Thursday, April 24, 2014

Cry Me A River - But Don't Make My Heartbleed

   I am the organizer for a local Ethereum Meetup at this time. There was a recent comment of the hhos (ha ha only serious) variety posted about the potential for Ethereum code to have a backdoor included in it that would lead to World Domination. I chuckled, as was no doubt intended, and then countered with a serious reply about the need for such projects to be Open Source. Ethical Hacker, Mark Scrano, a colleague and friend replied in the meet up conversation saying:

"If critical mature open source software (openssl) can't audit its code properly, I fail to see open source saving Ethereum or any open source project from including a bug or two of potentially critical nature ;-)"


To which I replied, 


"Clearly new processes need to be employed by companies who have decided to base their business on "free" software. Open Source "IS" the solution. The failure, imho, was not that the source code was obfuscated or unavailable. It was a failure to review the code. The notion that only the teams building the software should be reviewing it for bugs is a false one. The underlying problem here, as can be said for many of our societal woes in the US today, is GREED. (I think I smell a blog post brewing. ;) )"
 
   And so, now you are caught up. Here we are.

   Greed is nothing new to the human condition. There are those who suggest that all errors of character are learned behavior attributable to our environment. As a father, now watching two little girls grow up, I have a different opinion.

   This post is perhaps less about greed as it is the Heartbleed bug and moreover the state of Information Technology in Corporate America in general. There are some things which are in fact self-evident to anyone who cares to look. Perhaps the first is that greed exists. Let's not sugar coat reality. While we all enjoy community, and we all need and want friends (regardless of the anti-social's admonitions to the contrary), we also have a deep desire to be satisfied. It takes a larger mind to get past that obstacle, and that is an entirely different blog post.

   As a young man leaving the United States Air Force and learning "the ways of the world" in the late 80s, I was often shocked to see differences between how the Military and Corporate America did things. I was stationed at Yokota AB, Japan; and, was a proud member of the Tech Control Facility there. While, admittedly, my time there had its ups and downs, I learned more there in just over two years than I suspect some learn in four years of college. We handled military communications. It was a high stress, highly technical job. Trouble-shooting was our business. We kept countless communications circuits up and running to help maintain global communications for all branches of the armed forces. Aiding us in this task was something that at the time I took for granted. It was documentation. 


   In the military there is often upward mobility that happens at almost a predictable rate of time. For others, a four year hitch has them in, trained, working, and out in as many years. Documentation is clearly required as enlisted men and women move into and out of increasingly technical jobs. How could the military function without documentation? It couldn't. I suggest, especially with the high turnover rate, or increasing lay-offs, down-sizing, and firing that takes place in the American job market today, that neither can companies continue to do business as they have. Documentation cannot be an after-thought or something to do when your work is done. Indeed, it is a vital part of any IT professional's work, and a requirement for management if they are to gain or maintain any level of situational awareness.

   Let's consider a company in America that relies on technology for conducting business in some way. This is really just about every company in America today which at least uses electronic mail. As a consultant, I have performed Information Security Assessments for many companies across the United States.  What I have found nearly everywhere, is a lack of current documentation detailing the creation, storage, and flow of information through their organization. This is because documentation is often viewed in Corporate America as a "nice to have" or an "extra" - rather than a requirement of doing business with computers and networks.

   The first time this became painfully apparent to me was when I assisted a well known Fortune 500 Company during the Code Red and Nimda Worms cyber-crises. The company, like many in the world, was hit hard. The infection spread quickly from host to host, with each new infection in turn reaching out to infect more systems. 

   One would think that it should be easy to simply turn off infected systems as they were discovered. However, I found that there were no current network maps to help us actually locate the infected systems. This was a big problem.  This company's intranet was global. Even the local area spanned multiple campuses and buildings. In short, we couldn't physically locate infected systems in many cases. Of course I designed a solution to that issue and worked with a team of programmers to code a preemptive strike option; but the point is that there was not adequate documentation to manage the environment during a crisis.  Why?
  
   Enter greed and corporate politics. The simple reality I have found across the country is that while the armed forces have "Winning" as an underlying goal, American businesses have "Profit" as an underlying goal.  The basic problem I see with this is that profit for profit's sake is greed by any other name. While I have no problem with profit, profits, and profitability, I believe that companies should first be focused on winning. 

   Winning in this sense means doing everything needed to properly manage Information Infrastructures. Networks and Computer Systems that house and protect customer and company information should be treated like a battle-field that needs to be secured, not a place to 'manage risk', unless the risk being managed is the potential to lose. Too many companies lose everyday, and they don't even know it.

   If there was ever a time when it was acceptable to say, "We have nothing attackers want", it has long since passed. The reality is that in a hyper-connected world, and the plausible theory of six degrees of separation, you have a customer who has some access to something or someone an attacker wants. And this is even beyond the reality that an attacker may merely want your processing power, storage and bandwidth.

   Taking complex ideas and boiling them down into simple phrases is always fraught with peril. So, I'll add this as an open comment to the businesses of these United States:  Until a true Artificial Intelligence is created, you cannot run computer systems without proper oversight. Many of you have continued to buy more computer systems and roll-out new "features", even while laying off IT staff. People can complain about a lack of educated IT Security professionals available in the work-force, but the reality is that businesses don't even have enough Systems Administrators and Network Engineers on staff to manage their Information Infrastructures properly. Further, it is irresponsible, if not grossly negligent, to continue to roll-out new systems and applications when existing infrastructure is not documented to a state that can be demonstrated to facilitate managing a crisis.

   Lastly, if your company is going to run Open Source software as a part of your business, then it is your responsibility to either review the code you run, or pay someone to do it for you. While it might be understandable for a start-up with limited capital to leverage Open Source without such investments, clearly the largest of companies turning profits while taking advantage of otherwise "free" software should know better. 

   And, allow me to preempt any of my colleagues' comments to the effect that "this isn't how businesses run" or "it isn't reasonable to suggest this" or "Ken you are an optimist" with the simple fact that the way things are working is not sustainable, and terribly broken from a vulnerability standpoint. If improvement is to be made, and if companies are to win in cyberspace, they must invest in people. They must hire more people to manage and secure their systems. If we are to rely on technology, then our work-force must be technical. 

   If Heartbleed is a wakeup call, then it is only such because of the wide-spread consumer awareness that it is generating. The reality is that the intellectual property of our nation has been hemorrhaging for many years. Things must change. As consumers begin to wake up to the realities of negligence, there will be law-suits. I hope companies re-think how they manage IT before that happens. Perhaps it is already too late for that. Perhaps those few people who actually have a clue inside companies that continue to place profits above people will jump ship to start better companies. That would be very American, in my humble opinion. 

   In closing let me quote a great football coach: "Excuses only satisfy the people that make them."


Yours in Information Security,

       Ken Walling

Kenneth R. Walling Jr., CISSP
President
CyberCede Corporation

PS
In case you don't really have a clue about Heartbleed, I recommend this ...

Friday, June 28, 2013

Litecoin is perhaps more than just the silver to Bitcoin's gold

The cryptocurrency economy has blown wide open. There may be twenty or more different cryptocurrencies competing for dominance in this emerging technology.

While bitcoins are holding a more or less steady value of $100/BTC, one of the favorite alt-coins, Litecoin (LTC) is currently undervalued at around $3/LTC.  Based upon six month trend reports, the value deviated from the difficulty graph which it had been clinging close to. When the coin is able to correct, it should be worth approximately $5/LTC.  Currently hungry speculators are holding the value of the coin down.

Mt. Gox announced they have plans to have LTC trading on their site in July. When that happens, if the litecoin has not already corrected, we can expect a correction and a surge in value as new traders will have access to it on the largest bitcoin market in the world.

I am working on pulling together a screencast to help Mac OS X users get the recently updated Litecoin client software installed.

In the mean time, you can check out litecoin.org.

If you want to buy some LTC, you can check out btc-e.com.  You can sometimes find me on the trollbox there, as the user "kewal".  Happy trading!


Install GPG on Mac OS X

Hi.

We are working on getting a site up for cyberjutsu.com.

The plan is to have both free and premium screencasts to help folks learn how to survive in cyberspace. It will probably take us a while to get any premium content up. It may also take a while to get the site live.

In the mean time, as we start to create screencasts, we will publish them here.  They may not be as polished as we would like.  Sometimes information needs to be more current than polished.  For example, it is time to upgrade the Litecoin client, for those who use Litecoins (and we recommend that you do!)

The screencast linked below is a prerequisite to upgrading your Litecoin client. In this screencast, we go over installing GPG on Mac OS X.  Linux users will most likely already have gpg software installed, but this is not the case for Mac users.

I hope this video is helpful. It does include steps to verify the SHA1 digital fingerprint of the downloaded binary file to be used in the installation of GPGtools. It does not represent the lowest we will set the bar for learning. I intend to do some much more basic screencasts to help folks understand the basics of using Terminal and the BASH shell, for example.

In the mean time - please feel free to get your GPG on!


Wednesday, April 3, 2013

Bitcoin Price Check - 3 April, 2013

Here is a very short screencast that takes you on a tour of checking the latest price for bitcoins on Mt. Gox exchange.

This is my first embedded video, here on blogger - so this is a bit of a test.

You should be able to run this at full screen, to see the details better that you might in your current windowed rendering.

Wednesday, January 25, 2012

Password Management Software: KeePassX

For the progressing student of cyber-jutsu, it will be evident that the number of usernames and passwords one needs to manage can become extreme.  From a white-belt level we learn that human nature must be observed if we are to win in cyberspace.  Human nature, in this case, is the simple fact that most people will take the path of least resistance.  If something is difficult to do - then they will not do it.  If it is easier to do the wrong thing, then most people will do that thing - even to their own detriment.  So our goal in this is simple:  make it easy to do the right thing.

Social networking sites, blogging sites, e-Bay, PayPal, pandora (music site), other web sites and just about any system you need to log into, all require usernames and passwords to access.  The common, but unsophisticated and unacceptable solution many people who have not been initiated into the ways of cyber-jutsu adopt is to re-use the same password for every site they log into.

The practicing cyber-jutsu student will quickly see the problem with this.  If the password for any one of these sites is compromised or somehow revealed to a malicious person - then all of the accounts with the same password are thus compromised.  The result can be described as a cyber-tsunami.

While the reality is that there is "no silver bullet"; and, we must be perpetual students and develop on-going processes to maintain our cyber-security, we can talk here about one part of the overall process.  Let us look at the pros and cons to employing a software tool category known as password managers.  In particular, I'll talk about a free tool called KeePassX.



KeePassX is a cross-platform password management program.  It is available for Windows, Mac OS X, and our favorite operating system, Linux.  OK.  So, what does it actually do?

The program creates an encrypted database (256 bit key based on either the AES or Twofish algorithms) to store your usernames, passwords, links, and additional related information.  What that means practically, is that even if someone were to get ahold of your database file, they would have a hard time cracking it to get your information.  Additionally, KeePassX gives you what we call a "two-factor" authentication option to access your stored information.

Two-factor authentication, in this case, can be thought of as factor 1. something you know, and optionally factor 2. something you have.  And, in this case, the "something you have" is any file you would like to use.  You identify a computer file that needs to be present to log into the password database.  If this sounds too technical for you - trust me - it takes more brain power to understand the philosophies behind its operation than it does to use the very intuitive user interface.


To use the "second factor", one need only click the "Key File" check-box, and then the "Browse..." button to select the file you want to use.  I recommend using a file on removable media, such as a usb drive.  In this way, whenever you want to log into this program, you have to supply the file that is on the removable media.  This makes your password management database very secure.

Once you are logged in, you can create groups to help classify the different sites or systems you need to log into.  Then you create the accounts within those groups.  When you want to log into a site, you select it in the main window, then click on the "user" button along the top (which looks like an icon of a person).  This copies the username into your clipboard, so you can paste it into the login box on the website (ctrl-v on Windows and cmd-v on Mac OS X).  Then you do the same thing to enter your password.  Click on the password button at the top of the screen (which looks like an icon of a key) and then paste it into the password field on the website.


On Linux systems, you can automate the whole process such that you can select the site you want to log into, double-click it, and your default web-browser will automatically launch and the username and password will automatically populate the fields and log you in.  This takes a bit of configuration, and may be considered a brown-belt level task.

Alas, we are trying to make this an easy process - and so far - it just seems to be more work.  So where do we get our win?

The major win is found in this application's ability to generate random and complex passwords for you.  These passwords that are generated will never need to be remembered, and never need to be typed out.  The only password you will ever need to remember is the password you need to get into KeePassX, when you first launch it (as described above).

You can adjust your settings within the Password Generator window to meet your desired complexity and the capabilities of the site you are using.  You may be surprised to find some of the sites you use will not allow special characters in the password.  Similarly, many sites have unsatisfactory length restrictions.  As a general rule, more complex and longer passwords are the way to go.

The program collects "entropy" based upon your random key-strokes and mouse movements, to ensure that the password that is generated is truly random.



The "New Password" field (see image below) will populate with a complex password after enough entropy has been gathered.  This is a fast process.


And there is your benefit.  That long and ugly password is not crackable in any reasonable amount of time, given current technology.  If you are securing your bank accounts - then a good policy will be to change that password on a regular basis.  As long as you change the password more frequently than the amount of time it would take to crack the password, your account will not be cracked.  The required frequency will need to increase as technology continues to add computing power.  At this time, changing your password in this manner once per month should be more than sufficient.

Changing a password that you don't need to remember in your brain should be less of a chore than coming up with new passwords you have to recall from memory every month.

You should also recognize that so many people use a word or a name for their password (often simply appending or prepending a number) that the majority of attackers use "dictionaries" to attack accounts.  You might note that the password listed above, will NEVER be found in a dictionary.  This is important.  It means that an attacker has to "brute force" your password one character at a time.  This is a very time-intensive process, which requires many many computing cycles.

You may note that in the image above, I have NOT selected the option to ensure that the generator includes characters from every group.  Forcing the program to include characters from every group actually reduces the overall randomness of your password, because it rules out every password that happens to lack a group.  If an attacker doesn't know exactly what your password is composed of - nor exactly how many characters your password is - this makes the job of cracking the password even harder.
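To put a number on the claim that the "every group" option shrinks the password space, here is an added example (not part of the original post or of KeePassX) that counts, by inclusion-exclusion, how many passwords of a given length contain at least one character from each of the four groups, and compares the result with the unconstrained count in bits. The group sizes assumed are 26 upper, 26 lower, 10 digits and 32 printable ASCII specials.

```python
from itertools import combinations
from math import log2

# Character groups the generator can draw from. The 32 "special" characters
# are the printable ASCII punctuation set (an assumption for this example).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
ALPHABET = sum(CLASS_SIZES.values())  # 94 distinct characters


def count_unconstrained(length):
    """Passwords of the given length drawn freely from all 94 characters."""
    return ALPHABET ** length


def count_all_classes(length):
    """Passwords of the given length that contain at least one character
    from EVERY group. Inclusion-exclusion over the set of groups left out:
    start from all strings, subtract those missing a group, add back those
    missing two groups, and so on. Exact integer arithmetic throughout."""
    sizes = list(CLASS_SIZES.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            total += (-1) ** k * (ALPHABET - sum(excluded)) ** length
    return total


def entropy_bits(count):
    """log2 of a password-space size; 0 for an empty space."""
    return log2(count) if count > 0 else 0.0


def compare(length):
    """Return (bits_unconstrained, bits_every_group, bits_lost) for a length.
    bits_lost is how much the 'every group' rule hands the attacker."""
    free = entropy_bits(count_unconstrained(length))
    forced = entropy_bits(count_all_classes(length))
    return free, forced, free - forced


if __name__ == "__main__":
    for n in (8, 12, 16, 20):
        free, forced, lost = compare(n)
        print(f"length {n:2d}: free {free:6.2f} bits, "
              f"every-group {forced:6.2f} bits, lost {lost:.3f} bits")
```

The loss is about a bit at length 8 and shrinks toward zero as the password gets longer, which is why a long generated password makes the option unnecessary either way.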

You should use this program, or one like it, for as long as you have to use passwords.  Ultimately, passwords may be replaced by other means such as biometric devices (e.g. fingerprint readers, iris readers, etc.)

Using a program like this means you have to keep your KeePassX database safe and secure.  You can actually keep the entire database on a usb key.  If someone gets your database, and guesses your password, and figures out what file you are using as the second authentication factor - then you still lose.  So, care must be taken.  But - like your house keys, or your car keys - having a small device to keep safe seems to be something we are capable of doing.  Long, complex passwords, on the other hand - are simply better off being managed by a computer program.

How do you come up with a good password for the database itself?  I always suggest that folks use the first letter of each word in a long phrase they can recall easily.  The typical example is the phrase, "four score and seven years ago..."  which would or could yield the password:  4#&7ya

In my humble opinion, that password is too short - but it is good as an example to teach how to come up with a complex password.  Another good thing to do is to come up with a positive affirmation as the phrase for your password.  In this way, you achieve true cyber-jutsu.

"Dissatisfaction with life arises from desiring to have what cannot be had, and desiring to avoid what cannot be avoided." - The Buddha

"dwLafd2hwcbh,&d2awcba."-TB

If you are a brainiac - perhaps you could take a phrase like that and use the second letter in each word - or the last letter of each word.  I think you get the idea now.  Your goal should be to come up with a password for your KeePassX login that is more than 8 characters in length, and uses upper and lower case letters, numbers, and at least one special character.
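The phrase-to-password recipe above, and the bar set for the master password, as an added example (not code from the original post). It keeps one letter per word (first, second or last, as the post suggests), applies word substitutions such as "to" -> 2 and "and" -> & that the post's examples use, and carries trailing punctuation along. The substitution table is an assumption; the post's own examples also make hand-picked choices (score -> #, a capital L in "life") that no fixed rule reproduces, so compare case-insensitively.

```python
import re
import string

# Word-level substitutions seen in the post's examples, plus a few obvious
# ones. These are an assumption; extend the table to taste.
SUBSTITUTIONS = {
    "and": "&", "to": "2", "too": "2", "two": "2",
    "for": "4", "four": "4", "one": "1", "seven": "7", "at": "@",
}

# A word with optional non-word characters on either side, e.g. "had,"
_TOKEN = re.compile(r"^(\W*)([\w'-]+)(\W*)$")


def derive_password(phrase, position="first"):
    """Turn a memorable phrase into a password by keeping one letter per
    word, applying SUBSTITUTIONS (which take precedence over position),
    and keeping any punctuation attached to the word."""
    out = []
    for token in phrase.split():
        m = _TOKEN.match(token)
        if not m:                      # bare punctuation, keep as-is
            out.append(token)
            continue
        lead, word, trail = m.groups()
        key = word.lower()
        if key in SUBSTITUTIONS:
            letter = SUBSTITUTIONS[key]
        elif position == "second" and len(word) > 1:
            letter = word[1]
        elif position == "last":
            letter = word[-1]
        else:
            letter = word[0]
        out.append(lead + letter + trail)
    return "".join(out)


def meets_policy(password, min_length=9):
    """The post's bar for the KeePassX master password: more than 8
    characters, upper and lower case, a digit, and a special character."""
    return all([
        len(password) >= min_length,
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


BUDDHA = ("Dissatisfaction with life arises from desiring to have what "
          "cannot be had, and desiring to avoid what cannot be avoided.")
GETTYSBURG = "four score and seven years ago..."

if __name__ == "__main__":
    for phrase in (BUDDHA, GETTYSBURG):
        pw = derive_password(phrase)
        print(f"{pw!r:32} meets policy: {meets_policy(pw)}")
```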

Anonymous DDoS Attack: OpIreland

Last night, into early this morning, Anonymous hacktivists launched a successful DDoS (Distributed Denial of Service) attack against http://justice.ie, the Department of Justice and Equality in Ireland website as a "warning shot across the bow", in response to an announcement that "the Irish government plans, before the end of January, to bring in a law which would allow Irish courts to block access to websites accused of infringing copyright...".  (See:  http://www.tjmcintyre.com/2012/01/irelands-sopa-faq.html and search for the twitter tag #OpIreland)

These activities raise many questions about citizenship, the law, liberty on the Internet, intellectual property rights, civil disobedience, and more.

When you think about and research these operations, there are some things that you should keep in mind. Not the least of which is that, according to information published by Anonymous, OpIreland was intentionally conducted "after business hours" when the need for the website would be less critical for anyone seeking to use it.  The goal was to raise awareness, and it seems they have succeeded in that.

Some will denounce these activities out of hand as illegal and wrong.  They will attempt to say that support for these Anonymous Operations is taking a side against intellectual property rights.  I'm not sure that is a fair assessment.  There are already laws on the books which can be used to prosecute those who steal other's work.  What is being attacked here, is the notion that wide-sweeping new laws are required to combat online piracy.  The danger is that these laws are so wide sweeping, that they will end up being used to censor law-abiding netizens and their online content.

In a perfect world, there would be no need to temporarily, forcibly, shut down a government website to direct attention at questionable legislation that, much like our own Patriot Act, is being pushed through the Irish legislature in a timeframe that will not allow proper analysis and debate.  But it is clear that we live in a world that is far less than perfect.



As I write this, http://justice.ie is back online.  The site was not damaged, and it was down for probably less than two hours as a result of the DDoS.  The Anonymous threats are far more dangerous.  

A message dropped onto Pastebin advised, "If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate internet, destroying dozens upon dozens of government and company websites. As you are reading this we are amassing our allied armies of darkness, preparing boatloads of stolen booty for our next raid. We are sitting on hundreds of rooted servers getting ready to drop all your mysql dumps and mail spools. Your passwords? Your precious bank accounts? Even your online dating details?! You ain't even trying to step to this."


This may seem like techno-babble to many of you - if that is the case, take my word, it is threatening.

If the Anonymous Hacktivists move into the above noted phase of operations, I fear they will have gone too far.  There is a difference between raising awareness through a more or less peaceful DDoS demonstration and cracking into accounts and distributing private bank account information.  The DDoS operations can clearly be compared to a physical-world protest on a city street that would impede movement through the area for a time because so many people have flooded the street that there is no clear path for traffic to flow.   Cracking into accounts and distributing bank account information is theft.  One could argue, depending upon the owners of the bank accounts, that such operations would be akin to the illegal activities of Robin Hood - but they are clearly illegal, nevertheless.

I have one last thing for you to consider about this most recent, and in fact all hacktivist DDoS activities.  I have heard folks say that because it takes a very large number of computer systems to pull off a DDoS, that there is wide-spread and popular support for Anonymous.  This simply isn't the case.  If it were, the DDoS wouldn't be necessary to raise awareness.  The reality is that the hacktivists who are actually "pulling the trigger" to execute the DDoS are what we refer to as "bot herders".  These are people who have control of hundreds, thousands, and in some cases tens or hundreds of thousands of compromised home and business computers.  When these computers are compromised, software is installed "enlisting" these systems into a "bot army".  The systems continue to function as normal; but, they also wait and listen for the command to attack.  When that attack command is received, it is often a simple command telling the system to repeatedly "ping" the target system.  The target system is quickly overwhelmed by "ping" requests, and can no longer respond to legitimate traffic.  The site, in effect, is taken offline in this manner.

Perhaps a more democratic way to implement a popularly supported DDoS protest campaign, would be to invite folks to join the cause, rather than draft them into unknown participation.  That would be better cyber-jutsu. ;)

Sensei Metajunkie


Monday, June 20, 2011

The Rich Seize Internet Name-space!

ICANN (the controlling authority for the Internet) will accept applications ($185,000) for new root domain names (i.e. website suffixes like .com and .net), for 90 days, beginning Jan 12, 2012.  Winners awarded their domain name (e.g.: .ipod, .apple, .cisco, .pepsi, .democrat, .republican, .healthcare, .books, .worldbank, etc.) must pay $25,000 annually.  These new root domain names can be in "nearly any word in any language, including in Arabic, Chinese and other scripts", this was decided at a meeting today in Singapore.  (Source:  Associated Press)

What does this mean?  It means that .com just became a "second class" root domain.  I'm not sure that this is good for small businesses in any way - but, that obviously isn't a concern for ICANN.  Anyone who can afford the process can apply for any root domain name they want.  If two people or entities want the same domain name, they can bid on it - so who ever has more money wins.  If, for example, Pepsi and Coke, in addition to applying for .pepsi and .coke, both wanted .drink or .beverage or .pop or .soda - they could fight it out in good ol' greenbacks via public auction.

That is all well and good for Pepsi and Coke; but, what about a small Information Security Company, like CyberCede Corporation?  What are the chances that web traffic going to cybercede.com will decrease in favor of being directed to whomever owns .infosec, or .security?

The face of the Internet is about to change - perhaps more drastically than it has changed since its inception.

This also means that there are sites you just won't be able to reach without knowing a foreign language, or without having a modification to your keyboard to allow you to type in non-Romanic characters.  I think this is significant.  Up until this point, the Internet has been a global unifying movement.  Sure, you can find pages that have foreign language content today - but you can at least read the address of that page in English.  I would go so far as to believe that Internet use could have been contributing to the adoption of English as a global standard language for international communication.

While some might scream "mono-culture" - that simply isn't what I'm talking about here.  It is a well documented fact that a national language goes far in unifying a people.  In the same way, English has unified many people around the world via the Internet.  In some very small way, we were, in my humble opinion, rolling back the damage done by the Biblical tale of the Tower of Babylon.  The world has been "getting smaller", and in large part that has been because of the Internet.  I think this move will reverse that perception.

To sum it up - we can expect big money to create great domain space names, and attempt to market .com into obscurity; and, using a US English keyboard, where previously it was a gateway to information in every corner of the world, will now become a limiting factor - barring entrance to foreign sites for the average American.  But hey - who cares, right?  Most Americans don't actually get world-wide information from the Internet.  Their computers are the little brother to their massive television sets, that broadcast 'truth' directly into their subconscious minds.  After all - TV is only meant for mindless relaxation and reassurance; and, the Internet is just for Facebook games and Porn, right?  As long as I can order my pizza online - I don't care what they do.  Mmmm pizza and sitcoms - the American Dream.  Go back to sleep .... go back to sleep.  OH?! incoming facebook message on my phone!  Oh it's just a someone using facebook to promote their blog... go back to sleep.... go back to sleep.  zzzzz