
Apologies for the mangled French title.  The BBC reports that several companies are challenging a French law insisting that they keep a record of users’ real names, telephone numbers, addresses, and–most damningly–passwords, to be turned over to police on demand.

In a proper, competent system, passwords themselves are never stored.  Instead, when an account (and associated password) is created, the password is passed through a complex mathematical function to produce what is called a ‘hash’–much like how reconstructing an order of ham hash into the original ham and potatoes is more difficult than anyone can reasonably be expected to accomplish, reconstructing a password from a hash is intended to be next to impossible.

When the user logs in, their password is passed through the mathematical function again, and the result compared with the entry in the password table.  Since the function is tuned to produce a complex but unique result from each input, if the hashes match then the password has been entered properly.

The recent high-profile crack at Gawker, where the password database was compromised, was only possible because their hashing algorithm was weak and most users’ passwords were also weak.  Indeed, the algorithm itself was not actually reversed–instead, a database known as a ‘rainbow table’ was used, which is the result of passing a dictionary of common passwords through a known hashing algorithm.
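The two schemes described above side by side, as an added example that is not part of the original post: an unsalted fast hash (MD5 here, a constructed stand-in for "a weak hashing algorithm") can be matched against a table of common passwords hashed once in advance, while a salted, deliberately slow hash (PBKDF2-HMAC-SHA256) is verified only by re-running the function with the stored salt. The password list and the record format `salt$iterations$digest` are constructed for this demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed dictionary of common passwords for the demonstration; not data from the post.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey"]


def weak_hash(password: str) -> str:
    """Unsalted, fast hash: the weak scheme the post criticizes (MD5 as a stand-in)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_table(dictionary) -> dict:
    """Hash every dictionary word once; any leaked unsalted hash is then a single lookup."""
    return {weak_hash(word): word for word in dictionary}


def lookup_weak(stored_hash: str, table: dict) -> Optional[str]:
    """Return the dictionary word whose hash matches, or None if it is not in the table."""
    return table.get(stored_hash)


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted, slow hash stored as 'salt$iterations$digest' (constructed record format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def demo():
    table = precomputed_table(COMMON_PASSWORDS)
    recovered = lookup_weak(weak_hash("letmein"), table)   # found: "letmein"
    stored = strong_hash("letmein")                         # fresh random salt per record
    ok = verify_strong("letmein", stored)                   # True
    bad = verify_strong("letmeout", stored)                 # False
    # Two users with the same password get different records, so one table cannot serve both.
    same_record = strong_hash("letmein") == strong_hash("letmein")
    return recovered, ok, bad, same_record
```

The salted records differ even for identical passwords, so a table built once cannot be reused across accounts; an attacker would have to redo the slow computation per salt.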

This French law completely ignores best practices.  Besides the obvious privacy concerns, it requires that the companies make passwords available to the police–which means that, rather than a database of the hashes, the companies will be required to keep a database of the actual passwords.

This is an unnecessary and badly thought-out requirement, as it lays every single person in France who uses any of these services open to theft of their accounts should anyone be successful at exfiltrating the associated databases.  Worse, given that real names and addresses are associated with these accounts, it provides very nearly one-stop shopping for any French identity that an attacker could wish to have.  

In essence, no company that engages in anything resembling standard security practices can operate in France unless it irreparably damages those standard procedures in order to do business with that country.

This law is badly thought-out and will irreparably damage France’s status in the EU and on the world stage.  Anyone who wishes for security in their dealings should avoid any companies that provide this data, as these databases will be inherently insecure.

If you’re unfortunate enough not to have someone in your family or circle of friends who builds computer systems, you may have had the unfortunate experience of buying a new computer at a retail store and, on unboxing and setting it up, being confronted with a significant amount of preinstalled nonsense that you neither want nor need.  Usually, this includes such things as “trial versions” of games, “trial” versions of antivirus programs, “helpful” extensions to the web browser, assorted other “previews” of software, generally some sort of “maintenance” console from the system manufacturer, links to one or more ISPs’ setup procedures, etc., that require several hours’ cleaning in order to be rid of them.

If you have the misfortune of buying a system from Samsung, however, you may have found a little something more.  NetworkWorld broke a story yesterday where a security professional found a clear instance of spyware being preinstalled by the manufacturer.

Spyware, as the name implies, is the term for software intended to covertly gather information from a system and report it back to some other party without the user’s knowledge or consent.  In this case, it was a kind of program known as a keylogger: it intercepted keyboard input and logged it for transmission back to, apparently, Samsung–meaning that any documents, usernames, passwords, credit card numbers, social security numbers, names, addresses, or what have you that are entered on the keyboard, regardless of the context or location of the entering, would be logged by the system for inspection by Samsung.

Systems have been compromised by malicious software before being shipped in the past–Seagate had an incident in 2007 where some of its home-user Maxtor drives shipped with an outdated virus due to contamination at the drive manufacturing plant–but in this case the action appears to have been purposeful, as Samsung has admitted to purposely installing the software on the systems.

This recalls the Sony rootkit debacle from ’06–Sony had purposely built onto CDs a data track designed to be run by users’ computers that would install software specifically for the purpose of restricting music copying.  In this case, not only was the rootkit largely ineffective, but Sony was brought up before the FTC and restricted to such an extent that business refactoring was necessary in order to continue to operate in the United States.

The FTC stated at that time that installing software that creates a security risk to the consumer without the user’s consent is forbidden.  This apparently did not stop Samsung from violating, clearly, the letter and the spirit of that decision in installing malicious (to the user) software on the system.

Fortunately, there is a–relatively–easy fix for all of the problems above.  Installing an operating system onto the computer other than the one the manufacturer provided is a sure way to prevent both the installation of bloated advertising programs and vendor-provided malicious software.  

It’s an unfortunate extra step, but so long as vendors continue to prove they cannot be trusted with consumers’ information, it’s a necessary step.

A word of caution: the Windows license key printed on the case will likely not work with a regular Windows installation disk; that key is keyed to what’s known as the OEM version of the operating system–that is, the one that is distributed on the computer.  You will either have to purchase (or obtain by some other means) a license for Windows from another source, or choose a Linux distribution (such as Ubuntu or Fedora) that can be obtained without cost.

A post on the best ways to bribe the local computer geek into setting this up for you will be written shortly.

EDIT:

Several sources (engadget and Ars Technica, specifically) are now reporting that the keylogger detected was likely a false positive.  The statement by the customer support supervisor was, in this case, likely due to a misunderstanding of the question being asked. 

That being said, it is still a good idea to either build your own system or wipe and install your own OS on a vendor-supplied system, if only to keep off unnecessary bloat.

Those in the field of computer security are often scrutinized with suspicion by both media and business.  Antivirus companies, for instance, have sometimes been suggested to create viruses themselves in order to maintain their business–high prices for software updates and ‘professional’ versions of their scanning products may give some people the image of a mafia ‘protection’ racket.  That some companies have, in the past, hired high-profile ‘hackers’ to their company certainly does not help matters; while the so-called ‘hackers’ do tend to be talented, the fact that they have done actual harm causes them to be viewed with suspicion–the leopard cannot change his spots.

To add to the news that HBGary was involved in a conspiracy to discredit reporters and that they were run by someone completely incompetent with basic security tenets, news has now come out that they were attempting to modify the recently widely-publicized Stuxnet worm for their own purposes.

It is perhaps fitting that someone who thought that data mining social media was a new and different idea would think that repurposing a worm known to have caused millions of dollars’ worth of damage–real-world damage, too, not just lost productivity–was somehow not ethically repugnant.  

There is no ethical reason for a “cybersecurity” company to deploy malware.  Even in the context of “cyberwarfare,” there is no reason why private companies should be involved in developing or deploying malware; warfare is the province of the Department of Defense.  

Further, it wouldn’t work.  Stuxnet has been addressed fully by all AV vendors; its method of propagation is known, the viral signature is known, and the countermeasures to remove it are known.  In fact, it was useless in the western world at the time it was originally released–the payload, the disruption of the industrial control systems, relied on a vulnerability that was patched by Siemens years ago.  The only reason why it had an effect in Iran is due to their lax security and their lack of access to software updates.

Beyond that, there has been extensive analysis of the Stuxnet worm (as befits the celebrity status of being the first notable instance of malware being used specifically to cause targeted damage to a specific system) that has noted the very amateurish techniques behind its construction.  True, the sabotage of the ICS was well carried out–it did its job well–but the viral payload that enabled the infection of the systems was like something out of a “malware for beginners” manual.  Besides the use of multiple zero-day exploits, the polymorphism and rootkit installation are very well-known techniques that AV vendors have been very successful in mitigating.  

Using Stuxnet for any purpose other than that specific ICS sabotage is useless:  that would involve removing the competent part and retaining the incompetent part.  It would be quickly detected and its influence mitigated by AV software, and it would become just one more variant of the same thing out in the wild, clogging up spam filters and unpatched systems–more needless work for the competent, ethical administrators without resulting in any reward for these incompetents.

HBGary Federal is to be condemned for this breach of ethics, and no ethical company or person ought to do business with them–though their utter lack of competency with basic security for a so-called ‘security’ firm ought to have given a warning sign that hiring them for any purpose other than wasting money would be a mistake.

In other, related news, Palantir Technologies, implicated during the last breach as being in collusion with HBGary to smear opponents of BoA, has made statements to distance themselves from HBGary.  While their hands are certainly far from clean in this matter, it appears that HBGary Federal has become the designated scapegoat for this particular incident.

Over Super Bowl Sunday, some interesting news came out–HBGary Federal, a purveyor of “cybersecurity” services for the FBI, got themselves cracked by Anonymous.  Much like the recent Gawker crack, the reason that this was accomplished was entirely due to the hubris of the person in charge.

The adage says that a chain is only as strong as its weakest link–and this is very much true for organizational security.  When the lynchpin in the center of the chain–the top administrative accounts–is weakened by improper separation of duties, the whole thing falls apart.

In both the Gawker and the HBGary cases, the leader of the organization made the same key mistakes:  they reused the same password for multiple accounts across different security levels, they had too much access to critical administrative areas, and they deliberately invited the interest of blackhats.  These all point to the same problem at both organizations: leadership that does not take security seriously.

The password reuse is the first critical error.  In both cases, the organization beneath the compromised executive doubtless had knowledge of proper password policy.  In the case of Gawker, the Lifehacker affiliate site had a widely-publicized article providing base guidelines for password use and reuse–giving standards for strength and entropy, and cautioning against reusing a password in multiple places.  Given that HBGary’s whole business is based on security, there’s no excuse for them not to be familiar with these standards; the leaders of both organizations have shown deep and pervasive incompetence in their actions.  

The lack of proper separation of duties is the second error.  While Gawker has some small excuse for this, given that the head of the company was apparently involved in code review and the like, there is absolutely zero excuse for HBGary’s president to have any level of access above the basic user level to the organization’s mailserver.  This cannot be emphasized enough: any executive who demands administrative access to critical administrative areas in a company with an actual IT department is incompetent and dangerous.  If the executive needs to access employee emails, then they can set up a policy to do so as part of the acceptable use policy, and coordinate with the IT department to do so.  If the executive cannot trust his IT department and his lawyers to do this effectively, then he has made a poor choice of employees.  The doctrine of separation of duties exists for a reason: to prevent just this sort of compromise, where a single account can be leveraged to access unrelated resources.  That this form of attack worked in both organizations indicates the same endemic organizational failure:  a micromanaging, hubristic leadership without sufficient checks on their executive powers to prevent abuses.  Neither of these organizations would be suitable for a competent professional’s employment.

Third, the absolutely baffling hubris of calling out a specific group to attack them indicates a complete lack of ability in senior leadership.  Granted, the members of Anonymous who carried out the attacks are, in their own right, committing criminal actions, but when a known hazard from a known vector exists, there is zero excuse to specifically invite action from that hazard.  In the most baffling of the various incompetencies listed, the leadership of HBGary and Gawker did not apparently conduct any security audits or ensure that measures were in place to prevent or counter intrusion by outside forces before issuing their declarations–taunting an enemy into attacking is a valid strategy, but only if you have some means of responding to it.  To use a colloquialism, both HBGary Federal and Gawker were asking for it–literally.

These are just the overt failures that are common to both organizations–and they’re quite enough to label both HBGary Federal and Gawker as completely incompetent.  The most troubling aspect of this whole business is, I think, that HBGary Federal provides services to the United States Government:  I would urge any agency that has contact with this company to seek immediate separation from their services and to perform a full and complete security audit to ensure that none of the compromise of their leadership has led to compromise of the Government resources that they had access to.  

The lessons here are obvious:  Do not reuse passwords.  Enforce password policies.  Do not allow senior leadership administrative access to administrative accounts.  Apply IT security policies to everybody in the organization, including senior leadership–ESPECIALLY senior leadership, given that they are the highest priority targets in any compromise attempt.  Do not invite trouble unless you have specifically prepared for it–one might argue even if you have specifically prepared for it.  

Sadly, neither HBGary nor Gawker is unique; there is a constant stream of anecdotes in the IT world about micromanaging senior leadership that demands access to administrative functions without the competency required to use this access wisely.  The question is not if, but when, this sort of compromise will happen again–and, like as not, it will be obvious who the next target is; they’ll likely announce themselves.