Research

As the silly season comes to a close with today’s election (at least for, like, a week or so) there’s a change to the political process I’ve been thinking about a lot. And it’s not e-voting, election fraud, or other issues we’ve occasionally discussed. On this site (and others) we’ve discussed the ongoing erosion of personal privacy. More of our personal information is publicly available, or stored in private databases unlocked with a $ shaped key, than society has ever experienced before. This combines with a phenomena I call “The Long Archive”- where every piece of data, of value or not, is essentially stored for eternity (unless, of course, you’re in a disaster recovery situation). Archived web pages, blog posts, emails, newsgroup posts, MySpace profiles, FaceBook pages, school papers, phone calls, calendar entries, credit card purchases, Amazon orders, Google searches, and … Think about it. If only 2% of our online lives actually survives indefinitely, the mass of data is astounding. What does this have to do with politics? The current election climate could be described as mass media shit-slinging. Our current crop of elected officials, of either party, survives mostly on their ability to find crap on their opponent while hiding their own stinkers. Historically, positive electioneering is a relative rarity in the American political system. We, as a voting public, seem to desire pristine Ken dolls we can relate to over issues-focused candidates. No, not all the time, but often enough that negative campaigning shows real returns. But the next generation of politicians are growing up online, with their entire lives stored on hard drives. From school papers, to medical records, to personal communications, to web activity, chat logs (kept by a “trusted” friend) and personal blogs filled with previously private musings. It’s all there. And no one knows for how long; not really. No one knows what will survive, what will fade, but all of it has the potential to be available for future opponent research. I’m a bit older, but there’s still an incredible archive of information out there on me, including some old newsgroup posts I’m not all that proud of (nothing crazy, but I am a bit of a geek). Maybe even remnants of ugly breakups with ex-girlfriends or rants never meant for public daylight. Never mind my financial records (missed taxes one year, but did make up for it) and such. In short, there’s no way I could run for any significant office without an incredibly thick skin. Anyone who started high school after, say, 1997 is probably in an even more compromising position. Anyone in the MySpace/FaceBook groups are even worse off. With so much information, on so many people, there’s no way it won’t change politics. I see three main options: We continue to look for “clean” candidates- thus those with limited to no online records. Only those who have disengaged from modern society, and are thus probably not fit for public leadership, will run for public office. The “Barbie and Ken” option. We, as society, accept that everyone has skeletons, everyone makes mistakes, and begin to judge candidates on their progression through those mistakes or ability to spin them in the media of the day. We still judge on personality over issues. The “Oprah/Dr. Phil” option. We focus on candidate’s articulations of the issues, and place less of an emphasis on a perfect past or personality. The “Issues-oriented” option. We weigh all the crap on two big scales. Whoever comes out slightly lighter, perhaps with a sprinkling of issues, wins. The “Scales of Shit” option. Realistically we’ll see a combination of all the above, but my biggest concern is how will this affect the quality of candidates? We, as a society, already complain over a lack of good options. We’re limited to those with either a drive for power, or a desire for public good, so strong that they’re willing to peel open their lives in a public vivisection every election cycle. When every purchase you’re ever made, email, IM or SMS, blog post, blog comment, social bookmark, WhateverSpace page, public record, and medical record becomes open season, who will be willing to undergo such embarrassing scrutiny? Will anyone run for office for anything other than raw greed? Or will we, as a society, change the standards by which we judge our elected officials. I don’t know. But I do know society, and politics, will experience a painful transition as we truly enter the information society. Share:

An unpatched vulnerability being exploited in the wild. When I’m on a Windows system (I run it virtualized on my Mac for work) I tend to use multiple browsers since even Firefox has issues at times. I even do this on my Mac- running Firefox and Safari, switching between the two depending on where I’m going. But at this rate I’m going back to Lynx. (And if you go to “those” sites do yourself a favor and only browse from a virtual machine you reset after every use). Share:

After reviewing the materials I could find online I directly contacted Thierry Zoller and he was kind enough to respond with more details. In his words (with permission). Short version is the flaw is well patched, but the exploit is a new technique of getting a remote shell. No kernel bugs this time: Dear Rich Mogull, RM> Saw the ISC entry on your BT attacks. I’ve been writing a bit on this RM> issue and am wondering if you have any time for a couple quick RM> questions? RM> 1. Are currently patched Macs safe (OS X 10.4.8, 10.3.9)? Yes! The underflying flaw is patched since more than 1 year! I also mentioned and stressed this during my talk, that was the reason to to release the source code. HOWEVER and I also stressed this is the reason WHY this is marked as 0-day is that having a REMOTE SHELL over Bluetooth is something nobody knew and noticed, and yet it was feasable for over a year. RM> 2. Where’s the flaw- is this a device driver exploit that drops you RM> into kernel space? No, it’s a plain dumb directory traversal bug in the OBEX FTP server, Kevin used it to upload binaries/local root exploit to special directories. He then planted an Autostart using the INPUTMANAGER (a feature of MACos). Then after getting root through the local exploit (automated) he bound a RFCOMM shell to /etc/tty replacing the existing RFCOMM port 3 with an shell. And that’s it. No Kernel Space bugs demonstrated. – http://secdev.zoller.lu Thierry Zoller Fingerprint : 5D84 BFDC CD36 A951 2C45 2E57 28B3 75DD 0AC6 F1C7 Share:

In the comments of my last post, bkwatch reminds me that paper ballots are from from perfect. I totally agree. I’m also not against e-voting just on principle. Or against all e-voting. I’m just against insecure electronic voting. Which, based on what I’ve seen, is true of many, if not most, current implementations. Here’s what I said: Here”s why I don’t think the risk is overblown. First of all there are only a few manufacturers of voting machines. The problems we see are systemic to those manufacturers and systems. Thus the potential exits for a single attack to potentially work on a massive scale- maybe a number of states. Second, the attacks can be much harder to detect and not require as much collusion as attacks on paper systems. A single technician, programmer, or hacker (for networked systems) can succeed. The normal physical controls we have to reduce election fraud are less effective, or even worthless. There are also availability issues- paper is much more resilient to power outages and system crashes. It’s a lot easier to lose a single memore chip with thousands (or more) votes than a big ballot box with equivalent numbers (which, on occasion, also happens). Thus the scope and scale of the problems is dramatically different. I actually think smart e-voting can improve the electoral process and reduce voter fraud. I”m not against e-voting itself, just many of the current implementations. Electronic voting can be improved by: Requiring independent security lab certification. Not a weak certification like Common Criteria, but something more akin to the testing done on gambling machines. A voter verified paper trail- not something a voter takes home, but something they can visually certify and drop in a ballot box before walking out the door. Eliminating network connectivity. Except for maybe local networking over physical cabling, but even that might be too risky. These won’t eliminate fraud, but they’ll reduce it. The potential is even there to build a system more secure than paper. Share:

I’ll be updating the look and feel of the site slightly, and performing some other system updates. There shouldn’t be any outages, but if you do notice anything strange or some HTML/CSS issues please let me know Share:

I have no details, but am investigating. http://isc.sans.org/diary.php?storyid=1817 I know there are some Bluetooth 0days floating around for various platforms, but this one wasn’t on my list. This was presented at a conference in Europe. A copy of the presentation is here. In the presentation it looks like the flaw is patched, but I’m checking with the author to find out for sure. Right now nothing to panic about, but I do stand by my advice to start limiting wireless use in public areas. I still use my wireless, but I leave it off when I don’t need an active connection. Which you probably already do for battery life, right? Share:

I’m linking to Jim at DCS Security- he has the best SCADA background in the blog community and hopefully he’ll dig into this particular hack a little more: http://dcssec.blogspot.com/2006/11/more-on-water-system-hack.html The more we transition process control networks to the same tech we run the Internet on, and the same Windows and *nix systems we run our homes and businesses on, the more incidents like this we’ll see… (my original post on SCADA) Share:

I don’t know a single security expert that supports any current implementation of electronic voting. It’s too late for this election, but if we don’t take action before 2008, we might as well kiss what’s left of democracy in the United States goodbye. http://feeds.feedburner.com/~r/boingboing/iBag/~3/44064916/fl_evoting_machines_.html We’re not just disenfranchising a small segment of the population; we’re disenfranchising our entire society. Yes, I really think it’s that bad. At least it will be, if we don’t do something… …and yes- I plan on doing something, but after this election cycle when we can leverage a new Congress, not lame ducks. Share:

I don’t cover industry issues here, but this is just too good to pass up. Sanjay Kumar, former CEO of CA, is sentenced to 12 years and $8M in fines. U.S. District Judge Leo Glasser said though Kumar was not a violent criminal, he “did violence to the legitimate expectations of shareholders.” Prosecutor Eric Komitee said Kumar deserved severe punishment as the architect of an elaborate coverup that was “the most brazen in the modern era of corporate crime.” … After the FBI began investigating the company in 2002, Kumar orchestrated a cover-up that involved lying under oath about the “35-day month” and other frauds and trying to buy the silence of a potential witness, authorities said. Oops. Share:

Now there’s something I need to admit here. Hopefully it won’t scare you courageous readers away. You see, as much as I (and fortunately, my employer) consider myself a security expert it wasn’t exactly my major. Nope, wasn’t computer science either. History, you ask? With a bit of molecular biology? Yep, you got it. So when Pete Lindstrom reminds me that it’s not like voter fraud is new to US elections I have to admit he’s right, and I knew it. Heck, to this day rumors still float around that Joe Kennedy may have been a bit of a proactive campaigner for his son. Ballot stuffing and voter intimidation are fine American traditions with a long and- well respectable isn’t the right word, but a long and something- history. I doubt there’s been a single election in the United States, on any level, from kindergarden class president to the President, that’s escaped some degree of shenanigans. So I will admit that despite my FUD and hand waving, the country won’t come to an end nest Tuesday leaving us all in some whacked out version of Mad Max where we mount staple guns to our Saturns. (Actually, I drive a Ford Escape… hybrid. I did used to live in Boulder and all). The thing is, as cynical, pessimistic, and paranoid as I am after a lifetime of working security and rescue and seeing the worst in human behavior, I still cling to some shred of patriotic optimism that this country is something more. More than what? Just more. I grew up on 4th of July parades, Boy Scouts, and little American flags on our car antennas. I’ve been in some sort of continuous volunteer (or paid) service to this country since I was 16. I’m proud that, on occasion, I still get to wear a uniform (not military- rescue stuff). Thus the hyperbole of my previous post is only the result of a deep desire to see this country live up to its potential. If we all keep rolling over and accepting things like voter fraud, there really won’t be anything left but voter fraud. Fortunately there are plenty of indications that, in this case, we not only have a chance to mitigate the problem, but enough people are becoming aware that we have a problem to incite action. Us security experts do have an important role to play in exposing inherent flaws in current electronic voting systems. This is full disclosure at its very best. E-voting itself isn’t dangerous; just the way we’re doing it now. And all you non-security experts have the responsibility to ask questions and implement change. Kind of the whole democracy thing and all, since it really isn’t dead yet. Just resting. But I hope Pete was kidding and is also worried, because e-voting is different. As with all information technology, it supports a scope and scale of fraud far beyond ballot stuffing or registering dead Civil War veterans. One programming change or glitch can swing elections on entire systems in a nearly undetectable way. A few pre-programmed memory cards can disenfranchise entire districts. If someone is stupid enough to connect these things to the Internet, one good worm or hacker could hand the Presidency to a 19 year old Diebold technician. All those scenarios are very possible. It doesn’t take a conspiracy theory. Election fraud has always existed; now we’re enabling it on the scale of the Internet. But the Boy Scout in me truly believes it won’t happen. Well, more than once. At least not on a national scale. Hopefully. As long as we get off our asses. And yes, keep watching this space. On a separate but related note it looks like Diebold is turning into the Court Jester of voter fraud. According to Slashdot, Diebold is insisting HBO not air a documentary questioning the integrity of voting machines. I’m not the biggest fan of using ROI to justify security expenses, but Diebold probably has a great case that the cost of threatening, suing, and defending themselves from allegations of security flaws is greater than the cost of actually fixing their damn product. Seriously guys, a couple of good security engineers are probably cheaper than all your lawyers and PR flacks. I can refer a few if you want. I just saw the article and it looks like “Hacking Democracy” airs tonight. Knowing HBO it will run like, every hour, for a few months, so I’m off to set the TiVo… Share: