An exploit for the denial-of-service-considered remote SCTP vulnerability in the linux kernel has been released.

http://sgrakkyu.antifork.org/sctp_houdini.c

The exploit contains multiple targets and covers 32/64 bits architectures… play time started this morning =X

Continuing from Hiring Hackers - as speakers (part 1):

Are those who conduct breaches and intrusions of computer systems important sources of information?

I suppose it seems intuitively obvious that the answer is “yes.”  After all, these are the people who are breaking into the things we want to protect: surely they know how.  However, with a little consideration, the “obvious” answer evaporates.

First of all, in purely logical terms, it is not necessary that those who break into systems know all possible ways to do so.  In practice, it is true that many attacks these days involve multiple vulnerabilities, but logically it is only required that the attacker knows one.  This truism is well known, in slightly different form, in relation to testing and systems development: testing can be used to prove the presence of bugs, but never their absence.  Or, as I frequently point out in relation to system security, the attacker has a much easier job than the defender.  The defender must be correct in every single instance and activity.  The intruder only has to be right once.

Therefore, the interloper has the easier job, and can afford to be lazy.  If they can be lazy, they probably will be lazy: that is human nature.  (After all, a number of people would argue that blackhats have already shown themselves to be morally lazy.)  As the proverb has it, everything is always in the last place you look.  Once you’ve found it, why keep on looking?

(Oh, curiosity, you say?  Well, curiosity is great: it keeps us learning.  But it is hardly the exclusive preserve of those on the wrong side of the law  In addition, properly identifying, researching, and documenting what you find, in such a way that it will be useful to others, tends to require a lot of boring work, and discipline.)

So, at the very least, we can say that attackers have no advantage in terms of scope and a comprehensive view of vulnerabilities, and may be at a disadvantage.

Do intruders have any advantage in depth of knowledge?  This is almost impossible to answer in any meaningful way, of course.  Individuals vary in knowledge, comprehension, analytic ability, and creative or imaginative thought.  Despite years of attempts to create testing instruments and metrics for cognitive processes, we have only the most general ability to predict a specific person’s accomplishments in the real world.  We do know that ability varies widely, and it would be foolish in the extreme to contend that all whitehats would be as able as any given blackhat.

However, that said, I would suggest that it should be possible to assert that, collectively, security professionals are more knowledgeable than intruders.  This is due to my earlier argument: those people who have had more demands (even sometimes arbitrary demands) placed upon them will have more discipline (and more background) to address the problem.

The argument is sometimes made that we should study “successful” exploits.  The hypothesis here is a bit harder to dissect: after all, a “successful” exploit is simply one that works.  It is true that certain attacks are more effective in a given environment, and that intrusions or infections which work over very large numbers of systems tend to involve a number of factors, not all of them technical.  Historically, though, it seems to be that the most astounding and newsworthy of attacks are as much a surprise to their authors as they are to the rest of us.  It is unlikely, in the extreme, that our adversaries have these events fully planned, or understand all the determinants of an overpowering offensive.

It is a truism that two heads are better than one: this is recognized by fields as diverse as auditing and extreme programming.  This statement is formalized, in the open source community, by Linus’ Law: with sufficiently many eyeballs, all bugs are shallow.  Most systems professionals would recognize that the more people examine a system, the better (in terms of identification of vulnerabilities).  The “Hire a hacker” crowd tends to jump on this in advancing their cause: why not listen to the attackers when they come up with a new exploit?

This, however, is a spurious argument.  There is no choice between listening to an intruder or not knowing about the vulnerability at all.  Once a vulnerability is known, it can be explained by anyone who understands it, and can present it accurately and clearly.

Which brings up a final point.  As I said in the earlier piece, blackhats tend to have more-than-healthy egos.  Yet their opinion of their own prowess is seldom supported by the materials they produce in evidence.  I’ve read a great many “zines” produced by those in that community (and even the occasional book ostensibly written by a reformed or active hacker) and almost never have I found anything worth reading either for the technical content, or in regard to readability.  (Yes, those who have read my book reviews will know that I don’t think highly of all technical books, but sometimes I do find one worth reading.)  And, in fact, reading the books by professional authors who base their text on “as told to” information from those on the dark side gets to be very boring as repetitive as well.

Writing is a skill, and not everyone can do it well.  Teaching is a skill, and not everyone can do it well.  (Presenting at conferences is a slightly different skill and, as anyone who has ever attended a conference can tell you, not everyone can do it well.)  Both writing and teaching require, as well as certain technical competencies, a feeling and empathy for a large and often ill-defined audience.  Since criminal hackers have clearly demonstrated, by their actions (and continue to demonstrate, in subsequent interviews long after their intrusions, conviction, and even release), a lack of consideration for their victims, it is unlikely that they would make good teachers.

Or conference speakers.

It seems I get this IN MY INBOX everytime I post…

We have received your request to join the puitika
group hosted by Yahoo! Groups, a free, easy-to-use community service.

This request will expire in 7 days.

TO BECOME A MEMBER OF THE GROUP:

1) Go to the Yahoo! Groups site by clicking on this link:
http://groups.yahoo.com/i?i=oyhn042ed3ckqjsszqpggnyd5xxe0l1b&e=0xjbrown41%40gmail%2Ecom

(If clicking doesn’t work, “Cut” and “Paste” the line above into your
Web browser’s address bar.)

-OR-

2) REPLY to this email by clicking “Reply” and then “Send”
in your email program

If you did not request, or do not want, a membership in the
puitika group, please accept our apologies
and ignore this message.

Regards,

Yahoo! Groups Customer Care

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

Okay, I saw this a couple of days ago now, and well, to say that it’s interesting is a bit of an understatement to be honest.

Full entry can be found in the Full-Disclosure archives:

Last night, Twitter was in a state in panic over a �worm� that had
exploited the site. Unlike previous bugs which required you click a
link of some sort, users could be affected by simply visiting someone
else�s profile.
……
�I am the person who coded the XSS which then acted as a worm when it
auto updated a users profile and status, which then infected other
users who viewed their profile. I did this out of boredom, to be
honest……

This post was written because a very good friend of mine asked me to send them a mail about decent reasoning to use Tor, and explore the Onion net, so thank you (you know who you are), and this post will be followed by another more detailed post on the Onion net soon.

Okay, so with all that’s been going on in the world lately, I’m starting to think that we should really start moving things underground, by underground, I mean that we should start encrypting our traffic more, and making use of the means that we have available to us, and helping to support them more as a security community.

The things in the world that I’m referring to are not only UK based either, here are a few examples:

Pirate Bay - Guilty Verdict

Mobile Phone Tracking

CCTV Cars

Directive 2006/24/EC Of The European Parliament And Of The Council

It seems that we are seeing more and more of the worlds governments moving towards an Orwellian culture, and I for one really don’t feel comfortable operating in this way.

You may be asking yourselves at this point, what can we do to stop this, the honest answer is, really not that much right now.
We can however start to move our information systems somewhere else, somewhere more secure, and we can all help others to secure their online habits by setting up Tor relays.

The more relays the Tor network gets, the better it is for everyone involved, if you can’t configure a relay, or just don’t want to, then if at all possible, please dontate to the Tor project here.

So please people, if you value your privacy at all, please help the Tor project out in any way that you can, even if it’s translating articles.

Below are a few links that you may find useful:

Tor Overview

Volunteer

Download

This may seem like a shameless Tor plug, but I can assure you that it’s not, and I am in now way related to the Tor project at this point in time, but I really feel that it’s an extremely worthwhile project, and I plan on getting a lot more involved. This project has come a long way in the 2 years that I’ve been using it, and the more users we get contributing the better the anonymity and speed gets.

Keep it safe and private people.

By the time you read this, CIO magazine will probably have already done its “In Cloud We Trust” Webcast.

The ISSA, ready to provide links to any security related activities, inadvisedly advertised the Webcast.  I say inadvisedly, because the Webcast, or at least the promotional material, features Kevin Mitnick.  This juxtaposition created a bit of a furor over the fact that a prestigious security institution was promoting a former computer criminal.  (It is entirely possible that Kevin Mitnick rather enjoyed the discomfiture of ISSA, since ISSA had the affrontery, in 2003, to turn down Kevin Mitnick’s application for membership.)

All of which sparked yet another debate, in at least one venue, over the advisability of hiring or attending to (for the purposes of security), those formerly convicted of computer crimes.

Feelings are strong, and tempers rather short, when this topic comes up for discussion.  Passions are surprisingly high on both sides of the debate.  However, I would like to attempt to present some opinions on the matter.

(I’m not going to speak about the Webcast itself.  As chance would have it, I’ll have to be getting on a bus at about that time in order to go downtown.  To speak to an ISSA meeting.)

Those who feel that hackers can and should be hired suggest that those best qualified to protect systems are those who have broken into them.  We, in defence of our systems, should not let foolish moral quibbles stand in the way of gaining the best information and advantage that we can.

I am on the side that opposes the use of former criminals.  I do not disagree with the risk management analysis of those on the pro side, but I feel that it is based on faulty assumptions.  My objections to the hiring of hackers are practical as well as moral, and, in terms of ethical analysis, lies in the area of practical morality.

In order to address the practical issues, I have to clarify, and separate, the different types of help we think we are going to get from cybercriminals.  Do we employ them for security management and administration?  Do we hire them for penetration testing?  Do we use them as security consultants?  Or do we just listen to them in seminars, webcasts, and conferences?

This last is the most difficult to oppose.  What is the harm in listening?  Should we not take every opportunity to learn all that we can about security?  Why block ourselves off from an important source of information?

So, I’ll address this first.

What is the harm in listening?  Well, we aren’t just listening, are we?  First off, most “reformed hackers” aren’t exactly doing this out of the goodness of their hearts.  Those who are on the lecture circuit generally make pretty good money out of it.  A lot of them make more than most legitimate security researchers, analysts, and consultants.  Then there are the spin-off benefits in books, workshops, and just plain advertising for John Q. Hacker’s Security Consulting.

Money isn’t the only benefit, though.  I’ve always been interested in the social side of technology, and for more than twenty years I’ve been studying those on the dark side.  Most of these people are charter members of Egos-backwardsR-Us.  Not all of them, but certainly enough to make it pretty much a defining characteristic.  Given a choice between money and a chance to grab the limelight, they might have to stop and think about it.

Regardless of whether we are paying cash or just stroking egos, one thing we are definitely doing is tacitly promoting the importance of what they have done.  We are saying that it is better, in the sense of obtaining security information, to break into systems than to study in other ways.

And I’ll address that later.

Dinosaur that I am, it never occurred to me that long URLs were a major problem.  Sure, I’d gotten lots that were broken, particularly after going through Web-based mailing lists.  But you could generally put them back together again with a few mouse clicks.  So what?

So the fact that there were actually sites that would allow you to proactively pre-empt the problem, by shortening the URL, came as a surprise.  What was even more of a surprise was that there were lots of them.  Go ahead.  Do a search on “+shorten +url” and see what you get.  Thousands.  http://bit.ly/ http://tubeurl.com/ http://www.shortenurl.com/index.php http://urlzoom.org/ http://ayuurl.com/ http://urlsnip.com/ http://url.co.uk/ http://metamark.net/ http://8ez.com/ http://notlong.com/ http://shorten.ws/ http://myurl.si/ http://dwindle.me/ http://nuurl.us/ http://myurlpro.com/ http://2url.org/ http://tiny.cc/

I would not, by the way, advise visiting that last.  .cc is a domain used by those on the dark side.  In fact, I wouldn’t recommend visiting many of those: I have no idea where they came from, except that a search pops them up.  Which is part of the point.

Are URL shorteners a good thing?  Joshua Schachter says no.  Therefore, in opposition, Ben Parr says yes.  There are legitimate points to be made on both sides.  They add complexity to the process.  (Shorteners aren’t shorteners: they are redirectors.)  They make it easier to tweet (and marginally easier to email).  They disguise spam.  Some of the sites give you link use data.  They create another failure point.  They hide the fact that most Twitter users are, in fact, posting exactly the same link as 49,000 other Twitter users.

URL shorteners/redirectors are going to be used: that is a given.  Now that they here, they are not going away.  Those of pure heart and altruistic (or, at least, monetary only) motive will provide the services, have reasonable respect for privacy, and add functions such as those providing link use data to the originator (and, possibly, user).  A number of the sites will be set up to install malware on the originator’s machine, to preferentially try to break the Websites identified, to mine and cross-corelate URL and use data, and to redirect users to malicious sites.

If you are going to use them (and you are, I can tell), then choose wisely, grasshopper.  There are lots to choose from.  Choose sites that offer preview capabilities.  If someone doesn’t use the preview options, you can still add them.  http://tinyurl.com/a-short-url-that-expands is the same as http://preview.tinyurl.com/a-short-url-that-expands : you just have to add the “preview.” part.  http://is.gd/ is even easier: just add a hyphen to the end of the shortened URL.  I’m hoping that one of the sites will start checking the database for already existing links, and returning the same “short form”: it’d make it easier to identify all the identical tweets.  (With the increasing use of the sites, it will also ensure that the hash space doesn’t expand too quickly, which would be to the advantage of the shortening sites.)

I remember a few years back, when I heard about the blackouts in California (oh yes, the good ol’ Enron days). It was quite shocking to hear that major dot-coms were down for hours. Even the “365 Main” facility in San Francisco with its earthquake proof infrastructure lost power, proving that no matter how equipped, no single location can withstand a big disaster.

Nowadays this is less and less a real issue - hurricanes and power failures are not an excuse to stop providing service: Amazon and google showed that you can reach close to 100% reliability (barring software bugs) by eliminating all physical single points of failure. Today in the cloud age, every web site service can get Amazon-like reliability without worrying about a power failure in its office in Mountain View or a natural disaster in its colocation farm - and all this for hundreds of dollars a month.

But as the local disaster problem is solved, there’s a new one that may shape the way we think of disaster recovery. Register.com got hit by a massive DDoS attack on its DNS servers. This attack will have many casualties - not just register.com’s users who may have their web sites unavailable if they used register.com’s DNS services but also all those hit by the collateral damage; we don’t yet have a technical information on how the attack was done, but a DDoS attack is typically logical and not geographical - if your site is somehow ‘logically’ connected to a site that is being attacked, you will be DDoS’ed and that won’t be nice. When blue security was DDoS a few years ago the attackers decided to take down Blue Security’s providers along with anything hosted there, in any of the provider’s geographical location.

A DDoS attacks the server wherever he is - if you span your server across multiple physical locations the attack will be done on all of them; there is always a limit to the number of transactions you can handle in a single second, and once the attacking botnet passes this limit your services will effectively be denied. You will then have nothing to do but lean back in your chair and wait for the attack to end, counting the lost visitors/revenue/reputation with every minute passing.

While the cloud can save you from Hurricane Katrina, if someone decides to DDoS facebook.com they only need to pay a fee; there is nothing facebook - with its massive server infrastructure - can do to stop them. In fact, we don’t know of any real way to stop DDoS (snakeoil solutions aside) and Rob is very correct in saying that probably the only solution is raising security awareness to reduce the size of botnets and make DDoS less practical (or more expensive). Until that happens, I wonder who will be the first to use DDoS to take out a competitor?

What could be worse: a vague and hastily thrown together mashup of security protections masquerading as a security framework or standard, or having the government get into the act?  Now you don’t have to choose: you can have the worst of both worlds!  Follow the US Congress hearings on PCI!  Or, follow the commentary into the hearings on Twitter (which is fairly random and noisy, but probably makes just as much sense).