Random Thoughts on the Draft #IPBill

 Computing, Politics, Security  No Responses »
Nov 042015
 

The draft #IPBill or more conventionally the draft of the upcoming Investigatory Powers Bill. And some random thoughts on it …

First of all this is not really anything new, as this bill wraps up and modifies existing legislation regarding legal "snooping" in the UK. Whilst it is sensible to pull in multiple existing bills and incorporate the powers in just one place, it makes it a lot harder to see what is new.  There could well be new draconian powers in this draft bill; in fact there probably are, but it is hard to see just what is new.

And there are few people I would rather trust less in drafting such a bill than Theresa May

It is worth noting that the most draconian powers under this bill are not new; in fact once we analyse it properly it may be that there is very little that is really new. 

Oh! And just to state the obvious: Ignore the spin at the beginning; it's the easiest section to read, but may be somewhat deceptive (either deliberately or because it over-simplifies matters).

There are new protections against abuse in this draft bill – specifically the Judicidial Commissioners who will sign off on warrents if they feel they are justified. However how much protection does a current or former High Court judge offer? Well one that co-operates with the government by reflex isn't going to be much help. We need one that is suspicious of government and protective of individual rights.

And there's an escape clause – an "urgent" warrent can be approved without a JC, although it only lasts for five working days rather than six months. Of course the JC gets to approve it (or deny it) after the fact, but this turns this protection into a fig-leaf. And of course the "national security notices" have no oversight before they are issued.

The other thing that occurs to me: What is the difference between a public telecommunications provider and a private telecommunications provider? I dare say that most people won't know when they connect to a network which they're on. And there are different provisions depending on whether the network is public or private – as an example it would be legal for a private telecommunications provider to intercept. 

The purpose behind the #IPBill is supposedly to combat serious crime and to defend the "national interest" in security matters, but some of the provisions allow for economic considerations to be taken into account. So the government plans to sell our communications data to interested parties? Perhaps that's not what they intend, but it doesn't look like there's anything to stop them.

It is interesting to note that local authorities are specifically excluded from certain provisions – they of course are well known for taking previous instruments, and using them for purposes other that what was intended.

MP's have extra protection under this bill, and people are somewhat cynical about the reasons for this – perhaps thinking it's to protect Theresa May's porn browsing habits (Ew! I think I just threw up in my mouth just a bit). Actually, in theory it's not entirely unreasonable when you think of it as a measure to protect the privacy of the MP's constituents who may be discussing privileged information with their MP.

Of course that very quickly dies a death when you look closer at the list of MP's that are protected – all the MP's from the national parliaments, plus MEPs from UK constituents. If you raise a matter with your MEP, she may very well suggest speaking to another MEP – such as the MEP from from somewhere other than the UK if they happen to be the rapporteur (yes Dave, I finally remembered) for a particularly specialised subject area.

There is a fair amount of wordage within the bill dedicated to keeping warrents and retention notices secret – disclose such the existence of such things and you're looking at gaol time. I can see the argument for why such notices should be secret – for a certain duration, but they should be made public eventually so that their use can be judged in the court of public opinion.

Undoubtedly I'll think of additional points to make as I get further into the bill …

Don’t Take Your Security Advice From The Media

 Computing, Media, Security  No Responses »
Oct 242015
 

Rusty_PadlockRelated to my rant regarding the TalkTalk hack that I've just posted, is an associated rant about security advice from the media. It's spotty at best, and downright unhelpful or just plain wrong at worst.

I've been stuck indoors today waiting for someone to paint my front door, so amongst various household tasks that I've reluctantly undertaken, I've also had the BBC News 24 channel blaring out. And of course the TalkTalk hacking incident has been making a regular appearance. And on occasions the security advice has been less than stellar; in fact some of it stinks like a rhino's rancid rectum.

It Was A DDoS

(bang) as my head hits the table.

No, the TalkTalk hack had nothing at all to do with a distributed denial of service attack. There may have been a DDoS attack just before the hacking incident, but it was not related (even if it was done by the same people). A DDoS attack is the cyber equivalent of getting all your friends to shout at someone you don't like; it's noisy, stops you communicating, and is as annoying as hell.

But once it is over, things are back to normal (except for writing an incident report). 

Breaking into a server and stealing the personal data of customers is not any kind of denial of service attack. It's an intrusion, and an exfiltration; there are two seperate events there. Labelling either as a "DDoS" just makes you look like an idiot.

Look At The Email Headers

(bang) as my head hits the table.

Email headers can be forged; those headers you see normally ("From", "Subject", "Date", etc.) are nothing more than comments. They are not to be trusted. Even if you reveal the hidden headers (and there's a lot you don't see), the story they show can be mostly forged. It takes a real expert to distinguish between a phishing email and a legitimate email from just the headers.

Even something geeky like PGP digital signatures can be forged if you are dealing with an organisation that has been compromised. And who uses PGP?

Don't trust emails with the name of a compromised organisation on.  

Change Your Passwords As Frequently As Possible

(bang) as my head hits the table.

Changing you password frequently doesn't actually accomplish that much. It is better to keep the same password for a year, if it is long and strong, than it is to change your password every month if it is simple and weak.

Long and strong passwords are tedious to remember – especially for web sites you rarely use. So use a password manager like KeePass. If you want to use a different password manager, seek out a security geek and ask for their recommendations. And the geekier the application site looks, the better; the site should be droning on about 3DES, AES, and all sorts of inscrutable cryptogeek mathematics; you don't have to understand it all, but it's absence on a web site is a bad sign.

Use different passwords on different sites. This is also tedious, and can be relaxed for less important web sites – that is those web sites that don't store more personal information about you than your name. And tedious is a good thing when it saves you from the stress of finding out your bank accounts are empty.

Don't Blame The Victim

It's all very well being sympathetic to those victims who have found their bank accounts emptied, but they are not necessarily related to this latest incident.

And they're not entirely blameless. 

If they hadn't shared information with hackers who already had some of their data, or they had not used the same password for their bank as TalkTalk, then they would not be victims.

And this is hardly new advice.

The media should be sending the message that these victims have been dumb; yes there may be extenuating circumstances, but they have still been dumb. And dumb TalkTalk customers will likely end up with their money and/or identity stolen.

TalkTalk Hack: Let’s Not Get Too Sympathetic To The Executives

 Computing, Security  No Responses »
Oct 242015
 

The reaction to the latest big leak (from TalkTalk) has been interesting … there's a certain amount of sympathy for TalkTalk, with people blaming the cybercriminals and claiming that no system can be made fully secure. There's a nugget of truth in saying something like that, but it's not the whole truth.

Yes, there is a truism within the security world that there is no such thing as a secure computer; or rather that the only secure computer is one that has been turned off, had it's disks thrown into an active volcano, has been entombed within a huge concrete block, and has been buried at the bottom of the Mariana Trench (add as many ways of saying "unreachable" as your audience can stand). But it's a truism, and isn't supposed to be used as a get out of gaol free card by anyone getting their data hacked.

If it is true about the ransom demand (and it's not impossible that the ransom demand came from someone other than the group that hacked TalkTalk), the hackers were probably just after money. In which case they didn't target TalkTalk directly; they probably targetted all of the big ISPs and picked the "low hanging fruit". That translates as the hackers did a vulnerability scan of all the ISPs and found that TalkTalk were the easiest to attack. 

And it is not as if this has not happened before :-

Looks like they keep getting hacked (and these are just the ones that we know about). By selling the details on, the hackers will have already made plenty of money from hacking TalkTalk.

Yes, ultimately the cybercriminals are responsible for hacking TalkTalk and stealing the data, but that does not mean that TalkTalk are not to blame for not taking adequate action to protect themselves against hacking. There is a whisper that this hack was due to an SQL injection attack which isn't some kind of masterclass hacking attack, it's in the hands of script kiddies. And is prima faca evidence that TalkTalk haven't reviewed their code for security vulnerabilities for years

There's calls for the government (it's interesting how the free market fans always cry help to the government every time they encounter a problem) to tackle cybercrime.  But it is also time to give the Information Commissioner the power to fire company executives, and use it against the TalkTalk executives. Simply blaming the cybercriminals lets executives who are asleep at the wheel to get away with their incompetance. 

And perhaps the Institute of Directors should start talking about minimum budgets for IT security.

But more importantly, it is essential that security is deeply embedded throughout every department of IT; it is all too easy to establish security tokenism. Simply appoint someone in charge of security, and then say "No" to any suggestion that requires money or incovenience.

 

Tinkering With The PS Command

 Computing, Linux  No Responses »
Oct 232015
 

Have you ever wondered if you can tinker with the ps command to change how and what is displayed? No? Well give up reading this post then.

I've known about ps for ages and also the way that the output can be tinkered with, but have not had an excuse to dig into it properly until I was looking for a way for ps to show the Linux container name for each process (don't get excited: ps -o machine is documented but not implemented at the time of writing). 

If you read the manual page for ps you will be quickly distracted by all the different options available. These can be grossly simplified into three different groups of options: which processes to list, what to output, and how to sort the output.

Which Processes?

This can be simplified down to almost nothing; ps on it's own lists just the processes running from the current terminal (window) :- 

% ps
  PID TTY          TIME CMD
 2591 pts/17   00:00:00 zsh
13325 pts/17   00:00:00 ps

If you want to display all processes, add the "-e" option :- 

% ps -e
  PID TTY          TIME CMD
    1 ?        00:00:03 systemd
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 ksoftirqd/0
    5 ?        00:00:00 kworker/0:0H
    7 ?        00:00:54 rcu_sched
    8 ?        00:00:00 rcu_bh
    9 ?        00:00:35 rcuos/0
   10 ?        00:00:00 rcuob/0
   11 ?        00:00:00 migration/0
   12 ?        00:00:00 watchdog/0
(cut)

And lastly (not literally – there are other options), add the "-p" option to list processes by process ID :- 

% ps -p 1
  PID TTY          TIME CMD
    1 ?        00:00:03 systemd

Tuning The Output

By default the fields that ps outputs is somewhat peculiar until you realise that the output fields have been frozen in time. The default choice is somewhat minimal; and I'm not in favour of minimalism. And what use is the TTY and the TIME fields?

The TTY field shows you what terminal the process is running on – this was handy on a multi-user system where you could find out who was on what terminal and then write a message directly to their screen. A great way of winding people up, but not so much use these days. And TIME? We're no longer billed for the cpu time we consume, so the time spent running on the cpu is a rather pointless thing to list.

The "-f" option displays more information :- 

% ps -f
UID        PID  PPID  C STIME TTY          TIME CMD
mike     26486 31092  0 21:24 pts/24   00:00:00 ps -f
mike     31092 31091  0 20:11 pts/24   00:00:00 -zsh

But the output is still somewhat peculiar, and there are other more interesting fields to display.

There are various options for choosing the output format amongst a set of predefined choices, but the best bet is to ignore these and jump straight into selecting the individual fields that you want. These can be found in the manual page in the "STANDARD FORMAT SPECIFIERS" section. Simply list the fields you want after the "-o" option :- 

% ps -o pid,comm,pcpu,pmem,nlwp,user,stat,sgi_p,wchan,class,pri,nice,flags
  PID COMMAND         %CPU %MEM NLWP USER     STAT P WCHAN  CLS PRI  NI F
28061 ps               0.0  0.0    1 mike     R+   3 -      TS   19   0 0
31092 zsh              0.0  0.0    1 mike     Ss   * -      TS   19   0 0

Obviously typing this in every time is somewhat less than ideal, but fortunately the authors of ps have already thought of this. By listing the fields within the PS_FORMAT environment variable, there is no need to specify -o :- 

% export PS_FORMAT="pid,comm,pcpu,pmem,nlwp,user,stat,sgi_p,wchan,class,pri,nice,flags"
% ps
  PID COMMAND         %CPU %MEM NLWP USER     STAT P WCHAN  CLS PRI  NI F
29440 ps               0.0  0.0    1 mike     R+   5 -      TS   19   0 0
31092 zsh              0.0  0.0    1 mike     Ss   * -      TS   19   0 0

To make this pernament, add this to your shell startup rc file; whilst editing you may as well set PS_PERSONALITY to "linux".

Sorting The Output

According to the ps documentation, by default the output is not sorted. In that case either my kernel's process table is remarkably well organised, or the distributions I use "cheat" and sort the output in process ID order. In the distant past where computers were shared amongst too many people, and the machines themselves were quite slow, it made sense for the output of ps to be unsorted. But it certainly doesn't make sense now.

And the ps command allows processes to be sorted by any field that you can specify in the "STANDARD FORMAT SPECIFIERS" section which conveniently enough you are now intimately acquianted. Simply add the relevant field to the –sort option :- 

% ps --sort pcpu
  PID COMMAND         %CPU %MEM NLWP USER     STAT P WCHAN  CLS PRI  NI F
31092 zsh              0.0  0.0    1 mike     Ss   * -      TS   19   0 0
31743 ps               0.0  0.0    1 mike     R+   5 -      TS   19   0 0

With just a short list (and such a low percentage of the cpu in use) it doesn't make sense, but added to -e, it does.

Rather than change the default sort order, I personally prefer to configure aliases to do the job for me :- 

% alias pscpu='ps --sort pcpu'
% alias psmem='ps --sort pmem'

Preferring to use an alias here is rather convenient as there doesn't seem to be a way to configure the default sort order – officially there isn't one!

Reading through the ps manual page (during which you will notice many different options referring to old Unix varients) is a reminder of just how long and bitter the fight over which ps varient was the best. And now for a completely irrelevant picture :-

damascus-unix-prompt

CSI: Cyber: Hit or Miss?

 Computing, Media, Security  No Responses »
Oct 212015
 

So there's this new TV series called "CSI: Cyber" (well technically it's new to me and the UK) which is all about an FBI cybercrime unit. 

As it hapens cyber security (if you insist on calling it that) is something I know a bit about. And so this new TV series has two ways of amusing me – the normal entertainment that TV offers, and of course the chance at falling about laughing at the mistakes.

Is it entertaining in the first sense? It's an American cop show with a bit of added "tech", so to some extent it stands out of the American cop show crowd (or perhaps flood). So yes, it's mildly entertaining; nothing worth staying in for, but it will kill an hour that you're too tired to do anything more productive with.

In the second sense I mentioned – yes it's got that in spades.

The most obvious flaw is that everything happens too quickly. Analysing a malicious printer firmware as you plug in the USB disk that contains it? Not going to happen. Finding a zero-day exploit in a collection of IoT devices within an hour? Not going to happen. Hacking a municipal transport network whilst being driven around at furious speed? Well that could happen if you had already done it (they hadn't), but it isn't something you would really try.

Causing a printer to burst into flames with a malicious firmware? I believe the possibility was jokingly mentioned a few years ago when printer firmware became a target for attack amongst the white hat community, but it was also mentioned that it was pretty unlikely as things like thermal cut-out units are isolated and hardwired – you can't turn them off.

Or a malicious exploit causing a laptop battery to burn up; I'm not saying that's impossible, but again battery pack microcontrollers are usually isolated from the computer they power. 

Labelling "zero-day exploits" as something that effects personal devices? Just plain daft, although the rest of the definition was Okay.

Is this a problem? Well, sensible people will realise that this is all just entertainment and will not take it seriously. Indeed it may increase the realisation that criminals with IT skills (and governments) can cause nasty things to happen; even if this show highlights the wrong kind of nasty things. 

Of course the knuckle-dragging neanderthals (with apologies to the real Neanderthals) who watch this show and pay attention (so perhaps there isn't much danger after all) will assume that everything this show demonstrates is for real. And starts panicing anytime someone whips out a copy of metasploit

I imagine I'll be saying: "It's just entertainment" many times over the years.

 Older Entries  Newer Entries