Many interesting issues are raised in the scenario contemplated in a recent Fox News Exclusive titled, "WikiLeaks to move servers offshore, sources say." I am interested since I am quoted numerous times about international law issues; but regardless, this topic could raise some interesting discussion.
The issue is similar to the concept of Sealand, the man-made platform off the coast of England whose owners claim it belongs to no nation and is its own sovereign territory. At one time HavenCo placed a server farm on Sealand and offered server space. The only restriction in the terms of service was no child pornography. Anyone could rent server space and keep anything else on the servers regardless of the data's legality, e.g. copyrighted material, terrorist information, or data related to various criminal activity such as stolen information and money laundering. It seems the server farm went out of business at some point in the early 2000s, but that is not confirmed.
Placing servers in international territory, let's say on a ship in international waters, raises some interesting legal questions, especially under international law, when a nation feels it needs to seize the servers or prevent whatever activity is occurring on them. In some regards this situation may be easier, legally speaking. If the server owners claim no law controls their actions, then what law can they cite that would prevent a nation from taking action, especially if the nation believes its national security is threatened? If the server owners claim to be citizens of a particular nation, then that nation's laws apply to them and they may potentially be captured and extradited, or simply snatched up out of international waters by the offended nation. It gets trickier when you have a nation that has no laws criminalizing the activity. This was the case with the creator of the "I Love You" virus: the Philippines could not prosecute since it had no law criminalizing the activity.
Many very interesting issues to consider and discuss. Anyway, here is a link to the Fox News article: "WikiLeaks to move servers offshore, sources say". Enjoy and I would love to hear your comments.
Posted in Security.
Tagged with cyber response, Fox News, hack back, international cyber space, international law, sovereign territory, WikiLeaks.
By David Willson
– January 31, 2012
Like many people, I make a lot of assumptions. Lately, I have made a lot of assumptions about people's level of knowledge when it comes to cyber security and technology. This is likely due to my background and training. If you work in IT, cyber security or a related area, chances are you make a lot of these assumptions as well.
Recently I learned that the level of knowledge regarding cyber security and technology amongst the legal profession is not as high as I had assumed. This is not a knock on my colleagues in the law profession, but my failure to avoid making assumptions. For instance, when emails are offered into evidence their authenticity must be established, but does this include whether the email address is genuine and was not spoofed, whether the content is original and was not altered, whether the date and time were not altered, the location from which the mail was accessed if webmail, how webmail works, where the servers are located, the metadata of the messages, etc.? Example: if one party offers emails to prove a point about their opponent and the offering party had not been given access to the email account, the question should be raised as to where the emails came from and whether they constitute evidence of a crime, e.g. was the email account hacked?
This is not unique to email but applies to social media accounts as well. Many people today do not realize how easy it is to fake, alter and manipulate online accounts. Certainly the legal profession must be provided the training and information to know the right questions to ask regarding the authenticity of evidence.
Posted in Security.
Tagged with courts, cyber security, email, law, lawyers, privacy, social media, technology.
By David Willson
– January 29, 2012
In January the FBI & Fordham Univ. ICCS 2012 conference was held at Fordham Univ. It was a great conference with more than 30 countries represented. Most of the speakers were excellent. This was truly a great collaboration between private industry and law enforcement from all over the world.
I was somewhat apprehensive about speaking on my topic, "Hacking Back In Self-Defense: Is It Legal; Should It Be?," since I was not sure how it would be received, especially by law enforcement. To my surprise the response was excellent. The first impression of many when they read the title is that all hack back is illegal, vigilantism, unethical; but after the lecture numerous people, including many law enforcement personnel, approached me to express their interest in the topic and were happy to see an attorney trying to push the envelope and move the discussion forward.
Let’s face it, here in the US the cyber laws have not kept pace with the technology and now we find ourselves inadequately prepared to defend our networks and information primarily due to our antiquated cyber laws. I am a proponent of updating our laws but in doing so, finding the proper mix of privacy protection and enabling clear and robust defense.
Hacking back, or aggressive cyber defense, should be incorporated, but with parameters and with acknowledgement by those seeking this alternative that they are strictly liable for their actions and are prepared to make amends to innocent third parties caught in the crossfire. Obviously this is a simplification of a mission or operation that must consider many variables and factors, including legal issues from a multitude of jurisdictions; the numerous particular options available to pursue; evidence of a clear attempt to identify the attacker through various forms of traceback; a memo outlining all of the actions pursued or contemplated prior to seeking hack back, along with an analysis of why those actions either failed or were not viable options; and a very robust risk assessment weighing all of the options and comparing the amount of damage presently being sustained by the company because of the attacks with the potential for damage to others. These and many more factors must be considered and analyzed when building a case for, and a plan to implement, hack back.
Posted in Security.
By David Willson
– January 29, 2012
Here's some hopeful news from Bill Gates. Viral illness is in decline thanks to his focused attention and heaps of money spent on the reduction of suffering.
…the Microsoft founder has become the people’s plutocrat. Although some diseases, such as malaria, remain rife, his charitable foundation and his lobbying have borne results. In the past year, not a single citizen in India contracted polio.
“People think aid is abstract and thousands of miles away. I go there and see it. I’m intent on making sure that my money gets to people who need it, and I come back and say it’s working.”
Hey Bill, what about all those people using your operating system that need your help to reduce their viruses?
Unlike polio, it looks like users in India seem to have a problem with Microsoft Windows infections, according to the Microsoft Worldwide Threat Assessment.
What would he do if malware infections of Windows systems raised the cost of the distribution or management of anti-virus aid? Ironic, no?
Note the infection rate explosion in France, Russia and Italy over the first half of 2011.
Posted in Security.
By Davi Ottenheimer
– January 28, 2012
The Crucial Security Forensics Blog lists reasons why the VMware Virtual Disk Development Kit (VDDK) might be useful for a forensics investigation that needs to mount and manipulate VMDK files.
Some scenarios might include master boot record infection, such as the Stoned bootkit, a Windows bootkit that attacks all Windows versions from 2000 up to 7. It is loaded before Windows starts and is memory resident.
Another scenario involves the malware inserting itself into all VMDK files on the system.
Thirdly, having offline access to the VMDK would be essential if the malware was able to steal essential files such as the system and software hives, SAM and/or private keys.
Fourth, if the virtualized disk were using full disk encryption, the analyst would be able to access the files via the VDDK API without decryption taking place.
Lastly, if the machine had other controls in place such as AV or host-based firewall protection on certain files, an analyst would have access to them and not require booting up the virtual disk.
Posted in Security.
By Davi Ottenheimer
– January 26, 2012
Differences in interpretation of the EU's 1995 data protection rules may soon be resolved, according to a proposal by Viviane Reding, Vice-President of the EC in charge of Justice, Fundamental Rights and Citizenship.
A single set of European rules on data protection valid everywhere across the European Union, so one rule for the 27 Member States and for 500 million people. One data protection authority for one company: a one stop shop and one authorisation for the whole European Union. This will reduce administrative burden and will save the businesses around 2.3 billion Euros a year.
The new rules carry some interesting concepts, such as a new burden of proof for companies that retain personal information. Reding advocates the ability of a person to request that their data be deleted ("right to be forgotten") unless a company can prove a "legitimate reason" for retention. She also has said companies will have to report a breach "as soon as possible," which has been suggested to mean 24 hours. Compliance is expected to be managed by a data-protection officer, who will be required at all companies with more than 250 employees.
Posted in Security.
By Davi Ottenheimer
– January 26, 2012
Seems like connecting to video cameras on the Internet has been a thing to do for about a decade now. The classic example was to use a search engine to identify the cameras by their URL:
The next phase was to fingerprint the more network-aware cameras with FTP and web servers to take them over with exploits, stolen credentials or different forms of management software.
The basic story was so common that by 2006 even FOX news ran a story on "hacking" cameras (700K views):
The word hacking is usually a stretch, since you are just connecting to something without any security, but eventually came some interesting reverse attacks on cameras, fooling the camera controller with a bogus stream or device to steal credentials.
Now I see a story from the New York Times that confirms video conference systems are still being set up without authentication.
Strangely, however, the NYT mentions nothing of the long history and background to the problem. The NYT story then gets echoed as if this issue was only just discovered. Is anyone really surprised that cameras are still exposed in 2012?
Simply put, customers do not demand that vendors ship the product in a safe-mode. Vendors do not change because they say customers want easy, not secure. Some might see this as yet another "hot coffee" moment waiting to happen.
Perhaps we can hope a NYT version of the story will have some effect on market tolerance for silent yet weak defaults. The story probably will have more effect than years of warnings in forum discussions and local news videos. But until then, more cameras will be connected to the network while the ability to find, index and connect to them will stay trivial.
Posted in Security.
By Davi Ottenheimer
– January 25, 2012
NIST has released as final their special publication 800-144 (SP800-144). Perhaps the single biggest takeaway from the guide is that risk management has not changed fundamentally from non-cloud environments, but the devil may be in the details.
It offers the following list of benefits from the transition to public cloud.
Benefits
- Staff specialization
- Platform strength
- Resource availability
- Backup and Recovery
- Mobile endpoints
- Data Concentration
You might read that list and want to ask "yes, but what about all the Amazon outages or the high-profile breaches like Dreamhost…," which is why they also wrote a "Security and Privacy Downside".
Risks
- System complexity
- Shared multi-tenant environment
- Internet-facing services
- Loss of control
Posted in Security.
By Davi Ottenheimer
– January 24, 2012
o0o security research has posted a review of the SEC Consult Vulnerability Lab Security Advisory on Apache Struts2 along with a remote code execution exploit.
The problem, in brief, is that Struts2 fails to properly handle user input. A malicious user can elevate privileges by manipulating a design flaw in how HTTP parameter names are handled by Object-Graph Navigation Language (OGNL).
CVE-2011-3923 is the result of ParametersInterceptor allowing parentheses and thus allowing expression evaluation, which can be exploited as follows:
/myaction?foo=&(foo)('meh')=
and here's what happens:
- Action attribute foo is set to the value of the foo HTTP parameter and will hold the attacker's OGNL statement.
- The second HTTP parameter, named (foo)('meh'), will be evaluated as an expression-evaluation OGNL statement: the foo action attribute will be retrieved from the action (remember we control its value via the HTTP parameter) and its value will be evaluated as another OGNL statement.
Since attacker's OGNL statement is in HTTP parameter value we bypass the regular expression and are allowed to use special symbols to modify OGNL context properties to allow method execution.
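The weak spot described above is that a parameter *name* containing parentheses is accepted and then evaluated. The following is an added illustration (not code from o0o, SEC Consult or the Struts project) of the defensive counterpart: a strict whitelist for parameter names, applied to constructed access-log lines so that requests shaped like the one quoted above are flagged, including a percent-encoded variant.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Accept only property-navigation style names: identifiers joined by dots
# and numeric indexes, e.g. "user.address[0].city".  Anything that could
# make the name itself an OGNL expression (parentheses, quotes, '#', '@',
# '=') fails the match and is reported.
SAFE_PARAM_NAME = re.compile(
    r"^[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[\d+\])*$"
)

# Request line inside a Common Log Format record: "GET /path?qs HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def suspicious_param_names(request_target):
    """Return the parameter names in a request target that fail the whitelist.

    parse_qsl percent-decodes names, so '%28foo%29' is checked as '(foo)'.
    """
    query = urlsplit(request_target).query
    pairs = parse_qsl(query, keep_blank_values=True)
    return [name for name, _value in pairs if not SAFE_PARAM_NAME.match(name)]


def scan_access_log(lines):
    """Return [(line_number, [offending names])] for each log line that has any."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        bad = suspicious_param_names(match.group(1))
        if bad:
            hits.append((lineno, bad))
    return hits


# Constructed sample log lines (not real traffic); lines 3 and 4 carry the
# parameter-name shape quoted in the advisory, plain and percent-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2012:10:01:02 +0000] "GET /myaction?foo=bar&user.name=x HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2012:10:01:03 +0000] "GET /myaction?items[0].qty=2 HTTP/1.1" 200 128',
    '10.0.0.9 - - [24/Jan/2012:10:01:04 +0000] "GET /myaction?foo=&(foo)(\'meh\')= HTTP/1.1" 200 77',
    '10.0.0.9 - - [24/Jan/2012:10:01:05 +0000] "GET /myaction?foo=&%28foo%29%28%27meh%27%29= HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for lineno, names in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious parameter name(s) {names}")
```

The same whitelist, applied before parameters reach the framework, is the shape of control the advisory implies was missing; the log scan only shows which requests it would have rejected.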
Posted in Security.
By Davi Ottenheimer
– January 24, 2012
There is ample evidence that the NYPD harshly and regularly discriminates against bicyclists. In a city that would benefit immensely from alternative transportation one might conclude that the police would be spearheading a campaign to promote and protect cycling. They do the opposite instead.
A recent case adds a new twist to what is really happening on the streets; the police spent more resources on surveillance of those who suffered a loss than on the attacker who caused it.
Incredibly, there are no photos of the scene of the incident in the NYPD's file because "the investigators' camera was broken." However, the file does contain "numerous" photos of the Lefevre family and their attorney, prompting Erika Lefevre to write, "Apparently, NYPD cares more about investigating our family's efforts to get information from it, than about properly investigating Mathieu's death."
[...]
A description of surveillance video of the crash, as provided to Streetsblog, describes Mathieu being struck by the passenger side of the truck before being hit again by the driver's side wheel. The footage makes the NYPD's decision to not file criminal charges against Degianni all the more puzzling.
Camera broken? The police in New York City could not find a functioning camera?
The necessary change, if you agree with the risk thermostat theory I've written about before, is to get the police out of their tax-guzzling gasoline cars (you thought I would say doughnut shops, didn't you) and onto bicycles. It would help if city officials also would ride, like Mayor Villaraigosa in Los Angeles.
The mayor was riding in the bicycle lane on Venice Boulevard in Mid-City at about 6:50 p.m. when a taxi abruptly pulled in front of him. The mayor hit his brakes and fell off the bike.
[...]
The mayor's accident comes as bicyclists in the city have increasingly been complaining about safety issues and pressing city officials to do more to make cycling safe.
It is a sad fact that one incident in Los Angeles has a very different outcome than all the combined accidents in New York, yet that is just further evidence of how empathy plays a major factor in our risk thermostat.
Just one month after he was injured in a bicycle accident, Los Angeles Mayor Antonio Villaraigosa spearheaded a special bike summit on Monday morning, aimed at improving bicycle safety across the city.
Even if there are brush-ups between cyclists and the police, and a lack of training about why cyclists are safer and easier to deal with, the economical and logical fix is more police and officials riding cycles. That would generate empathy and dramatically shift their view of how incidents should be investigated.
Posted in Energy, Security.
By Davi Ottenheimer
– January 24, 2012