It’s been an interesting experience and trial by fire for my first time ever being involved in a Google Summer of Code project. The first few weeks were spent answering innumerable questions from prospective students either clarifying the project requirements or requesting feedback on their proposals. Now that the submission deadline has past, things have quieted down a bit, but I fear it’s only the quiet before the storm. Once students are selected on April 25th, and with any luck I’ll be paired with my requested student, I expect that we’ll hit the ground running to start architecting and designing an Android static analysis tool that the student can complete by the end of the Summer.

I may post some updates on the project here from time to time, and I’m sure there will be regular status updates by myself and the student on an official google code site. Stay tuned for results, and with any luck we’ll have a functional static analysis tools with an IDA-like UI by the end of the Summer.

We’re proud to announce our first meeting on March 2nd with Matt Tesauro presenting the latest release of the OWASP Live CD, which he has renamed the Web Testing Environment (WTE), because it’s so much more than a liveCD.

In Matt’s own words:

There have been over 5 releases since I took over the project but I have to say, except for the first release, this this has to be the one I am most excited about. I call it OWASP WTE or Web Testing Environment and it is so much more then just a Live CD.

Click here to read the whole blog with release details…

Please click below to get all the details for our next meeting on March 2nd from EventBright, and we kindly ask you to RSVP (it’s free, and easy) so we can get an accurate headcount for lunch.

I hope to see you there, please help us spread the word even if you can’t make it by visiting EventBright and click the social media links at the top to spread the word.

The full body scanner amounts to a a strip search, and despite TSA’s objections, it has the potential to cause the same psychological effects on many of it’s victims as a strip search.  For someone that’s committed no crime and just wants to travel to see their family, I would say that it crosses the line to have them remove their shoes, jacket, belt, anything from their pockets, then ask them to step into a machine to raise their arms and keep their legs apart while some person in another room examines a detailed image of their body through their clothes.  The experience of being inspected, patted or rubbed down, and your belongings searched through in front of your family, friends is extremely degrading in my opinion and has the potential for very real psychological impact.  This psychological impact is intentional in the prison system, but in a place where upstanding citizens are merely traveling for work or to see their family, it’s gone beyond good security into a police state mindset.

I’ll close with this:  There’s a grass roots movement to stand up against this type of treatment called “Fly With Dignity” (http://flywithdignity.org/). And there you can sign the petition and send it to the Secretary of the Department of Homeland Security and TSA.  The following is the message I attached to my petition signature:

It is a sad day in American history when our leaders choose to use national security as a pretext for the forced relinquishment of God-given and unalienable rights.  This includes among other enumerated and unenumerated rights, the right as a citizen to be treated with decency, respect and trust, until we have given cause to have violated that trust by our own actions.  By allowing foreign and non-state terrorists to coerce our nation’s leaders into continually increasing the invasiveness of inspections and law enforcement of law-abiding citizens who have done no wrong, we are giving them the power to permanently shape our government in an extremely negative and detrimental way.  I have traveled many times in the past ten years, and have never been in fear of a terrorist attack on my flight, but I have always been afraid without exception when I enter the TSA screening area, not because I have something to hide, but because I am consistently treated with disrespect as if I’ve already committed a crime and must prove myself innocent while being verbally and physically degraded in front of my peers.  But more than fear, I feel sadness because I can see where this is heading and if we don’t change course soon, it will be a very sad future indeed.

It is important to note that this was not some new vulnerability that was recently discovered, it’s a very well-known and industry accepted flaw. The fundamental flaw is that many “secure” personal applications only encrypt traffic to the login page, securing your username and password, then resume unencrypted traffic. Not only does this give “curious” users on the same unencrypted wireless network access to your potentially sensitive data accessed inside the application (email, name, address, contacts, etc.), but it also gives them access to your session ID, typically stored in a cookie that is sent across the unencrypted link with every page request. This session ID is how the website controls access to your account after you’ve given your username and password, and once compromised can be used to gain full access to your account. This has been well discussed at length many times before, but the industry line has been that the performance costs and requirements associated with encrypting all traffic to their applications make it cost prohibitive.

It appears that Firesheep has rocked the boat significantly, with more than 600,000 downloads, and making this particular type of attack “so easy a caveman could do it” with point and click simplicity. Microsoft has announced this week that Hotmail will allow full session encryption as an option for users. While it was mentioned in late September that this announcement would be made later this Fall, one can’t help but think it was hastened after the flurry of firesheep media coverage. It should also be noted to Hotmail users, that this is just an option, not by default as Gmail has done since early this year, so it will require the user to be aware and enable encryption manually which is unlikely for the majority of the general population.

For those in the information security industry, it’s no surprise that actions speak louder than words. For better or for worse, this is approach that many independent vulnerability researchers have taken for years, because the industry and the general public tend to ignore “bugs” unless a proof of concept exploit is created to prove the security impact. There will always be the tar pit of ethical dilemmas surrounding responsible disclosure of both the vulnerability and the PoC exploit, and opponents will claim that by releasing the code you are enable and encouraging people to use it for malicious purpose. I would argue that knowledge and tools have always been a double edged sword, but the alternative is concentration of knowledge and power by the few and powerful who make decisions for a general public left in the dark. This is the antithesis of a truly democratic society that relies on an informed public to apply the appropriate pressure to industry and political representatives in order to create socially beneficial progress.

Firesheep provides a mechanism for someone as technically challenged as my parents to visually recognize the threat this vulnerability poses to their information security and to become aware enough to ask the simple question, “Why don’t they fix this?” My hope is that this sentiment will quickly turn to, “They must fix this!” and large application developers will no longer be able to sweep gaping security holes under the rug due to the ignorance of the general public. It is discouraging to consider that we may never achieve a fully proactive security policy in the software industry, but as long as there are companies that drag their feet in implementing best practices there will be proof of concept tools to bring their vulnerabilities to light.

In 2004 a group of mostly academics, including myself and another student from The University of Texas, and representatives from West Point met in San Antonio to discuss the feasibility of an intercollegiate cyber defense exercise. Out of this, members from The University of Texas – San Antonio, The University of Texas – Austin, and Texas A&M met together to lay the foundations of the Collegiate Cyber Defense Competition (CCDC) hosted by The University of Texas – San Antonio. The first competition was held in 2005, and consisted of only 5 teams. Since then it has grown considerably, the competition held held in 2009 consisted of over 40 teams competing in 8 regional competitions all over the US, with the top team from each region moving on to nationals in San Antonio. This competition is a bit different than the military CDX, in that the teams are given a network on the first day and they only have 1 hour to analyze it and secure it before the red team starts attacking. I had the great joy this year of competing on the red team for the northeast region held at RIT. As a participant in the first annual CCDC, I can safely say that it is far more fun and less stressful to be on the red team than the blue team.

It should be noted that both of these competitions have the students focus on defense and defense alone. There are other competitions that do focus on offense as well as defense, notably DEFCON’s CTF and Giovanni Vigna’s iCTF. Understandably, academics and other officials have been shy when it comes to teaching students the offensive side of computer and network security, but with more and more public talk about the need for more offense coming from on high, I think this will change sooner rather than later. Sun Tzu wrote many years ago that you must not only know yourself, but know your enemy as well. If one is to truly defend themselves against a motivated and skilled attacker, they must first know their enemy’s tools, techniques, and motivations.

These types of fast-paced, enhanced real life scenarios are critical for preparing the next generation of cyber defenders for either industry or military positions, and the military academies’ CDX has certainly set the bar high.

The National Academies Have just released a report titled “Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities” at 1pm EST April 29, 2009. The short description from their site is:

“Cyberattack refers to deliberate actions to alter, disrupt, deceive, degrade, or destroy computer systems or networks or the information and/or programs resident in or transiting these systems or networks. This report focuses on the use of cyberattack as an instrument of U.S. national policy.”

Essentially this is a guidance document for policy makers on the area of computer network attack (CNA) as a means of offensive capabilities.

I have heard several high level officials recently stating that we need to develop our offensive capabilities since cyber warfare is asymmetric, which by definition means that the offensive side is favored. I’ve also heard a lot of nuclear analogies like mutually assured destruction, deterrence, first strike, and proliferation, which can be hit or miss. This report is the most comprehensive policy report that I’ve seen to date on this topic, weighing in at a stout 300+ pages. Of particular interest to me is the inclusion of a legal and ethical perspective. I’m going to a presentation tomorrow night at the Harvard Belfer Center titled “Cyberattacks Through the Lens of International Law” that will discuss this topic at length.

I expect that I’ll have much more to say about this when I read it more thoroughly. At first glance the key findings are inline with what I’ve heard in various places, although it seems to be much more comprehensive and substantiated than others I’ve seen.

I’m not saying that this view is wrong, but it will take quite a bit of evidence to the contrary to get me to change my opinion. In my opinion botnets aren’t going to go away, but they will certainly evolve. No longer will they be used for simple denial of service (although that probably won’t go away entirely), but they’ll also be used for financial gain, distributed computing, distributed storage, and wide scale subversion. We saw the beginnings of this many years ago when an underground credit card ring was caught by The Honeynet Project. The bottom line is, people will never cease to find new ways to use thousands or millions of computers under their illicit control, and botnets provide them that ability.

That said, botnets of today will wane as the technology progresses, becoming the toys of the script kiddies. New botnets will have better command and control structure, will have diverse methods of propagation, will themselves be more secure (see: Conficker), and will be less detectible. So long as there are large numbers of vulnerable computers, botnets won’t die, they’ll evolve.