Posted on

Thoughts on Infosec, 2014 – first day

I usually post a show report about Infosec somewhere, and for various painful reasons, this year it has to go here. And this year I’m at a bit of a loss.

Normally there’s a theme to the show; the latest buzzword and several companies doing the same thing. I wasn’t able to spend as long as normal there today, thanks to the RMT, but I think it’s probably “Cloud Security” this year. As with “cloud” anything, this is a pretty nebulous term.

Needless to say, the first day of the show lacked the buzz, with a smaller than usual number of visitors, haggared by disrupted journeys, mooched around the booths.

I was a bit surprised to see very little on the “heartbleed bug”, although there were a couple of instances. Either the marketing people didn’t understand it, or had uncharacteristically been put in their places.

One stand that’s always interesting is Bit9, a company after my own heart with alternatives to simple virus scanning. They went on a spending spree earlier in the year and have purchased and integrated Carbon Black. This is technology to allow their customers to monitor exactly what’s happening on all their (Windows) computers; which applications launch with others, what initiates a network connection and so on. It’s all very impressive; a GUI allows you to drill down and see exactly what’s happening in excruciating details. What worries me is the volume of data it’s likely to generate if its being used for IDS. There will be so much it’ll be hard to see the wood for the trees. When I questioned this I was told that software would analyse the “big data”, which is a good theory. It’s one to watch.

Plenty of stands were offering the usual firewalls. Or is that integrated solutions to unified threat management. Nothing has jumped out yet.

At the end of the day there was a very sensible keynote address by Google’s Dr Peter Dickman that was definitely worth a listen. All solid stuff, but from Google’s perspective as an operator of some serious data centre hardware. He pointed out that Google’s own company is run on its cloud services, so they’re going to take care of everyone’s data as they would their own. Apparently they also have an alligator on guard duty at one of their facilities.

I was a bit saddened to see a notice saying that next year’s show will now be in early June and Olympia. I’ve got fond memories of Earls Court going back more than thirty years to the Personal Computer World show. And Earls Court just has better media facilities!

 

Posted on

US judge tells Microsoft to hand over data on foreign servers

Yesterday, a judge in a New York court ordered Microsoft to hand over information stored on a server in Ireland following a US search warrant. Magistrate Judge James Francis reckons a search warrant for servers is different to a search warrant for anywhere else – more of a subpoena to hand over documents. Unsurprisingly, Microsoft plans to roll the dice again with a Federal judge this time.

Microsoft, of course, has recently been soothing its cloud customers by saying that if the data is held outside the US, Uncle Sam won’t be able to plunder it in violation of the users’ local rights. In particular, the EU legislation being drafted to prevent companies sharing EU citizens’ data with foreign powers unless explicitly allowed by international treaty or another EU law. The NSA, or US corporations, would not be allowed to just look at whatever they wanted.
This plays right in to Angela Merkel’s proposal for an EU communications network that can’t be legally snooped on by the yanks by avoiding the use of US-based servers.

In a statement to Reuters, Microsoft said:

“A U.S. prosecutor cannot obtain a U.S. warrant to search someone’s home located in another country, just as another country’s prosecutor cannot obtain a court order in her home country to conduct a search in the United States. (Microsoft) thinks the same rules should apply in the online world, but the government disagrees.”

Is Microsoft really so naive? Although the ruling followed its challenge of a search warrant concerning a Microsoft account, its implications apply to all US cloud service providers. Although they intend to appeal, in the mean time any US company holding your data off-shore might as well have its servers in America – they’ll be forced to hand over all your data either way.

This isn’t to say that data held in the UK, for example, is any more secure. There’s RIPA to worry about – the Act allows authorities can plunder what they like, although it does make it illegal for anyone other than the State to do this.

 

Posted on

Infosec 2014 set to be disrupted by tube strike

It could hardly come at a worse time for Infosec, the UK’s best Information Security show due to take place at Earls Court next week. The RMT is planning a tube strike through the middle of it. Infosec 2014 runs from 29th April to 1st May; the strike runs from the evening before and services aren’t expected to resume until the 1st May. As many exhibitors shut up early on that day and head for home, and the real networking happens in the evenings at the hostelries around Earl’s Court, this is something of a disaster.

On a personal note, the largest outlet for my scribblings on the show in recent years shut up shop at the end of 2013; I’ll be putting the trade stuff in the Extreme Computing newsletter and probably blogging a lot more of it here. If I can get there. I shall try my best, and blog live as the show continues.

Posted on

Freeloaders step in to fund Open Source thanks to OpenSSL fiasco

Some good has come out of the heartbleed bug – some of the larger organisations using it have decided to put some money in to its developemnt. Quite a lot in fact. it’s through an initiative of the Linux Foundation, and is supported by the likes of Microsoft, Cisco, Amazon, Intel, Facebook, Google and IBM. The idea is to fund some critical open source projects.

While this is welcome news for the open source community in general, and certainly vindicates the concept, I have to question its effectiveness. The vulnerability was actually reported by the community two years ago, and had already been fixed. However, it persisted in several releases until it had been. One could blame the volunteers who developed it for sloppy coding; not spotting it themselves and not fixing it when it was pointed out to them earlier. But I can’t blame volunteers.

It’s up to people using Open Source to check its fit for purpose. They should have carried out their own code reviews anyway. At the very least, they should have read the bug reports, which would have told them that these versions were dodgy. Yet none of them did, relying on the community to make sure everything was alright.

I dare say that the code in OpenSSL, and other community projects, is at last as good as much of the commercially written stuff. And on that basis alone, it’s good to see the freeloading users splashing a bit bit of cash.

I wonder, however, what will happen when Samba (for example) comes under the spotlight. Is Microsoft really going to fund an open-source competitor to its server platform? Or vmware pay to check the security of VirtualBox? Oracle isn’t on the current list of donors, incidentally, but they’re doing more than anyone to support the open source model already.

Posted on

Heartbleed bug not as widespread as thought

Having tested a few servers I’m involved with, many of which are using old or very old versions of OpenSSL, I can’t say I’ve found many with the problem. You can test a server here: http://filippo.io/Heartbleed/ on a site recommended by Bruce Schneier.

So what’s going on? Does this affect very specific nearly-new releases. This story could turn out to be a serious but solvable problem, and a media panic. I recall spending most of 1999 doing interviews on how the “year 2000 bug” was going to be a damp squib, but it’s early days yet.

Posted on

Heartbleed bug

Someone’s finally found a serious bug in OpenSSL. It allows a remote attacker to snoop around in the processes memory, and this is seriously bad news because this is where you will find the private keys its using. They’re called “private keys” because, unlike public keys, they need to remain private.

This is going to affect most web sites using https, and secure email (if you’re using it – most aren’t). But before user’s rush off to change their passwords (which are different for each site, aren’t they?) – there’s no point in doing this if an attacker is watching. The popular press reckons your passwords are compromised; I don’t. If I understand it correctly, this exploit theoretically allows an attacker to intercept encrypted traffic by pretending to be someone else, and in doing so can read everything you send – including your password. So don’t log in until the server is fixed. They can’t read your password until you use it.

To cure this bug you need a new version of OpenSSL, which is going to be a complete PITA for server operators who aren’t on-site. Hell, it’ll be a PITA even if you are on-site with the servers. Once this is done you’ll also need new certificates, and the certificate authorities aren’t geared up for everyone in the world changing at once.

But the big fun one is when you can’t update OpenSSL. It’s used everywhere, including in embedded systems for which there was never any upgrade route. I’m talking routers, smart TVs – everythign.

I believe that SSH isn’t affected by this, which is one good thing, but I’m waiting for confirmation. Watch this space.

But, if you’re using a secure web site to log in over SSL, consider the password compromised if you’ve used it in the last few days and be prepared to change it soon.

Posted on

Criminals using self-assessment tax filing deadline to drop Trojans

I’ve intercepted rather a lot of these:

From: <gateway.confirmation@gateway.gov.uk>
To: <**************>
Date: Mon, 3 Feb 2014 20:33:49 +0100
Subject: Your Online Submission for Reference 485/GB6977453 Could not process

The submission for reference 485/GB6977453 was successfully received and was not processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.

Someone (via France, and the sender certainly does not speak proper English) is taking advantage of people’s panic about getting self-assessment tax forms in before the 31st January deadline to avoid a fine The attached ZIP file contains an executable with a .scr extension. It doesn’t show as being anything recognisable as nasty, so someone’s planned this well. Be careful; this is slipping through ISP malware scanners (and all the Windoze desktop scanners I’ve checked it against).

 

Posted on

Direct Response monitored alarms fail to show

Not to an alarm call out, but they had an appointment at 9am today to talk about their monitoring service. At 9:30 they called to say they weren’t coming with the excuse that they’d tried to call to confirm the appointment but couldn’t get through. Except they confirmed it yesterday afternoon and there’s someone on the hot-line number they claim to have used since 6am today.

Okay, they double booked slots and got caught with their pants down and this is the best they could come up with, but a company trying to sell an ARC service, not showing for an appointment has to be the biggest no-no going. LOL!

They’re actually possibly worth talking to, because they use the rather interesting Risco panels. Risco is an Israeli company, and they’re upping the game by integrating CCTV and IDS in one system with PIR detectors that will take a snapshot of what triggered them and sending to the ARC. The lady on the phone said they just wanted to demonstrate this, and I couldn’t resist even though we’re happy with the British-made Texecom kit (although we use Risco beam sensors already).

However, this is the same Direct Response that got hauled before the OFT and clobbered in 2009 for telling porky pies about their monitored alarms getting a priority response from the police. The caller also claimed the alarms were made in Iran (“or somewhere like that”). And they’re still using the same old sales tactics (“We are calling as part of an awareness campaign, and four people in your area will be selected at random for a free alarm worth £999”, without mentioning the £400 installation fee up front and claiming a £5/week monitoring fee – I’ll be pleasantly surprised if this bit is true).

The appointment’s been re-made for 9am on Monday. Let’s see. In fairness, I did warn the first and second callers that they hadn’t called a normal householder. All they gotta do is Google me.

Posted on

Botnet shows itself with New Year spam :)

The crims have been at it again this Christmas season (more elsewhere). The latest interesting activity has been a flood of emails with :) as the subject and “Happy new year !” as the text-only payload. Don’t feel left out if you didn’t get one, as they’re only being sent to email addresses made of random numbers at various domains I monitor.

What are the crims up to? Probably testing out mail servers to see if they’ll accept things to random addresses. Every domain should, and deliver them to a human postmaster (not that many net newbies are even aware of this rule). However, there’s nothing to say they can’t also go to analysis tools.

What makes this latest caper interesting is that the botnet they’re coming from doesn’t show up on the usual lists of such things – it’s either new or extended rapidly from an old one. New botnets popping up after Christmas aren’t uncommon as the seasonal fake greeting cards and amazon purchase confirmation trojans are relentless in the days before, together with the lack of staff available over the holiday to deal with them. However, I find this one unusual as most of the IP addresses used to send out the probes are from Europe (Germany and Spain in particular).

 

Posted on

Google shoots own foot in war on child abuse images

If you believe the Daily Mail and the BBC, Google and Microsoft have buckled under pressure from the Government to block images of child abuse on the Internet. What they’ve actually done is block around 100,000 search terms that are used by peodphiles looking for material, whether such search terms could be used to locate other content or not. Great.

Actually, this is rubbish. Google (about which I know more) has not even been indexing such sites, so search terms won’t have found any that it knew about anyway. I’m sure the other search engines have similar programmes in place. This is a public relations exercise, with a piece by Eric Schmidt in the Mail today. It’s a desperate PR stunt that will back-fire on Google.

Eric Schmidt of Google, seeming desperate (from Wikipedia)
Eric Schmidt of Google, seeming desperate

The fact is that household names like Google don’t have a case to answer here. They’re not ISPs, they’re not providing hosting space for illegal material and they’re not actually responsible for it in any way. The only thing they can do is spend their money researching such sites, dropping them from there indices and alerting the relevant authorities to their research. This they already do. So when the likes of Mr Cameron criticize them, as an easy target, the correct response is “Don’t be silly, it’s not us, and it’s the job of your Police to catch the criminals whether they’re using the Internet or not”. What Google has done with this move is give legitimacy to the original false accusation.

As anyone concerned with cybercrime will tell you, the major criminal activity takes place in areas outside the World Wide Web – areas not indexed by Google or any legitimate company. It travels around the Internet, encrypted and anonymous; and the peodophiles seem to be able to find it anyway. All this move will achieve is pushing the final remnants underground, where they’ll be much harder to track.

Looking at the comments that have appeared on the Daily Mail site since it was published is depressing. They’re mostly from people who have been taken in by this line (originally spun by the Daily Mail, after all), and they clearly don’t understand the technical issues behind any of this. I can’t say I blame them, however, as the majority of the population has little or no understanding of what the Internet is or how it works. They simply see a web browser, normally with Google as a home-page, and conflate the Internet with Google. The Prime Ministers advisors are either just as simple-minded, or are cynically exploiting the situation.