Using Firebug to Beat Poor Web Development

For my 500th blog post, I figured I'd share something amusing.

From time to time, my wife and I order from Swiss Chalet and the order is pretty standard: quarter chicken and a baked potato. The one thing we've always found is that they don't provide enough sour cream with the baked potato, but luckily, for $0.25, you could add an additional container of sour cream. Recently, however, they've removed that option. The item is still on the menu, and you can still visit the page, but the 'Add this to your order' button was removed. This weekend, while we were ordering, I decided to see if Firebug could assist me in ordering my extra sour cream.


SecTOR!

I guess it's time for that post SecTOR write-up. Time to share every little thing I can remember... which, luckily for you, isn't much. I'm going to divide this up in sections to make it easier to organize my thoughts (or for you to skip parts).

Canadian Information Security Awards

Kudos to the organizers for attempting this, but it was a bust. I don't think it should be abandoned though; I just think we need improvements for next year. So few products are limited to one country for contribution that I wonder if a lot of people didn't vote because they didn't know what counted. I'd like to suggest new categories for next year:

  • Best Canadian Security Blog
  • Most Innovative Canadian Security Research
  • Canadian Information Security Professional of the Year

Those are things I'd be interested in voting on and I think the prize of a netbook is much better suited as an individual award.

Speakers

Once again SecTOR had top-notch speakers, some returning and some new. I have to admit though, that I didn't see nearly as many talks as I wanted to... I spent too much time chatting with people in the vendor area, keynote hall and hallways. I took in three talks the first day and that was the extent of it. I saw Raf's Web 2.0 talk... I love the look on people's faces when he mentions Native Client. I also took in RSnake and Hoff's sessions. I had intended to see two or three more sessions but other commitments kept me away from those. From what I heard, everyone enjoyed what they saw... and the complaints were few and far between, if they existed at all.

I definitely enjoyed being able to meet up and chat with a few of the speakers, at the speakers dinner and sitting around the bar afterward. I was able to share some stories and hear some at the same time. While Toronto has a strong security community, it's nice to expand the contact list and network until you can't even hold your beer, and even then you can simply pass over the business card as you fumble with your pint.

Reception & Speakers Dinner

While I preferred the reception in previous years with the open bar in the keynote hall, I was fairly impressed with the reception at Joe Badali's. The food was good and the drinks were free. We filled tables and chatted and had a great time.

Even though I'm in Toronto, I had never been to Joe Badali's before so I wasn't sure what to expect from dinner. I was surprised by how good the food was. I opted for the vegetarian option (pasta) and it was incredible. I will say that the last thing I expected to see at the speakers dinner was a lap dance... but at least it was good for a laugh (video I recorded coming later).

Vendors

Vendors are great because their money helps keep your ticket price down. I had the opportunity to chat with a number of vendors this year and while the talks were interesting... everyone's always interested in the swag, so let's give a rundown of that.

In the 'best geek swag' category, eSentire had password keeper Post-its at their booth; unfortunately I didn't stop by and get any... they were pretty cool looking, though beyond the humour not overly useful.

In the 'best overall' category, I want to give it to nCircle, but people might call me biased. We had the only t-shirt giveaway and the slogan was my idea... so I need to vote for it :) We also had caffeinated chocolates that were mighty tasty.

Beyond that, most of my swag didn't even make it home... I've got a ForeScout stress cube that survived and I gave away my Tripwire flashlight because someone asked for it (always a nice offering, although when I first saw it I was hopeful for a laser pointer). I took a couple of pens, which weren't bad, but unfortunately there were limited offerings of notepads and paper, one of my favourite conference takeaways... I did manage to snag some Post-its from Rapid7 but that was about it.

In the, 'I thought it would be cool but it wasn't' category is the travel alarm clock from Sentry Metrics. They had mentioned to me that the clocks were a rush order, so they can't be held responsible but the company that was peddling the clocks originally definitely had a horrid product. I actually have pictures from a table at Lonestar with the clock spread out in pieces. The hinge came out of the box broken, the open button worked once and the instructions reminded me that "PM is displayed in the afternoon". It was good for a laugh over beer and that was about it.

Socializing

The best part of SecTOR was the social scene... just like it usually is. Whether it was chatting at the con, or afterward at the bar, it was a great time. I got to put faces to names that I've chatted with and never met but also gather with people that I don't get to see often enough. We had some great conversations, some ideas for interesting concepts/research to put together and a whole lot of fun.

I'm already counting the days until SecTOR 2010, it'll be a great time!


SecTor Tomorrow

Tomorrow is SecTor and I'm rather excited. There are so many talks I want to take in that I, unfortunately, can't see them all. On top of that the speakers dinner and meet-up at the Loose Moose should be awesome.

nCircle will have a booth this year and will be giving away T-Shirts and chocolate. So stop by and say hey to everyone there. I'll be floating around but I still haven't finalized my schedule (too many good talks, too many people to see, the conference needs a third day to fit everything in).

Anyways, ping me on twitter (@treguly) if you're floating around and want to meet up to chat or grab a drink. If I'm not around, it means I'm rushing to finalize my slides for the SSLFail.com panel.


On Teaching…

I remember one day in elementary school when we were dressing up for our future careers. I don't remember why they had us perform this ridiculous act, but I do remember it happening. I got up that morning, got ready for school, dressed up in nice clothes and picked up my "brief case"; in reality it was a cassette carrying case with the dividers removed, but it served its purpose. I was going to be a teacher. Then when I was old enough to see the looks on my teachers' faces in high school... the face palms, the head shakes and the rolling of the eyes as they dealt with student after student, I quickly changed my mind. After about 20 other options, I settled on IT and then narrowed the field and ended up in IS.

I can't say that I've never looked back and had a "what if" moment. In fact, I had many "what if" moments over the years and I always told myself I'd make a great teacher. Unfortunately, no matter how many letters I sent to the Ontario College of Teachers, they were convinced that computers were not a "technology" course but rather general education... which meant a university degree (something I don't have) is required to teach computers. So teaching was always put on the back burner, something I would do as soon as I went back to school to turn my three year diploma into a degree.

In the end though, it turns out I can teach... I just can't teach high school. Where do you put someone you don't feel is educated enough to teach teenagers? In college :) . Earlier this year I was contacted to develop a new course on computer security, and after the course was submitted I was asked if I was interested in teaching it. I jumped on the opportunity and I'm now a teacher.

So now I'm sharing it with all of you... why? Because my students are required, as one of their assignments, to blog on the course and what they learn... I figure I should be subject to the same requirements (and it's another excuse to find time to blog).

I have to admit that on that first day, I was scared shitless... still am really but I'm having a lot of fun. So far it's been pretty basic stuff, setting up VMs, installing some tools, talking about malware and playing with python but it's been really good. There's something great about watching someone figure out the next line of code in a small python script or getting back thoughtful discussion comments to questions you pose. I'm really looking forward to seeing where the rest of the semester goes.

There are a few things to get used to though. One of those is that not everyone is at the same level, some people need more help and some people don't want help. I should have remembered this from when I was in college, but somehow it had slipped my mind. The really odd thing is being called 'sir'. I'm sure the last time I was called sir, it was followed by, "Would you please leave, you're making a scene." I'm from the same generation as a lot of my students, so hearing 'sir' actually feels rather awkward. That being said, it's a small price to pay to do something I've always wanted to do.

So, that's my story... I teach 6 hours a week, and probably spend another 20 hours working on class related material (sending emails, reading labs and thinking about what we're doing next). And on that note, this Friday we cover reverse engineering and I've got some prep to do.


What is Ethical?

If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.

Over the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity of life and even it has been used for evil.

Now according to Kurt Wismer, the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.

This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.

So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV engines. I happen to think that this is a great project that serves to highlight the many shortcomings of signature-based AV detection. I'm also not the only one that feels this way, as the paper was selected to be presented at WOOT '09.

So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125 and I'm also pretty sure I've heard HD Moore mention it during a metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature based AV look bad.

So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? Although in this case the bad guys are probably well aware of packers and this becomes somewhat of a moot point; in the end, if they were really desperate, they could even pack their binaries themselves and upload them to VirusTotal to see how well they do.

So again I'll attempt to close out this article. What is ethical? Personally I think sharing your research and working towards the betterment of technology is ethical, and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.

Has SBN Stopped Being Useful?

I think that the Security Bloggers Network (SBN) is amazing, so please don't misinterpret this post... I've provided the domain for the website and host a mailing list (although it was infrequently used even during the 2 months when people used it). Yet I have to wonder if it is perhaps becoming a little too large and if it requires a filter.

I know there have been debates in the past over whether or not SBN was full of noise and you can't really debate that... but it's full of noise in the way that twitter is full of noise... most of the noise is useful.

Let's take a look at the BrickHouse Security blog... first it should be stated that BrickHouse is an online storefront selling GPS Trackers, Spy Equipment, etc. Now let's look at some of their recent blog posts...

Taconic Car Accident Tragedy Could Have Been Avoided with Technology - For anyone who hasn't read it, or can't guess from the title... it's a blog post about a woman dying in a car accident... at least the first two paragraphs are. The second two? A write-up on how if she'd had a GPS tracker in her car, she'd still be alive... Wait! What does BrickHouse sell again? Oh yeah... GPS trackers. <-- I hope other people's stomachs turned... because mine sure did.

How about this post, spreading FUD explaining bump keys (first thought: "Wait... hasn't this been discussed everywhere for a couple of years now, why bring this up now?"). Then I reached the last two paragraphs that contained the solution to bump keys... biometric locks -- conveniently sold by BrickHouse Security (including a link to them)... with the following text:

These tools are the first step towards having a secure home and for thwarting the steps criminals take to get around security measures. As long as homeowners are smart and realize the technology that is at their disposal, the bogeyman will fade away.

I see... they can protect me. After all, we've never, NEVER, never seen biometrics bypassed!

I honestly don't see any value added from blogs like this being included within SBN.

SSH Brute Force Attempts — GeoLocation

A couple of weeks ago, I posted regarding the logs of some SSH brute force attempts I had logged on my server and was looking through. One of the comments was asking for geolocation of the IP addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service: you can do 20 lookups per IP per day unregistered, and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide, and it looked them all up at once and provided the results.

Here are the screenshots. It was a small set of IPs, but the top three countries were China, USA, Poland.


Screenshot == Reported to FBI?

I have to say that I was completely shocked when I read this (via SpywareGuide) yesterday... the first thing I did was send it to everyone I was talking to on IM. Write to help protect people from phishing sites and have a complaint filed with the FBI? There's something seriously wrong with this picture.

PayPal seems to be stepping all over themselves lately: they completely stalled HFC (thankfully resolved now) and now this. I just can't imagine what goes through someone's head that they send a letter to the ISP and file a complaint with the FBI... did they even have any idea what they were looking at? Did they understand that the site was helping people, not hurting them?

I could continue to rant on this, but mainly I just wanted to make sure as many people as possible saw and read it. Though it should be noted this isn't the first takedown request with the threat of legal follow-up based on a screenshot; FailBlog was hit with this not too long ago. Although Guinness Book of World Records didn't go to the FBI.


Does (Spam|Phishing) Filtering == Email Censoring?

I was reading about the Gmail Labs option to display a key icon if the sender's domain is signed using DKIM and the sender is eBay or PayPal. This allows you to quickly verify if the email is legitimate by looking at the icon. Now it apparently takes some work for a domain to be "super-trustworthy", so this key can't just work for any domain. (I suggested two types of keys, one for all DKIM emails and one for these "super-trustworthy" DKIM emails -- almost like SSL vs EV SSL (it kinda hurt to say that though).)

Anyways, to get back on track, as I was reading some of the comments on the Google Group, I came across this one, 'Censoring my Email'. It actually made me stop and think for a second. On one hand Gmail is indeed censoring the email you see, however they're doing it to filter spam... is it really censoring at that point?

I think we first need to consider what's being filtered. Any email from paypal.com or ebay.com (or their international counterpart domains) must be signed with DKIM. If Gmail can verify the DKIM signature, it delivers it to your inbox; however, if they can't, they send it to /dev/null. How much spam does this filter? Well, basically anyone who's set their own 'MAIL FROM' response to paypal.com/ebay.com. People who set their name to 'PayPal Support' with an email address of paypal-support@gmail.com will not be filtered and will show up as just 'PayPal Support', unless the recipient clicks 'Show Details'.

Now imagine that you're a non-technical Gmail user who's read an article that says paypal.com/ebay.com emails aren't even delivered to you if they are spam (that wasn't quite the wording Gmail used, but it's not hard to imagine it happening). You see an email that says 'PayPal Support' and you're going to click on it (after all, users are trusting... that's why phishing works in the first place). This could cause a lot of problems (maybe this is even why the idea of showing the key for "super-trustworthy" domains came along). So Gmail responds by introducing this key icon... and when you look at it this way, it almost seems required. Yet it was this introduction that made the filtering more evident to people and which prompted the comment that sparked this blog post.

So, back to the original question... is filtering spam and phishing emails the same as censoring email? I definitely don't think so. I applaud Gmail for making an effort to limit the spam that appears in a person's inbox (if only they were filtering my personal and work email :) ). However, I disagree with their approach and I see two problems with it.

The first is that they waited over a year between filtering email and providing verification for valid email. This could have led to many cases like the scenario I described above, and since the feature is only in Labs, not everyone will use it and it could lead to many, many more cases like that.

The second is that they filter anything not signed via DKIM from ebay.com/paypal.com. After reading about this I went and set up DKIM on my server to get a better understanding of how it works. It requires trust in two protocols that can't necessarily be trusted, SMTP and DNS. What happens when eBay/PayPal have a DNS issue and restart DNS and it doesn't start immediately... how many potentially valid emails could be dropped? What happens if someone gets it in their head to attack Gmail with DNS cache poisoning? What if someone at eBay/PayPal adjusts a mail server rule and the DKIM header stops being sent?

It's entirely possible that this email is "super-trustworthy" because work arounds have been implemented for every issue I've mentioned above, that still doesn't protect users that don't have the key icon yet. At this point, I guess the best we can hope for, is that this feature spends very little time in Labs before being implemented across Gmail.

So in the end... (Spam|Phishing) Filtering != Email Censoring and we should be thankful for it, not fighting it.
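As an added illustration (not Gmail's code and not the post's own), here is a Python policy check for the rule described above. It assumes an inbound MTA has already done the actual DKIM verification (the DNS lookup of the signer's key) and recorded the verdict in an RFC 8601 Authentication-Results header, and it also flags the 'PayPal Support' display-name case that the strict rule lets through; the domain sets and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains that must carry a verified DKIM signature to be delivered at all
# (the Gmail rule described above; the "international counterpart" domains
# are left out of this constructed set for brevity).
STRICT_DOMAINS = {"paypal.com", "ebay.com"}
# Brand words that, in a display name, suggest impersonation when the
# address domain is not one of the strict domains.
BRAND_WORDS = ("paypal", "ebay")

# Pulls (result, signing domain) pairs out of an RFC 8601 style
# Authentication-Results header, e.g. "dkim=pass header.d=paypal.com".
DKIM_RE = re.compile(r"dkim=(\w+)(?:[^;]*?header\.d=([\w.-]+))?", re.I)


def dkim_passes(msg):
    """Set of domains whose DKIM signature the upstream verifier accepted."""
    passed = set()
    for value in msg.get_all("Authentication-Results", []):
        for result, domain in DKIM_RE.findall(value):
            if result.lower() == "pass" and domain:
                passed.add(domain.lower())
    return passed


def classify(raw_message):
    """Return 'inbox', 'drop' or 'suspicious' for one raw RFC 5322 message.

    Only the Authentication-Results header added by our own inbound MTA is
    trusted; any header of that name supplied by the sender must have been
    stripped before this point, otherwise the verdict could be forged.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain in STRICT_DOMAINS:
        # Claims to be from PayPal/eBay: deliver only with a verified
        # signature from that exact domain, otherwise discard.
        return "inbox" if domain in dkim_passes(msg) else "drop"
    if any(word in display_name.lower() for word in BRAND_WORDS):
        # The case the strict rule misses: a brand name in the display
        # name on an unrelated address such as paypal-support@gmail.com.
        return "suspicious"
    return "inbox"


# Constructed sample messages (not real mail); headers only, body is filler.
SIGNED = (
    "From: PayPal <service@paypal.com>\n"
    "Authentication-Results: mx.example.net; dkim=pass header.i=@paypal.com header.d=paypal.com\n"
    "Subject: Your receipt\n\nhello\n"
)
UNSIGNED = (
    "From: PayPal <service@paypal.com>\n"
    "Authentication-Results: mx.example.net; dkim=none (message not signed)\n"
    "Subject: Your account\n\nhello\n"
)
SPOOFED_NAME = (
    "From: PayPal Support <paypal-support@gmail.com>\n"
    "Authentication-Results: mx.example.net; dkim=pass header.d=gmail.com\n"
    "Subject: Verify now\n\nhello\n"
)
ORDINARY = "From: Alice <alice@example.org>\nSubject: lunch\n\nhello\n"

if __name__ == "__main__":
    for name, raw in [("signed", SIGNED), ("unsigned", UNSIGNED),
                      ("spoofed name", SPOOFED_NAME), ("ordinary", ORDINARY)]:
        print(f"{name}: {classify(raw)}")
```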


SSH Brute Force Attempts

Quite a while ago I modified an instance of sshd to log the client version and password for every attempted login. I then set it listening on a separate interface that I never log into. I finally got a chance to parse the logs (3 grep lines to dump data from the auth logs and 27 lines of python to generate a CSV to load in Excel). The result was 12,214 attempts from 27 different source addresses.

The top 10 offending IPs were:

209.160.20.243 2752
211.144.121.116 2153
89.33.253.232 1557
24.72.23.27 1522
203.185.29.143 848
63.219.16.13 689
79.190.88.34 606
212.2.125.67 543
82.207.66.14 357
61.221.41.96 328
Grand Total 11355

On the username side, root came in at number one (did anyone not see that coming?) and the top 10 usernames accounted for roughly 1/3 of the attempts:

root 3336
test 256
admin 165
oracle 123
ts 85
tester 79
nagios 78
tss 77
ts2 75
testing 74
Grand Total 4348

I also don't think that there's much of a surprise with the top 10 passwords:

123456 604
password 369
12345 200
test 179
test123 163
passwd 136
123 114
1234 87
qwerty 71
abc123 59
Grand Total 1982

I will most likely post the file going forward or release additional numbers (I'll admit that I'm kinda curious to read through all the usernames used),  either way, there will be more data.
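A Python sketch of that parsing step, added here and not the post's own 27 lines: it pulls stock sshd 'Failed password' lines out of a constructed auth.log excerpt (addresses borrowed from the table above), tallies per source IP, username and password, and writes the top-10 tables plus a grand total as CSV. The trailing 'password=' field is a hypothetical format for what a patched sshd might append; stock sshd never logs the password.

```python
import csv
import io
import re
from collections import Counter

# Standard OpenSSH "Failed password" line. The optional trailing
# "password=..." field stands in for whatever a patched sshd (like the one
# the post describes) appends; that field's format is hypothetical.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
    r" port \d+ ssh2(?: password=(?P<password>\S*))?"
)

# Constructed auth.log excerpt (not a real capture).
SAMPLE_LOG = """\
Aug  9 03:12:01 host sshd[2201]: Failed password for root from 209.160.20.243 port 40112 ssh2 password=123456
Aug  9 03:12:03 host sshd[2201]: Failed password for root from 209.160.20.243 port 40113 ssh2 password=password
Aug  9 03:12:05 host sshd[2204]: Failed password for invalid user test from 211.144.121.116 port 5012 ssh2 password=test
Aug  9 03:12:06 host sshd[2204]: Failed password for invalid user admin from 211.144.121.116 port 5013 ssh2 password=123456
Aug  9 03:12:09 host sshd[2207]: Failed password for root from 89.33.253.232 port 3322 ssh2 password=123456
Aug  9 03:12:10 host sshd[2207]: Disconnecting: Too many authentication failures for root
Aug  9 03:13:44 host sshd[2210]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2
Aug  9 03:14:02 host sshd[2213]: Failed password for invalid user oracle from 209.160.20.243 port 40114 ssh2
"""


def parse_attempts(lines):
    """Yield (username, source ip, password-or-None) for each failed login."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip"), m.group("password")


def tally(lines):
    """Count failed attempts per source IP, username and password."""
    ips, users, passwords = Counter(), Counter(), Counter()
    total = 0
    for user, ip, password in parse_attempts(lines):
        total += 1
        ips[ip] += 1
        users[user] += 1
        if password is not None:  # absent on unpatched sshd lines
            passwords[password] += 1
    return total, ips, users, passwords


def to_csv(total, ips, users, passwords, top=10):
    """Top-N tables plus a grand total, as CSV text for a spreadsheet."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["category", "value", "count"])
    for category, counter in (("ip", ips), ("username", users),
                              ("password", passwords)):
        for value, count in counter.most_common(top):
            writer.writerow([category, value, count])
    writer.writerow(["total", "", total])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(*tally(SAMPLE_LOG.splitlines())))
```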
