SPACE ROGUE

Trying to track down the origins of an Internet meme can be an almost fruitless endeavor. Other than giving credit to its originator and perhaps giving them a few minutes of Internet fame there really isnt a lot at stake by determining who was the kid in the success.gif or what meme Laina Morris is responsible for. Finding the origin of a story involving the breach of critical infrastructure however, can be rather important.

While I think it is great that TV shows like this bring technical issues to a mass audience, scaring people into thinking that the Internet is out to get them is probably not in anyones best interest. Humans often do stupid things when they are scared.

Googles goal of getting everything they find fixed within three months is laudable but unrealistic. Some bugs just take a little bit longer to verify, develop patches for, and test. It is not unreasonable to be a little flexible if you feel the vendor is working in good faith to develop a patch. To arbitrarily go full disclosure when you know the vendor has a patch just days away is immoral. It puts users at risk and makes you look like a stubborn child.

This has all lead us to the point where Google has a disclosure policy that basically says theyre going full disclosure in 90 days if the bug is fixed or not. And the point where Microsoft is asking for just a few more days so they can include the fix with their regular Patch Tuesday. Two big kids who should be setting the example are instead acting like a couple of teenagers on the playground. How does any of this get stuff fixed and protect users?

Hollywood has had a long history of doing tech wrong. Take a look at the recent Scorpion TV show, on second thought dont, its almost as bad. Occasionally Hollywood does get Tech correct, like with the recent Blackhat movie, but while the tech was good the movie itself was bad for other reasons. The last time, perhaps the only time, Hollywood got the movie and the tech right was Sneakers, which is coming up on a quarter century in age.

Good Afternoon, Im Space Rogue. Twenty years ago, out of fear of corporate retaliation through lawsuits Space Rogue was the only name I used. Today I also use the name Cris Thomas, although not as frequently, and I work as the Global Strategy Lead for IBMs X-Force Red which is the offensive security services part of IBM Security.

In this particular case both the vendor and the researcher are wrong. Microsoft obviously communicated the status of the fix to Google and told Google when to expect the patch. It is not unreasonable for Microsoft to ask for a few extra days and it should not be unreasonable for Google to grant such a request. On the other hand I am sure Google informed Microsoft that they would only wait 90 days before going full disclosure, Microsoft was informed of the risk of full disclosure and should have pushed harder to meet the deadline.

3. Everyone who watches this ad hopefully realizes that they use a similar password and quickly changes it to something better.

Of course there are still vendors who refuse to fix stuff or who wait forever to do so. According toTipping Points Zero Day Initiativethere are currently 212 known security vulnerabilities without fixes, several of which are over a year old. It is likely that the only way any of these ancient bugs will get fixed is by pulling out the old standby of Full Disclosure. In fact Tipping Point has threaten to do just that, giving vendors just six months to get stuff fixed before they publish limited details on the bugs.

One of the most egregious examples was the speed at which the characters analyzed the cameras source code and it came up all green and then turned red. Source code doesnt just magically turn red when malware is found. Reverse engineering is painstakingly hard, and it takes a lot of time. If code could just magically turn red if it did bad things, like it does in this show, the world would be a much much better place.

Microsoft blasts Google for vulnerability disclosure policy CSO Online

The explosion occurred two years before Stuxnet and while I doubt Stuxnet was the first operation of its kind the evidence to support a similar type of attack on this pipeline is mostly circumstantial at best. Even if this was a cyber attack it would not rewrite the history of cyberwar, as one expert quoted in the article claimed. It would just add one more data point to an already interesting history. Unfortunately the article does not give any proof that this was in fact a cyber attack.

4. The password is displayed in 100 point type on a 20 foot screen for everyone in the room to see.

The problem that many companies who have vulnerability disclosure policies dont realize, such as Microsoft, is they have forgotten that they are not the ones in control. Vendor disclosure policies are not binding on the researcher. It is the researchers choice whether or not to follow a companys disclosure policy. Vendor policies work great for the vendor, it gives them all the time in the world to fix a bug but for researchers who want to get stuff fixed such policies can be a major pain to work within.

A Call for Better Vulnerability Response ErrataSec

Lets face it, while slightly funny this ad will make no one stop and think about how secure their own password may or may not be. However, it might make some people think that ihatemyjob1 or something similar is perfectly ok to use.

If you didnt watch this show you didnt miss anything, at all, and I encourage you not to watch it, in fact just forget that that it exists and with any luck it will be canceled. And then we just have to wait for the next TV show to do tech wrong.

Senator Thompson: I ah, I hope my grandkids dont ask me who my witnesses were today, and say.. Space Rogue

To other learning process, weve made few waves with some large companies such as Microsoft, IBM, Novell, and Sun Microsystems. At the same time, the top hackers, and the top legitimate cryptographers, and computer security professionals pay us visits when they are in town, just to see what were currently working on.. so we kind of figured we must be doing something right.

Or: If a pipeline explodes in the desert and there is no one there to hear it was it really a cyberwar attack?

The second most important thing they got right was the weak security present in many Internet connected cameras. Many such cameras have default passwords and are easily searched for over the Internet allowing anyone to connect to the camera and watch and listen to what is happening.There have been cases where people will connect to a camera and then yell at the sleeping baby.Manufacturers of these cameras were told about their default password problems but most refused to fix the problem, that is until these stories started to hit the press andthe FTC started to levy fines.Even after the companies issues an update to the devices firmware it is up to the owner of each camera to learn about the update and apply the patch themselves. This seldom happens leaving tens of thousands of devices installed in peoples homes that anyone can access.

We are here today to talk about how things have changed in information security over the last twenty years. When we were here twenty years ago a lot of people said, we were a voice of reason attempting to warn people about just how much risk was inherent in our critical systems. A lot of people in information security, or I guess we call it cyber security now, thats one change right there, will tell you that nothing has changed, that we still have issues with passwords from password reuse, to weak passwords, to no passwords. We still have organizations who ignore the problems either through ignorance, ambivalence or just greed. And we still have people who try to blame users for technological failures.

Here is a copy of my introductory statement from the May 22, 2018 briefing where L0pht revisited its historicSenate testimonyof twenty years earlier. (supporting links at the end.)

And I could not overlook that they had the one black person on the show repeat a racist nursery rhyme Einie meane miny moe, catch a well they changed the word on the show but Im really surprised they let that through.

Two of the largest companies in the world are bickering with each other about how best to protect users. I wont get into just how historically hypocritical this is for both Microsoft and Google or how childish it makes them both look but it brings up a debate that has been raging in security circles for over a hundred years starting way back in the 1890s with the release of locksmithing information. An organization I was involved with, L0pht Heavy Industries, raised the debate again in the 1990s as security researchers started finding vulnerabilities in products.

6. While the password uses a number it is appended to the end.

2. He verbally shares his password for everyone to hear instead of typing it in himself.

1. A Single point of failure. (The General)

Microsofts latest plea for VCD is as much propaganda as sincere OSVDB

A few years ago I ran across a company offering to make a quilt out of old T-shirts. I thought this was a great idea! And the price was pretty inexpensive to. I almost sent my shirts in immediately but for some reason I hesitated. I started Googling and found there is more than one company making quilts out of T-shirts and way more than one way to do it. I knew nothing about fabric design or quilting, backing material, batting, stitch length, binding, etc.. Evidently there is a quite a bit that goes into a quilt and I only had one copy of many of my T-shirts. I didnt want to risk going with a low cost option simply because it was low cost.

If you have a box of valuable T-shirts taking up space under your bed you might consider getting a quilt made, but do your own research, the cheapest option may not be the best one for you and your T-Shirts.

For me, for the last twenty years or so, my most valuable t-shirts lived in a plastic box under my bed. I never wore them, because, well, I dont wear t-shirts much and these were a little too valuable to me to risk them fading due to over use. And so they stayed in the box, seldom seen.

In 2009 several researchers found the disclosure process so onerous that they started the No More Free Bugs campaign and promised not to release any vulnerabilities for free. In response vendors started bug bounty programs where they rightly paid researchers for their hard work. However, even that process comes at a cost for both the vendor and the researcher. So much so that there are now third party companies that will help vendors run bug bounty programs and help researchers disclose vulnerabilities.

On the second Tuesday in November I burned a vacation day, woke up at five in the morning and drove to a church down the street from where I live. I sat at a long table for thirteen hours and looked up names in a book. While I wasnt at the church to pray I still felt as though I was cleansing my soul in some way. Over the years for various reasons I had amassed what I felt was extremely high level of personal voter debt and I felt this was a way to at least begin to pay some of it back.

Let us count the bad security practices used in this ad

But we do, we do understand your and do appreciate your being with us. Do you, ah, May I ask your name?

In the beginning there was full disclosure, and there was only full disclosure, and we liked it. In the beginning the goal was to get stuff fixed, it wasnt about glory, it wasnt about bug bounties, it wasnt about embarrassing your competition. No, in the beginning it was about getting bugs fixed. It was about getting the software that you used, the software you deployed to your users, it was about getting it fixed, getting it to be safe. However, in the beginning vendors didnt see it that way, many of them still dont. Vendors would ignore you, or purposely delay you. There is no money in fixing bugs that no one else is complaining about so most vendors wouldnt fix them, at least not until it became public and all of their customers started to complain about them. That was the power of full disclosure.

Let me talk first about the few things that CSI:Cyber got right. The show mentions that social media is a huge aide to law enforcement and one of the characters jokingly says thats why he doesnt use it. This is absolutely correct; Facebook, Twitter and other sites are often the first step in an investigation of any sort, often even before they interview witnesses or suspects.

One recent storyhas me questioning if a pipeline explosion in Turkey was actually in fact an early example of cyberwar. The article claims that a large explosion along the Baku-Tbilisi-Ceyhan (BTC) pipeline, near the Eastern Turkish city of Erzincan on Aug. 7, 2008 was in fact a cyber attack. The article attempts to downplay claims of the Turkish government who said the explosion was caused by a malfunction, as well as discounting the claims of the Kurdistan Workers Party who claimed credit for the explosion despite the groups history of blowing up pipelines. Of course there was also a statement by the Botas International Ltd. company which operates the pipeline which said that the pipelines computers systems had not been tampered with.

During the last electionI spent a lot of time being a punditpreaching about the integrity of the voting process. I figured if I am going to keep talking about elections I should get a look at what actually happens at polling places. So a few months before this election I did a few google searches, found my countys voter information website and sent an email to the address listed for volunteers. The district where I vote was full so they assigned me to the neighboring district. In Pennsylvania the state voting website has a few videos to help explain to volunteers what to expect on Election Day.Despite them requiring Flash, I watched them all.

Senator: Mudge would you like to make a statement?

3. The password is displayed without a mask.

Id like to take the opportunity to let the various members talk about few of their various projects, their current projects and what they are going to be working on the future. Umm! Weld?

CSI has a proven formula for making popular TV shows. Unfortunately that history does not include accurate TV shows. When it comes to tech and things cyberthis is probably the preeminent example of CSI being bad and wrong at the same time.I thought there was no way they could top this, I was wrong.

Other than that just about everything else in the show is just completely unbelievably wrong. Not only are things wrong but they play on known false tropes, like that lead can block radio signals (it cant), that convicted criminals are allowed to work in the field on active investigations, that you can quickly separate overlaid audio and translate it, that you need big wall sized monitors in order to catch bad guys, that hackers who could be half way across the world are conveniently just an hour or less away, that non-smart phones can have GPS aps and that cops treat forensic data so carelessly.

Let us count the good security practices in this ad

Probably the most important thing that they got right in this show was when the Worlds Greatest Hacker was berating the lowly tech employee for allowing a vulnerability to exist in the companies software and the tech guy responds with I took it upstairs but they didnt listen. This is an all to common theme that is often repeated in the information security world. Company executives often refuse to listen to security concerns and instead focus more on the bottom line. This is probably the single truest thing this show got right.

1. The password is longer than eight characters.

And so the disclosure debate continues unabated for over a hundred years. With two of the giants in our industry acting like spoiled children we as security professionals must take the reigns from our supposed leaders and set a better example. It needs to be about protecting the user. It should not be about grandstanding or whining or even making a buck, in the end it should be about getting stuff fixed.

Also I loved how the characters on the show could do these crystal clear remote videoconferences from remote locations? How? They never bothered to explain where the camera was or what are they are using for bandwidth. If they did it with their cell phones I want to get on that data plan.

But vendors didnt like this one bit and so Microsoft developed a policy on their own and called it Coordinated Disclosure. Coordinated Disclosure calls on researchers to work with the vendor until a fix can be released regardless of how long that takes. Under Coordinated Disclosure there is no option for Full Disclosure at all. Of course Coordinated Disclosure assumes that the vendor is even interested in fixing the bug in the first place.

Cyber is generally understood to have originated in the Greek word U or kybernetes which originally meant helmsman, as on a ship, which came to mean to steer and eventually to govern. Norbert Wiener chose this word when, in 1948, he entitled his bookCybernetics or Control and Communication in the Animal and the MachineIt was Wieners work on the automatic aiming and firing of anti-aircraft guns during World War II that caused Wiener to investigate information theory. This was the first documented use of the word cybernetics in English.

I dont think there is another word in the English language that provokes as much of an emotional response from information security professionals as much as cyber. In fact, half of the people who just read that last sentence are like yeah, but cyber is not a word its a prefix. (The other half probably just started giggling.) Unfortunately for themMerriam-Websterand theOxford English Dictionaryhave both recently listed cyber as a stand-alone word as an adjective with the definition of, relating to, or involving computers or computer networks which to me is an extremely broad definition. TheCambridgeMacmillanandLongmandictionaries all still lists cyber as a prefix but I am sure they will upgrade it to full word status soon. Can official use as a noun, the cyber, be far behind?

Of course I had tolive tweetthe whole day. When I arrived on Election Day morning it was just me and Mary the Judge of Elections. Even though there wasnt much to see she showed me around, pointed out the coffee and the restrooms and mentioned the voting machines which were already set up off to the side. In my district we use a Direct Record Electronic (DRE) voting machine. They werent much to look at but I still had to fight my urges to immediately start pulling them apart. I wasnt here to test or even play with the machines anyway.

I was especially troubled by one of the statements made early in the show Any crime involving electronic devices is by definition, cyber While this is just a TV show there are people who believe this or at least will be influenced by this. This scares me as I guess that makes my electric drill cyber.

Southwest Airlines recently aired a TV ad in their Wanna Get Away series that features some serious password blunders. In the ad a General is asked for his password so that they can lock down the system which he then reluctantly provides. The password, ihatemyjob1, is rather embarrassing and hilarity ensures. Lets watch

5. Password does not use uppercase or special characters.

Hackers Testifying at the United States Senate, May 19, 1998 (L0pht Heavy Industries)

In another scene one of the technical characters, who is labeled as the greatest hacker in the world (Im not even going to touch that statement) claims that RATs or Remote Access Trojans are easy to get for $40 on the surface net. He is right about the easy to get part although his price is a little high and I have no idea what the surface net is. But yes, tools that online criminals use like RATs are very easy to come by. The thing about Remote Access Trojans is that they are very similar to legitimate Remote Access Tools like say Go To My PC or Remote Desktop,

The entire process has gotten out of hand. The number one goal here should be getting stuff fixed because getting stuff fixed helps protect the user, it helps defeat the bad guys and it helps make the world a better place.

This is why you see many companies and individual researchers not disclosing anything at all, and this should not happen. And I havent even gotten into the issue of vendors filing lawsuits against researchers as a means to keep them quiet.

Addendum: The generals uniform in this ad is a disgrace. Although probably done on purpose so as to not offend any one service they have in fact offended all services.

8. Everyone who sees this ad thinks that while ihatemyjob1 may be an embarrassing password it is perfectly acceptable since a general uses it.

Google has made anupdateto its 90-day disclosure deadline. They have decided to make allowances for deadlines that fall on weekends and holidays and more importantly have granted a grace period for vendors who communicate their intent to release a patch with 14-days of the 90-day deadline. It is nice to see vendors and researchers working together. The goal here should be to protect the users and not embarrass vendors. This grace period shows an understanding of the issues surrounding disclosure that impact vendors while at the same time continuing to hold them to a high standard.

Mudge: Yes I would. Emmm! Thank you very much for having us here. We think this is hopefully a very great step forward and are thrilled that the government in general is, is starting to approach the hacker community, we think its a tremendous asset that the hackers bring to the table here, an understanding! Emm! My handle is Mudge and I and the six individuals seated before you, which we run down the line: Brian Oblivion, this is John Tan, King Pin, Weld Pun, Space Rogue, and Stephen Von Neumann We make up the hacker group known as The L0pht. And for the last four years, the seven of us has been touted as just about everything, from The Hacker Conglomerate, The Hacker think tank, the hangout place for the top US hackers, Network security experts and the Consumer watch group. In reality, all we really are, is just Curious. For, well over the past decade, the seven of us have independently learned and worked in the fields of satellites communication, cryptography, operating systems design and implementation, computer network security, electronics and telecommunications.

It is hard to work in Infosec for very long and not amass a huge number of T-shirts. Vendors give them away like candy thinking that somehow a free t-shirt is going to make you spend thousands of dollars on their blinky light solution versus their competitors blinky light solution. However, some t-shirts tend to have a great value than others. Those shirts emblazoned with logos from projects or companies that you actually worked with tend to have the most value. Then the question becomes what do you do with them?

The softball shaped camera that is thrown through an open window into the bad guys lair near the end is an actual thing that is actually used by law enforcement. They got this right.

Senator Thompson: If you gentlemen would come forward.. Were joined today by the seven members of the L0pht, Hacker think Tank in Cambridge Massachusetts. Due to the sensitivity of the work done at the L0pht, theyll be using their hacker names of; Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stephen Von Neumann. Gentlemen

Vendors of course hated full disclosure because they had no control over the process, in fact there was no process at all and so they complained, vociferously. Vendors talked about ethics and morality and how full disclosure helped the bad guys. So a guy named Rain Forest Puppy published the firstFull Disclosure Policypromising to release vulnerabilities to vendors privately first but only so long as the vendors promised to fix things in a timely manner. If the vendor didnt get stuff fixed the researcher could still pull out their most effective tool, full disclosure, to get the job done.

No one questions the importance of keeping abreast of current trends and developments with regards to information security. Whether it is new malware techniques, attack vectors or just the motivation of some attackers. That means looking into the details of the Target and Sony breaches, checking out the specifics of Heartbleed and Poodle, and keeping abreast of the latest patches from Microsoft and other vendors. It also means trying to separate the facts from the fear, uncertainty, and doubt used to generate page views.

I recently heard of a new incident that seems to fall into this same scenario. The story claims that hackers broke into the control system of a floating oil rig off the coast of Africa, somehow messed with the ballast control and caused the rig to tilt. The rig had to be taken offline while the systems were cleaned up. As with most of these types of stories no supporting information is given. No actual dates, no name of the oil rig or its owner, even the location in this story is vague, off the coast of Africa, an entire continent.

Off Camera: I thought you were the Kingpin?

Like funny Internet memes, stories about compromises of water plants, steel factories, power companies or other systems controlled by SCADA or ICS can be repeated over and over until they are accepted as facts with no one questioning their authenticity. Previous events suchas power outages in Brazila water pump failure in Illinois, the improper shut down of a blast furnace at aGerman steel milla pipeline explosion in Turkeywere all originally attributed to cyber attacks. In fact cyber attacks were blamed in almost all cases not because there was any actual evidence but rather the lack of any other explanation. Since nothing else could have caused the problem it must have been those meddling hackers.

Microsoft says that full disclosure forces customers to defend themselves which is the wrong way to look at it. Full disclosure allows companies to defend themselves if they so choose. The opposite is non-disclosure, which helps no one. Just because a bug hasnt been disclosed doesnt mean it is not there. It doesnt magically pop into existence only when someone publishes something about it. The bug is there, waiting to be found. Maybe the bad guys already found it. Maybe they are already using that bug against you. And yet you are blissfully unaware that the bug even exists. Full disclosure gives you knowledge that you can use to protect yourself even if a patch is not available. You can choose to turn off the affected device, or add additional protections to your environment to help you mitigate the risk. Once disclosure happens this is now your choice, you can evaluate the risk this particular bug presents to your environment and make an educated decision of what steps to take depending on your own risk tolerance. While most users will continue on blissfully unaware or choose to ignore the information that too is their choice, not Microsofts, and not Googles.

I was pretty impressed. It looked great, especially the quilting design that showed through the back. My whole purpose for getting the quilt though was to hang it on the wall in my office at home. I ordered a custom quilt hanger fromRobinsons Wood Crafts. This allows you to hang a quilt on the wall without putting holes in the quilt itself.

Certainly the article lists plenty of circumstantial evidence to support the theory of a cyber attack to blow up the pipeline but the actual proof comes down to four people familiar with the incident who asked not to be identified. Obviousl

Disclosing vulnerabilities isnt an easy thing. In the mid nineties at L0pht Heavy Industries we quickly found that vendors had absolutely no interest in fixing bugs at all and instead would prefer that we just kept our mouths shut. A lifetime later it was part of my job to help coordinate vulnerability disclosure with various vendors that were found by our pentesters. If youre a lone researcher and only have one vulnerability its not such a big deal, you send a few emails, wait a little while and if the vendor is cooperative a fix is pushed out in a few days or months time. If you happen to have several dozen vulnerabilities that you are attempting to get fixed, all at the same time, and all by different vendors, the process can be a little more involved. In fact simply coordinating these disclosures can be a full time job for multiple people within an organization. There is no ROI here either, the simple process of attempting to disclose vulnerabilities eats up revenue in the time your employees take trying to coordinate vulnerabilities and get stuff fixed.

In the end I choseToo Cool T-Shirt Quilts. I boxed up my shirts and sent them in. They emailed me as soon as they got the box and asked me what sort of options I waned, how big of a border, any designs in the quilting, special positioning of certain shirts, etc.. 2 weeks later they sent me these photos.


Tags:

Leave a Reply