The Anatomy of a Security Breach

Without going into too much detail, there is a guy who the security industry collectively hates.  When you hear a statement like that, the happy parts of our brains think this guy must be an underdog.  He must be awesome at what he does, and the big corporations hate him for it.  Or maybe he’s a world-renowned  hacker that nobody can catch.

Suffice to say, neither are the case.

Earlier today it appears that Greg Evans of LIGATT was, for lack of a better word, pwned.  His twitter account was broken into, his email was ransacked, and by the looks of it, his reputation has been ruined.  I think it’s time to look into how and why this happened.

Side Note: I have zero affiliation with whoever broke into his accounts and stole his data.

The Impetus

Before going into the how, it might help to explain why this happened.

[My opinion doesn’t necessarily reflect that of the attackers, nor does the opinion of my employer.  This is strictly an interpretation of the messages]

Good people get hacked.  It’s a fact of life.  Bad people get hacked.  It’s a fact of life. 

Part of this attack left a note explaining why all of this happened, and explained the contents of the data.  You can find the original post to this from his twitter account.

As it happens, the people who did this see it as retribution for all the things Evans has done in the name of the InfoSec industry.

"Do not meddle in the affairs of hackers, for they are subtle and quick to anger"

The first argument being made is that he tries really hard to be a major representative of the industry.

He's been on TV, he's been on radio, he's trying to draw as much attention to himself as possible.

This I would argue isn’t too much of a problem.  The industry needs spokespeople.  However, it goes on:

This man in no way represents this industry. […] He's gone after people at their home to intimidate them and their family. He's gone after them at their work to discredit them with their employer. And as everyone knows, he recklessly sues anyone who speaks negatively of him on the internet.

Nobody likes it when someone says something mean about you, or when they correct you in public.  However, sometimes it happens.  We are all sometimes wrong.  Evans doesn’t appear to agree with that statement, and will try to sue or slander anyone who disagrees with him. 

Don’t poke the bear.  It pisses the bear off, and gets you attacked.

Especially when you have a secret or two to hide:

Finally, to Gregory D Evans: it is done. All your lies are out in the open. Your investors will know. Your lawyers will know. Your employees will know. Your mother will know. Your lovers will know. Just step away and move on. Stop the stock scams. Stop the lawsuits. Stop the harassment. Stop robbing your employees. Stop embezzling. Stop deceiving every person in your life.

If you were someone who wanted to take justice into your own hands, I guess this is reason enough.

So how did this breach happen?

The Attack

It looks like an inside job:

To the brave soul who helped make this possible: thank you. You took great personal risk to bring this information forward, and none of it would be possible without you. It's unclear how you tolerate his lies day after day, but you've redeemed yourself by supporting this cause.

i can only speculate, but there are two-and-a-half basic ways this could have gone down.

  • Insider has administrator access to email servers and downloads the contents of Evans’ inbox
  • Insider gets Evans’ password and downloads the contents of the inbox
  • Insider gives administrative access to attacker and does one of the first two things

Once they had the contents of the email they had to get access to his twitter account.  This leads me to believe that the insider had administrative access, because they could then reset the twitter account’s password and catch the reset email before it got to the inbox.  Seems like the simplest approach.

Either that, or Evans used really weak passwords.

Once the attacker had their package, they just needed to distribute it and the message explaining their actions.  From his twitter account they posted the anonymous message to pastebin.com:

[…]

Enough is enough. He must be stopped by any means necessary. To that end, at the end of this message is a torrent of the inbox of [Evans’ redacted email address]; the only condition of receipt is that you not talk about the spool or this email release on twitter until after you have the full copy and are seeding it. He may be an idiot but his staff watch twitter for any mention of him, and it's imperative that this file be distributed as much as possible before takedown begins.

[…]

The message had a final, succinct message:

Happy Birthday Mr. Evans
[Redacted link to torrent]
archive password will be released shortly

I haven’t downloaded the torrent, so I don’t know what’s in the package.  I suspect the contents will be publicly disclosed shortly on a number of anonymous sites once there are enough seeders.

This could potentially just be a hoax.

The Fallout

Lots of people get hurt when security is breached.  In this case, quite a number of people will have some of their most private information disclosed.

Contained within his inbox is personal information of many, many people. Social security numbers, bank account routing numbers, credit reports, and other reports by private investigators. It was completely impractical to redact all of this information in any effective manner […].

Some people say that justice comes at the price of people’s privacy.  The attackers feel guilty about this:

This release immediately follows with a small regret. Apologies much be given to all the bystanders, innocent or otherwise. […] and for that: sadness. If in your search through this release you find personal information, please contact the person and notify them.

They also don’t have much faith in the likelihood of Evans properly disclosing the breach:

Even when GDE finds out of this breach, it's quite unlikely that he will follow proper breach notification procedures.

Once enough people have downloaded the torrent and started seeding the content, there isn’t any real way to remove the data from public access.  That means every one of those SSN, bank numbers, credit reports, and whatever else is in the archive will be publicly available for the foreseeable future.

Conclusion

Breaches occur all the time for reasons of profit.  This particular breach on the other hand was done in the name of justice and retribution.  While the motives may be different, the moving pieces work the same way, and there are still three basic parts to a breach: the motive to do it, the attack itself, and the fallout after the attack.

Hopefully everyone learns a little something from this particular breach.

My guess is that Evans will.

Kerberos: Very Claims-y

I’ve always found Kerberos to be an interesting protocol.  It works by way of a trusted third party which issues secured tickets based on an authentication or previous session.   These tickets are used as proof of identity by asserting that the subject is who they claim to be. Claims authentication works on a similar principle, except instead of a ticket you have a token.  There are some major differences in implementation, but the theory is the same.  One of the reasons I find it interesting is that Kerberos was originally developed in 1983, and the underlying protocol called the Needham-Schroeder protocol, was originally published in 1978.

There have been major updates over the years, as well as a change to fix a man-in-the-middle attack in the Needham-Schroeder protocol in 1995, but the theory is still sound.  Kerberos is the main protocol used in Windows networks to authenticate against Active Directory.

The reason I bring it up is because of a comment I made in a previous post.  I made an assertion that we don’t necessarily abstract out the identity portion of our applications and services. 

Well, It occurred to me that up until a certain period of time, we did.  In many environments there was only one trusted authority for identity.  Whether it was at a school, in a business, or within the government there was no concept of federation.  The walls we created were for a very good reason.  The applications and websites we created were siloed and the information didn’t need to be shared.  As such, we created our own identity stores in databases and LDAP directories.

This isn’t necessarily a problem because we built these applications on top of a foundation that wasn’t designed for identity.  The internet was for all intents and purposes designed for anonymity.  But here is where the foundation became tricky: it boomed.

People wanted to share information between websites and applications, but the data couldn’t be correlated back to the user across applications.  We are starting to catch up, but it’s a slow process.

So here is the question: we started with a relatively abstract process of authentication by way of the Kerberos third party, and then moved to siloed identity data.  Why did we lose the abstraction?  Or more precisely, during this boom, why did we allow our applications to lose this abstraction?

Food for thought on this early Monday.

WinFS

WinFS has been puttering around my idle thoughts lately. 

Yep, weird.

Why is it still available on MSDN and TechNet subscriptions?

Food for thought.

Database Shrinkage

Don’t do it!

shrinkDatabase

Bad User Interfaces are Insecure

The Best of Intentions

So you’ve built this application.  It’s a brilliant application.  It’s design is spectacular, the architecture is flawless, the coding is clean and coherent, and you even followed the SDL best practices and created a secure application.

There is one minor problem though.  The interface is terrible.  It’s not intuitive, and settings are poorly described in the options window.  A lot of people wouldn’t necessarily see this as a security issue, but more of an interaction bug -- blame the UX people and get on with your day.

Consider this (highly hyperbolic) options window though:

BadSecuritySettings

How intuitive is it?  Notsomuch, eh?  You have to really think about what it’s asking.  Worst of all, there is so much extraneous information there that is supposed to help you decide.

At first glance I’m going to check it.  I see “security” and “enable” in the text, and naturally assume it’s asking me if I want to make it run securely (lets say for the sake of argument it speaks the truth), because god knows I’m not going to read it all the way through the first time.

By the second round through I’ve already assumed I know what it’s asking, read it fully, get confused, and struggle with what it has to say.

A normal end user will not even get to this point.  They’ll check it, and click save without thinking, because of just that – they don’t want to have to think about it.

Now, consider this:

GoodSecuritySettings

Isn’t this more intuitive?  Isn’t it easier to look at?  But wait, does it do the same thing?  Absolutely.  It asks the user if they want to run a secure application.

The Path to Security Hell

When I first considered what I wanted to say on this topic, I asked myself “how can this really be classified as a security bug?”  After all, it’s the user’s fault for checking it right?

Well, no.  It’s our fault.  We developed it securely, we told them they needed it to be run securely, and we gave them the option to turn off security (again, hyperbole, but you get the point).  It’s okay to let them choose if they want to run an insecure application, but if we confuse them, if we make it difficult to understand what the heck is going on, they aren’t actually doing what they want and we therefore failed at making the application they wanted secure, secure.

It is our problem.

So what?

Most developers I know at the very least will make an attempt to write a secure application.  They check for buffer overflows, SQL Injection, Cross Site Scripting, blah blah blah.  Unfortunately some, myself included, tend to forget that the end users don’t necessarily know about security, nor care about it.  We do like most developers do.  We tell them what we know: “There has been a fatal exception at 0x123FF567!!one! The index was outside the bounds of the array.  We need to destroy the application threads and process.”

That sounds fairly familiar to most error messages we display to our end users.  Frankly, they don’t care about it.  They are just pissed the work they were doing was just lost.

The funny thing is, we really don’t notice this.  When I was building the first settings window above, I kept reading the text and thinking to myself, it makes perfect sense.  The reason for this is by virtue of the fact that what I wrote is my logic.  I wrote the logic, I wrote the text, I inherently understand what I wrote.  We do this all the time.  I do this all the time, and then I get a phone call from some user saying “wtf does this mean?”, aaaaaaand then I change it to something a little more friendly.  By the 4th or so iteration of this I usually get it right (or maybe they just get tired of calling?).

So what does this say about us? Well, I’m not sure. I think it’s saying we need to work on our user interface skills, and as an extension of that, we need to work on our soft skills – our interpersonal skills. Maybe. Just a thought.

The Known Universe

Holy crap this is cool:

> > >

Interesting Email Attack Method… Cannot Send Shipment

I’ve gotten two emails like this in the last week or so.  One was from DHL Shipping, and this one was from UPS.  Attached to the email was a zip, with what I presume to be a Trojan of some sort.

The content of the email was:

Dear customer!
We were not able to deliver the postal package which was sent on the 28th of December in time
because the recipient’s address is incorrect.
Please print out the invoice copy attached and collect the package at our department.
United Parcel Service of America.

For a moment I thought the initial email was legit, until I saw it had an attachment.  After reading it, I called phooey on it and deleted it.  Then I saw the UPS email.  I’ll have to dig through the application that came in the zip, and see what’s going on.

I wonder how this type of attack will pan out?

A Thought on Windows Mobile 7

The other day while I was sitting in the airport in Washington, D.C., I had a random thought.  When the ZuneHD first hit the shelves people were talking about how Mobile 7 might borrow the look and feel.  It’s sleek, easy to use/easy to understand, and is very simple.  So I started thinking about what such an interface might look like.  This is something I did quickly.  Nothing was provided by Microsoft.  Nobody has said anything about Mobile 7 design (at least, not at that point, but nobody cared anyway).  This is simply something I thought the interface might look like.

homeScreen

Some things to notice are the list-like menu’s, and the bing search at the bottom.  Blah-blah-blah anti-trust, the point is search is easily accessible, not necessarily just to Microsoft’s own search engine.  It could be Google’s search too.  Also, there is the location-specific information at the top showing the current weather.  Also mimicking the Windows 7 interface is the idea of pinning things to the home screen such as the Internet Explorer application.

There are some things that should probably change.  It feels a little cluttered at the bottom showing current messages and the appointments color is iffy.  There may not be any need for the middle separation either.

Just a thought…

Pictures from Techdays and FailCamp in Toronto

After getting my camera back from Mitch Garvis after Techdays and FailCamp in Toronto, I decided to upload photos from the events, and to my surprise there were some pretty good shots.  Here is what I came back with:

4007417044

4006643533

4007406358

4006631995

4007393754

4006623627

4006616273

4007373722

4006582013

4006587385

4007358462

4006597103

4007340130

The Boston Tea Party has gone Batty

This morning I saw an interesting post on Twitter.  Which in-and-of-itself is kinda amazing, but that’s not the point.  The post was on something called the Windows 7 Sins site.  It is a campaign created by the Free Software Foundation to highlight everything that is wrong philosophically with Windows 7.  Now, I’m all for philosophical debates, but this is just plain batty.  So what did I do?  I acted!  I emailed the FSF people at campaigns@fsf.org the following email:

Ya know, if you sold software, you wouldn’t need to keep asking people for money. Basic principle of economics. Just sayin.

Also, a widget provides functionality and interaction. An image doesn’t. See the Windows 7 Sins “widget”.

Now, what I don’t get is this whole Boston Common thing. Is this an attempt at recreating the Boston Tea Party, except with (what I hope is) more regard for the environment and not tea, but software, as the “widget” proposes? If this were the case, in order to get a hold of said software, legally, you would need to buy it. Sounds counterintuitive.

Unless you are proposing people illegally obtain, as per license agreements define, the software and do what they will with it. Which is pretty much just plain ol’ illegal. “So was the Boston Tea Party” is an excellent counter argument. However, the Tea Party was about rebellion from a Government, not a company. The government makes laws, a company does not. The rebellion was against unfair taxation, something the Government controls. Unless of course you are rebelling against the government too. Which I guess is ok, except the government has already ruled against Microsoft in many cases regarding such topics as anti-trust, anti-competitive nature, etc. They don’t like ‘em either. Well, the justice department doesn’t anyway.

I just don’t get it.

Regards,

Steve Syfuhs
Software Developer and/or Architect Guy

I wonder how many people I annoyed with it.  We shall see.