Saturday, March 31, 2007

Please stop feeding the trolls

When I was in grade school, I came home crying because another kid called me a bad name on the playground. My mom taught me that words can only hurt me if I let them. She taught me that the best response was to ignore the bullies.

What she taught me applies to the recent cyber-bullying against Java blogger Kathy Sierra. The crux of this story is that one or more people posted nasty and anonymous comments about her. The following is an example of one of those postings:
fuck off you boring slut... i hope someone slits your throat and cums down your gob
This, and the other posts, were pretty nasty, but it really is a person's choice to pay attention to such words. Kathy has chosen to take the posts seriously. Indeed, she has become a bit delusional about them. She claimed that the comments were "threats", even though they don't quite meet the definition of the word. In her delusional paranoia, she has claimed that other well-respected bloggers were part of the conspiracy to threaten her (because nasty comments appeared not only on her blog, but on forums attached to other blogs as well). She implied that those other bloggers were responsible for the anonymous comments that appeared on their sites. She has sullied the name of well-respected bloggers who now struggle to defend their reputation.

Such bullying is part of the larger problem of "forum trolls". Trolls are comments designed to provoke a reaction. They could be nasty personal comments, or political claims, or religious statements, or anything else that will provoke people to give the trollers attention. As my mommy taught me when dealing with bullies on the playground, the proper response to forum trolls is to ignore them. Getting upset over what they post is a choice you make. Responding to their posts only encourages them to post more of the same.

Unfortunately, many throughout the blogosphere have leapt to support Kathy. They have been competing amongst themselves to see who can be the most righteous in their outrage over the vileness of the trolls. The main effect of all these posts is, of course, to encourage forum trolls in general, and more bullying of Kathy Sierra in particular.

The other effect is to encourage the government to step in and do something. In much the same way that I wanted my mommy to fight the bullies for me, people today want the government to fight back against the forum trolls. This is a very bad thing. We already have the tools to deal with bullies. We can just ignore them. We can turn off anonymous posts from our forums. We can turn on keyword filters for offensive words. We can moderate posts, or use a community-moderation system like Slashdot. Lots of forums are essentially "troll-free" because anti-troll efforts work. Government intervention comes at a high cost, removing our freedoms, such as speech and anonymity. People like Kathy Sierra should at least try to use the tools available to them before becoming cry babies asking for the government to do something about it.

The bloggers who support Kathy have frequently made the point that the forum trolls are cowards hiding behind anonymity. I would suggest that it's the bloggers themselves who are cowards. It doesn't take much courage to post something everyone agrees with. The situation is like a lynch mob. Nobody likes the forum trolls, and therefore nobody is going to stand up for their rights. It doesn't take courage to go along with the mob and lynch them. It takes no courage to express your righteous anger against them. What would take courage is to oppose the mob and suggest that no matter how vile those posts were, that we still need to abide by solid principles, namely that we deal with immature trolls as mature adults, and that we don't discard our rights to free speech and Internet anonymity just because we don't like what they said. It's mob rule, for example, that is responsible for eroding our rights after 9/11 with the so-called "Patriot" Act, because no politician was brave enough to stand up to the mob.

Many have used this incident to promote the idea that the computer geek community is "misogynistic" (hates women). The opposite is true. Forum trolls don't use such language because it's what THEY think, but use it because it's what WE are offended by. Indeed, it's precisely the soft misogyny of Kathy's supporters that's at fault here. They will leap to a woman's defense more readily than a man's. Insults and threats are treated more seriously when a woman is involved. I can call a man a "dick" in nearly polite conversation, but the equivalent insult for a female is so offensive that I can't say it here. The words are more insulting because we are treating women differently, not because the trollers are. While it is appropriate to escort a woman to a car at night (there is a physical disparity), it's inappropriate to act as if a woman is less capable of defending herself on the Internet than a man.

See also: Penny Arcade

Thursday, March 22, 2007

New SCADA vulns

Researchers recently announced vulnerabilities in SCADA OPC systems. SCADA refers to the computerized control over things from dams to oil refineries to railroads to nuclear power plants. As I discussed in a presentation last year, SCADA is completely open to attack, especially OPC.

OPC is a standard for Microsoft Windows, built on COM/DCOM, that makes it easy to write GUI applications for SCADA. OPC servers translate between Windows primitives such as MS-RPC/DCOM and the backend protocols that actually do the monitoring and controlling of switches, valves, pressure gauges, thermometers, and so forth. These backend protocols are often based upon standards that pre-date Windows. They are horribly insecure because few people in the SCADA industry know what a "buffer overflow" is.

Unfortunately, OPC is completely open to attack. The code is horribly insecure. It took me 5 minutes to find a remotely exploitable bug when I downloaded sample implementations from the OPC Foundation a couple years ago. The real problem is not vulnerabilities but authentication. OPC installations are normally run without needing a username or password, which means a hacker can control them without having to mess around with things like buffer overflows. Moreover, if proper authentication and encryption are enabled, then you can't actually remotely exploit them without first logging on. This is the case with the recent announcement from neutralbit: it's only exploitable if the user has login privileges.

Unfortunately, many SCADA organizations are not going to take neutralbit's work seriously for this reason. They know that since their systems are already wide open to attack, patching them against this bug won't stop a hacker. That would be wrong. First, there is the possibility of a worm exploiting these bugs. Second, at some point the SCADA industry is going to have to catch up with the rest of the world with regards to securing their products. Neutralbit has done an excellent job of explaining to you potential problems with OPC, but they've also explained them to hackers and cyber-terrorists. Any kid who wants to prove he's a vulnerability hunter now knows he can go onto eBay, get some cheap OPC products, find vulnerabilities in them, and announce them to the world. There is a good chance that many more OPC vulnerabilities will be announced and/or exploited in the next couple of years.

Of course, it doesn't mean you should take down your SCADA network to patch your OPC systems immediately, but it does mean you need to be looking into the problem. For example, you should never buy a SCADA product without first asking the vendor for an independent vulnerability assessment from a third party (e.g. Errata Sec, Matasano, ISS/IBM, Neohapsis, neutralbit, etc.). Chances are good that if they can't give you an independent vulnerability assessment for their products, they will have the easily discovered vulnerabilities like those that neutralbit is announcing.

Wednesday, March 21, 2007

Cracking...

http://en.epochtimes.com/tools/printer.asp?id=50336

MD5, HAVAL-128, MD4, RIPEMD, and now SHA-1

That's pretty awesome!

Wifi Beacon Seepage

Data 'seepage' refers to the fact that we broadcast bits of information about ourselves to the public world. Clever people who collect that information can exploit it in interesting ways.

One example is a startup called Skyhook Wireless. They have wardrivers in the major U.S. cities getting the GPS coordinates of all the major wireless access points. Then, when a user runs their software on notebook computers, the users can send Skyhook the MAC address of their current hotspot, and Skyhook will send them back their location. The software will also provide "location based" services, such as search and advertising.

Recently, they've partnered with AOL to provide a plugin to their instant messenger so that you can see where your chat buddies are on Mapquest.

All this sounds really cool, and I'm sure Skyhook is not evil, but of course, I get paid to think up ways it can become evil.

For example, the software they put on your computer can not only send Skyhook the MAC address of your access point, but of other access points near you. Since they know the GPS coordinates of one access point, they can discover the likely GPS coordinates of a lot of other ones - without sending one of their 200 drivers around to find it. This is not evil, but it does make you start to think. Most people don't secure their wifi access points because they believe nobody is listening to them. Once they discover that there is, indeed, a company keeping track of all these things, they might change their habits. For example, they might turn off the broadcast of SSID, which will prevent a desktop agent from discovering it. It won't, however, stop more advanced sniffers: a desktop agent would presumably retrieve SSID broadcasts from the Windows wireless configuration stuff, while getting SSIDs from quieter networks requires custom drivers. Note, too, that hiding the SSID only blanks one field in the beacon. The access point keeps beaconing, and every beacon still carries the BSSID (the access point's MAC address), which is the identifier a service like Skyhook keys on in the first place.

When one person runs the Skyhook desktop software, they will compromise the location of everyone behind an access point. Everyone behind an access point shares the same IP address. That means that while a Skyhook user is chatting on AIM, you are visiting ESPN.com, and you might see advertisements for the neighboring shoe store. This is because your fellow hotspot user told Skyhook about your common IP address, which in turn told ESPN. Indeed, Skyhook can shortcut this by including UPnP queries in their wardriving tool to map the current Internet-facing IP address from open access points (the UPnP Internet Gateway Device profile exposes a GetExternalIPAddress action that any client on the LAN can call, with no authentication). While such IP addresses change in theory, they change infrequently enough that it could still be useful to Skyhook.
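Here, as an added worked example (not part of the original post, and not Skyhook's code), is what that UPnP shortcut looks like on the wire in Python: the SSDP M-SEARCH a client sends to find the gateway, the LOCATION header in its reply, the SOAP POST for GetExternalIPAddress, and the parse of the answer. The gateway address, the control URL "/ctl/IPConn" and both replies are constructed for the example; a real client reads the control URL out of the device description document at LOCATION, a step this example skips.

```python
import xml.etree.ElementTree as ET
from typing import Dict

IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SSDP_ADDR = ("239.255.255.250", 1900)


def build_msearch(st: str = IGD_ST, mx: int = 2) -> bytes:
    """SSDP discovery request; sent over UDP to SSDP_ADDR from the LAN side."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")


def parse_ssdp_response(datagram: bytes) -> Dict[str, str]:
    """Headers of the unicast SSDP reply, keys lower-cased (LOCATION is the one we want)."""
    head = datagram.decode("latin-1").split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status: {status!r}")
    headers: Dict[str, str] = {}
    for line in lines:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return headers


def build_soap_request(host: str, control_url: str, action: str = "GetExternalIPAddress",
                       service: str = WANIP_SERVICE) -> bytes:
    """HTTP POST carrying the SOAP action; the IGD profile asks for no credentials."""
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{service}"></u:{action}></s:Body></s:Envelope>')
    head = (f"POST {control_url} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            'Content-Type: text/xml; charset="utf-8"\r\n'
            f'SOAPAction: "{service}#{action}"\r\n'
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("utf-8")


def parse_external_ip(http_response: bytes) -> str:
    """Pull NewExternalIPAddress out of the SOAP reply body."""
    body = http_response.split(b"\r\n\r\n", 1)[1]
    root = ET.fromstring(body)
    for el in root.iter():
        if el.tag.split("}")[-1] == "NewExternalIPAddress" and el.text:
            return el.text.strip()
    raise ValueError("reply carries no NewExternalIPAddress")


# Constructed replies in the shape a typical gateway sends (not captured from a real device).
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\n"
                     b"CACHE-CONTROL: max-age=120\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"USN: uuid:00000000-0000-0000-0000-000000000001::"
                     b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
                     b"SERVER: Linux/2.4 UPnP/1.0 IGD/1.0\r\n\r\n")

SAMPLE_SOAP_REPLY = (b'HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset="utf-8"\r\n\r\n'
                     b'<?xml version="1.0"?>'
                     b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
                     b'<s:Body><u:GetExternalIPAddressResponse '
                     b'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
                     b'<NewExternalIPAddress>198.51.100.23</NewExternalIPAddress>'
                     b'</u:GetExternalIPAddressResponse></s:Body></s:Envelope>')


def external_ip_from_canned_exchange() -> str:
    """Walk the whole exchange against the constructed replies."""
    location = parse_ssdp_response(SAMPLE_SSDP_REPLY)["location"]
    host = location.split("/")[2]                      # "192.168.1.1:5000"
    # "/ctl/IPConn" is an assumed control URL; a real client takes it from the
    # device description document fetched from `location`.
    request = build_soap_request(host, "/ctl/IPConn")
    if not request.startswith(b"POST /ctl/IPConn HTTP/1.1\r\n"):
        raise RuntimeError("malformed SOAP request")
    return parse_external_ip(SAMPLE_SOAP_REPLY)
```

To try the same thing against your own access point from the inside, send build_msearch() to 239.255.255.250:1900 over UDP, fetch the LOCATION URL, find the WANIPConnection service's controlURL in that XML, and POST build_soap_request() to it. If the gateway answers with an address, anyone who can associate with the access point can learn the public IP the whole hotspot hides behind.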

If you are paranoid, there are some steps you can take to defend against this sort of seepage. Most home wifi access points allow you to turn off SSID beacon/broadcasts; that's a good step. Most home wifi access points allow you to change your MAC address. Rather than have unique identifiers for those, you could change them into something more bland. Indeed, you could search for wardriving information people have posted on the web, and copy down those SSIDs and MAC addresses. It'll really annoy Skyhook to have the same MAC address used in multiple locations throughout the Internet. I suggest using a MAC address of 00:00:DE:AD:BE:EF. Also, I use "Wayport_Access" for my SSID, precisely because it's so common.
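To make the beacon point concrete, here is an added example (written for this page, not code from the post or from Ferret) in Python that builds a few 802.11 beacon frames and parses out exactly what a mapping agent harvests from them. The BSSIDs and SSIDs are made up for the example. The "hidden" network in the constructed capture blanks its SSID yet still hands over its MAC address and whether it runs with encryption at all, which is why changing the MAC, as suggested above, buys you more than hiding the name.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample BSSIDs (not real access points).
CAFE_AP = bytes.fromhex("001a2b3c4d5e")
HOME_AP = bytes.fromhex("00e0f1a2b3c4")
BLAND_AP = bytes.fromhex("0000deadbeef")   # the "bland" address the post suggests


@dataclass
class Beacon:
    bssid: str
    ssid: str            # "" when hidden or absent
    hidden: bool         # SSID element empty or NUL-filled
    privacy: bool        # capability bit 4: WEP/WPA in use
    channel: Optional[int]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: bytes, ssid: str, channel: int, hidden: bool = False,
                 privacy: bool = True) -> bytes:
    """Build a minimal 802.11 beacon (no radiotap header); constructed test input."""
    # Frame control 0x0080 = management frame, subtype 8 (beacon); duration 0;
    # DA broadcast, SA = BSSID = the AP's address, sequence control 0.
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    caps = 0x0001 | (0x0010 if privacy else 0)           # ESS, optionally Privacy
    fixed = struct.pack("<QHH", 0, 100, caps)            # timestamp, interval, capability
    ssid_body = b"" if hidden else ssid.encode("utf-8")
    elements = (bytes([0, len(ssid_body)]) + ssid_body   # element 0: SSID
                + bytes([1, 1, 0x82])                    # element 1: supported rates (1 Mbit basic)
                + bytes([3, 1, channel]))                # element 3: DS parameter set
    return header + fixed + elements


def parse_beacon(frame: bytes) -> Beacon:
    """Parse the fields a location-mapping agent would harvest from one beacon."""
    if len(frame) < 36:
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    if (fc & 0x0C) != 0 or (fc >> 4) != 8:
        raise ValueError("not a management/beacon frame")
    bssid = mac_str(frame[16:22])                        # address 3 of a beacon is the BSSID
    _, _, caps = struct.unpack_from("<QHH", frame, 24)
    ssid, hidden, channel = "", False, None
    off = 36
    while off + 2 <= len(frame):
        eid, ln = frame[off], frame[off + 1]
        body = frame[off + 2:off + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated information element")
        if eid == 0:
            if ln == 0 or body.strip(b"\x00") == b"":    # "hidden" network: blank or NUL-filled SSID
                hidden = True
            else:
                ssid = body.decode("utf-8", "replace")
        elif eid == 3 and ln == 1:
            channel = body[0]
        off += 2 + ln
    return Beacon(bssid, ssid, hidden, bool(caps & 0x0010), channel)


def harvest(frames: List[bytes]) -> List[Beacon]:
    """What an agent learns from a capture: every BSSID, hidden SSID or not."""
    return [parse_beacon(f) for f in frames]


# Constructed capture: an open hotspot, a "hidden" home network, and an AP using the bland MAC.
SAMPLE_CAPTURE = [
    build_beacon(CAFE_AP, "Wayport_Access", 6, privacy=False),
    build_beacon(HOME_AP, "linksys", 11, hidden=True),
    build_beacon(BLAND_AP, "Wayport_Access", 1),
]
```

Run harvest(SAMPLE_CAPTURE) and the second entry comes back with an empty SSID but a perfectly good BSSID of 00:e0:f1:a2:b3:c4; the third entry shows the bland address and a common SSID, which is the only combination in the capture that doesn't identify a particular household.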

Monday, March 19, 2007

Hit-pieces and ethical journalism

One of the under-appreciated problems in our industry is the "hit-piece", where a reporter twists facts and quotes to attack a victim. A good example is the recent hit-piece from ZDNet UK that attacks Microsoft's OneCare. In this piece, ZDNet UK made an official Microsoft spokesman appear to be saying something that no Microsoft spokesman would ever say.

To begin with, the guy probably has nothing to do with OneCare. Googling the interviewee, Arno Edelmann, only comes up with this presentation about the e-mail product acquired from FrontBridge (now known as Forefront). These are completely different product lines. That's one of the tricks of hit-pieces: you find somebody at a company who is not qualified to talk on your desired subject, and then quote them as the "authority". You get comments about Forefront and make them seem like they apply to OneCare.

One of the more interesting bits from that article is:
According to the security manager, security is only a small part of what Microsoft does, suggesting it does not have as much security expertise as established security vendors.
What does the word "suggesting" mean? Did Edelmann make that suggestion? Or does the reporter make that suggestion based on what Edelmann apparently said? It may seem like a small point, but if Edelmann didn't actually make that suggestion, then it's a severe violation of journalistic ethics. Journalism has weird ethics: it's okay to interview 100 people until one of them makes a quote just like the one you want (at CeBIT, I'm sure you can find somebody to suggest the above quote), but it's a firing/sacking offense to make up something like this yourself.

BTW, nobody worth their salt in the security industry would make the claim that Microsoft doesn't have the security expertise. While sales of security products may be a small part of revenue, security is a huge part of their R&D investment. I know a lot of the guys personally: they employ some of the best and brightest in our industry, and they employ a lot of them. That includes people in their OneCare group. They are the leaders in many areas, such as the SDL stuff that defines what it means to develop secure software.

Hit-pieces like this are damaging to companies. They rarely have a big impact on the market, but they severely impact the organization. Arno Edelmann's career at Microsoft could have been severely damaged, for one thing. His managers may be afraid to let him talk to the press again, for fear of a repeat incident (even though he probably did nothing wrong). Even if his managers stand behind him, he might be personally afraid, and could be less effective at communicating the company's message to the press (at least for a while). At minimum, I'm guessing that he'll be tortured with another round of "media training" where they attempt to teach him the lesson that the press likes to twist your words (a lesson, of course, that he now knows all too well).

A worse effect for an organization is that a bad experience like this causes them to doubt themselves and run away from the press. I saw this happen at ISS after the Mike Lynn incident. Instead of being out front in the press talking about the wonderful stuff we were doing at the company, our PR went into a reactionary mode trying to avoid saying anything controversial. That's hell for people in companies like ISS and Microsoft that do great, but controversial, things.

I'm curious to see Microsoft's response to this, such as complaining to the editor. Editors normally don't like hit-pieces. Taking down the powerful appeals to the population at large, but the people with their fingers on the purse-strings are more mature than that, and can recognize the vapid populism and questionable journalistic ethics when they see it. They recognize that when a member of the press catches an "official spokesman" saying such damaging stuff, it's the reporter who is at fault and not the spokesman. Since their credibility is on the line, such editors would like to hear complaints from a company like Microsoft so that they can take appropriate steps. ZDNet UK is unlikely to do so, however, because their editors have based their op-ed position on the "facts" of the hit-piece. Indeed, one wonders whether it was the writer who was responsible for creating a hit-piece, or whether he did so at the behest of the editors.

OSX vs Vista...

http://blogs.zdnet.com/Ou/wp-trackback.php?p=450

I find this to be funny.

Sunday, March 11, 2007

A round up of things...

If you have been asking how to get Metasploit on the N800, you can find instructions here.

It's clock change time. If you have a BlackBerry and it's not displaying the right time, you might need this patch.

I am on an eWeek panel this week with Jon Ellch, HD Moore, and Joanna Rutkowska. That's right, 4 of the top 5 hackers of 2006 according to eWeek. I guess Mark is busy.

We will be making a new version of Ferret available at Blackhat Europe, with some really cool new features!

I also saw 300. It made 70 million this weekend. That's almost unheard of for an R-rated movie. It's great to see that there are movies moving away from the mindset that you have to make a movie PG-13 to make any money.

Maybe I am jaded, but I didn't really find it all that violent. A lot of reviewers seemed shocked over the level of violence, but it was more comic-book-style stuff than the hardcore gore that you would find in something like Saw or Hostel (neither of which I really liked). Here is a tip for aspiring filmmakers: if half your movie is in slow motion, you should find a different way to build drama or suspense. Every time there was a huge action scene I thought the slow-mo killed all momentum; it was like watching a music video...for two hours.

Wednesday, March 07, 2007

PayPal security token…not ready for prime time yet?



I was excited about PayPal releasing a two-factor auth system for account access. I spent the $5 and ordered one. I have a soft spot for responding to random emails asking for my PayPal account info. I thought with a device such as this I would no longer have to worry about which email asking me to verify my account details I needed to respond to. I got my slick-looking security token today, went to the website and set it up. Now when logging in I am asked for the 6-digit number on my token.

Here is the rub: it doesn't work. When I enter the number I get an error message telling me to check the value and try again. You can still log in, but you have to do something like use your entire bank account number as authentication. I deactivated it and set it up again 3 different times and still no joy. If I can't get it working I have no idea what mom-and-pop users are supposed to do. Of course I freely admit this may be an error on my part, although I followed the instructions step-by-step 3 different times.


Bad PayPal, no cookie.

UPDATE: A lot of people missed my sarcastic post here. I really don't respond to emails asking for my PayPal details, and I know that two-factor auth won't stop a real-time phishing attack.

Tuesday, March 06, 2007

Yet more Ferret

The ZIP containing our presentation and the tool Ferret is on our website for download.

You need to have WinPcap to run it on Windows. The tool itself is the command-line version. We also have a "viewer" for the raw data, but that's JavaScript code that I don't know the redistribution rights for. The raw data is pretty good by itself, but the tree view version is a bit better.

Remember that the purpose of the tool is to catch all the things you broadcast about yourself and correlate them. It's not to sniff passwords, exploit bugs, or otherwise catch things that the users aren't willingly broadcasting to the world. The things we catch, such as mDNS, are those things that computers make public in order to make communication easier. For example, iTunes broadcasts its presence on the network so other people can listen to your music. This means it also broadcasts your name so they know who you are. We capture this "seepage" and show a picture of the many things you are "seeping".
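As an added illustration of the sort of thing Ferret correlates (this is example code written for this page, not Ferret's source), the following Python builds an mDNS/DNS-SD response of the shape iTunes sends for its _daap._tcp service, then parses it back, following DNS name-compression pointers, to recover the library name, host name, port and address that a bystander on the same network learns without asking. The packet, the names and the address are constructed for the example.

```python
import struct
from typing import Dict, List, Tuple

TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
DAAP = "_daap._tcp.local"            # iTunes music sharing, advertised via DNS-SD


def build_sample_response() -> bytes:
    """Constructed mDNS response (not a real capture): PTR + SRV + A for one shared library."""
    hdr = struct.pack(">HHHHHH", 0, 0x8400, 0, 3, 0, 0)     # response, authoritative, 3 answers
    svc = b"\x05_daap\x04_tcp\x05local\x00"
    svc_off = len(hdr)                                      # 12: "_daap._tcp.local"
    local_off = svc_off + 11                                # 23: the "local" label inside it
    # PTR: _daap._tcp.local -> "Rob's Library" + pointer back to the service name
    ptr_rdata = b"\x0dRob's Library" + struct.pack(">H", 0xC000 | svc_off)
    inst_off = svc_off + len(svc) + 10                      # 40: where the instance label lands
    pkt = hdr + svc + struct.pack(">HHIH", TYPE_PTR, 1, 4500, len(ptr_rdata)) + ptr_rdata
    # SRV for the instance: host robs-macbook.local, port 3689 (DAAP)
    target = b"\x0crobs-macbook" + struct.pack(">H", 0xC000 | local_off)
    srv_rdata = struct.pack(">HHH", 0, 0, 3689) + target
    target_off = len(pkt) + 2 + 10 + 6                      # 74: where the target name lands
    pkt += struct.pack(">H", 0xC000 | inst_off)
    pkt += struct.pack(">HHIH", TYPE_SRV, 0x8001, 120, len(srv_rdata)) + srv_rdata
    # A record for the host; class 0x8001 = IN with the mDNS cache-flush bit
    pkt += struct.pack(">H", 0xC000 | target_off)
    pkt += struct.pack(">HHIH", TYPE_A, 0x8001, 120, 4) + bytes([10, 0, 0, 5])
    return pkt


def read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a DNS name, following compression pointers; returns (name, offset after it)."""
    labels: List[str] = []
    end, hops = None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                               # compression pointer
            if end is None:
                end = off + 2                               # resume here once the name is done
            off = struct.unpack_from(">H", pkt, off)[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("utf-8", "replace"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_records(pkt: bytes) -> List[Tuple[str, int, object]]:
    """Return (name, type, decoded rdata) for every resource record in the packet."""
    _, _, qd, an, ns, ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off, records = 12, []
    for _ in range(qd):                                     # skip any questions
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == TYPE_PTR:
            rdata: object = read_name(pkt, rdata_off)[0]
        elif rtype == TYPE_SRV:
            _, _, port = struct.unpack_from(">HHH", pkt, rdata_off)
            rdata = (read_name(pkt, rdata_off + 6)[0], port)
        elif rtype == TYPE_A:
            rdata = ".".join(str(b) for b in pkt[rdata_off:rdata_off + 4])
        else:
            rdata = pkt[rdata_off:off]
        records.append((name, rtype, rdata))
    return records


def seepage(pkt: bytes) -> Dict[str, object]:
    """Correlate the records into what a bystander learns: who, which host, where."""
    out: Dict[str, object] = {}
    for name, rtype, rdata in parse_records(pkt):
        if rtype == TYPE_PTR and name == DAAP:
            out["instance"] = rdata[: -len(DAAP) - 1]       # the user-chosen library name
        elif rtype == TYPE_SRV:
            out["host"], out["port"] = rdata
        elif rtype == TYPE_A:
            out["addr"] = rdata
    return out
```

seepage(build_sample_response()) yields the library name "Rob's Library", the host "robs-macbook.local" on port 3689, and the address 10.0.0.5: a first name, a machine name and where to find it, all from one multicast packet the owner never had to be asked for.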

The source code will also compile on Linux or MacOS with only a couple of obvious modifications. Build it with something like "gcc -o ferret *.c -lpcap" and fix the MSVC-only names __int64, stricmp, strnicmp, and memicmp. Again, you need libpcap (library and headers) for it to work. Add these when things don't compile under gcc:
#ifndef _WIN32            /* MSVC has these natively; shim them everywhere else */
#include <strings.h>      /* strcasecmp, strncasecmp */
#define __int64 long long
#define stricmp strcasecmp
#define strnicmp strncasecmp
#define memicmp memcmp    /* case-sensitive stand-in; memicmp proper ignores case */
#endif

Monday, March 05, 2007

Helping reporter in Bay Area

Dan Fost, a reporter for the San Francisco Chronicle, would like somebody to help him run the FERRET tool at access points in the Bay Area. You should also bring along a copy of dsniff (Ferret doesn't actually do a good job at that, it's focused more on the broadcast info). I would also like to see any info you get.

You can contact him at: dfost@sfochronicle.com.

Convenient Half-Truths

I finally saw Al Gore's movie last night. He definitely deserved that Oscar. I haven't seen a propaganda film that good since Leni Riefenstahl's Triumph des Willens of 1934. I watched the movie with a notebook computer in my lap and Googled every bit of data Gore presented, but unfortunately, I couldn't actually find any of the "truths" that the movie promised.

We should now come up with the Inconvenient Truth Drinking Game. You drink every time he distorts scientific data. Specifically, drink whenever he:

...distorts the X axis of data by choosing a convenient start time, such as hurricanes getting more intense in the last 30 years, instead of showing that they were just as intense 40 years ago, and that they've been going in intense/quiet cycles for centuries.
...distorts the Y axis of a graph by changing the baseline, such as showing fuel economy standards between 20mpg and 50mpg, instead of 0mpg and 50mpg.
...distorts data by showing the part of a study that agrees with him, rather than the parts that don't, such as one ice core of six in a study showing the past millennium being colder than today, rather than four other cores in that study showing periods warmer than today (such as the Medieval Warming Period that he mocks for not being visible in his cherry-picked ice core).
...shows a smokestack belching water vapor that he implies is pollution.
...confuses "computer modeling" with "scientific experiment".
...shows a glacier that has been steadily disappearing since long before CO2 built up in the atmosphere, and implies that it only started melting recently (or melting faster recently).
...shows a picture of the earth from space that has been photoshopped to make the planet prettier.
...says that the relationship of temperature and CO2 over the last million years is "complicated", thus hiding the inconvenient truth that temperature rises BEFORE CO2 does, and not the way that he implies.
...presents a scenario that even pro-global-warming scientists think is wack, such as Greenland melting and flooding major cities.
...tells us to disbelieve the scientific consensus. Drink the entire glass when he shows Katrina, which pro-warming scientists overwhelmingly believe had nothing to do with global warming (and everything to do with building a city below sea level in a hurricane zone).
...claims it's a moral issue not a political issue, then distorts it with politics. Drink the whole glass when he bravely stops trying to recount the election until he gets the results he wants.
...when a room of fawning sycophants break into applause.
...when a red shirt bites it.

Seriously, though, every piece of scientific data I googled didn't stand up to scrutiny (other than the fact that humans are indeed dumping a lot of CO2 into the atmosphere, and that CO2 has at least some greenhouse effect). I might have missed something though, so if anybody knows of a piece of scientific data that wasn't a distorted half-truth, I'd like to know about it.

Before seeing the movie, I assumed that global warming was likely, although distorted by leftists. The lack of truths in Gore's movie now makes me question this. Did Gore distort the truth because the actual facts are too complicated for a mainstream movie? Or did he distort it because global warming, like space aliens, doesn't exactly exist?

(And what does this have to do with hacking? I think we need a yearly award for Best Social Engineering Attack. He wins for 2006).

Friday, March 02, 2007

Yet more blogging blackhat

I was in a talk where the presenter made a statement that polymorphic shellcode evades IDS. Specifically, he made the claim that IDSs fix the ADMmutate problem by triggering on its polymorphism engine, and that he did a test with a different engine that he tested against many IDSs, and evaded virtually all of them.

He was wrong. The major IDSs rarely trigger on shellcode. Snort relies more on shellcode than many, but if you look at its signatures, you'll find that only a couple percent trigger on shellcode. When you restrict your analysis to just those signatures for the major vulnerabilities, I think that 0% of Snort's signatures use shellcode. The same applies to McAfee, Cisco, 3Com, Juniper, and of course the IDS I created, IBM/ISS Proventia. I have probably written more IDS signatures than anybody else on the planet, and I have never written one that triggers on shellcode.

If an IDS does not trigger on shellcode, then polymorphic shellcode will not evade it. (An obvious point, but humorously, many people miss this).

An example of a signature (written in Snort syntax) would be the following for the Slammer bug:
alert udp any any -> any 1434 (\
msg:"MS-SQL version overflow attempt"; \
dsize:>100; \
content:"|04|"; depth:1; \
)


This signature does not trigger on the shellcode, therefore ADMmutate will not evade it.

While the high-end IDS avoids triggering on shellcode, low-end products do something else. One of the most common signatures in low-end products is just triggering on strings like "AAAAAAAA" that appear in proof-of-concept (PoC) exploits. These are non-functional exploits that do little more than cause a crash, demonstrating that they "got execution" when the program tries to execute code at 0x41414141. The vendors then claim "0-day protection" for the vulnerability, and IDS reviewers confirm it by testing with the PoCs. Again, polymorphic shellcode won't really help evade these crappy products, because ANY real shellcode would evade them.

The most common signature for exploits isn't shellcode at all, but triggering on the shellprompt. For example, the Windows cmd.exe shell prompt displays:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Fancy IDS evasion tools like Core Impact, Metasploit, and Canvas still get caught because of shellprompt signatures. We recently added what we humorously called "Advanced Shell Prompt Evasion" to Metasploit to get rid of this nonsense. The humor is derived from the fact that launching "cmd /k" instead of "cmd" gets rid of the prompt, so it's not really advanced. The irony is that it actually does a better job of evading IDSs than ADMmutate does. There was a time when ADMmutate was important, but that was half a decade ago.
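The three signature styles discussed above, as an added example written for this page (not Snort's engine or any vendor's rules), in Python: the Slammer rule from above, a low-end "AAAAAAAA" filler rule, and a shell-prompt rule, each run over constructed packets. The shellcode, the XOR "polymorphism" and the session transcripts are stand-ins, not real exploit bytes. The vulnerability-keyed rule fires on the PoC, the working exploit and the mutated exploit alike; the filler rule only sees the PoC; and the banner rule misses the cmd /k session.

```python
from typing import Callable, Dict, List, Tuple

# --- three styles of signature, each a predicate over (dst_port, payload) ------

def sig_slammer(dst_port: int, payload: bytes) -> bool:
    """The vulnerability-based rule from the post: udp/1434, dsize:>100, content:"|04|" depth:1."""
    return dst_port == 1434 and len(payload) > 100 and payload[:1] == b"\x04"


def sig_poc_string(dst_port: int, payload: bytes) -> bool:
    """Low-end 'exploit' rule: fires on the 0x41 filler that proof-of-concept crashers send."""
    return b"A" * 8 in payload


def sig_shell_prompt(dst_port: int, payload: bytes) -> bool:
    """Post-exploitation rule: the cmd.exe banner coming back from the victim."""
    return b"Microsoft Windows XP [Version" in payload


SIGNATURES: Dict[str, Callable[[int, bytes], bool]] = {
    "ms-sql-overflow": sig_slammer,
    "poc-filler": sig_poc_string,
    "cmd-banner": sig_shell_prompt,
}

# --- constructed traffic samples (stand-ins, not real exploit bytes) ----------

SHELLCODE = bytes(range(0x20, 0x60))       # stand-in for working shellcode
POC_FILLER = b"A" * 64                     # what a PoC sends instead of shellcode
DECODER_STUB = b"\xeb\x05"                 # stand-in for a polymorphic decoder


def xor_encode(code: bytes, key: int) -> bytes:
    """Toy polymorphic transform: same logic, different bytes for every key."""
    return bytes(b ^ key for b in code)


def slammer_like(code: bytes) -> bytes:
    """First byte 0x04, as in the rule, then an oversized field carrying `code`."""
    return b"\x04" + b"\x01" * 96 + code + b"\x90" * 200


SAMPLES: List[Tuple[str, int, bytes]] = [
    ("poc crash",       1434, slammer_like(POC_FILLER)),
    ("real exploit",    1434, slammer_like(SHELLCODE)),
    ("mutated exploit", 1434, slammer_like(DECODER_STUB + xor_encode(SHELLCODE, 0x7F))),
    ("shell (cmd)",     4444, b"Microsoft Windows XP [Version 5.1.2600]\r\n"
                              b"(C) Copyright 1985-2001 Microsoft Corp.\r\n\r\nC:\\>"),
    ("shell (cmd /k)",  4444, b"C:\\>"),
]


def run_ids(samples: List[Tuple[str, int, bytes]] = SAMPLES) -> Dict[str, List[str]]:
    """Which rules fire on which sample; a rule keyed on the vuln sees every variant."""
    hits: Dict[str, List[str]] = {}
    for label, port, payload in samples:
        hits[label] = [name for name, sig in SIGNATURES.items() if sig(port, payload)]
    return hits
```

run_ids() reports "ms-sql-overflow" for all three port-1434 samples, because the rule never looks past the first byte and the size; mutating everything after that changes nothing. "poc-filler" fires only on the PoC, so any real shellcode walks past it. "cmd-banner" catches the plain cmd session and nothing from the cmd /k one.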

Apple info...and thats all folks...

I will answer a couple of popular questions about my presentation. Other than this I feel Jon and I have proved we found vulnerabilities and attempted to work with Apple. This is now a dead subject for me. The presentation and code samples should be up on both our site (erratasec.com) and the Blackhat site soon.

I thought you said it was a hijack yet you only showed a DoS.
Yup, I showed a crash. I didn't feel the need to do the entire hijack for two reasons: Apple already confirmed that this vulnerability leads to remote code execution (they said so in the advisory here). Everybody that was running a sniffer during my talk now has a copy of the DoS code. The demo had two parts. I showed the crash happening on a 10.4.6 machine since it didn't have any of the Airport patches. I then rebooted into 10.4.8 and the crash no longer happened. I did this to prove that the Airport patches issued on Sept 21st, 2006 fixed the problem I was demoing. The only real change to Airport code was the security fixes that were issued.

Why not just release everything?
You see, the correspondence between my email address at my former employer and anybody is not my property. That correspondence is owned by my former employer. Due to legal reasons I can't just release them; doing so would violate employment agreements. This is what got Mike Lynn into a lot of trouble.

You just reversed the patches and found what you then showed on stage.
I find this to be a funny argument. If I have the skills to reverse the patches and do a binary difference analysis of them, why couldn’t I use those same skills to find the bugs in the first place (they weren’t hard to find). This argument also doesn’t take into account the fact that I showed that the first crash of the exploit occurred on Jul 15th, 2006, or emails to Apple helping them build a wifi auditing box (A linux machine with madwifi patched with LORCON) and pointed them to a vulnerability that was fixed in their patches (a problem with overly long SSIDs). The picture below is from the day I bought the Macbook, July 15th 2006. This crash occurred because I was fuzzing other devices and the Macbook crashed before I got to run the initial setup.

Thursday, March 01, 2007

More Blackhat...


Rob and I just gave a talk on Data Seepage. To be honest, Rob mostly gave the talk. It was fun and we found people's passwords in the audience.
UPDATE: Slides and code are now up at the Errata Security site, here.