Friday, July 29, 2005

BLACK HAT SPAT

f

By Elaine Meinel Supkis

For several days I have wanted to write about the recent Black Hat convention. But the news kept morphing the subject matter and I kept waiting to see the outcome so it could be hooked somehow into other aspects of our mutal reality. You see, one of my sisters is famous for her battles with hackers. One day, she gave them a really big challenge. This was back when I posted daily in a rather large hunk of the politics folder in the New York Times forums, about seven years ago.

The hackers went nuts and decided to destroy her. This meant, when I turned on my computer that morning, the NYT web page was devoted to a hacked screen rant about my sister. Then it all bled into my cyberworld as the name connection became visible and my son was rather gloomy. "Don't you do this, too, mom," he warned me.

Well, my son's friends in school hacked and one got a visit from the FBI, even. When my son worked for an online company, he and the others had to patrol for hackers. They made the news periodically and they had the usual hack attacks. My son was endlessly astonished by his older bosses, how naive they were and how open they were and how little they did to protect themselves from hack attacks.

Meanwhile, he and his fellow generation at the job deftly juggled equally young hackers even using my old ploy: pretending they knew who the hackers were and threatening to go fetch them.

In sum, we don't think hackers are something to brush off.

So...Black Hat holds seminars about all this. This year's had a very hot topic that blew up hugely, on the geeky side of the net. From PCP news:
The truth will out, and according to F-Secure's Mikko Hypponen, copies of Michael Lynn's controversial presentation on hacking Cisco's IOS platform are now floating about the Internet, despite Cisco's legal moves to block the researcher revealing any further information.
At this year's Black Hat conference in Las Vegas, Lynn jacked in his job with Internet Security Systems in order to give a presentation on hacking Cisco's Internetwork Operating System via a flaw. Although the hole had been patched since April, the technique was suspected to have worked using other vulnerabilities.
The cat is out of the bag. Even I got a hold of the cat as it padded past my work site. From Infowarrior;
The Holy Grail, Cisco IOS Shellcode and Exploitation Techniques by Michael Lynn (I waited until the site was taken down before publishing this piece!)
It had everything, namely, the code for the flaws in the router systems that Mr. Lynn detected when he was hired to find flaws which Cisco Systems "patched" only the patch was not entirely effective so Mr. Lynn decided to talk about this in public...to blow the whistle.

Since my entire existence that really interests me these days is the internet and this is why I will always love Gore, he helped make this system possible, legally speaking, since it was a government monopoly confined to research universities (where I had access but not from home)...the integrity and safe use of this system is vital to me. I really am interested in the inner workings of this thing which is a huge beast now, I watched it grow even as I lived life for many years.

The cyberworld has always ultimately been 01s in various configurations that now are reconfigured as "commands" so we don't have to punch in all those annoying 0's and 1's. But this ease of command opens it to hackers who can learn the methodology of this new "language." Watching my son and daughter use this language which they grew up handling is utterly foreign to me despite my considerable interfacing with computers. It doesn't come naturally like it does with them.

The young hackers are like that. Instead of fearfully looking at lines of code and having the eyes glaze over, they are like a pride of lions stalking zebra and gnu. From PC World:
ISS had originally replaced the presentation, entitled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," with a different one and had ensured the presentation materials were torn out of a book that was part of the materials given out at the Black Hat show.

But Lynn, a research analyst at ISS, quit his job at ISS and gave the presentation anyway.

"The information that Mr. Lynn disclosed at the conference, we believe was illegally obtained, and included Cisco intellectual property," says Cisco spokesperson John Noh.

Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and demonstrated a buffer-overflow attack in which he took control of a router. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software are at risk, he said.

Among other things, the injunction issued Thursday blocks Lynn from disclosing or disseminating any part of the presentation, disseminating any video recording of the presentation, or disassembling or reverse engineering Cisco code in the future.

Cisco had sought the injunction "to stop continued irresponsible public disclosure of illegally obtained proprietary information," it says in a statement.
The big guys in the front office stepped on a cow pie over this. The subject of the Holy Grail presentation is important. Like the entire "open source" movement to keep Microsoft at bay and to make code a mutual effort, there are many in the cyberworld who want complete information, not companies holding cards close to the chest, divulging information as if they are the Soviet Union, only if everyone is screaming from some awful crash, they might issue some strange statements designed to hide as much as possible. Ie, we don't trust them and can't trust them.
"Cisco's actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," the company says in its statement.

By pointing out the possibility of a worm attack on Cisco's routers, Lynn has performed a valuable service, says Black Hat attendee James Pearl, a consultant with Booz Allen Hamilton.

He did not have kind words for Cisco, and says the networking giant's attitude toward security might ultimately be bad for Cisco's business. "Security through obscurity doesn't work. You can stick your head in the sand but your butt's in the air," he says. "Do I really want to go with a company like Cisco that had to hide their problems?"

But Lynn's former employer, ISS, came out "the real loser in this," he says. "They've lost somebody really good, and everybody's saying, 'You didn't stand up for your guy.'"
All corporate entities keep their asses in the air and heads in the ground. The guys running these joints are paid a fortune for doing this.

Like the hackers, Mr. Lynn is now on the outside. Probably, no corporate entity will hire him. On the other hand, when the inevitable happens and the wild tribe of hackers who are now aiming to mess with this part of the system, attacks, all the corporate figureheads will be begging Lynn for advice...too late, as usual.

The Inforwarriors website no longer has the Holy Grail presentation. There is now a legal notice there. I was expecting this. Of course, it is all way too little and much too late. As I said before, any web denizen who tracks this sort of stuff already saw it or downloaded it or whatever. The horse is long out of the barn. It won't be tamed and brought to heel with lawyer's injuctions.

This information is now a hot commodity. All I can say is, I hope no one uses it to mess with the web! The last thing I want is the web, a huge and fragile if very animated entity, were to suffer at the inner workings, so to speak, the nerve ganglia. I wish it were always utterly secure. My tenuous online existence depends upon a hackproof environment.

Richard Forno, who runs Infowarrior, is an interesting person. He is highly connected and deeply involved in antihacking work, now he is under inditement, too! The splash this presentation, the Holy Grail, is making ripples throughout the cyber/hacker community. It really is growing right under my eyes tonight which is why I hesitated to write about it.

He lectures at places like Association of Internet Researchers and this site carries articles of interes not only to me but I suspect, readers of this blog.

From Online Security:An article by Forno, concerning terrorism online (not freepers posting obnoxious profanities at my web site or calling me on the phone)
Let’s play devil’s advocate for a moment and see what the real consequences of a cyber-terror attack would be. Could someone shut down part of a power grid or water system via a remote dial-up connection? Perhaps, but the same could be accomplished if someone managed to gain physical access to such facilities to throw a few switches and turn a few knobs. Besides, we’ve proven during countless natural weather disasters that we can live without electricity for short periods of time. Should critical networks be compromised, we can still pay for groceries with cash.

Even if any of these scenarios were realized, life might be a bit inconvenient or slower than normal at times, but we will still be alive, and buildings won’t have toppled. Life will continue to go on, and soon return to normal, likely more quickly than if recovering from a physical type of terror attack. A potential compromise of the air traffic control system doesn’t necessarily mean that planes will start falling from the sky: airplanes have arcane backup systems known as “pilots” and “co-pilots” who can fly and land them safely.
He sounds rather reasonable. Logical. Yet tonight, he is in legal trouble just like Mr. Lynn.
Defacing a Web site, releasing a virus, or shutting down Amazon.Com for a day is not terrorism. As one government IT security consultant told me recently, “a DDOS attack can ruin your day, but a pound of C4 explosive in your NOC can do much more long-lasting damage.”

People are afraid of cyber-attacks and cyberterrorism because they don’t understand them. Like voodoo, cyber-attacks are a mysterious and invisible concept, and therefore must be more dangerous than something tangible like dynamite or aviation fuel if used by an adversary. After all, how many people really understand how their computers work? It’s human nature to be afraid of what we don’t understand. In the case of our elderly Congress, I’d wager they’re plenty afraid.
The fear of the unknown but also the fear of knowing as we see tonight. They want us to feel vulnerable but they don't want us to know where our Achille's heels are located.
Much of what constitutes the "cyberterror threat" comes down to the poor management of systems critical to the security and viability of the United States. In other words, traditional computer security vulnerabilities, not legions of phantom ‘cyber-terrorists.’ Networked computer systems have the potential to be remotely compromised by unauthorized persons for any number of malicious purposes. Remedying these security problems is a function of information security professionals, not ‘counter-cyberterror’ experts.
Um, this older article certainly is hitting quite a few nails on the head, isn't it?

I happen to feel the only way to fix any system is to do so, openly. I grew up in the world of secrets. My own parents hold many secrets and this habit made it impossible for us to have a family relationship which has infected my life to this day. We just can't talk about hardly anything and the silence grows and grows.

I decided many years ago to be open. Just let it all hang out. This has put me at odds with those who want security and not freedom. This is the very heart of what is falling apart for us all. Secrecy doesn't equal safety. No one is more secretive than the North Koreans or the Soviets. Who wants that!

Not I. The last word will go to Mr. Forno:
Of course, such a response requires a rational understanding of the real threats. It requires that systems administrators and their executive management be given the resources to properly ensure the security of their systems. It requires that end users are educated about the information security threats and how to protect against them.

It does not require political appointees wringing their hands proclaiming “The sky is falling!” and demanding more money and more power. Nor does it require focusing on vague, shadowy threats instead of addressing the pressing needs and realities of information security today.
Amen, brother.

To return to homepage click here
|

Links to this post:

Create a Link

<< Home