbal description of the lyrics. The yoiker’s task is to use music and images to create an emotion or atmosphere that then evokes the person, animal or place yoiked. In the pre-Christian religion, the yoik formed an important part of religious ceremonies. In such ceremonies, the shaman added a rhythmic accompaniment to the yoik by beating his drum. This dual function is the reason why some people even today see the yoik as sinful and therefore incompatible with Christian religious life.

As early as the 17th century the yoik was banned by law. Anyone breaking the law was to be punished severely. The reason the yoik was banned and condemned at this time was that the period saw the beginning of Christian missions among the Sami, and the yoik was seen exclusively as an expression of pre-Christian religion.

[Photo: Finnmark protests 1981]

Mari Boine explains in the video below how and why she started to recognize and reclaim her own heritage and sing the yoik.

She mentions that the protests and violence in the news at the beginning of the 1980s, as seen in the photo to the right, had a strong effect on her sense of identity; the controversial construction of a hydroelectric power plant on the Alta river in Finnmark, Northern Norway created feelings of anger and rage for her as a Sámi.

Ethiopia Anti-Terror Law: Journalists jailed for 11 years

Two journalists from Sweden illegally entered the eastern region of Ethiopia by crossing the border from Somalia. This has not been disputed.

What happened next is now the center of a brewing controversy over whether a journalist should be considered a terrorist if he is reporting on one.

The two journalists, Martin Schibbye and Johan Persson, apparently met with the ONLF (Ogaden National Liberation Front), a group of Oromo classified by the Ethiopian government as a terrorist organization, to enter Ethiopia and investigate claims that civilians are being forcibly removed from PetroTrans Exploration Areas. Here is a video from them as they prepare for the trip.

The journalists, as they traveled with the ONLF this past July, were caught in battle with the Ethiopian military. They were then captured (as you can see at the end of the video above). Now they have just been sentenced to 11 years in jail under recently passed anti-terrorism laws.

Amnesty International says Ethiopian authorities have been using anti-terror laws as a pretext to arrest and silence politicians and journalists who criticize government policies.

In a report released Friday, the human rights group said at least 114 opposition politicians and six journalists have been arrested since March.

Amnesty said, in many cases, calls for peaceful protests or attempts to conduct investigative journalism have been interpreted as acts of terrorism or other criminal wrongdoing.

While journalists and politicians in Ethiopia have been subject to arrests in the past, the report said the recent increase in terror charges represents “a new level of repression” in the government’s efforts to stifle political dissent.

Amnesty also criticized several senior Ethiopian government officials, including Prime Minister Meles Zenawi, for making public comments that imply that all terror suspects are guilty.

The Oromo liberation movements in Ethiopia are as old as the Eritrean and Tigrean ones. However, they have not achieved the same results and so they stand out as the ethnic group most at risk of government anti-terror campaigns.

While the Eritreans were able to create an independent state and the Tigreans have taken power in Ethiopia under Meles Zenawi, the Oromo movement has been less effective. Perhaps because the Oromo population is the largest in Ethiopia, it lacks a unified effort like the Eritreans and Tigreans; it is fractured by internal social/language, political and religious differences. The ONLF thus is just one of several Oromo groups still active and considered terrorists.

The arrest by the Ethiopian government of independent journalists who claim to be working on human rights issues (documenting ethnic-based mistreatment) could thus be based on fear that their work could bring the Oromo factions closer together; the larger population of Oromo might react to reports and turn against any minority group in power. But this is merely speculation. On the flip side the Oromo factions also could be closer together when they see journalists being arrested.

In any case the bottom line is that no real proof or explanation of a link to terrorism so far has been demonstrated for these two journalists yet they face 11 years in prison. The closest seems to be a video of them with guns while in presence of the ONLF, which does not seem like a normal standard of proof.

During the 6 September hearing, the prosecutor screened a propaganda video in support of the charges. The video, which showed the two journalists holding guns, had been posted on the pro-government Caakara News website a few days after their arrest. The defence strongly objected to the fact that sounds of shooting had been added to the soundtrack.

After the trial opened on 18 October, the charge of “participating in terrorism” was dropped on 3 November but the other two charges, supporting a terrorist group and entering the country illegally, were maintained.

It appears that conviction through any association is what Ethiopia intends to do with their new anti-terrorism laws. Digital Journal points out the judge used reverse logic in his harsh ruling and demanded journalists have to prove they are not helping terrorists.

…Judge Shemsu Sirgaga said the two “have not been able to prove that they did not support terrorism.” International media groups called attention to Judge Sirgaga’s remarks as a symptom of a deeper problem in the region. “Instead of proving their guilt, the judge accuses them of failing to prove their innocence. This is back-to-front,” wrote the secretary general of Reporters without Borders, Jean-Francois Julliard.

Digital Journal goes on to point out that the prime minister of Ethiopia has publicly stated a similar line of reasoning, that a distinction between journalists and their subjects has not been proven.

“Why would a journalist be involved with a terrorist organization and enter the country with a terrorist organization, escorted by armed terrorists, participating in fighting in which a terrorist organization was involved? If that is journalism, I don’t know what terrorism is,” [Meles Zenawi] said.

Note that he is quoted saying “participating in fighting” although the charges were merely “supporting” a group. In related news Ethiopia could again require (i.e. like the days of the Red Terror) all citizens to prove they are not going to overthrow the government.

AWS Object Expiration

Amazon has announced that you can schedule the deletion of objects in Simple Storage Service (S3); it also warns that there can be a delay between a scheduled expiration and an actual deletion, and that if you leave an empty prefix in an expiration rule then it will expire all your objects.

Some objects that you store in an S3 bucket might have a well-defined lifetime. For example, you might be uploading periodic logs to your bucket. After a period of time, you might not need to retain those log objects. In the past, you were responsible for deleting such objects when you no longer needed them. Now you can use Object Expiration to specify a lifetime for objects in your bucket.

With Object Expiration, when an object reaches the end of its lifetime, Amazon S3 queues it for removal and removes it asynchronously. There may be a small lag between the expiration date and the date at which Amazon S3 removes an object. You are not charged for storage time associated with an object that has expired.

This raises the question of whether an expiration action is reversible, since the object technically has not been deleted. That matters not just from a forensics point of view but also for sneakily avoiding charges.
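The empty-prefix warning in the announcement is the kind of thing worth checking before a lifecycle configuration is applied, so here is an added example, not Amazon's code or documentation: a PowerShell pre-flight check that walks the lifecycle configuration XML, flags any enabled expiration rule whose prefix is empty, and counts how many of a bucket's keys each rule would catch. The configuration and the object keys are constructed sample data, and the treatment of a rule whose Status is Disabled as inert is how the feature is described, not an answer to the reversibility question raised above.

```powershell
# Added example, not Amazon's code or documentation: a pre-flight check over an
# S3 lifecycle configuration (the XML document that carries Object Expiration
# rules) that flags any enabled rule with an empty prefix, since such a rule
# expires every object in the bucket. The configuration and the object keys
# below are constructed sample data, not a real bucket.
function Test-S3ExpirationRules {
    param(
        [Parameter(Mandatory = $true)][xml]$Configuration,
        [string[]]$ObjectKeys = @()
    )

    if (-not $Configuration.LifecycleConfiguration) {
        throw 'Not a lifecycle configuration: missing <LifecycleConfiguration> root'
    }

    foreach ($rule in $Configuration.LifecycleConfiguration.Rule) {
        # A Disabled rule never queues anything for removal, so it is not a finding.
        if ($rule.Status -ne 'Enabled') { continue }

        $prefix  = [string]$rule.Prefix          # '' when <Prefix/> is empty or absent
        $matched = @($ObjectKeys | Where-Object { $_.StartsWith($prefix) })
        $days    = [string]$rule.Expiration.Days

        if ($prefix -eq '') {
            $severity = 'High'
            $message  = 'Empty prefix: this rule expires EVERY object in the bucket'
        }
        else {
            $severity = 'Info'
            $message  = 'Expires objects under prefix "{0}"' -f $prefix
        }

        New-Object PSObject -Property @{
            RuleId   = [string]$rule.ID
            Severity = $severity
            Days     = $days
            Affected = $matched.Count
            Message  = $message
        }
    }
}

# Constructed sample configuration: one scoped rule and one that forgot its prefix.
$sampleConfig = [xml]@'
<LifecycleConfiguration>
  <Rule>
    <ID>expire-old-logs</ID>
    <Prefix>logs/</Prefix>
    <Status>Enabled</Status>
    <Expiration><Days>30</Days></Expiration>
  </Rule>
  <Rule>
    <ID>oops-no-prefix</ID>
    <Prefix></Prefix>
    <Status>Enabled</Status>
    <Expiration><Days>1</Days></Expiration>
  </Rule>
</LifecycleConfiguration>
'@

# Constructed sample of keys as a bucket listing would return them.
$sampleKeys = @('logs/2011-12-01.gz', 'logs/2011-12-02.gz', 'backups/db.dump', 'invoices/q4.pdf')

Test-S3ExpirationRules -Configuration $sampleConfig -ObjectKeys $sampleKeys |
    Format-Table RuleId, Severity, Days, Affected, Message -AutoSize
```

Run against the sample, the first rule reports two affected keys under logs/ and the second reports all four with a High finding. Feeding the function the real configuration and a real key listing before the rule is written to the bucket turns the "empty prefix deletes everything" warning into a gate rather than something discovered after the queue has drained.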
