Tuesday, December 16, 2014

Why Do Security Sites Penalize Tor Users?

If you are a regular user of Tor, you are already on an NSA watch list. That came out back in July. OTOH, being on an NSA watch list is not a very exclusive club: all you have to do to qualify is read Linux Journal. That came out in July as well.

Tor development, IIRC, was originally funded by the US Navy, and received additional funding from the State Department. It was useful for dissidents living under repressive governments. You can probably fact-check me on About Tor, with no additional penalty, because NSA are likely to be targeting the most likely readers of this blog anyway. Systems or network admin? Check. Encrypted mail user? Check. Ad nauseam.

Is startpage.com on the side of light?

Startpage.com bills themselves as "the world's most private search engine", and are the default search engine of Tor Browser. But if you use Tor, you will be periodically presented with a CAPTCHA. On the page, you will see the following text.
As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.
Thank you,
The StartPage Team
But I have never seen this using plain Firefox, upon which Tor Browser is based.

What about that symbol of rebellion and hackerdom, BlackHat?

I am not a fan, for reasons that seem good to me. But no security worker can ignore the storied history of this conference. For those with short memories, BlackHat 2009 was when Moxie Marlinspike, Dan Kaminsky and Mike Zusman, in separate presentations, managed to collectively beat SSL/TLS to death.

Yet Tor users will see something that is probably a bit familiar.
One more step
Please complete the security check to access www.blackhat.com
aaaaand... Another CAPTCHA.

The Worst Thing is Teh Stoopid.

CAPTCHA is far past any sort of relevance. Mechanical Turk CAPTCHA-solving was available years ago. Neither faster timeouts nor more obfuscated puzzles have fixed the problem. At this point, I can only characterize them as both increasingly annoying, and increasingly useless.

Google, whatever you may think of them from a privacy standpoint, recognizes this, and has just introduced the "No CAPTCHA reCAPTCHA" checkbox. Though this entire approach is fundamentally flawed, this is at least a temporary and partial fix. Now, if only sites that choose to market themselves as either secure Internet tools, or security-focused, would just suck a bit less, I am sure we would all appreciate it very much.

Monday, December 15, 2014

Today Was an Infrastructure Day

Sometimes we are all under the hammer of time, and things have to happen Right Now. But now and then most of us get lucky, and have slack time. I treasure those days, because I can drag out that mental, digital, or physical TODO list of things that need to be done for the future. And I pound on it, because that is some of the most interesting work that I do, and there is always a reward of some sort.

Most times, it involves working on infrastructure; the scaffolding that we have to have in order to keep doing what we do, only better. So slack time doesn't mean go sit on a beach. Which is just as well, in my case. This is December, and Oregon almost perfectly fails to resemble Hawaii. I touched on this back in August, in Optimize for the Exploration of Ideas.

So, What Did I Do?

I organized some stuff. I have a directory named 'REDACTED' (naming specific directories and what they contain is a huge information leak, if you care about security) that accumulates ideas, design notes, TODOs, etc., on where various internal projects need to go. It can accumulate a lot of cruft, and lose value as a planning tool. It needs all the care I can give it, and I measure success in this at least partially in how much useless crap I deleted.

I rebuilt some stuff. Because sometimes it only takes a few changes in a tool (either physical or software) to radically improve your capabilities. The bad guys are innovating at a tremendous pace, with the value and speed benefits that innovation always provides. If we cannot more than match that, we are hosed. Economics does not much care whether your hat is black or white.

I wrote some stuff. I never intended to become a writer of any description, but I have always admired talented writers. It was writers that turned me into a technologist at an early age, and the power to steer a life is something to be respected. But I follow a couple of writer blogs, and they tend to advocate things like writing a minimum number of words per day, which my life completely fails to allow. I wrote a lot of fragmentary, but hopefully clear notes to myself. I wrote this post, and hopefully moved a few others closer to publication. I also wrote final versions of template files that will change my software documentation workflow completely. Perhaps that should have fallen under 'rebuilt'.

Thursday, December 11, 2014

Good News: Power Failure

Rather expected it, actually. There are high winds blowing in from the Oregon coast, the weather news is full of it, etc.

So there I was, minding my own business, coincidentally thinking about data QA and reaction times, for an entirely unrelated reason. Which makes for a very sweet coincidence, as now I've pulled data from a couple of scripts I wrote to check the APC UPS. There is frequently a PostgreSQL db server running on this machine, and the combination of databases and unreliable power always ends badly.

That usually happens sooner rather than later, but like most people I tend to put off characterizing what things actually look like as systems fall down. I advocate doing this all the time, to the extent of periodically killing test systems at the power distribution panel. "Really. Now and then, just replicate into a test environment, and flip the breakers."

That can be a huge pain in the ass, but there is really no other way to be absolutely certain. Cloud is not the answer to this issue. Or, at best, it can only be part of the solution. There are many examples of cloud failure.

Today, I got some great data on UPS drain and recovery, and found a problem with time-stamping of notifications. Discovering that bug in my code is a win. As is jogging me to post on the topic of a bug in the Linux APC UPS monitor daemon. Which I (obviously) have had no control over, and which served as an example of why more care than I had previously taken is needed before turning on SELinux enforcement.

Things Are Going to Go Wrong

As long as Murphy is alive and well, and Murphy seems to be immortal, things will continue to go all pear-shaped, at the worst possible times. I almost wrote 'periodically pear-shaped', but we don't always have the benefit of periodicity. Aside from the Big Three of periodic FUBAR announcements (Microsoft, Adobe, and Oracle), anyway. I might justifiably add OpenSSL and other Open Source projects, but the data to back that up is a whole new post. That is not going to happen today. Which is just as well, because the ongoing incompetence of Sony beggars the imagination. I don't even want to think about it, beyond being very happy that I am not on their security team.

Today, As An Example 

From a security perspective, we are most concerned with the CIA triad of Confidentiality, Integrity, and Availability of data. Power problems on database systems will cause issues with integrity and availability, as mentioned above. Confidentiality only becomes a factor if disparate systems with responsibility for authentication/authorization fail open when a remote system is unavailable. That is rare, these days. Possibly because it is an easy test. So run it, just to be certain. Really. It's just a temporary firewall rule blocking the remote system. And, as always, make it a test, so that pass/fail is always recorded.
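
The fail-open check described above, as an added example (my code, not something from the original post). The "remote system" is a hypothetical line-based authorization service that answers "ALLOW" or "DENY"; a closed loopback port stands in for the temporary firewall rule, so the connection is refused immediately. The two authorizers differ only in what they do when the service cannot be reached, and the check records pass/fail with a timestamp, as a test rather than a one-off poke.

```python
"""Does authorization fail open when the remote decision point is unreachable?

Added example (not code from the blog).  The remote authorization service and
its protocol are assumptions for the sake of the example.
"""
import socket
import time
from dataclasses import dataclass


class RemoteUnavailable(Exception):
    """Raised when the remote authorization service cannot be reached."""


def closed_loopback_port() -> int:
    """Bind an ephemeral port and release it; a connect() to it is then refused.

    This emulates the outage.  In a real test you would block the authz host
    with a firewall rule instead of pointing at a dead port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def remote_decision(host: str, port: int, user: str, timeout: float = 1.0) -> bool:
    """Ask the (hypothetical) service whether `user` is allowed.

    Assumed protocol: send the line "AUTHZ <user>", read back "ALLOW" or "DENY".
    Any socket error is surfaced as RemoteUnavailable so that callers must
    decide explicitly what an outage means.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            conn.sendall(f"AUTHZ {user}\n".encode())
            reply = conn.recv(16)
    except OSError as exc:
        raise RemoteUnavailable(str(exc)) from exc
    return reply.strip() == b"ALLOW"


def authorize_fail_open(host: str, port: int, user: str) -> bool:
    """The defect being tested for: an outage silently grants access."""
    try:
        return remote_decision(host, port, user)
    except RemoteUnavailable:
        return True


def authorize_fail_closed(host: str, port: int, user: str) -> bool:
    """The correct behaviour: no answer from the decision point means deny."""
    try:
        return remote_decision(host, port, user)
    except RemoteUnavailable:
        return False


@dataclass
class CheckResult:
    name: str
    allowed: bool       # what the authorizer returned during the outage
    passed: bool        # the check passes only if the outage denied access
    recorded_at: float  # epoch seconds, so the result can be logged


def run_outage_check(user: str = "alice") -> list:
    """Run both authorizers against an unreachable service and record pass/fail."""
    port = closed_loopback_port()
    results = []
    for name, authorize in (("fail_open", authorize_fail_open),
                            ("fail_closed", authorize_fail_closed)):
        allowed = authorize("127.0.0.1", port, user)
        results.append(CheckResult(name, allowed, passed=(allowed is False),
                                   recorded_at=time.time()))
    return results


if __name__ == "__main__":
    for r in run_outage_check():
        print(f"{r.name:12s} allowed={r.allowed!s:5s} {'PASS' if r.passed else 'FAIL'}")
```

The point of wrapping the socket error in RemoteUnavailable is that the outage policy lives in exactly one place per authorizer, where a reviewer can see it; catching OSError deep inside a helper and returning a default is how fail-open creeps in unnoticed.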

But, we can never miss an opportunity to get better. Particularly under circumstances so benign as a power outage. Which, for people focused on security rather than pure availability, really is benign.

So, We Are Back to Logs

I first mentioned logs in We Still Fail at Log Analysis back in July of 2013. Nothing much has happened since then to change my opinion. 18 months, and little or no progress on an operational problem that has been with us for time out of mind. That is a bit discouraging, so I feel the need to visit this issue again, and probably not for the last time.

Please look at log policy again. Logging takes many forms, of course. System and application state and performance data are both vital. Were those recorded? Was it possible for an adversary, possibly internal, to avoid detection by shutting down a remote log host, or a network path to that host? In a virtualized environment, do you have records of what machines were spun up or migrated, and the security posture of those systems? If so, are those records amenable to analysis, or are they just data for the sake of data?
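
One concrete answer to the question of whether an adversary could go dark by cutting a log host or a network path, as an added example (my code, not from the original post): if every host is expected to emit a known line at a known cadence, silence becomes a detectable event rather than an absence of data. The log format (RFC 3339 timestamp, hostname, process, message), the five-minute cron heartbeat convention, and the sample log itself are all constructed for the example.

```python
"""Detect hosts that went silent, from a central log host's combined file.

Added example (not code from the blog).  Assumed conventions: one event per
line as "<rfc3339 ts> <host> <proc[pid]>: <message>", and every host runs a
cron job that logs a line containing "heartbeat" every 5 minutes.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Constructed sample.  dbhost is silent from 14:05 to 14:35 (forwarder or
# network path cut), webhost stops reporting after 14:20 and never returns.
# The last line is deliberately malformed; the parser must skip, not crash.
SAMPLE_LOG = """\
2014-12-11T14:00:01-08:00 dbhost cron[1201]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:00:02-08:00 webhost cron[882]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:05:01-08:00 dbhost cron[1207]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:05:02-08:00 webhost cron[887]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:10:02-08:00 webhost cron[891]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:15:02-08:00 webhost cron[896]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:20:02-08:00 webhost cron[901]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:35:01-08:00 dbhost cron[1242]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:40:01-08:00 dbhost cron[1248]: (root) CMD (/usr/local/bin/heartbeat)
2014-12-11T14:45:01-08:00 dbhost cron[1253]: (root) CMD (/usr/local/bin/heartbeat)
this line is corrupt and must not crash the parser
"""


@dataclass
class Event:
    ts: datetime
    host: str
    proc: str
    msg: str


@dataclass
class Gap:
    host: str
    start: datetime
    end: datetime
    seconds: int
    trailing: bool  # True when the host never came back before end of log


def parse_log(text: str) -> List[Event]:
    """Parse well-formed lines, skip the rest, return events in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append(Event(ts, m["host"], m["proc"], m["msg"]))
    events.sort(key=lambda e: e.ts)
    return events


def heartbeat_gaps(events: List[Event], expected: timedelta = timedelta(minutes=5),
                   tolerance: float = 1.5, marker: str = "heartbeat") -> List[Gap]:
    """Report every host whose heartbeats are further apart than expected*tolerance.

    Two cases are distinguished: a gap with a resumption afterwards, and a host
    that is silent right up to the newest event seen from any host (trailing),
    which is what a cut forwarder or a killed log path looks like.
    """
    if not events:
        return []
    latest = max(e.ts for e in events)
    limit = expected * tolerance
    by_host = defaultdict(list)
    for e in events:
        if marker in e.msg:
            by_host[e.host].append(e.ts)
    gaps = []
    for host in sorted(by_host):
        beats = by_host[host]
        for prev, cur in zip(beats, beats[1:]):
            if cur - prev > limit:
                gaps.append(Gap(host, prev, cur, int((cur - prev).total_seconds()), False))
        if latest - beats[-1] > limit:
            gaps.append(Gap(host, beats[-1], latest,
                            int((latest - beats[-1]).total_seconds()), True))
    return gaps


if __name__ == "__main__":
    for g in heartbeat_gaps(parse_log(SAMPLE_LOG)):
        kind = "still silent" if g.trailing else "resumed"
        print(f"{g.host}: no heartbeat for {g.seconds}s from {g.start} ({kind})")
```

The trailing case is the one the questions above are really about: a host that simply stops appearing leaves no error line anywhere, so nothing that merely greps for failures will ever see it. Measuring against the newest timestamp from any host, rather than the wall clock, keeps the check usable on archived logs as well as live ones.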

That last question is not meant to imply that you may be doing anything obviously wrong, BTW. Effective means, which will stand the test of time, have yet to evolve. I regard this as an open research question. Which is a bit sad, considering how bad the failures have been in legacy environments.

Possibly, for some environments, the future lies solely in data exfiltration detection.

Wednesday, December 3, 2014

Yet More Trouble in Toyland

The spasm of Point-of-Sale compromises this year and last (Target, Home Depot, Subway, Dairy Queen, Jimmy John's, and recently even car parking and washing facilities, etc.) has been enough to do some damage to consumer confidence.

Though these were Point-of-Sale issues, they were network attacks. So if any consumer was frustrated enough to decide that it was probably just as safe doing their holiday shopping online... Oops. And now we have more evidence, if any were needed, that those security seals commonly seen on eCommerce web sites offer less surety than a shopper might be led to expect. In some cases, they can even assist an attacker.

The paper is Clubbing Seals: Exploring the Ecosystem of Third-party Security Seals
Tom Van Goethem, Frank Piessens, Wouter Joosen, Nick Nikiforakis
in Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS 2014). 

It is available to the public at https://securitee.org/files/seals_ccs2014.pdf. It's only eight pages, a nice piece of work, and one example (see page 6) is jaw-droppingly funny. Which is good, because the news is pretty grim, and you will need your sense of humor.

Give it a read. If you are a consumer, quit trusting security seals on Web sites, to whatever extent that you ever did. If you are a site operator, be advised that you may not be getting what you thought you were paying for, if these scans were intended as a component of continuous audit.
Here's the abstract.
In the current web of distrust, malware, and server compromises, convincing an online consumer that a website is secure, can make the difference between a visitor and a buyer. Third-party security seals position themselves as a solution to this problem, where a trusted external company vouches for the security of a website, and communicates it to visitors through a security seal which the certified website can embed in its pages.
In this paper, we explore the ecosystem of third-party security seals focusing on their security claims, in an attempt to quantify the difference between the advertised guarantees of security seals, and reality. Through a series of automated and manual experiments, we discover a real lack of thoroughness from the side of the seal providers, which results in obviously insecure websites being certified as secure. Next to the incomplete protection, we demonstrate how malware can trivially evade detection by seal providers and detail a series of attacks that are actually facilitated by seal providers. Among other things, we show how seals can give more credence to phishing attacks, and how the current architecture of third-party security seals can be used as a completely passive vulnerability oracle, allowing attackers to focus their energy on websites with known vulnerabilities.
The paper also notes that it would be trivial for a shady shopping site operator to dodge the scans these vendors perform, either to outright save themselves mitigation expense, or to give themselves a longer grace period, while still presenting the seal to the public.

Tuesday, December 2, 2014

Law Always Lags, As It Should

The rule of law, instead of the rule of individual persons, is of critical importance. I'm not going to throw in qualifiers, such as 'to Western Civilization', or otherwise defend that viewpoint here; if you don't buy into the concept, you are so very much on the wrong blog.

Now, in an apparent contradiction, let us talk about Western Civilization law, if for no other reason than to leave China and APT threat hype out of the picture. We do many of the same things, after all. State Department warnings about carrying devices into China? We are equally guilty of the same privacy violations. It just doesn't get as much press.

The current state of our legal framework lags quite a bit behind the times. Much of this is about politicians, who must be seen to be Doing Something about whatever threat is most in the daily news. Threats, of course, take many forms. Too Big To Fail gets a lot of play, for instance. What we should be concerned about is criticality, not size, and these are not necessarily the same thing.

But, I digress.

I Have Hacker Tools, and Know How to Use Them

I am also confident that Oregon law enforcement does not care. Because 'Western Civilization' is not this vast uniform thing. A few years ago, Germany made this illegal, and much Internet drama ensued in the security trade press.

I suspect it has been selectively enforced, if it has been enforced at all. Oregon could pass a similar law tomorrow, and it would pose no threat to me. We have these people known as District Attorneys. They decide who to prosecute, which costs money, they do not have unlimited budgets, and they are not stupid.

I can prove that I'm on the side of the good guys, and have been for years. I seriously doubt that I would need to prove that 'hacker tools' are dual-purpose; I am confident that they get that perfectly well without my having to explain it to them. They are going to be far more interested in going after real bad guys, and will protect the budget that they need to do that.

Fine. I will likely help, pro bono (for the public good). Because living in a state with very low corruption (and I have lived in states, such as Louisiana, where corruption was just assumed) is great, and I do security at least partially because bad actors, arriving over the wire, have caused quite enough human suffering. Frankly, it just pisses me off.

I expect that the very same situation exists amongst pragmatic Germans.

That said, I am concerned in that laws passed in the heat of the moment, selectively enforced, are not compatible with the rule of law. Sadly, this has been seen, even here in Oregon.

Let's Talk WMDs 

Weapons of Mass Destruction. This language evolved from the military NBC (nuclear, biological, chemical) acronym. Simplistic, more understandable to the public, hence conducive to larger budgets, etc. But there has been an Oregon prosecution of a random bomb-throwing idiot, under WMD language.

I am not defending the guy; this was one of the more egregious displays of human butt-headedness in recent local history. But he wasn't exactly the sharpest knife in the drawer; I doubt he had the faintest idea of the horror of true NBC weapons. More importantly, I doubt most people who bought into WMD language do either. A random street bomb-thrower in Portland, Oregon is in no way equivalent to the Enola Gay, and the delivery of the atomic bomb that fell on Hiroshima, whether the first use of nuclear weapons was justified, or not.

Circling Back to My Point

There is a long history of laws being passed because politicians must be seen to be Doing Something. Given the immense (and increasing) amount of lobbying dollars available, and the desperation of candidates to somehow break into the modern news cycle, this seems likely to get worse before it gets better.

People complain that a large segment of law is out of touch with the times. Often it is about their pet peeve, whether that is issues connected with the Internet, such as copyright or net neutrality, or more general issues.

The universal claim seems to be that the law is behind the times. My take is that it is better to have law that lags than law that leads. While lagging legal thought will certainly lead to injustice, it is less likely to lead to wholesale injustice. It is the lesser of two evils in an imperfect world.

Monday, December 1, 2014

BTW, Cyber Monday is Bogus

Unless it is a marketing (the art of manipulating people for your own purposes) success. When the Cyber Monday hype started, it was exactly that: hype. No basis in fact. Created in the early days of eCommerce, by marketing droids, as a means of extending (and cashing in on) Black Friday.

Total lie, at the start. So, to whatever extent it has become a Real Thing is a measure of the extent to which people have been manipulated.

Now it gets worse, as the US has managed to export Black Friday as well. What was once a day that many retailers went into black ink (profitable) on the busiest shopping day of the year (day after Thanksgiving, for non-US readers) has now been exported to other countries, which do not share that holiday. Canada. The UK, where there were problems with displays being ripped up in frenzied shopping.

This is the triumph of the marketing droids, and yet another thing that I dearly wish that the US had failed to export. It's right up there with Walmart and fast food. I would include universal surveillance, but the UK has arguably been in the lead on that since the founding of the royal mail, and they still loves them some surveillance cameras.

I mention this because I posted Just Buy Spam Nation earlier today, after first mentioning it back in July, and I do not routinely recommend things. No, this is not some sort of Cyber Monday marketing campaign. These days, cynics are possibly more justified than at any time since Ambrose Bierce penned The Devil's Dictionary in 1906. In this case -- no. But his definition is still worth reading.

A blackguard whose faulty vision sees things as they are, not as they ought to be. Hence the custom among the Scythians of plucking out a cynic's eyes to improve his vision. 

Just Buy Spam Nation

I am still getting traffic to http://fubarnorthwest.blogspot.com/2014/07/you-can-order-pre-order-krebs-spam.html. I'm not sure why that is. The book is out, to good reviews. For those that prefer audio/video discussion, see http://krebsonsecurity.com/2014/11/spam-nation-book-tour-highlights/ where there are numerous links to media that does not specialize in security matters.

Or just generally follow his blog, dammit. He's already back on ATM skimmers, which can be considered as a separate consumer safety area where he has carved out yet another niche as the go-to information source.

Here at casa de FUBAR, things are a bit busy at the moment, with things that will completely fail to interest most of the public, who just want to know how their confidential information became a $1 item in a foreign black-hat market, and what they can do to fix it.

A couple of those issues I will actually get to write about. That is not a common thing, so I am happy when it does manage to happen. But I have to repeat that this is stuff that, unless you operate in the security field, is technical, of little use to you, and will bore you to tears. In short, a waste of your time.

I'll be writing up my opinion of Spam Nation in the near future, but it will have my own twisted twist, in that it will not be a generic consumer review. Those are everywhere, so that shouldn't matter to you, if you are a consumer trying to understand this FUBAR new world. The book completely wins on that score. Really. Just buy it.

What I want to write is a post that discusses why security professionals should regard Spam Nation as important. The book succeeds on both consumer and professional levels. That is more difficult, and as I mentioned, things are a bit busy right now.