So two hacker security researchers find a hole in the IT systems of one of the biggest telcos, and with a small script one of them wrote they harvest around 117,000 email addresses of iPad 3G users, including high-ranking officials and celebrities. They decide to share this information with the news site Gawker, and from there the ball starts rolling.

Fast forward to now. They both got arrested. One (the scripter, Daniel Spitler) pleaded guilty and is still awaiting sentencing; the other (Andrew Auernheimer aka ‘Weev’, who found the vulnerability) just got 41 months in jail, and it is expected that he and his ‘co-researcher’ will have to pay restitution in the vicinity of 73,000 USD. (http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/)

Let me start by saying that the typical hacker would possibly score very high on the autism spectrum, lacking a certain empathy and not having a keen sense of where the social boundaries are.

If I had been the defense in this case, I’d have gone down this track: a psych profile. The NASA hacker Gary McKinnon was diagnosed with Asperger’s syndrome, and this helped his defense against extradition from the UK to the US. (http://en.wikipedia.org/wiki/Gary_McKinnon)

Looking closer at the AT&T hack case, these hackers did two things wrong once they had found the vulnerability:

1) They did not report the vulnerability to AT&T first, but to journalists.

This caused damage to AT&T’s reputation, and generally this type of action pisses off a company enough that they want to put you behind bars. (AT&T has a bad reputation already: expensive, commercially greedy bastards with very bad customer service… but what would you expect from a telco.)

I believe the vulnerability was not deliberately created by AT&T. The hackers should have reported it to AT&T first, with a proof of concept containing just a few email addresses and enough information for the AT&T developers to fix it. After it was fixed they could have published a joint statement with AT&T that a privacy issue had been fixed. Kudos for the hackers and for AT&T, cake for all!

2) Through a bit of clever scripting they tried the complete range of ID numbers to pull a huge list of email addresses (~117,000) through the vulnerability.

This is absolutely ridiculous: why do you need to check the complete range if you just need a proof of concept? Autists… I am anxious to know what the other guy (Spitler) will get.

Looking at these actions, and not taking into account that the hackers were possibly autistic, could explain the sentence. The only damage done was not to the users and/or the IT systems, but to AT&T’s reputation. And that damage, in my opinion, does not compare to a prison sentence of 41 months.

This ruling could also be seen as highly counterproductive to the security of AT&T and of other companies that would react in this way, and here’s why:

Ask yourself: What will an autistic guy (and other hackers who sympathize with him) learn from this?

– Simple: never report shit like this again!

It is in their nature to look for vulnerabilities; this is play/fun to them. But this ruling will likely push them to share the vulnerabilities they find on deep-web hacker forums for kudos (honor system), or possibly even to sell them on the black market (cold hard cash). Both will end badly for the companies: in the end they will be attacked by folks who want to do a lot more than just prove they found a vulnerability.

I read somewhere that a remote iPhone/iPad exploit that would let an attacker take over the device remotely without user intervention would gross about $400,000 US on the black market. That’s right… we’re talking about serious money. Once these guys score and get recruited by the digital crime syndicates, combined with their lack of social boundaries, you could say you have a real problem.

A good defense in IT security is an open defense. A good ‘responsible disclosure’ procedure for ‘white-hat’ or ethical hackers should be published and promoted by companies like AT&T, setting out the rules of the game should vulnerabilities be found in their systems. A couple of sites and companies do this, and they get better security for it; Facebook and Google are among them, and it seems to work for them. A good read is the paper from Weis referenced on the responsible disclosure Wikipedia page: http://en.wikipedia.org/wiki/Responsible_disclosure

Denyhosts to iptables – crontab script

Posted: 6th October 2012 by Rick Deckardt in blogpost

I’ve been running denyhosts for a couple of years now and always wanted to hook it up to my iptables firewall. So a couple of nights ago I wrote a script that does just that. It doesn’t apply a denyhosts block immediately, since it runs once a minute from cron.

It’s quick and dirty. I don’t run a firewall on my server, as my router is my main firewall, but I do want to block access to all services should someone or something trigger denyhosts.

Here’s the script.


-- denyhosts2iptables.sh:


#!/bin/bash
# denyhosts2iptables.sh - turn the denyhosts entries in /etc/hosts.deny into
# iptables DROP rules (with rate-limited logging), skipping anything that is
# also listed in /etc/hosts.allow. Run from cron once a minute (see below).
#
# Caveat: iptables-restore with a "*filter" block REPLACES the whole filter
# table, so any other INPUT/FORWARD/OUTPUT rules are wiped on every run. That
# is fine for the setup described above (the router is the main firewall);
# don't use it as-is on a host that already has its own ruleset.

# localnet prefix to filter out: only the first three octets, trailing dot included
LOCALNET=192.168.1.

LOCKFILE=/var/run/denyhosts2iptables

if [ -f "$LOCKFILE" ]; then
    echo "already running"
    exit 0
fi

# touch the lockfile and make sure it is removed however the script exits
touch "$LOCKFILE"
trap 'rm -f "$LOCKFILE"' EXIT

# some state files
DENYFILE=/root/.dh2ipt_deny
ALLOWFILE=/root/.dh2ipt_allow
LASTDENYSTAT=/root/.dh2ipt_lastdenyfile
LASTALLOWSTAT=/root/.dh2ipt_lastallowfile

# only rebuild the ruleset when hosts.deny or hosts.allow actually changed
# (the ls -al line carries size and mtime, which is enough as a change detector)
CURRDENYFILE=$(ls -al /etc/hosts.deny)
CURRALLOWFILE=$(ls -al /etc/hosts.allow)
LASTDENYFILE=$(cat "$LASTDENYSTAT" 2>/dev/null)
LASTALLOWFILE=$(cat "$LASTALLOWSTAT" 2>/dev/null)

if [ "$CURRDENYFILE" = "$LASTDENYFILE" ] && [ "$CURRALLOWFILE" = "$LASTALLOWSTAT" ]; then
    exit 0
fi

# generate the deny and allow IP lists from hosts.deny and hosts.allow
# (denyhosts writes lines like "sshd: 1.2.3.4", so the IP is field 2); skip
# blank lines and comments, drop localnet devices (prefix match, not a regex
# with unescaped dots) and remove duplicates
grep -vE '^($|#)' /etc/hosts.deny | awk -v net="$LOCALNET" 'index($2, net) != 1 { print $2 }' | sort -u > "$DENYFILE"
grep -vE '^($|#)' /etc/hosts.allow | awk '{ print $2 }' | sort -u > "$ALLOWFILE"

# build the ruleset and feed it to iptables-restore in one go: the load is
# atomic, so either the whole table is replaced or, on a syntax error, nothing
# changes
(
cat << EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LOG_dh2ipt - [0:0]
EOF

# one rule per blocked IP, except IPs that are also in hosts.allow; the allow
# check is an exact match on the IP, so an allowed 1.2.3.4 does not also
# whitelist 11.2.3.45 the way a substring grep would
awk -v allowfile="$ALLOWFILE" '
    FILENAME == allowfile { allow[$1] = 1; next }
    !($1 in allow) { print "-A INPUT -s " $1 "/32 -m comment --comment \"dh2ipt\" -j LOG_dh2ipt" }
' "$ALLOWFILE" "$DENYFILE"

# log (rate limited, per protocol) and drop
cat << EOF
-A LOG_dh2ipt -p tcp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "TCP LOG_dh2ipt: "
-A LOG_dh2ipt -p udp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "UDP LOG_dh2ipt: "
-A LOG_dh2ipt -p icmp -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "ICMP LOG_dh2ipt: "
-A LOG_dh2ipt -f -m limit --limit 2/sec --limit-burst 10 -j LOG --log-prefix "FRAGMENT LOG_dh2ipt: "
-A LOG_dh2ipt -j DROP
COMMIT
EOF
) | iptables-restore || { echo "iptables-restore failed, ruleset left unchanged" >&2; exit 1; }

# remember which versions of the files were loaded, for the next run
echo "$CURRDENYFILE" > "$LASTDENYSTAT"
echo "$CURRALLOWFILE" > "$LASTALLOWSTAT"

# the lock file is removed by the EXIT trap

The line for your crontab. Note the user field: this six-field form goes in /etc/crontab or a file under /etc/cron.d, not in a user crontab edited with crontab -e (which has no user column).
* * * * * root /PATH_TO/denyhosts2iptables.sh
I’ve tested this on a huge hosts.deny file with over 3000 records; it loads in about 0.1 seconds.
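To see what the script would actually load into iptables without touching the firewall, here is an added dry-run generator (not part of the original post, and not the script above) that prints the INPUT rules a hosts.deny/hosts.allow pair produces. It uses the same denyhosts line format ("sshd: 1.2.3.4", IP in field 2) and the same rule shape, and adds two checks a practitioner wants before feeding anything to iptables-restore: entries that are not a plain IPv4 address (a hostname, an IPv6 address, a garbled line) are reported and skipped, since one bad line makes iptables-restore reject the whole ruleset, and the allow-list check is an exact match rather than a substring grep. The sample hosts.deny and hosts.allow contents are constructed for the example; the function names and the 192.168.1. localnet prefix are assumptions, not something from the page.

```shell
#!/bin/sh
# Dry-run generator for the denyhosts -> iptables rules: prints the INPUT rules
# that a hosts.deny / hosts.allow pair would produce, without touching the
# firewall. Point it at /etc/hosts.deny and /etc/hosts.allow, or at the
# constructed sample files below. (Added example, not the original script.)

# Accept only a plain dotted quad. A hostname, an IPv6 address or a garbled line
# in hosts.deny would otherwise end up in the ruleset and make iptables-restore
# reject the whole thing, so such entries are reported on stderr and skipped.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the host field of denyhosts-style "sshd: 1.2.3.4" lines from a
# hosts.allow/hosts.deny file: skip blank and comment lines, drop entries
# starting with the optional local prefix (e.g. "192.168.1."), dedupe.
extract_ips() {  # <file> [localnet-prefix]
    grep -vE '^[[:space:]]*($|#)' "$1" \
        | awk -v net="${2-}" 'net == "" || index($2, net) != 1 { print $2 }' \
        | sort -u
}

# One INPUT rule per blocked address that is a valid IPv4 and not allow-listed.
# The allow-list check is an exact line match, not a substring grep, so an
# allowed 1.2.3.4 does not also whitelist 11.2.3.45.
gen_rules() {  # <hosts.deny> <hosts.allow> <localnet-prefix>
    allowed=$(extract_ips "$2")
    extract_ips "$1" "$3" | while read -r ip; do
        if ! is_ipv4 "$ip"; then
            echo "skipping non-IPv4 entry in $1: $ip" >&2
            continue
        fi
        if printf '%s\n' "$allowed" | grep -qxF -- "$ip"; then
            continue
        fi
        printf '%s\n' "-A INPUT -s $ip/32 -m comment --comment \"dh2ipt\" -j LOG_dh2ipt"
    done
}

# Constructed sample input (not real denyhosts output): a duplicate, a localnet
# host, an IPv6 address, a hostname, a blank line, an allow-listed host and a
# near-miss (11.2.3.45) of the allow-listed 1.2.3.4.
make_samples() {  # <deny-path> <allow-path>
    cat > "$1" <<'EOF'
# hosts.deny (constructed sample)
sshd: 203.0.113.10
sshd: 203.0.113.10
sshd: 198.51.100.7
sshd: 192.168.1.22
sshd: 2001:db8::1
sshd: 11.2.3.45

sshd: bad-host.example
EOF
    cat > "$2" <<'EOF'
# hosts.allow (constructed sample)
ALL: 127.0.0.1
sshd: 1.2.3.4
sshd: 198.51.100.7
EOF
}

# Demo run: only 203.0.113.10 and 11.2.3.45 should come out as rules.
DENY_SAMPLE=$(mktemp); ALLOW_SAMPLE=$(mktemp)
make_samples "$DENY_SAMPLE" "$ALLOW_SAMPLE"
gen_rules "$DENY_SAMPLE" "$ALLOW_SAMPLE" 192.168.1.
rm -f "$DENY_SAMPLE" "$ALLOW_SAMPLE"
```

Run it as is for the demo, or call gen_rules /etc/hosts.deny /etc/hosts.allow 192.168.1. to preview what the cron script would load; the "skipping" lines on stderr are exactly the entries that would otherwise have made iptables-restore fail.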


And here’s a nice breakdown of 2 years of denyhosts IP blocks, by originating country.

Choose: MicroSD with music, or gold

Posted: 16th March 2012 by Rick Deckardt in blogpost

Today’s question: 28 grams of gold, or the same weight in MicroSD cards full of mp3s?

An ounce (28 g) of gold currently costs about € 1250 (Goldprice.org).
A 0.5 gram MicroSD card with a capacity of 32 GB costs € 22 (tweakers pricewatch).
A track from the iTunes store costs € 1 for 4 MB (iTunes).
Let’s work out what 28 g of full MicroSD cards costs:

Hardware: 56 cards × € 22 each = € 1232
Tracks: 56 cards × 8000 tracks × € 1 each = € 448,000
Grand total: € 449,232

It’s true folks: 28 grams of MicroSD filled with music is worth roughly 360 times as much as gold, and about as much as two nice fixer-uppers in the Havenkwartier of Hillywood.

Buuut, how much is it worth if we base it on illegal mp3s? In the US of A the damages per mp3 have been set at 150,000 USD…

A quick calculation gives 56 × 8000 × 150,000 = 67,200,000,000 USD

Copyright math is awesome and as good as gold!

Information security and such

Posted: 26th February 2012 by Rick Deckardt in blogpost

Good piece by +Arjan Dasselaar on nu.nl: http://www.nu.nl/column-zaterdag/2749590/generale-faal.html.

I wonder how they do information security at Defence (the Dutch Ministry of Defence). They must have something of the kind. Apparently the risk analysis for this system’s project was not done, or not done properly. Everyone drops a stitch now and then, but this one is particularly painful and shows that information security needs to be done better.

Not to be confused with IT security! Information security is much broader than that and affects far more than how IT systems are used and interconnected.

This is not a mistake by the ICT department. This is an organisational problem, and it comes down to poor information security and a failing security department, which should be overseeing the right security measures when systems like this are implemented.
Especially the trivial things, like a video conferencing system, often fall through the cracks at security because they are not seen as important. Wrong call: for this kind of system the emphasis is not on the Integrity or the Availability of the system (which is where the ICT department mainly focuses), it is on Confidentiality. And that is exactly what this hack brought to the surface.

Demand for information security officers and pentesters will grow in the future; I even see these roles becoming part of the internal security department, at least at medium-sized and large companies. These roles do not belong in the IT department: marking your own homework simply doesn’t work.