.:Computer Defense:.

If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.

Over years the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity to life and even it has been used for evil.

Now according to Kurt Wismer the inventors of these (we'll leave water out of this since I don't want to start a religious debate)  should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.

This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.

So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV Engines. I happen to think that this is a great project that serves to highlights the many shortcomings of signature based AV detection. I'm also not the only one that feels this way as the paper was selected to be presented at WOOT '09.

So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125 and I'm also pretty sure I've heard HD Moore mention it during a metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature based AV look bad.

So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? Although in this case, the bad guys are probably well aware of packers and this becomes somewhat of a moot point, in the end if they were really desperate they could even pack their binaries themselves and upload them to VirusTotal to see ho well they do.

So again I'll attempt to close out this article. What is ethical? Personally I think sharing your research and working towards the betterment of technology is ethical and that sitting back and waiting for the bad guys  to beat you to the punch is highly unethical.

A couple of weeks ago, I posted regarding the logs of some SSH bruce force attempts I had logged on my server, and was looking through. One of the comments was asking for geolocation of the IP Addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service, you can do 20 lookups per IP per day unregistered and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide and it looked them all up at once and provided the results.

Here are the screenshots. It was a small set of IPs, but the top three countries were China, USA, Poland.

When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes:

• Software Engineer
• Software Developer
• Security Engineer
• Support Specialist
• Research Engineer
• Network Admin
• System Admin

The list goes on and on. Historically, I've divided those within IT into one of four groups:

• Developer
• Information Security (IS) Professional
• Information Technology (IT) Professional
• Web Developer

These days Web Developer could probably be folded into Developer since there's so much beyond simple HTML used to build web sites. That leaves us with Developer, IS Pro, and IT Pro. I tend to think that that is a fairly reasonable distinction, at a high level with one caveat. IS isn't really on the same level as the other two. Most people that you talk to have experience in either IT or Development when they move into IS. IS is a skillset that's built onto one of those two. Let's look at this another way...

Imagine this is a RPG and your Level 1 IT Worker. You can choose the abilities you upgrade and they include "Programming", "Router Config", "OSI Model", etc. The level ups for these may include "C++", "Java", "Routing Protocols", "Routed Protocols". This means you could follow the path of IT Pro, Developer or "Jack of all Trades". It isn't until you reach one of these levels that you unlock the next round of abilities (the IS skills) which may include "Packet Analysis" (requires Routing and Routed Protocols) and Binary Analysis (requires "Programming" + 1 Level UP). Only at that point do you move to "IS Pro".

You're probably saying to yourself, "WTF is he talking about?" After all, I'm reading this and thinking that. What I'm talking about is this blog post, 'what do you need to know to work in infosec'. To put it plainly, the list is wrong. Well the list isn't wrong, the list is correct, but the title is wrong. With the exception of one or two items, this list reads more like a "what do you need to know to be a sysadmin" or "what do you need to know to work at a helpdesk"

Now as I said, IT is a stepping stone to IS, so yes, at one point or another you probably learned many of these if you now work in IS, but these aren't the things you need to know to work in IS, these are the things you need to know to work in IT.

So let's take a look at the 'What you need to know...  ' list and figure out where the line items fit. If we take the ones you really need to know to work in IS we've got maybe 5-7 items (1, 11, 14, 15, 17, 18 and 19) - I'll let you decide if it's some or all.  Let's think about some of the others. Numbers 2 -5 are all networking related, I know people in IS who've never touched them... now as a network admin or member of the network group (which would fall under IT) these would be important skills. With numbers 6 - 9, we're looking at a sys admin, or help desk employee (again positions I'd consider to be IT related). Now 10, 12, 13, and 16. These could be argued a few ways but I'm going to call them help desk or support type things and bundle that up into the IT category.

So what's my point? To state that I disagree with a definition of infosec that "needs" all those abilities. Then again, people may even disagree with the 5-7 I felt could be kept. In the end that list is a great list if you want to go get the title of Network Admin or Sys Admin, or even in some cases Security Admin but even at that, working in a enterprise security group where you may deal with all those tasks (it seems doubtful that you'd rely on the security team to install software though) that's one very small aspect of infosec.

A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension, it enables all files containing that string.

Example: AddType application/x-httpd-php .php

In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP.  I found this to be rather interesting and started testing with a few servers I have handy.

It appears as though this isn't the case 100% of the time.

I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34, however it wasn't true on the two Apache 2.2 systems.

I contacted the handlers at ISC to follow-up with them, however I haven't heard anything confirming one way or another. Has anyone else tested this on their servers?

Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to:

• Does Web 2.0 Make Availability More Important?
• Are Denial of Service and Availability Interchangeable?
• A Browser Crash is...?
• A Firewall Denial of Service is...?
• A Web Server Crash is...?

These are the questions that drew the responses that I was really interested in... so let's jump right in.

Question 5 - Does Web 2.0 Make Availability More Important?

With this one here, I was rather impressed by the splits, overall we had 89 'Yes' responses to78 'No's. Our biggest group (IT Professional) saw 34 to 20 in favour of 'Yes', while the second biggest group (Security researcher) was an even split of 26 to 26. Perhaps the most surprising was IS Professional with 16 to 10 in favour of 'No'. Going into this survey if I had to pick one question that I thought would be clear cut, it would have been this one. I thought that everyone would say yes, that obviously isn't the case. So what did people have to say about this question?

If anything Web 2.0 has shown how little people care about availability. - Security Researcher/No

Web 2.0 (Web 'Uh-oh') actually opens up an entirely different set of security issues... - Security Researcher/No

There are just more people pissed off about it. - Developer/No

Availability is an issue for COBOL apps written in the 1960s.  Mission critical is mission critical.  Platform is irrelevant. - IS Professional/No

It really shouldn't it should have been just as important 10 years ago. I think the big difference is rather than 10,000 web users on a site 10 years ago, today there may be 1,0,000! Web 2.0, to me, signifies a big uptake in people casually using those tools. This makes A seem important as it really affects revenues and perceptions.  But should it have been less important? I guess that's a paradigm difference amongst people, but I think it should always have been important. - IT Professional/No

The purpose, not the technology dictate when availability is more important. - Management/No

As you can see, I've only selected comments where the commentor selected 'No' as their answer. So it seems to be that it's not, 'more important' but should be considered 'as important', at least to some people. That's complete valid... just not how I looked at it. I had assumed more people... more importance. The developers comment is interesting, "There are just more people pissed off about it". That follows the logic that I had used in my assumptions, yet they answered no. I guess that means the question comes down to "more important to who"? The business, the user or both? I'd say both. If I can access the service, I'll be happy. If I'm happy I'll most likely be retained as a customer. If I stick around, I'll probably buy more and the business will be happy.

The remaining comments either passed off 'Web 2.0' as a horrid buzz word or revolved around the concept I just mentioned, more people and more business make Web 2.0 more important.

Read more...

So here we go... I know some people have been waiting to see these numbers so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately but I've still counted the drop down boxes from that survey. There were 204 anonymous responses and 75 with names, email addresses or websites attached to them. People that follow me on twitter may have noted last night that I was really enjoying the comments. Based on the comments to the first question I had done a quick estimate, expecting ~600 comments... however the numbers dwindled on the following comments and picked up again for the last question. In the end I received 250 comments in addition to the survey responses. I haven't yet decided if I'll make the survey data available but if I do, I'll definitely remove all personal information.

The survey posed 9 questions and allowed for plenty of space to provide comments, so I was really excited to see the answers that I would get.  Some people felt my questions biased the responses (I believe it's impossible to do anything without introducing personal bias on some level) and others questioned what I was trying to get at.  I think I'll start by summing that up as simply as I can.  If someone causes me to lose access to something, I believe they've denied me service and it is therefore a denial of service. I've seen all sorts of responses that it depends on if the denial was malicious or accidental, that it only applies to servers and so forth. I think it's much simpler than that... if I visit a website and it crashes my browser... Denial of Service. If I run a web server and someone crashes it... Denial of Service. So I wanted to know who shared my opinion and how people felt about Denial of Service.

For this post I'm going to provide graphs of the responses, mapping response to profession and some minor feedback.

Read more...

Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality & Integrity vs Availability, instead of all three being treated as important. Anyways I've been under constant hounding to release some statistics from the survey, so I figured I'd do a multi-part series on Denial of Service (ok... so right now it's planned as a 2-part series). This first part is a precursor, since I had numerous people argue on whether or not DoS and DDoS were the same thing or different things and also on whether or not DoS was still valid (more on that to come). Since the survey was part of a conference talk that I wanted to do and the talk wasn't accepted, I figure it's as good a time as any to start posting.

One of the most interesting things that I came across during my initial investigation was that there's no clear definition of Denial of Service. A simple define: denial of service search on Google yields numerous results:

Attacks on wired networks require a far greater deal of computing power, often even requiring the need of distributed computing. Attacks on wired networks of course do not require any NICs or external antennae, yet often does have the need of a (broadband) connection to the Internet. (Wikipedia)

I rather enjoy this one because it has two interesting remarks. The first is that you require a great deal of computing power to perform a denial of service attack. The second is that when attacking a wired network you do not require a NIC.

A type of attack that tries to block a network service by overloading the server. (Ingate - A firewall vendor)

Blocking a network service is definitely one form of a DoS, however a single computer usually doesn't accomplish the task very well and this will usually be a DDoS.

denial of service: An attack that consumes the resources on your computer for things it was not intended to be doing, thus preventing normal use of your network resources for legitimate purposes. (The Linux Security How-To)

This time instead of "overloading the server" we see "consumes the resources". One again, we seem to be confusing DoS as a whole with a single type of DoS or a DDoS. This confusion seems to occur everywhere. When I was initially distributing the survey link, I had numerous people question why I was even bothering. They claimed that DoS was irrelevant because it was simply a packet flood, that you were "overloading the server" and "consuming the resources". This is not the case at all and, as I've mentioned repeatedly, they were looking at a single piece of the Denial of Service Pie.

So what is a Denial of Serivce? Excellent question. There are actually a few sites that define it more appropriately.

Denial of Service: Result of any action or series of actions that prevents any part of an information system from functioning. (KeyBank)

Denial of Service: Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks (SEQUI)

This is a much more accurate definition of Denial of Service and I'm glad to see that there are proper definitions floating around.

If I were to define Denial of Service, I would say, very simply, "The absence of Availability." I don't think the definition itself needs to go much beyond that. It is very broad, but broad can be good. Some people may argue that it's too encompassing but that definitely isn't the case. Think about the recent Slashdot downtime, while the problem was internal, it was a Denial of Service in the broadest sense of the term. Whether it's a power outage, a tornado, a tank driving through your data center, a packet flood or a malformed packet bringing down a listening server... it's all Denial of Service.

Now DDoS is another beast. Distributed Denial of Service tends to be defined more reasonably most of the time and people are generally clear on what it is. Essentially, it's what everyone I quoted above was describing, a wide-scale, multiple-source attack that consumes resources and renders the device or service inaccessible. Metasploit, and many others, have experienced this recently.

So why is all of this important? It helps you to understand the logic and reasoning behind some of the questions on the survey. Many people left comments stating that the questions were unclear, primarily because they were thinking of Denial of Service in terms of a packet flood. Before I release details on the survey, I want to be sure people have a clear understanding of what I'm talking about. I know what you're thinking, and I should have done this prior to the survey, however I didn't realize that what I considered to be a industry standard definition was not.

That is why I asked questions like, "Is Denial of Service a Vulnerability?" Some said 'no', it's a packet flood and that isn't a vulnerability. Many said 'sometimes', with the logic that some times it's taking advantage of a vulnerability and other times it's a simple packet flood. Personally, I like 'sometimes' as the answer to this question, although the comment that I'd add would be that I consider the majority of DoS to be a vulnerability (in other words, 'sometimes' doesn't need to be a 50/50 split). The answer however, may depend on where you sit within IT/IS or perhaps where you sit within your organization.

I see a vulnerability as any weakness, within reason, that leaves you vulnerable. Some see a vulnerability as a coding flaw or poor protocol implementation, while others see a configuration option as a vulnerability. I've been told that a null pointer dereference shouldn't be labeled as a 'critical vulnerability' but we've all seen what Mark Dowd can do with one. I guess my point is that no answers were cut and dry, that's why I left the ability to comment on the majority of the questions.

So back to my point... my goal was to find out what everyone thought Denial of Service meant, and when they felt the label "Denial of Service" applied. Is a web server crashing on a malformed HTTP request a DoS? If it is, then is a web browser crashing on a malformed HTTP response also a DoS? The opinions on answering this can be quite varied, and in writing this I believe I just talked myself into a third post... a follow up with my commentary to the survey data, especially to this point as the answer really intrigues me. That being said, I invite everyone to comment on this point in particular (of course I always welcome comments on everything).  Whether it's a comment below this post, or a blog post of your own... I would love to see full responses (in greater detail than the survey could have possibly allowed for) to those two questions.

I have theories and thoughts that I will expand on as well, as I explore this series (I believe I've just through of a fourth post now)... but up next will be the survey results. I just wanted to be sure that everyone had an understanding of the difference between DoS and DDoS, and that it was understood, or at very least understood that I feel, that a DoS is more than a simple packet flood.

[Update: Due to Bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.]

DVL 1.5 is out, and I have mirrored it again.

There is also a call out for people to create training materials, so if you can, swing by the DVL forums and volunteer to make a video or two. However, I'm unsure of where to find the forums (there's no link on the main page and I'm not a user). Please share a link if you know how to get to them.

I wanted to take a minute to mention a new project that Marcin and I have started that we're calling SSLFail.com. One of the primary purposes of the site is a gallery of images of sites with failed SSL due to invalid certs, bad domain names, etc. Browsers can add more and more protection against sites with poor SSL implementations, but until these big players on the web ensure they have valid SSL, users are going to continue to click through these error messages.

This isn't all the site will be though. Expect to see future discussions on our reasoning for the gallery, as well as tips and tricks and anything else.

We've already added two additional contributors. Jay Graver and Romain Gaucher.

Romain Gaucher mentioned this on twitter and I had to post a screenshot for anyone who hasn't seen it... it's awesome.