Dear Anonymous et al.,
If Anonymous had a like button I would click it, and I have. I also “follow” them and have traipsed around their #IRC in hopes of understanding more. What you all do via @RobinHood is not only a good thing, for the most part, but a valid and necessary position given the current state of the world. You have the right idea. I understand, because of the nature of what you all do, how becoming centralized and more structured could be a negative thing. Being cautious and against giving sway to egoists, or anything that would distract from the underlying focus and ~mission, is not only understandable but serves an essential purpose for many reasons. Over the long term, though, closing the door to some form of order will ultimately be detrimental.
In the US we have an essential freedom and process: democracy. Change will truly never come through just Tweeting a Tweet, posting on Facebook, chatting on IRC, holding up a sign, taking a website, or many of them, offline, or hacking networks. Anarchy, or some variation thereof, will never bring more than temporary disruption, leaving what is truly needed in the long run to the best intentions of the past.
Positive movements that have created lasting change throughout history had order and structure. Leadership even. The only way to create lasting change in this great land of ours is through participating in our democracy and the democratic process. Some of what you all do does that… kinda.
I’m not saying that what you need is a politician, or a candidate, or a president, a secret handshake, or even a BFF.
Be creative. Create something that is compatible with our democracy but that still holds true to your ~beliefs.
Maybe that is what we are watching evolve right now? Or, is what we’re watching, however “unstructured”, starting, or continuing, to deconstruct?
Either way, Godspeed. It will be fun as hell to watch, read, post, blog and RT ;)
lulz
Quick, ISPs, grab your Glocks… aka RIAA, really???
You wanna stop piracy? Provide something better than what Blackbeard is offering.
If I could take a screenshot of the current state of cyber insecurity it would look something like this…
MegaHeadache DOT Seriously…
So, I’ve tried to keep this blog strictly about cyber-security and info-sec, but there is something that is eating at me that I think definitely relates to the cyber world, if not in a very direct way.
I’m not a proponent of piracy at all. I don’t download or use pirated software or media of any kind. All of my music is traditionally purchased and I have a valid license for all the software I own. Whether or not you consider it unethical or harmless, piracy, and downloading pirated material, is a great way to get a virus and make your entire network completely insecure. I’m not joking. Especially with the pirated ISO copies of Windows: there is no vendor checksum or signature you can verify the image against, so whatever somebody slipped into it gets installed with full privileges on day one.
That’s not why I’m writing about the recent Megaupload shutdown, though, and why it was wrong and completely misguided for the DOJ to do. Megaupload, from a technical perspective, is no different from any online storage service like Carbonite or Dropbox. Expecting a company with that many servers, that much data and that much throughput to police every bit and byte on its network is absurd. Expecting the DOJ to police it is even more absurd.
First off, the Megaupload takedown proves that we don’t need laws like SOPA to begin with. SOPA supporters argue that it’s needed for foreign sites outside US jurisdiction, like .ru domains and others. It’s important to note that it doesn’t give the US the power to shut down servers in Russia; it just makes it so ISPs have to block access to those sites via DNS. Ergo mega-censorship and a host of security and privacy issues: a filtered answer from the ISP’s resolver looks, to a DNSSEC-validating client, exactly like a tampered one, and the obvious workaround is to point your machine at some unfiltered offshore resolver you have no reason to trust.
SOPA aside, my point in all this is that the DOJ used laws that are in place to combat cartels and drug-related crimes. I assure you there wasn’t any cocaine or meth on Megaupload’s servers. Now, I’m not a legal expert, but when the DOJ doesn’t go after criminals, like those responsible for the destruction of our economy, but instead uses laws written for drug trafficking to take down such extreme criminal empires as Megaupload, which, God forbid, stores users’ data and allows people to back up their computers, OR share pirated material, then I think we have a problem on our hands that is much bigger, and far more dangerous, than digital copies of Katy Perry’s latest album or Disney’s The Lion King.
The DOJ just took down an entire organization without due process; that’s what is troubling to me, all other issues aside. Usually in cases involving copyright violations traditional avenues are taken that involve traditional legal proceedings, e.g. that oft-unfamiliar process known to humans who existed many years ago, in a galaxy far far away, as “DUE PROCESS”. What is that, you ask? It’s called justice, and it’s something that is eroding from the very institutions in this great land of ours that are supposed to be proponents of it, e.g. the Department of Justice.
(BTW, we’re so arrogant in this country that we think if we name a department of our bureaucracy after an ideology then somehow that ideology will actually come to fruition… e.g. “I know, we’z can call it ‘The Departmentz of Meat-Space’… then we’z can all have meat… in space… [insert cute looking picture of your cat here]”)
Seriously though, if I may draw your attention to exhibit A (the 14th Amendment to the Constitution):
“No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without DUE PROCESS of law; nor deny to any person within its jurisdiction the equal protection of the laws.”
Sure, that’s directly referring to States (like Utah), but the same due-process guarantee binds the federal government, and so the DOJ, through the 5th Amendment. So, what is “due process”? Well, whatever else it is, shutting down an entire organization, seizing all of its assets and taking all of its servers offline (making petabytes of private data inaccessible) before anyone has seen the inside of a courtroom is completely absent of it. Google lost a lawsuit for infringing a copyright on a much grander scale and was ordered to compensate the company because of that. (Another recent example is AT&T’s millions of dollars in fraudulent charges.) Nobody seized the CEO’s and owners’ property and froze their bank accounts, or the Google domain, before OR after due process. In fact it wasn’t even a criminal matter to begin with.
There are plenty of examples today of what due process and traditional legal proceedings look like (are there really?). The same should have applied in this case and it didn’t; why? With the passage of the National Defense Authorization Act, which makes it so you, or anyone, can be detained INDEFINITELY without trial or charge (i.e. without due process), I think the precedent being set is no surprise, and, in my opinion, the Megaupload takedown was an indirect result of it.
How should this have been handled? I think keeping the federal branch and the DOJ out of what should be civil proceedings is a start. Let the RIAA handle it, or Katy Perry for that matter, NOT the same department that is meant to enforce major criminal infringements.
DOJ’s reasoning: “Copyright violation illegal, we enforce law…” UGH!!! What is happening to this great land of ours??? Where is that seemingly ever elusive ideal known as justice?
Sorry, uploading a digital copy of “Firework” is NOT the same as uploading barrels of cocaine to a Cuban submarine!
…and our SBP rating is…
I don’t mean to beat a dead horse, but…
The Stratfor incident was just another typical hack that took advantage of lapses in security that my grandma could walk through, lapses that seem to be all too typical for companies of all kinds today. Stratfor should have protected its clients’ data (<= the dead horse in the room): card numbers and other personal details encrypted at rest, and passwords not “encrypted” at all but hashed with a per-user salt and a slow algorithm, so that a copied database is not a copied set of working credentials. Everyone assumed that they did. If someone asked you to give them a user and pass, and possibly more, wouldn’t you want to know if that info is going to be kept as secure as it should be? Would you give it to them if you knew it wasn’t? There needs to be some kind of system of verification for users and companies to see that their data is being kept safe by ANY online service or any place that stores that data. We have BBB ratings, so why not an SBP, Security Best Practices, rating (or something like it)? Make it a scale out of 10, or 10.10, or even 100, so that we all know whether company X or online service X is actually storing my info securely. It should be based on regular, at least quarterly, penetration testing or security auditing of some kind by independent third-party consultancies that show something as simple as “yes, they are encrypting their clients’ data, and that means they have a rating, based on many other tests, of X.”
Until there is something like that, or more accountability of some kind, we aren’t going to see a change in even the most sensitive of cases.
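Since the one concrete check named above is “are they protecting the credentials they hold”, here is what the passing answer looks like in code. This is an added example, not code from the original post or from Stratfor: a salted PBKDF2-HMAC-SHA256 password record with a constant-time verify, written against the Go standard library only. The sample password, the record format (`pbkdf2-sha256$iter$salt$hash`) and the iteration count are my assumptions for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// iterations is the PBKDF2 work factor (an assumed value for the example).
// Tune it so one verify costs tens of milliseconds on your own hardware.
const iterations = 100000

// pbkdf2SHA256 implements PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF,
// written out here so the example stays within the Go standard library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		// U1 = PRF(P, S || INT(block))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(P, U(j-1));  T = U1 xor U2 xor ... xor Uc
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hashPassword is the hardened pattern: a random per-user salt, a slow
// derivation, and a self-describing record so the work factor can change later.
func hashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	enc := base64.RawStdEncoding.EncodeToString
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, enc(salt), enc(dk)), nil
}

// verifyPassword re-derives from the stored salt and compares in constant
// time. Any malformed record is treated as a mismatch, never as a match.
func verifyPassword(record, password string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	if err != nil || iter < 1 || iter > 1<<24 { // cap guards against a hostile record
		return false
	}
	salt, err := base64.RawStdEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	want, err := base64.RawStdEncoding.DecodeString(parts[3])
	if err != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	// Constructed sample credential, not real data.
	rec, err := hashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", rec)
	fmt.Println("right password accepted:", verifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password accepted:", verifyPassword(rec, "Tr0ub4dor&3"))
}
```

The point an auditor would check is visible in the record itself: a different salt every time, a work factor you can raise, and nothing that can be decrypted back to the password. In a real code base reach for a maintained implementation (bcrypt, scrypt or argon2 from golang.org/x/crypto) rather than hand-rolling the derivation; it is spelled out here only so the example runs with no dependencies.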
Why the DigiNotar incident was inevitable, why it will invariably happen again and why it’s time to re-invent the wheel.
Ok, so let me point out the obvious:
If you Google “Certificate Authority” the first result, at least for me, is a Wikipedia entry describing what certificate authorities are, etc. It seems to me that this wasn’t a bad idea initially, but it was destined to fail at some point, because the whole thing rests on a CA’s signing keys being known only to the CA: the certificates themselves are public, but whoever holds the private key can sign anything. If there is one thing we know for sure in Info-Sec it’s that there is no 100% secure way of doing things. This was going to happen eventually. The weakness isn’t in the cryptography, or in the concept of a trusted CA and how that trust is handled. In fact all of the parties involved, Google and the other browser vendors included, responded appropriately and in a timely manner in mitigating this event by pulling DigiNotar’s roots from their trust stores.
The weakness was in the servers that hold those keys and issue the certificates. Like anything stored on a server, or on a computer of any kind, they can be hacked, and in this case they were: the intruder got onto DigiNotar’s issuing systems and minted rogue certificates for names he had no business holding, including a wildcard for google.com, which Chrome’s built-in pins for Google’s own keys rejected, and that is how the breach came to light. You’re only as strong as your weakest link, or so the story goes.
What’s the solution? A good penetration test would have uncovered the flaws in DigiNotar’s systems, allowing them to secure their servers, and everywhere they store things, accordingly. There is something that goes deeper, though, and it urgently needs to be addressed: companies, and individuals in companies, just assume that someone else is doing the job so they don’t have to.
It looks like most of the third-party CAs are only tested and audited once a year, if that. That’s unacceptable, especially considering how vital this system is, and how it will not change anytime soon either. I propose that there be periodic “blind” penetration tests and audits (unannounced to the people running the systems, so the tester sees the network the way an attacker does rather than the way it looks on audit day), carried out at least every quarter and mandatory for all CAs and third parties if they want to issue certificates. The companies should be expected to cover the cost of such tests but be awarded some kind of incentive for doing well and actually implementing, and maintaining, best practices.
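To make the two halves of the story above concrete, the rogue certificate that chains fine until the root is pulled, and the key pin that rejects it regardless, here is the pattern played out in Go’s standard-library x509 package. This is an added example, not DigiNotar’s, Google’s or anyone else’s code: both CAs, their keys, the host name and the pin set are constructed on the spot for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed root for a made-up CA. Keys are generated fresh
// on every run; none of this is DigiNotar's or any real CA's material.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue has the CA sign a server certificate for host. An intruder on the
// CA's issuing systems can run exactly this for any host name they like.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// chainOK is the ordinary browser check: does the leaf chain to a trusted root
// and name the host we are connecting to?
func chainOK(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// spkiPin is the base64 SHA-256 of the leaf's SubjectPublicKeyInfo, the value a
// key pin compares against; a rogue cert for the same name carries another key.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

type outcome struct {
	RogueChainBefore bool // rogue cert chains while the compromised root is trusted
	RogueChainAfter  bool // rogue cert chains after vendors pull that root
	RoguePin         bool // rogue cert matches the site's published pin
	GenuineChain     bool // honest CA's cert still chains after the pull
}

// scenario plays the DigiNotar pattern out with two constructed CAs.
func scenario(host string) outcome {
	honestCA, honestKey := newCA("Honest Root CA")
	badCA, badKey := newCA("Compromised Root CA")
	genuine := issue(honestCA, honestKey, host)
	rogue := issue(badCA, badKey, host) // minted by the intruder
	before := x509.NewCertPool()        // trust store as shipped
	before.AddCert(honestCA)
	before.AddCert(badCA)
	after := x509.NewCertPool() // trust store after the vendors' response
	after.AddCert(honestCA)
	pins := map[string]bool{spkiPin(genuine): true} // published by the site
	return outcome{
		RogueChainBefore: chainOK(rogue, before, host),
		RogueChainAfter:  chainOK(rogue, after, host),
		RoguePin:         pins[spkiPin(rogue)],
		GenuineChain:     chainOK(genuine, after, host),
	}
}

func main() {
	fmt.Printf("%+v\n", scenario("www.example.com"))
}
```

Run it and the four booleans tell the story: the rogue certificate is a perfectly valid chain right up until the compromised root is removed, which is why distrusting the CA is the only chain-level fix, while the pin on the genuine key rejects it from the first moment, which is why a pinned client noticed DigiNotar before anyone else did. The cost of pinning is the flip side: lose your key and your own site fails the same check.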
(I’m not implying by any of this that there needs to be more regulation or intervention by governments or bureaucracies of any kind. Some of the most successful organizations of all time didn’t need big brother to begin with.)
This was destined to fail at some point, and not because the CA system is weak. It’s a good system, and really all we have, but it will continue to fail, and keep being hacked, inevitably, unless people take the initiative and stop assuming that the other guy/gal is taking care of it so “I don’t need to”.
A simple pen-test and security assessment of DigiNotar would have unveiled the flaws behind it and would have prevented all of this from happening to begin with.
It’s time to re-invent the wheel. The methods of yesteryear do not work. Re-inventing the wheel in this case requires just a little common sense and a keyboard.
Speaking of ninjas…
Securing a network should be affordable for anyone.
I’m not a 31337 or an expert, but I’ve volunteered for a non-profit for the last few years, and one thing I’ve noticed is that sometimes the biggest hurdle in securing a network, especially a network for a non-profit, is funding. Even after recognizing and determining where you’re vulnerable, knowing the importance of the problem, and knowing the solution, with certain things you still have to have the necessary funding and/or personnel to implement it.
EVERYONE should have access to good software and hardware security solutions no matter their financial status, or at least viable alternatives that are affordable and easy to maintain. One of my favorite things about a lot of open-source is that it makes all of that possible. Now, you won’t get a commercial network-based, stateful, deep-packet-inspection firewall appliance for free, but there are affordable alternatives to the more expensive brands, or you can even roll your own from open-source software and unused hardware you already have.
Our network is probably the most secure in the region, and it’s not because we throw a ton of man-power and money at it. It’s because we creatively seek viable and affordable solutions that work! Granted, that may take more time and brain power on the part of the security professional.
The future of cyber security everywhere resides in making excellent software and hardware solutions affordable and available to everyone, especially to the poorest among us.
If you’re interested in contributing to an uber-awesome charity please check out: http://www.hackersforcharity.org
Yes, a Green Hat Ninja
I am a network warrior, an ethical hacker and a cyber security researcher. It is time to apply Green Hat thinking to all of the issues that plague the cyber world. This blog is my attempt, as a Green Hat Ninja, of doing that.
According to the de Bono Hats system, Green Hat thinking is:
“…the hat of thinking new thoughts. It is based around the idea of provocation and thinking for the sake of identifying new possibilities… Because green hat thinking covers the full spectrum of creativity, it can take many forms.”