Friday, February 3. 2012
I do not yet have all of the hardware and networking gear set up on my network; so this is merely a description of what I'm looking to do, to gather some ideas and feedback, and then figure out how to proceed. If, after reading the details below, you want to join, or have suggestions, please let me know!
History / Ideas
I've been thinking about starting a "nerd net" for quite some time. I have many friends that use a Linux/*BSD machine at their border, and typically have some kind of services running inside the network. I'd like to link these networks together and share access to services. This opens up all kinds of possibilities...
To avoid a single point of failure, and saturation of any one network's bandwidth, we would avoid linking in a hub-and-spoke fashion. Instead, I propose that we maintain a list of active nodes (essentially, each person's gateway box) and try to maintain at least 3 active VPN connections at a time. In other words, each node on the network would have a VPN tunnel to at least 3 other nodes. It would be very useful to have control of a DNS zone for maintaining this list. Each node would have it's own A record; say, mynode.domain.com. Each time a node wants to connect to the network, it would request the A record for something like connect.domain.com, which would hand out A records of each of the registered nodes in a round-robin fashion.
Authentication will be central in this; so some knowledge of SSL will be beneficial. I, and possibly a few key others, would maintain access to a CA signing key and the nodes would be authenticated to the network via certificates signed by that CA key. Any node that you attempt to connect to should trust you based on that certificate; and, based on the certificate presented, you should trust any connection attempt with a valid, signed certificate. I, and possibly others, can assist with any certificate-based configuration issues that you might have.
To allow for a private network that's going to be potentially changing topology on a regular basis, we'll need a routing protocol, such as RIPv2. For simplicity, each network would receive it's own /24 of RFC1918 space, with the gateway box running the VPN software being the "node" on the network. Most likely, you'd want to set up split-tunneling on the gateway box so that any requests going to the private network route over the VPN and the rest of your traffic (web surfing, email, etc) goes out your normal internet connection.
With each node on the network being connected to at least 3 other nodes at any given time, that requires us to keep track of the various routes from one network to another. Instead of trying to keep track of this by hand, we could easily set up RIPv2 and announce the routes we "know". I imagine using netblocks in the 172.16.0.0/12 range, with each network having a /24 and being multi-homed (connected to 3+ other nodes), there could potentially be several routes from one network to the other. A light-weight, distance-vector routing protocol like RIPv2 seems to be a good fit; open-source implementations, simple, and proven. The route to any network from yours would be the one with the least intermittent hops.
Another, more complex, possibility would be using OSPF and OpenBSD's open-source implementation. Given that each node will have different bandwidth, this may be a good idea to try.
Services and other ideas
This would be the whole reason for the network!
I would be interested in providing several services to the network, but not publicly. For one, a Linux- or FreeBSD-based shell server with access to the internet, compilers/development tools, documentation, email (anyone remember pine+procmail?), etc. A (small-ish) public web space to let people know that you're part of the network; something like Apache's mod_userdir. A blog application accessible only from within the nerd-net.
I would also maintain the internal network's intranet site. This could be a site used to post updates of system maintenance, new services being offered/tested, and a way to maintain an up-to-date list of all of the nodes.
A private IRC server is definitely on the TODO list. Any and all bots would be allowed; if anyone would be interested in linking the IRC daemons, I'll likely be using the Blackened or UltimateIRCd.
I could provide SMTP services for the network. If we find a zone to use, I can provide email services for that zone. Technically, unlimited user@zone email addresses. I would also be willing to host DNS services for the internal network; providing dynamic DNS and a "view" for those coming in via the network.
Another service I'd consider offering would be your own PostgreSQL database for development and testing. A big part of what I envision for this network is that it'll be a big collection of computer-savvy geeks; what better place to deploy and test code than on a network inhabited solely by those with the clue to help you in debugging, vuln testing, etc.
Other possibilities include shared-CPU time using tools like distcc(1). Maybe remote storage (NFS/iSCSI)?
The benefits of a private network are many, and extend beyond just the sharing of services. This is a chance to build a real-world, potentially large-scale network with changing topology. Any member wishing to add/configure new services or features is welcomed to; and the services could be advertised/listed on the internal network's intranet site.
Other benefits include the ability to policy-route certain traffic. For instance, I would be interested in routing my DNS traffic over the VPN to be routed out someone else's connection; it's low traffic, but my ISP mangles my DNS traffic to route to their servers regardless of what server I point to. Such configuration could even be set up where my DNS traffic goes out through a different VPN's node each time (i.e., a type of load-balancing).
As the network uses a VPN to set up, exactly what it is, a Virtual Private Network, we should seek to keep the network private. Configuring an Apache reverse-proxy, or some type of port-forward from your external IP address into the network would be frowned upon. Any need to create such accesses for the outside should be discussed with the entire group, and hopefully some sort of consensus reached.
It would also be the responsibility of each node's owner to keep the machine secure and up-to-date. Any breach of one of the nodes would lead to an open route to the network.
I will create the CA key used to sign all certificates used to access the VPN; but, as I do not wish to be the sole decider in who is allowed on the network and who is not, I plan to create a handful of sub-CA certificates to be distributed to trusted associates who may also sign certificates for potential users. If you've been given a sub-CA certificate, you're being trusted to know who you're letting into our private little clubhouse. :) Using multiple sub-CA certificates will also allow for anyone to validate who provided access for this particular user/network; and the ability to revoke access as necessary (hoping that it wouldn't ever become necessary).
A "nerd net" would be a fun project to gather a bunch of us geeks together and share services. This is the first time I'm really throwing the idea out there (beyond mentioning it to a few people here and there), so if anyone else thinks it would be fun, get ahold of me!
Thursday, July 28. 2011
Tunneling nmap through Tor
I looked at how to reduce your exposure using Tor earlier in the week. We installed Tor and Privoxy and configured our system to browse the Internet anonymously. We can use Tor and another great program called proxychains to Torify our network scans with nmap.
I checked this out and it seems to work well. Other than the fact that Tor doesn't seem to carry UDP traffic (other than DNS) or ICMP traffic, you're limited to TCP traffic alone, which isn't too much of a limitation.
It is a little slow getting your scan results back - especially if you don't pass -p<port1>,<port2> to nmap(1), but it's certainly more secure than just trying to use an open proxy server out on the 'net.
All in all, a neat trick.
Sunday, January 16. 2011
Common Threads: OpenSSH Key Management, part One
Many of us use the excellent OpenSSH [...] as a secure, encrypted replacement for the venerable telnet and rsh commands. One of OpenSSH's more intriguing features is its ability to authenticate users using the RSA and DSA authentication protocols, which are based on a pair of complementary numerical keys. As one of its main appeals, RSA and DSA authentication promise the capability of establishing connections to remote systems without supplying a password. While this is appealing, new OpenSSH users often configure RSA/DSA the quick and dirty way, resulting in passwordless logins, but opening up a big security hole in the process.
Yet another of the DeveloperWorks! series. I love these articles.
The vulnerability in question has to do with pub-key (RSA/DSA) authentication and leaving a null/blank passphrase on the keypair. This article describes how to configure ssh-agent to cache the decrypted private keys so you only have to type the passphrase once per session. This has the benefit of allowing you to use scripted SSH logins without being prompted for a password, but also means that the keypair is still relatively secure even if someone else manages to compromise them via the filesystem.
OpenSSH's RSA and DSA authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it's possible to establish secure connections without having to manually type in a password.
While the key-based authentication protocols are relatively secure, problems arise when users take certain shortcuts in the name of convenience, without fully understanding their security implications. In this article, we'll take a good look at how to correctly use RSA and DSA authentication protocols without exposing ourselves to any unnecessary security risks. In my next article, I'll show you how to use ssh-agent to cache decrypted private keys, and introduce keychain, an ssh-agent front-end that offers a number of convenience advantages without sacrificing security.
A more in-depth description of what I mentioned above.
For those already familiar with ssh-agent(1) - which you should be - then you can skip ahead to Part Two and Part Three.
Sunday, October 31. 2010
Linux Software RAID 1 Setup
This is the article I used in creating my 2-device (2 x 250 GB SATA) RAID1 in my desktop.
The documentation is fairly straight-forward and easy to follow. One thing this article assumes is that you're going to boot off a soft-RAID. This was not the case in my scenario; I just wanted a redundant storage slice.
Now, to enable crypto on the slice.
Monday, May 17. 2010
Secret Forum Reveals Oz Firewall Backroom Dealing
Circumvention legal, but you can't tell anyone how[.]
Emphasis is theirs.
Now say what? It will be legal to circumvent (technical details at the bottom), but illegal to explain to someone else how to perform this perfectly legal configuration. I wonder how this might affect a corporate or ISP helpdesk perform VPN connectivity setup?
Australia’s plans for a firewall to protect its population from smut on the internet are rapidly evolving from farce to total chaos. Weekly revelations on bulletin boards suggest that Stephen Conroy, the man behind the big idea, does not know what forthcoming legislation on the topic will say, when it will be introduced or how the firewall will work in practice.
This time, emphasis is mine. I want to continue to point out how big of an asshat this particular Australian politician is. He is the "Minister for Broadband, Communications and the Digital Economy." He's the one that floated the idea of this nation-wide "firewall" (which is technically a proxy since it will be filtering at layer 7 - hence the technical problems) to "protect" citizens from illegal, immoral, or "dangerous" content. This is nearly the same thing the Chinese and Iranians are doing, just using layer 7 proxy devices instead of what's assumed to be basic layer 3 IP filtering of destination hosts. Skip to the very end of the post for the technical details behind this.
To say this whole thing began as a farce is hitting the nail right on the head.
Meanwhile, it turns out that the Minister’s own Department of Broadband, Communications and the Digital Economy (DBCDE) has been hosting a secret forum for discussions with ISPs likely to be affected by proposals. Along the way it floated the idea of making it a crime to advise surfers on how to do things that are perfectly legal to do. Confused? You will be.
First up is the time scale for plans to introduce the new firewall. As already reported, the question of when legislation will be introduced has now been bouncing between the offices of Prime Minister Kevin Rudd and Communications Minister Stephen Conroy. Severe wriggling from Conroy’s office suggests that plans for an early introduction of legislation have been put on the back burner for now.
Conroy wants to shelve the legislation until after the elections. He's technically incompetent, but he's smart enough to realize that this is going to be a screw-up of biblical proportions and it will likely cost him the election. It's "on the back burner for now," but it's by no means dead.
Meanwhile further digging inside this forum revealed that departmental officials appear to have been discussing the possibility of making it a criminal offen[s]e to advise individuals of means that would enable them to circumvent the filter – even where the means themselves were perfectly legal.
I would say that this equates to information being illegal. In a way, that's in the same league as banning books.
As the EFA suggests, this answer raises more issues than it addresses, and relies on the degradation of the Australian network being gradual, rather than catastrophic. It does appear, however, that the government has no plans to deal with a possible overload of its firewall bringing the Australian internet to its knees – beyond setting up a review when such an event actually happens.
Why should there be any degradation of bandwidth at all? I suspect that if this goes through, there's going to be a noticeable difference in download speeds and initial access to websites.
Circumvention of these filters will be trivial; you can wrap your request in SSL (such as https:// if the website supports it), by using a VPN provider outside Australia (many more found on the link for the word "using"), by using Tor (which uses a technique known as Onion Routing), or even by viewing blocked pages via the Google cache.
This filtering is to take place with proxies (at the Application  layer) as opposed to the traditional large-scale deployments of firewalls (at the Network  and Transport ) layers). The deeper you have to inspect a packet, the more CPU and memory required to process the filters. It costs - in many ways, from actual dollars for the hardware and software, to performance impact, to configuration complexity to man-hours of maintenance - considerably more to filter at layer 7 with a proxy than layers 3/4 with a firewall.
The one benefit to filtering at layer 7 is that you block only what is intended to be blocked. In today's world (where we've been running out of IPv4 space for a dacade now) a lot of websites are configured using virtual hosts. This allows web hosting providers to host a virtually unlimited number of websites on a single IP address. Let's say there are two websites, both hosted on the same virtual host IP address, where one is banned and the other is not:
With a layer 7 proxy, when the user attempts to reach a website, the proxy intercepts the request, checks the request (including hostname and URI), and then either blocks the request, or requests the page on behalf of the end-user and returns her the requested webpage. So your mom can still access www.momsrecipes.co.au while nobody can access www.bannedwebsite.co.au. With a proxy, you can return HTML to the end-user explaining why access to this particular website is blocked and possibly a method of contact to dispute the denial of access.
() Finer-grained control of what's filtered
() Less "false positives"
() Expensive in many aspects (mentioned above)
() Complex configuration
() Considerable service impact due to use of DPI at Application  layer
() Slightly easier to circumvent; using https is the only circumvention measure mentioned that does not tend to work with the firewall approach - the rest should work against both types
With a layer 3/4 firewall, access to the virtual host IP address (or even the subnet it's part of) will be blocked. When anyone tries to go to www.bannedwebsite.co.au, they are unable to, which is the intended result. They will get a different error; the browser will just report that website was unreachable. End of explanation. If anyone tries to go to www.momsrecipies.co.au, they will also be denied with the same uninformative unreachable error. Since both websites are on the same IP address, the firewall has no way of knowing which website you're looking for, so it blocks everything.
() Cheaper to deploy
() Simpler configuration - hundreds of hosts/subnets vs. thousands of hostnames
() Can often be implemented on existing hardware - edge or core routers utilization IP ACLs
() Faster, more responsive access to allowed websites; less service impact
() Collateral damage - legitimate sites on the same virtual host as banned site are also blocked
() Slightly more difficult to circumvent (a websites https site will likely be in the same blocked subnet)
Comparison with Other Instances of State-Controlled Internet Access:
I see three major differences in the Australian proposal as opposed to the other major regimes implementing state-wide filtering of websites (China and Iran). They are as follows:
Another side effect of this proposal, from an economic standpoint, is that it is likely to put smaller ISPs out of business. Instead of putting the smaller burden on the backbone providers, with considerably more capital, it will place a more expensive burden on ISPs with less resources at their disposal. If these filters become legally mandatory, this will likely put smaller ISPs out of business. A smaller provider may not have access to the resources (money, manpower, and know-how) to meet these requirements and will thus have to shut down operations.
There is one other somewhat commonly used filtering technique involving DNS. The ISP or corporate gateway will transparently route all DNS requests by the end-user to DNS servers under their control. The DNS servers will be configured as authoritative for the blocked domains; typically configured to return an IP address that connects you to a website telling you that your access is blocked and possibly why. This is similar to the Walled Garden approach.
Friday, February 12. 2010
European Swift Bank Data Ban Angers U.S.
The European Parliament has blocked a key agreement that allows the United States to monitor Europeans' bank transactions - angering Washington.
I'm sure the nanotech engineers are currently working on the world's tiniest violin.
The US started accessing Swift data after the 11 September 2001 terror attacks on New York and Washington.
But the fact that the US was secretly accessing such data did not come to light until 2006.
My fear is not that this data mining was used to track terrorists; far from it. I'm inclined to believe that this monitoring was used for other purposes. Purposes such as finding and prosecuting tax cheats. That, in itself, isn't a bad thing either. My belief is that the only tax cheats that will be prosecuted will be the ones who failed to line the campaign coffers of our elected officials; the ones who've paid off the right people will continue to get away with whatever it is they're getting away with.
Swift handles millions of transactions daily between banks and other financial institutions worldwide. It holds the data of some 8,000 banks and operates in 200 countries.
Friday, January 1. 2010
TSA Withdraws Subpoenas Against Bloggers
In the wake of public outcry against the Transportation Security Administration for serving civil subpoenas on two bloggers, the government agency has canceled the legal action and apologized for the strong-arm tactics agents used.
Travel writer and photographer Steven Frischling, who was served with a subpoena by two TSA agents on Tuesday, told Threat Level that he received a phone call Thursday evening from John Drennan, deputy chief counsel for enforcement at TSA, telling him the administration was withdrawing its subpoena.
"Strong-arm tactics;" couldn't have said it better myself. I'm glad to hear that, given the publicity, they decided that they didn't want the negative PR and would do The Right Thing(tm). If only every case of over-reaching abuse of power could get this level of publicity. Sadly, people's privacy rights are trampled nearly every day, it just doesn't get the press that this case did.
In case you missed it, Slashdot linked to an article on the New York Times regarding the TSA subpoenas entitled "TSA Subpoenas Bloggers, Demands Names of Sources". You may want to read it first to familiarize yourself with the issue before reading the article about the TSA withdrawing the subpoenas.
A second blogger who was also served a subpoena on Tuesday, Christopher Elliott, was also told his subpoena was being withdrawn. Elliott had refused to cooperate with the agent who served him the subpoena and had indicated to the TSA that he would be challenging the subpoena in federal court next week.
Frischling said the two agents who visited him arrived around 7 p.m. Tuesday, were armed and threatened him with a criminal search warrant if he didn’t provide the name of his source. They also indicated they could get him designated a security risk, which would make it difficult for him to travel and do his job.
"They came to the door and immediately were asking, 'Who gave you this document?, Why did you publish the document?' and 'I don’t think you know how much trouble you’re in.' It was very much a hardball tactic," he told Threat Level.
So much for the First Amendment which includes freedom of the press. Granted, he was not obligated under any law to turn over the name(s) of his source(s), but they made it clear that if he did not cooperate, they would make his life unnecessarily difficult.
The agents searched through Frischling’s BlackBerry and iPhone and questioned him about a number of phone numbers and messages in the devices.
The agents then tried to image his hard drive, but were unable to do so.
There goes the Fourth Amendment, as well. The Fourth Amendment states, and I quote: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, ..."
I have the utmost respect for those who protect us from would-be attackers; I just feel that they go about it in the wrong way and overstep their boundaries. The TSA, CIA, NSA, FBI, and ATF have to be right every single time; while an attacker only needs to be right 1 time to be effective. That certainly makes the job of those who protect us very difficult.
"An ounce of prevention is worth a pound of cure" is most certainly true; but it also doesn't make sense to use a cannon to kill a mosquito.
If I were to be traveling, I would use the internet to transfer all files to before heading to the airport, and use strong encryption on my hard drive. That way, I am not entering the airport with any data on my computer, and anything left on the hard drive for the operating system and applications would be inaccessible due to the strong encryption. Unfortunately, if they cannot access the data easily, I believe the TSA has the ability (but I don't think the right) to confiscate your laptop indefinitely. If it takes them a thousand years to break your encryption and search your data - only to find nothing of use - you may never get your equipment back. Might I recommend GPG (for files) and the Linux cryptoloop driver (for file-systems - I recommend at least AES-256, if not AES-384, AES-512, or Twofish - all of which available in the Linux kernel)? It appears that FreeBSD also supports encrypted partitions. A Google search reveals several options for protecting your privacy on Windows; one appears to be a feature built into Windows XP, though I'm not sure I'd trust it to be free of back-doors. If you're looking for free, you might look into TrueCrypt. DISCLAIMER: I've never used TrueCrypt myself, so I cannot comment on it's features.
Friday, July 3. 2009
Two Centuries On, a Cryptologist Cracks a Presidential Code
For more than 200 years, buried deep within Thomas Jefferson's correspondence and papers, there lay a mysterious cipher -- a coded message that appears to have remained unsolved. Until now.
An interesting read; a mix of cryptography and history.
Saturday, January 17. 2009
GSSP (GIAC Secure Software Programmer): C Secure Coding Tasks, Skills and Knowledge
This is a PDF file from the SANS Institute on secure C-coding practices.
From the PDF...
This document enumerates common C coding tasks and identifies rules, recommendations, and guidelines for accomplishing these tasks securely.
A lot of the material I've seen so far has been common-sense stuff (input validation, mistrust of environment variables, etc), but it's nice having it in a form not unlike a checklist. You write a new function or new class, and then run down the list; making sure you've followed each item. There's also one of these for Java ("booo") and .Net ("hisssssss").
Weighing in at only 10 pages, I think this one is worth wasting dead trees on.
Friday, December 5. 2008
DNA Database Violates Privacy
All I'll say is you're damn right it does.
Europe's human rights court ruled on Thursday that Britain had violated two people's privacy by storing their DNA profiles, even though they had not been convicted of a crime.
The decision calls into question rules governing use of the DNA database under which police can take samples from anyone arrested for a recordable offence.
Civil liberties groups jumped on the ruling to demand a change in the law, which the government rejected.
It's nice to see someone trying to put things in check over there. While I've never been to England, everything I see and read tells of more cameras and massive databases. Seems very Orwellian to me.
Wednesday, July 16. 2008
There was an article on Slashdot earlier today bemoaning the uselessness of CAPTCHAs. While I don't agree that they're useless, they have been fairly fruitless at stopping comment spam on my blog here.
The article mentions two possible "successors" to the standard image and audio CAPTCHA, let's take a look at them.
This one comes from a site called spamfizzle.com. Their approach to going beyond the standard 2-dimensional image is to go 3D. Each object in a scene will be represented by a letter. Hundreds, if not thousands, of 3D images can be created using the exact same 3D "scene" but shown from different angles and with different lighting sources. You will then be required to enter, in order, the letter on the cat's tail, the letter in the upper left window pane, and the number of branches on the tree. Using only letters, no numbers, the possible combinations of the CAPTCHAs requiring only 3 letters is as follows: 26*25*24 = 15,600. At 4 letters, it becomes 358,800 possibilities. At 5 letters, it's now 7,893,600 possible combinations. There are also several other features that make nuking CAPTCHA-cracking programs obsolete within minutes; as well as features for making it easier for humans to work with. I really don't feel that I can do justice to this article by summarizing it here. I strongly encourage you to read the article itself (even though it is hosted on a Windows platform).
This site requires that you really know your math. How many people are going to know enough geometry, trigonometry, and calculus to figure out this challenge/response?
What can I say?
Thursday, June 26. 2008
Seizing Laptops and Cameras Without Cause
Returning from a brief vacation to Germany in February, Bill Hogan was selected for additional screening by customs officials at Dulles International Airport outside Washington, D.C. Agents searched Hogan's luggage and then popped an unexpected question: Was he carrying any digital media cards or drives in his pockets? "Then they told me that they were impounding my laptop," says Hogan, a freelance investigative reporter whose recent stories have ranged from the origins of the Iraq war to the impact of money in presidential politics.
Shaken by the encounter, Hogan says he left the airport and examined his bags, finding that the agents had also removed and inspected the memory card from his digital camera. [...] When customs offered to return the machine nearly two weeks later, Hogan told them to ship it to his lawyer.
Citing those lawsuits, Customs and Border Protection, a division of the Department of Homeland Security, refuses to say exactly how common the practice is, how many computers, portable storage drives, and BlackBerries have been inspected and confiscated, or what happens to the devices once they are seized. Congressional investigators and plaintiffs involved in lawsuits believe that digital copies -- so-called "mirror images" of drives -- are sometimes made of materials after they are seized by customs.
"As a businessperson returning to the U.S., you may find yourself effectively locked out of your electronic office indefinitely." While Hogan had his computer returned after only a few days, others say they have had theirs held for months at a time. As a result, some companies have instituted policies that require employees to travel with clean machines: free of corporate data.
This is one of the likely scenarios I would use if I was to travel abroad with my laptop and/or digital camera. I'd upload everything to a machine at home while I'm away, and work exclusively off shared-storage applications (i.e., Google Apps, Wiki, etc). When I came back through customs, the camera would be blank, and the laptop would be stock-as-a-rock. I don't think I could let them take the laptop, I think that could turn into a bad situation.
The security value of the program is unclear, critics say, while the threats to business and privacy are substantial. If drives are being copied, customs officials are potentially duplicating corporate secrets, legal records, financial data, medical files, and personal E-mails and photographs as well as stored passwords for accounts from Netflix to Bank of America. DHS contends that travelers' computers can also contain child pornography, intellectual property offenses, or terrorist secrets.
Now this is assuming you're running that one OS. ;) My laptop might be a little more difficult for them to "duplicate" things off of.
This brings me to my other idea. Encrypt the entire disk. Many Linux distributions now support a cryptoloop root file-system (using an initrd).
Notice how they manage to bring out three of the Four Horsemen of the Apocalypse. They forgot the drug dealers out there on the internet.
It makes practical sense to X-ray the contents of checked and carry-on luggage, which could pose an immediate danger to airplanes and their passengers. "Generally speaking, customs officials do not go through briefcases to review and copy paper business records or personal diaries, which is apparently what they are now doing now in digital form -- these PDA's don't have bombs in them," says Marc Rotenberg, executive director of the Electronic Privacy Information Center.
Neither does hair gel, but apparently that's a problem, too. If they're worried about the PDAs, cameras, and laptops, just let the dogs sniff 'em. That's all they need to know about what's on my digital devices.
More troubling is what could happen if other countries follow the lead of the United States. Imagine, for instance, if China or Russia began a program to seize and duplicate the contents of traveler's laptops. "We wouldn't be in a position to strongly object to that type of behavior," Rotenberg says.
Indeed, visitors to the Beijing Olympic Games have been officially advised by U.S. officials that their laptops may be targeted for duplication or bugging by Chinese government spies hoping to steal business and trade secrets.
How is it that these asshats get to host the Olympics? Maybe it's just me, but if I'm in a situation where I think someone is trying to "steal my secrets," I would remove myself from that situation as quickly as possible. We're told we can't trust them, but we're having a world-class event there?
Tuesday, June 10. 2008
Steganography of VoIP Streams
In this paper, we circumscribe available steganographic techniques that can be used for creating covert channels for VoIP (Voice over Internet Protocol) streams. Apart from characterizing existing steganographic methods we provide new insights by presenting two new techniques.
First one is network steganography solution and exploits free/unused fields of the RTCP (Real-Time Control Protocol) and RTP (Real-Time Transport Protocol) protocols. The second method provides hybrid storage-timing covert channel by utilizing delayed audio packets.
The results of the experiment, that was performed, regardless of steganalysis, to estimate a total amount of data that can be covertly transferred in VoIP RTP stream during the typical call, are also included in this article.
I've reformatted the overview here for readability. This is a truly brilliant idea. I'm already a huge fan of cryptography; steganography in particular. There are plenty of applications out there for "hiding" messages in the least-significant-bits of images, MP3s, and several other file formats. This article brings steganography into the realm of real-time, two-way communication.
I've not yet had the chance to read the entire paper (16 pages), but it's loaded with formulas and figures that should give you a fairly realistic estimate of exactly how much bandwidth you have. The conclusion states that they were able to achieve 1.3 Mbit/sec of one-way throughput. A typical POTS telephone line requires only 64 Kbit/sec to carry voice.
Picture this: The modem in your computer places an outbound call, you pick up your headset and put it on. The other end answers, and you're immediately placed on hold. Are you? While you're listening to the muzak on the other end, your computer is pulling out bits here and there. You hear a voice say "Hello?" You speak, and the "hold" music stops; now your computer is playing music to the other party. The person on the other end hears your voice, and upon recognizing it, responds with a hearty "hello!"
Couple this technique with a strong, public-key-based encryption algorithm and you've got truly secure real-time communication. Using this technique in combination with strong cryptography makes your conversation exponentially more secure. Obfuscated amongst the elevator music playing back and forth is PKI-encrypted voice. Assuming someone is snooping on your communications, this in itself makes it difficult to detect the "out of band" voice chatter. With the added benefits of PKI cryptography, you have the ultimate in caller ID (only the caller's public key would decrypt any useful voice data; and in theory, only the caller would have access to their private key to encrypt that voice data), confidentiality to an extreme degree, and guaranteed integrity (any altered data would not checksum out correctly and would immediately be identified as having been altered).
I would expect to see some implementation of this theory very soon. A likely project to be "first to market" with it would be Asterisk.
Saturday, May 31. 2008
Bank Loses Tapes with Data on 4.5M Clients
Bank of New York Mellon Corp. officials last week confirmed that a box of unencrypted data storage tapes holding personal information of more than 4.5 million individuals was lost more than three months ago by a third-party vendor during transport to an off-site facility.
The bank informed the Connecticut State Attorney General's Office that the tapes belonging to its BNY Mellon Shareowner Services division were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.
Well, it looks like the government doesn't have the monopoly on data loss these days. If I were to hire a "third-party vendor" to transport and store my backups, I'd insist on unlimited liability in the contract. I'd also encrypt the data on the tapes. Strong crypto is easily obtainable in the U.S.; it's often free in software form, and relatively cheap in hardware form, especially when compared to the cost of a loss of data such as this.
No doubt that BoNYMC's PR machine is going into high-gear at this very moment. Expect to see plenty of commercials for them on TV in the coming months. They have a lot of negative publicity to drown out.
BNY Mellon Shareowner Services, which includes handling employee stock option plans, said that it has begun notifying affected clients. It contended that none of the unencrypted data has been accessed or used.
Now with the data being unencrypted, and the tapes being "lost," how do they have any assurance that this data has not been accessed or used? I say they are in "damage control" mode, saying anything they can to save face. They have absolutely no way of verifying that this information is not in the wrong hands; likely the hands of identity thieves.
Blumenthal said that the bank's offer of a year of freed credit monitoring to those affected by the breach is "grossly inadequate." He also slammed the bank for not promptly notifying customers of the security breach.
A year's worth of free credit monitoring is essentially equivalent to calling the police after having your home burglarized, only to have them show up and say "yeah, we'll watch your house for the next year, but we can only notify you that you've been burglarized again after the fact." There is absolutely no deterrent here, only letting you know that you've been compromised after-the-fact.
This is truly sickening. It seems that the only people safe these days are the illegal immigrants that don't have social security numbers and are unable to get credit already. I guess they can't steal from you what you don't have. For the rest of us, it appears that it's only a matter of time.
Saturday, May 31. 2008
AJAX Security Tools
Certain vulnerabilities within Ajax applications can allow malicious hackers to reek havoc with your applications. Identity theft, unprotected access to sensitive information, browser crashes, defacement of Web applications, and Denial of Service attacks are just a few of the potential disasters Ajax applications can be prone to and which developers need to guard against when building Ajax capabilities into their applications.
This DeveloperWorks article has some interesting tools. One, aSSL, is an AJAX add-on that allows you to tunnel your AJAX requests back to the server over AES encryption. Very nice. It's licensed under the MIT license.
There are also links to several Firefox add-ons and extensions, such as Session Manager, that allows you to re-establish sessions on demand.
Wednesday, May 28. 2008
Phone Giant in Germany Stirs a Furor
Germany was engulfed in a national furor over threats to privacy on Monday, after an admission by Deutsche Telekom that it had surreptitiously tracked thousands of phone calls to identify the source of leaks to the news media about its internal affairs.
In a case that echoes the corporate spying scandal at Hewlett-Packard, Deutsche Telekom said there had been “severe and far-reaching” misuse of private data involving contacts between board members and reporters.
Tuesday, May 13. 2008
Charter To Begin Tracking Users' Searches And Inserting Targeted Ads
Charter Communications is sending letters to its customers informing them of an "enhanced online experience" that involves Charter monitoring its users' searches and the websites they visit, and inserting targeted third-party ads based on their web activity. Charter, which serves nearly six million customers, is requiring users who want to keep their activity private to submit their personal information to Charter via an unencrypted form and download a privacy cookie that must be downloaded again each time a user clears his web cache or uses a different browser.
This is an absolutely atrocious move on Charter's part. The article (at The Consumerist) does not state exactly where they have rolled out this "enhancement," but it has not yet been implemented in my local St. Louis area. Considering that Charter is based in St. Louis, it is likely that they chose not to test this change where, undoubtedly, the majority of their subscribers are.
The first rub is that you must submit your personal information to be excluded. It's opt-out, not opt-in. I go far and wide to avoid targeted advertisements, especially from those who wish to track my every move online.
The second rub is that you must accept a cookie to opt-out of this "enhancement." Considering that a cookie is specific to a single browser on a single computer, that means I would have to opt-out about 15 times to be completely off-the-list.
Fortunately for me, I run a transparent Squid proxy at my gateway, and I could insert the cookie there to cover all machines and all browsers (ranging from a Sun Blade 100 w/ Solaris and lynx to Firefox on AMD64 Kubuntu). I am certain that I am in the vast minority of their subscribers with such options.
I choose my ISP based on how much (or, hopefully, how little) they manipulate my packets. I require unadulterated IP from end-to-end for diagnostics and testing. The more an ISP meddles with my bits, the sooner I'll drop them for another. Price and speed are much less important to me than knowing that my packets will make it to their destination untouched.
Given the uproar that has already started, I don't suppose that Charter will continue this practice much longer. If they do, they will almost certainly be forced to accept a better solution for opting-out, or even making it an opt-in.
Wednesday, April 16. 2008
Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data
Note: This article was linked off Slashdot, so I can only assume the mods trust this source. YMMV.
One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.
The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases. It took [me] all of a minute to figure out how to download 10,597 records – SSNs and all – from their website.
The article is pretty funny (i.e., "and even managed to skip all of Common Sense 101.") but it looks like ~ 10K records were compromised. Small number in comparison to some of the compromises these days, but it's still 10,000 people's personal info.
This guy has screenshots of the whole process, including the SQL injections used! Considering it's a state DOC website, I'm not sure I'd be "poking around" for fear of ending up there myself.
Sunday, April 6. 2008
Internet Providers Quietly Test Expanded Tracking of Web Use to Target Advertising
The online behavior of a small but growing number of computer users in the United States is monitored by their Internet service providers, who have access to every click and keystroke that comes down the line.
The companies harvest the stream of data for clues to a person's interests, making money from advertisers who use the information to target their online pitches.
The practice represents a significant expansion in the ability to track a household's Web use because it taps into Internet connections, and critics liken it to a phone company listening in on conversations. But the companies involved say customers' privacy is protected because no personally identifying details are released.
So we're just expected to implicitly trust our ISP to "do the right thing?" Yeah, right, good luck with that. As I've said a million times; "encryption, encryption, encryption!"
The extent of the practice is difficult to gauge because some service providers involved have declined to discuss their practices. Many Web surfers, moreover, probably have little idea they are being monitored.
But at least 100,000 U.S. customers are tracked this way, and service providers have been testing it with as many as 10 percent of U.S. customers, according to tech companies involved in the data collection.
Coming soon to an ISP near you!
Although common tracking systems, known as cookies, have counted a consumer's visits to a network of sites, the new monitoring, known as "deep-packet inspection," enables a far wider view -- every Web page visited, every e-mail sent and every search entered. Every bit of data is divided into packets -- like electronic envelopes -- that the system can access and analyze for content.
"You don't want the phone company tapping your phone calls, and in the same way you don't want your ISP tapping your Web traffic," said Ari Schwartz of the Center for Democracy and Technology, an advocacy group. "There's a fear here that a user's ISP is going to betray them and turn their information over to a third party."
IMO, Deep Packet Inspection (DPI) is one of the biggest double-edged swords of the entire IT world. You can use it to manage your network, secure your web applications, prevent SPAM and viruses at your border (or distribution layer), and many other great things. You can also abuse it to prevent access to information deemed inappropriate by some party, whether it be your ISP, the state, or international law. China uses it as a means to suppress opposing political views. The idea of DPI excites me to no end, but scares me just the same. A double-edged sword indeed.
Friday, April 4. 2008
We Spied on 36,000 Customers Using the Internet, Admits BT
BT tested secret "spyware" on tens of thousands of its broadband customers without their knowledge, it admitted yesterday.
It carried out covert trials of a system which monitors every internet page a user visits.
All for the sake of "targeted advertising." *sigh*
An investigation into the affair has been started by the Information Commissioner, the personal data watchdog.
I'm glad to see that someone is investigating the legalities of this. Being in the UK, the laws are certainly more restrictive than they are in the U.S. regarding privacy (if you can believe that).
Privacy campaigners reacted with horror, accusing BT of illegal interception on a huge scale. Yesterday, the company was forced to admit that it had monitored the web browsing habits of 36,000 customers.
The scandal came to light only after some customers stumbled across tell-tale signs of spying. At first, they were wrongly told a software virus was to blame.
"A software virus was to blame." When working tech support, when all else fails, blame the problem on a virus or software issue. Viruses and spyware have become a blanket explanation to most anything a tech support group does not know how to handle. This usually results in the user taking their system to a professional who can then examine the system hands-on.
One of two things were happening here; (a) the tech support people were not made aware of the "testing" so as not to divulge this information to customers (quite plausable), or (b) they knew, but were not allowed to speak of it.
It then scans every website a customer visits, silently checking for keywords and building up a unique picture of their interests.
If a user searches online to buy a holiday or expensive TV, for example, or looks for internet dating services or advice on weight loss, the Phorm system will add all the information to their file.
Typical keyword-gathering advertising, much like Google's AdWords, except not quite so transparent as to how it works and what it logs.
Nicholas Bohm, of the Foundation for Information Policy Research, said BT's actions amounted to illegal data interception.
He told the BBC: "It seems a clear-cut case of illegal interception of communication."
Again, I am not a lawyer, and I'm certainly not familiar with UK law, but if that's not "illegal data interception", it certainly should be.
Sir Tim Berners-Lee, the British inventor and founding father of the worldwide web, said a person's data and web history are private property.
"It's mine - you can't have it," he added.
"If you want to use it for something, then you have to negotiate with me. I have to agree, I have to understand what I'm getting in return."
Exactly. I don't care if I'm banking online or just reading Slashdot, my packets are my packets. I don't have anything to hide in my data (other than the occasional CC number when ordering online), but it's merely the principle of the matter. I pay a monthly fee to have my IP packets sent and received without tampering, snooping, or filtering.
This is yet another strong example of why encryption should be mandatory. I encrypt everything I can, from https traffic to PGP signed/encrypted email, to SSL connections between my applications as their database back-end.
Some good places to start in regards to providing some security to your data are as follows:
GNU Privacy Handbook (GPG - Free OpenPGP implementation)
PGP (Commercial, proprietary OpenPGP implementation)
OpenSSH (ssh, scp, sftp, etc)
CrytoLoop file-system (Linux)
There are many other ways to encrypt data on your local hard drives and in-transit across the network. A search through Google for "encryption software" should be a good place to start.
Wednesday, April 2. 2008
Feds Lie About Link Between Software Piracy and Terrorism
The U.S. Justice Department seems to believe that if you tell a big enough lie, people will listen. Here's the latest: Attorney General Michael Mukasey claims that terrorists sell pirated software as a way to finance their operations, without presenting a shred of evidence for his case. He's doing it to push through a controversial piece of legislation that's bad for you.
Mukasey went on to cite numerous cases in which the Justice Department has arrested those who pirate software, and in which the department has cooperated with other countries in investigations. He mentioned arrests in Florida, investigations in China, and warned about the Russian mob being involved in selling pirated software.
In not a single instance did Mukasey include a link to terrorism. Not one. You can be sure that if there were any links, Mukasey would make sure to get them on the nightly news.
What doesn't fund terrorism these days? What's next? "Buying MILK supports terrorism." Do people really believe this stuff?
The post is a pretty good read, includes links to transcript of Mukasey's speech.
Monday, March 24. 2008
Obama Passport Files Violated; 2 Workers at State Fired; 1 Rebuked
Two State Department employees were fired recently and a third disciplined for improperly accessing electronic personal data on Democratic presidential candidate Sen. Barack Obama, Bush administration officials said today.
The officials, all contract workers, used their authorized computer network access to look up files within the department's consular affairs section, which processes and stores passport information, and read Mr. Obama's passport application and other records, in violation of department privacy rules, State Department spokesman Sean McCormack said.
Secretary of State Condoleezza Rice was notified of the security breach today, and responded by saying security measures used to monitor records of high-profile Americans worked properly in detecting the breaches.
It looks like nobody is exempt from having their private data snooped. The Washington Post seems to be the ones who broke this story, but they do not appear to mention the fact that Obama was not the only candidate affected. Apparently Hillary Clinton's and John McCain's passport information was viewed as well.
Mr. McCormack said the officials did not appear to be seeking information on behalf of any political candidate or party.
"As far as we can tell, in each of the three cases, it was imprudent curiosity," Mr. McCormack told The Washington Times.
This is an election year; you can count on the fact that there were political motivations.
The Obama campaign denounced the accessing as "an outrageous breach of security and privacy, even from an Administration that has shown little regard for either over the last eight years."
Spokesman Bill Burton said "our government’s duty is to protect the private information of the American people, not use it for political purposes. This is a serious matter that merits a complete investigation, and we demand to know who looked at Senator Obama’s passport file, for what purpose, and why it took so long for them to reveal this security breach."
This is a serious breach of security and privacy, I agree. However, I wouldn't hold my breath on getting any cooperation into who was accessing these records illegally or what their motivation was.
Government records of political candidates are tightly restricted because of concerns they could be used against candidates or the data could be altered as part of campaign dirty tricks.
In this case, it does not appear that records were copied or altered, Mr. McCormack said.
Considering that they got caught just trying to read these records, I'd imagine that they were stopped before they could copy or alter this information. I have to hand it to the government for being proactive enough with their security so as to catch someone during read access, long before they would have a chance to copy or change the information. Maybe these guys have heard the old proverb about an ounce of prevention.
"We have strict rules restricting access to passport records," Mr. McCormack said.
Each time an employee logs on to the passport-records network, they are informed that the records are protected by the Privacy Act and are "available only on a need-to-know basis," he said. But no technical bar prevents a person, once he is in the system, from gaining access to Privacy Act-protected records to which he has no "need-to-know" rights.
But the network has an electronic monitoring system that is tripped when an employee accesses a record of a prominent person, like Mr. Obama. The alarm then triggers an inquiry into the incident, and "when the answer is not satisfactory, a supervisor is notified."
Emphasis is my own, but I think it would be rather appropriate to restrict access at this point. If a contractor has a need-to-know clearance for certain records, they should be placed into a temporary access list that allows that contractor to access the information for no longer than necessary to perform their job.
I would, however, like to see more security like this in the enterprise, not just at the government level. I Tripwire anything sensitive that I have, but unfortunately, that will not catch exceptions unless they alter or remove the data. Just reading the information is not enough to set off an alarm, though I could implement such a setup using SGI's FAM or GAMIN.
Monday, March 24. 2008
White House: Computer Hard Drives Tossed
Older White House computer hard drives have been destroyed, the White House disclosed to a federal court Friday in a controversy over millions of possibly missing e-mails from 2003 to 2005.
The White House revealed new information about how it handles its computers in an effort to persuade a federal magistrate it would be fruitless to undertake an e-mail recovery plan that the court proposed.
"When workstations are at the end of their lifecycle and retired ... the hard drives are generally sent offsite to another government entity for physical destruction," the White House said in a sworn declaration filed with U.S. Magistrate Judge John Facciola.
While destruction of hard drives is part of most any decent corporate information security policy, it does not appear to fall in line with the Presidential Records Act of 1978.
One of the bullet-points of this law states:
Specifically, the Presidential Records Act: Places the responsibility for the custody and management of incumbent Presidential records with the President.
Yet, according to the article by the AP, these emails were housed on the mail servers themselves, while there was no official means of archiving these documents.
Under pressure to provide details about its computer system, the White House told the congressional committee that it never completed work that began in 2003 on a planned records management and e-mail archiving system. The White House canceled the project in late 2006 and says it is still working on a new version.
In the absence of a permanent archiving system, the White House has been archiving e-mails on White House servers since early in the administration.
The White House says it does not know if any e-mails are missing, but is looking into the matter.
They don't know if emails are missing? If that's true, then they need to find someone that knows how to manage a mail cluster. Give me a bunch of Linux or Solaris servers, a couple 'cudas, a failover pair of F5s or something and $100K/year and I'll do it. Any takers? ;)
I'm going to go out on a limb here and guess that no one ever officially "knows" if emails were lost. It appears that this may be legal, though, due to Executive Order 13233, signed by George W. Bush on Nov. 1, 2001.
Sunday, November 18. 2007
Hushmail Turns Out to be Anything But
A court document in a drug smuggling case has shown that the private email service Hushmail has been cooperating with police in handing over user emails.
Hushmail claims to offer unreadable email as it uses PGP encryption technology and a company specific key management system that it says will ensure only the sender and recipient can read the emails. However it seems the Canadian company has been divulging keys to the American authorities.
The news will be embarrassing to the company, which has made much of its ability to ensure that emails are not read by the authorise, including the FBI's Carnivore email monitoring software.
"Hushmail's security cannot be broken or weakened by this government sponsored snooping software," the company states.
I caught wind of this a few days ago, but it looks like it's just hitting Slashdot.
Hushmail offers two options; the more secure option that downloads a java applet to your browser and does the encryption on the client side, and a more "user-friendly" option that does the encryption on their servers. The ever-present trade-off of security versus ease-of-use.
Both solutions use a form of PGP to encrypt your email, both sent and received. What they don't bother to tell you is that even with the "more secure" option, requiring the download of a java applet, is that the applet _could_ easily be sending either the cleartext email to their servers, or at least your PGP passphrase. Either would easily allow them to view and archive your emails.
Is anyone surprised that they cooperated with a foreign government? I'm certainly not.
Anyone who has any expectations of privacy in regards to their email has a gross misunderstanding of how email works. Might I suggest reading RFCs 821, 822, 2821, and 2822.
Long story short, if you want end-to-end privacy in your email, you must run your own mail server (MTA - Mail Transfer Agent) and your recipients must also run their own mail server. Some form of encryption, such as PGP, must be used on the sending and receiving stations, built into your email application (MUA - Mail User Applcation). If encryption is taking place on the MTA, then the email is passing unencrypted between the sender and the sender's MTA; or between the recipient's MTA and the recipient.
This is becoming more and more relevant as we've recently learned of the NSA spying on U.S. citizen's email.
Tuesday, October 30. 2007
Germany Seeks Expansion of Computer Spying
The laptop of one of the suspects in last year's bungled bombings contained plans, sketches and maps -- a virtual road map to an attack that could have killed dozens.
What if law enforcement agents had been able to secretly scan the contents of the computer before the attempted attack was carried out?
To the unease of many in a country with a history of government spying through the era of the Gestapo and communist rule in East Germany, law enforcement authorities are using the suitcase bomb case to argue for measures that would significantly expand their ability to spy on the once-private realm of My Documents.
Makes me glad I don't run that OS with "My Documents". At least in Germany, the government is openly acknowledging their spying; that's more than we get here in the States.
And in today's high-tech world, the proposed measure causes a chill to those who see hard drives as the new window to the soul.
"Back in the '80s when people were fighting the census, it was because they feared the state could find out that they were not honest toward the tax authorities or something like that," said Sven Lueders, head of the Humanist Union of Berlin, which helped organize a recent protest against the so-called Bundestrojaner, or federal Trojans. "Now what people fear is that the state can actually look into your computer. Because almost everybody has something on his computer that he doesn't want somebody else to see."
(Page 1 of 3, totaling 54 entries) » next page