Internet shut off switch?

Reports are saying cell phones and Internet connections are off in egypt at the moment. Can a country really shut off its Internet connection?

China, who has placed restrictions on its Internet infrastructure from day 1 (meaning, the whole infrastructure for connecting to the Internet was built with government control in mind) and that develops a lot of its own networking equipment, is unable to really block users. When I’m in China, twitter and facebook are blocked in the hotel and in the office, but not on the blackberry. Most anonymizers work, and some twitter-over-instant messenger bots work as well. Most of the time, I can find the new list of working anonymizers on google, while I’m there – so there’s no special preparation involved. On my last visit I was introduced to a free VPN service that enables unrestricted access to facebook, twitter and other blocked sites, that seems to be quite popular in the country.

Egypt is not as big and certainly not as advanced as China, but is fairly big. As anyone who worked for a large company knows – it’s difficult if not impossible to track all incoming and outgoing connections. We know the DNS servers are refusing to resolve .eg domains – but what if we go into the inner-works. Are some of the IP’s inside Egypt reachable?

One glaring example is the Egyptian stock exchange. Its IP rotates, but at least some connections point to  217.139.183.2, which belongs to the ISP “the Noor group”, in Cairo. Other times it points to 41.222.175.2 that belongs to “Misr Information Services and Trading” in down-town Cairo. Both are clearly reachable and pingable; is every router on the way configured to route communication only to those IPs? Are there other routers, IP’s or servers that are still open for communication? I would imagine that some emergency lines run on IP-based infrastructure that must be kept on; some devices – military ones perhaps – might rely on IP infrastructure. Dial-ups might still exist. Speaking of which: can one dial from Egypt into a modem in Germany?
Also, one has to wonder about internal communication. Blocking the country’s gateways is one thing; but blocking all internal communication is extremely hard to do. If internal communication is available, is there a way to piggyback into those few holes in the dam to get external communication? Taking the egyptse.com example: if the perimeter routers only allow communication to/from the Noor network, can I route my connection through them?

We all know the Internet was designed to be resilient; and forty years after its initial deployment, it’s proving to be very hard to kill, even by those who believe they have their hand on the cut-off switch.

What was your favorite book of 2010?

Wanting something good to read, I found myself reading “Neuromancer” again, probably for the hundredth time now.

Looking around for recommendation for new books in the usual places like “NYT Best Sellers list” turned up fairly dull results. So given that the crowd that reads this blog probably shares the same preferences as me, what book did you enjoy this past year? Any genre.

Is SetFsb a Trojan?

This was sent to me by a friend who wanted to stay anonymous:

There’s a utility called SetFSB which tweaks the clock speed for overclocking stuff.
It was written in Japan, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable.
The batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alarm and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

there’s a uility called SetFSB which tweeks the clock speed for overclocking stuff.
It was written by some Jap, and is used for many years already.
Recently it came to me that I can speed up my old machine by 25% so I dl’ed it as well,
however, when running, I discovered that upon termination, the .exe creates 2 files,
1 batch file and 1 executable,
the batch file is being spawned, and starts a loop trying to delete the original executable, and continues indefinitely until it’s deleted. after that it will rename the new .exe to the be the same name as the old one.
Now, isn’t that suspicious?
I’ve tried googling it, and just found 1 reference in PCTool’s ThreatFire, but the shmucks just got the threat and couldn’t see the .exe and .bat, so they just decided it’s a false alaram and whitelisted the utility.
I thought it would be a good idea to contact the author, give him a chance to explain, and this is message train, which I find very funny:

ME>>>

Dear Mr.

Why after exiting SetFsb, it will create a .bat and new .exe
the .bat will loop to try delete the old .exe, and rename the new .exe to old .exe ?

Thanks!

HIM>>>

Hi,

Yes,

abo

ME>>>

Hello.

Yes… good…

but WHY???
is it a VIRUS?

thanks!

HIM>>> (here comes the good part :))

I do not have a lot of free time too much.
Why do you think that i support you free of charge?

ME>>>

to make viruses?

HIM>>> (this is the original font color and size he used!!!)

I do not have a lot of free time too much!

ME>>> (trying to hack his japanese moralOS v0.99)

Please, dear Abo,

You must understand. People start to be VERY worried about your software,
because it behave like a virus.
If you will not give a good explanation to WHY it behave like this,
then people will stop using it, and stop trusting you forever.
Then your name will become bad, and you will have a lot of shame.
I only try to help you.

I hope you understand!

HIM>>>

It is unnecessary. Please do not use SetFSB if you are worried.

Personally, I’m not sure who’s more weird: my friend, overclocking his computer in 2011, or the Japanese programmer not willing to explain if his downloadble program is a Trojan or not.

FBI Planted backdoors in OpenBSD IPSEC?

Not sure what to make of this yet:

“FBI Added Secret Backdoors to OpenBSD IPSEC”

Theo De Raadt seems to be ambiguous about this:

It is alleged that some ex-developers (and the company
they worked for) accepted US government money to put backdoors into
our network stack, in particular the IPSEC stack.  Around 2000-2001.

[…]

I refuse to become part of such a conspiracy, and
will not be talking to Gregory Perry about this.

Bring on the cyberwar

There is something special about Berlin. Just a feeling that can’t be fully explained, that the cold and snowy weather enhances well. But I also can’t help thinking about the Len Deighton cold-war-espionage books, checkpoint Charlie, east and west clashing in this city that was like an explosive tip of a gun powder barrel.

When I grew up, Sting sang “I hope the Russians love their children too” and what he meant was love them enough to not annihilate the entire planet. War was serious, and war between world powers was scary. Remember War Games? You’d think people will be afraid of Kevin Mitnick’s hacking skills, but what they were more afraid of was him starting world war III that would potentially wipe out hundreds of millions of people.

So I must admit I’m slightly amused by the threats of ‘cyberwar’. Lets assume for a minute John Lennon was wrong and there will never be ‘peace on earth’. Lets assume that whether it’s because of testosterone, ego, or some other reason taught in psychology 101, nations will continue to fight each other. If that’s the case, what better way to do that than on the Internet? Have them hack each other Ad Nauseam; bring down computers or networks, plant Trojan Horses and steal sensitive data. Assuming the current superpowers are China and the US, isn’t cyberwar the perfect way to ventilate mutual aggression without human casualties?

Of course, there’s a worse case scenario where that stops being funny: if cyberwar can be used to shut down critical infrastructure, people will get killed. But that doesn’t seem to be the direction this “war” is going. Nations fighting on the Internet? I say bring it on.

On a related note, check out Richard Stiennon’s new book about Cyberwar. And if you are in DC, go hear him speak on Thursday about Google Aurora, Stuxnet, and the wikileaks DoS attacks. Really fascinating stuff.

Email is unreliable. So should we face it or fix it?

Despite what Dilbert Comic Strips may teach you, our job as security professional is to enable information services – not prevent them.

The bad guys do evil: we try to prevent it (or clean-up after) so that users can continue and use systems as if there is no evil in the world. If IT security had a Hippocratic oath, it would probably be along those lines.

Here’s a recent example. This morning I got a call from my credit card company asking me if I’d done some transactions that seem suspicious. I hadn’t, and so they will cancel the transactions (and unfortunately, cancel my credit card and send me a new one). I’m not going to stop using my credit card, and will probably completely forget about this incident. I didn’t lose any money, and the inconvenience was minimal: this is all thanks to the people that chase up the credit card fraud and enable customers around the world to use their cards despite countless attacks on credit card users, some (as my example shows) successful.

Things are not so simple in the email war front. When SMTP was introduced, it described a simple, reliable, scalable system for communication. Almost 30 years after that, we stripped email of some of its most important features. By we, I mean the IT security world. In fact, we’re slowly doing to SMTP what TSA is doing to air travel.

First, the major feature of SMTP: sending and receiving emails. This is probably our biggest failure today: There is no guarantee you will be able to send or receive emails. In fact, if you communicate with the external world, it is almost guaranteed that you will not receive a certain percentage of your emails, and that some emails you send will not arrive. Sure, there are legitimate reasons: we need to protect from spam, viruses and phishing. But the bottom line is that SMTP was designed to reliably deliver an email from point A to point B. Today, we send an email and then call to verify it was received (or send a second email which mysteriously arrives after the first one was blocked).

Next, we kill useful SMTP features. Remember the days when you got an email ‘bounce’ when mistyping the email recipient’s address? Forget about it; those days are long gone. I’m not sure what Spamcop’s exact mission statement is, but it might as well be “make email unuseful”. They have outlawed email bounces (which, by the way, are required by the SMTP RFC) and continued to take out all auto-responders.

Remember read-receipt? Gone. The postal service had this feature in 1841, but we can’t have it in 2010. Do you want to know if a certain email exists? You can’t.  Want to send email directly from your computer without using a mail relay? A non-starter. Ever heard of email fragmentation? This is an awesome feature of SMTP but don’t waste time learning it – it won’t work on the Internet today (and this time we share some of the blame).

Look at HTTP. You click on a link, and you get to the page. If you get an error, you know it’s the web site’s fault. An attack on NCSA’s httpd server is one of the first documented buffer overflow attacks, and yet attacks on modern HTTP servers are practically non-existent. SQL injection and XSS are everywhere and yet users surf dynamic pages all the time without being blocked. We’re doing a good job fixing up HTTP without being a “Mordac”. Too bad we couldn’t do it with SMTP.

Is there hope for SMTP? I think there is. Last decade the doctors were ready to pull the plug on email: spam and viruses were so frequently in the users’ inbox that email was on the verge of being unusable: You had to spent a noticeable percentage of your day clicking the ‘del’ button. These days are over: you rarely see spam in your inbox today, and if you’re like me, you get more irritating chain letters from family members you can’t block (hi mom) than shady ads for pills.

This war can be won. We just need to remember the Hippocratic oath for the IT security world and enable reliable communication again.

Close the Washington Monument

Bruce Schneier suggests closing the Washington Monument:

An empty Washington Monument would serve as a constant reminder to those on Capitol Hill that they are afraid of the terrorists and what they could do. They’re afraid that by speaking honestly about the impossibility of attaining absolute security or the inevitability of terrorism — or that some American ideals are worth maintaining even in the face of adversity — they will be branded as “soft on terror.”

Damn right.

Who’s behind Stuxnet?

Stuxnet is a worm that focuses on attacking SCADA devices. This is interesting on several levels.

First, we get to see all of those so-called isolated networks get infected, and wonder how that happened (here’s a clue: in 2010, isolated means in a concrete box buried underground with no person having access to it).

Then, we get to see how weak SCADA devices really are. No surprise to anyone who has ever fuzzed one.

After that, we get to theorize on who’s behind it and who is the target. What’s your guess?