Microsoft Notifies Cloud Customers of Breach

This ain’t gonna make anyone feel better about cloud services. Microsoft had to admit to users of one of its cloud services that due to a configuration error, their data was exposed for some two to three hours.

Not to worry, they said, “only a limited number of improper downloads took place.” Yes, and only a limited number of sperm get to the egg, too, but the consequences show up, sooner or later. See this Eweek article, but don’t show it to your boss if you’ve been talking cloud lately:

http://www.eweek.com/c/a/Security/Microsoft-Notifies-BPOS-Cloud-Customers-of-Breach-374778/?kc=rss

PsTools

Have you heard of them? If not, I suggest you download the suite and start enjoying the benefits that they can bring you (white or black hat).

PsTools are a suite of tools put together by Mark Russinovich. This 1.60MB download includes tools that will allow you to do things such as executing processes remotely, displaying the SID of a computer or user, killing processes by name or process ID, listing detailed information about processes and much more. These tools are available for free from the Microsoft TechNet website and run on Windows XP and higher and Windows Server 2003 and higher. I must warn you, upon execution of some tools your anti-virus software may kick back a false positive. The reason is that viruses have used these tools for malicious purposes in the past, and as a result some anti-virus vendors have included them in their definition files as a virus.

Here is a list of the tools and a description of their functions that I have obtained from the Microsoft TechNet site:

PsExec – execute processes remotely

PsFile – shows files opened remotely

PsGetSid – display the SID of a computer or a user

PsInfo – list information about a system

PsKill – kill processes by name or process ID

PsList – list detailed information about processes

PsLoggedOn – see who’s logged on locally and via resource sharing (full source is included)

PsLogList – dump event log records

PsPasswd – changes account passwords

PsService – view and control services

PsShutdown – shuts down and optionally reboots a computer

PsSuspend – suspends processes

PsUptime – shows you how long a system has been running since its last reboot (PsUptime’s functionality has been incorporated into PsInfo)

Installation is a piece of cake and it does not require anything special. The download includes a help file with instructions on how to use each of these. If you get more enjoyment out of the command line, you can CD into the directory that contains the tools, and add the “-?” option to the end of the command (tool) that you are interested in running.

For more information and the download, visit http://technet.microsoft.com/en-us/sysinternals/bb896649

Netcat

Think about the cool things you can do in a shell: directly create, modify and delete files; perform loops, iterations, and logical comparisons; directly access standard input, output and error streams; it’s quite a list. Bet there’s one class of utilities you haven’t taken advantage of: socket tools.

Netcat is one of these, originally developed as nc for Unix, and given the sincerest form of flattery by rewrites like GNU netcat and OpenBSD netcat. See the Wikipedia page for a list of variants and links to them.

The long and short of it is: netcat lets you establish connections using UDP or TCP, on any port you choose, between two or more hosts. It does the magical: opens a connection and then simply relays input and output between the participants. That means you could open a shell and execute “arbitrary” commands (ahem), or set up a man-in-the-middle session, or even just run a little server (say, on port 80) that drops some convenient little file on the unsuspecting visitor.
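The relaying described above, as an added example that is not part of the original post: a loopback-only Python sketch of one TCP session in which each side's bytes arrive at the other exactly as sent, with no protocol or interpretation in between. The function names and the sample input are assumptions made for this illustration.

```python
import socket
import threading

def read_until_eof(sock: socket.socket) -> bytes:
    """Collect bytes until the peer closes its sending side (recv returns b'')."""
    chunks = []
    while data := sock.recv(4096):
        chunks.append(data)
    return b"".join(chunks)

def listen_side(listener: socket.socket, to_send: bytes, seen: list) -> None:
    """Listener role: accept one peer, record its bytes, answer with ours."""
    conn, _peer = listener.accept()
    with conn:
        conn.settimeout(5)
        seen.append(read_until_eof(conn))
        conn.sendall(to_send)

def netcat_exchange(client_input: bytes, listener_input: bytes) -> tuple:
    """Return (bytes the listener saw, bytes the client saw) for one session."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))  # loopback only; port 0 = OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = []
    worker = threading.Thread(target=listen_side, args=(listener, listener_input, seen))
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(client_input)
        client.shutdown(socket.SHUT_WR)  # equivalent of EOF on the client's stdin
        reply = read_until_eof(client)
    worker.join(timeout=5)
    listener.close()
    return seen[0], reply

if __name__ == "__main__":
    # Constructed sample input: text plus raw bytes, to show nothing is interpreted.
    sample = b"status?\r\n\x00\xff"
    print(netcat_exchange(sample, b"ok\n"))
```

Because the transport adds no framing, authentication or encryption of its own, anything that needs those properties has to supply them on top of the raw stream.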

It’s such a low-level utility that it doesn’t even get a place on the Backtrack menus. But just learning about what it does, and how it works, will give you a world of insight into how exploits are created. Like everything in Unix, it’s a building block that lets you construct elaborate structures. If you’ve got netcat on your Linux distro, it’s probably the rewrite provided by the nmap package, which means it has SSL support, IPv6 and all kinds of fancy stuff like connection brokering. They have a very nice users guide at http://nmap.org/ncat/guide/index.html, and some nice examples at http://nmap.org/book/ncat-man-examples.html.

Here’s a nice little TechRepublic article on using netcat to run a “server” and execute a command upon connection, as well as using it to set up a nice little backdoor into a remote machine:
http://articles.techrepublic.com.com/5100-10878_11-5689982.html.

G-Loaded Journal has more examples of whole partition transfer, SSH tunneling, and port scanning at
http://www.g-loaded.eu/2006/11/06/netcat-a-couple-of-useful-examples/.

Google Streetview squeaks by the FTC, but runs afoul of the FCC

Heard of Google Streetview? Have you ever zoomed in to a Google Map, and seen exactly the building you’re looking for? Cool, isn’t it?

They did that by sending crews to drive around with cameras mounted to the roof, literally all over the US, or at least where it’s paved. No sweat, huh? Some people got upset by being caught and immortalized in those ugly shorts they only wear while gardening, but for the most part Google was nice about removing things that raised a protest.

The down side is this: they were also capturing wireless network communication. They were kind of snide about the issue when it was discovered, essentially saying that if your network revealed anything that was your own damn fault. The Federal Trade Commission recently wrapped up an investigation, since some of that captured data was both financial and confidential. Google lucked out with them.

Not so much the Federal Communications Commission.

For all you wanna-be hackers and pen testers out there, be familiar with this:

The Electronic Communications Privacy Act, Title 18, Crimes and Criminal Procedure, Part I: Crimes, Chapter 119, Wire and Electronic Communications Interception and Interception of Oral Communications, Sec. 2510: Definitions and Sec. 2511: Interception and disclosure of wire, oral, or electronic communications. (Start digging at http://www.fcc.gov/telecom.html.)

To make it simple: unless you have specific permission, and personally I insist on WRITTEN permission, it is strictly illegal to scan and capture data this way. Google tried to argue the harmlessness of the captured data, but has since had to admit it contains things like user logins and session cookies. There’s one good, brief article at http://www.infosecurity-us.com/view/13946/fcc-to-investigate-google-street-view-data-capture/.

It’s more than just a little bit of a shame that Google blindly ignored an issue any responsible hacker textbook pounds into the reader within the first chapter: you can’t wander around capturing people’s data. Not legally, that is.

Wall Scrubbing and Super-Logoff on Facebook

Is Facebook secure? Are you out of your mind? Do I use Facebook? Am I out of my mind?

Bruce Schneier posted up a link on his blog (http://www.schneier.com) to an interesting article at http://www.zephoria.org/thoughts/archives/2010/11/08/risk-reduction-strategies-on-facebook.html, relating how two young Facebook users create at least a little more security for themselves. The first technique, dubbed “super-logoff,” involves deactivating your account when you log off. That way no one can post to your wall, do messaging with you or view your content. When you’re logged back in and your account is re-activated, people can “see” and “talk to” you again.

The second technique involves what sounds to me like a labor-intensive process of un-posting everything you post, and un-liking everything you like, after an interval of your choosing. One teen’s reason: “Too much drama.”

Should we all be covering our tracks? Do all those “Likes” matter? It depends on how you view security. If you’ve seen The Minority Report, you’ve seen what I fear: advertising, persistent and noisy and inescapable, dousing every inch of the landscape around me. Maybe I should be covering my tracks….

 

Clearing the air on Net Neutrality

There has been a lot of smoke blown recently about “net neutrality,” which has not done much to clear the air on this critical issue. Perhaps the biggest problem is defining the term itself.

Net neutrality is neither a political system nor a federal plot. It is, simply put, the idea that network carriers have an obligation to carry all traffic, without discriminating against any individual web site, search engine, social network or video-sharing site. It is, as Loris Taylor of Native Public Media called it, “essentially the First Amendment of the Internet.”

The opposite of net neutrality, the goal the large carriers seek, is the “walled garden.” Imagine you are using Comcast cable Internet, for example. You are paying for your data connection; the web sites you visit have also paid for their data connection. How would you feel if Comcast decided to slow YouTube’s traffic to a crawl, because some other video site had paid it a fee to favor their service? How about if Comcast decided NetFlix traffic should be slowed down because they want to promote their own service? You might not be too happy that your provider, already paid twice, wants to be paid a third time.

Guess what. This scenario is already real. Read the Associated Press article at http://tinyurl.com/2cqxnc8.

Do I pick on Comcast unfairly? No, because they’ve been under either complaint or censure since 2007 for throttling specific applications, including BitTorrent and Lotus Notes, despite advertising “unlimited Internet.” And it’s not just BitTorrent and not just Comcast; Google “Madison River Vonage” and take your pick of articles about the efforts of Madison River (a carrier) to block Vonage VoIP telephone service, and the deep fines they incurred.

In the Albuquerque Journal, Rick Carnes (who is President of the Songwriters Guild of America, and thus has a financial interest on one side of this issue) argues that net neutrality is “an unprecedented federal expansion over the web.”

Recall that the Internet was originally developed by the Department of Defense at the public’s expense. It operates over a federally- and state-subsidized carrier network. That network itself is a provisional monopoly governed for the good of all citizens, not of individual corporations. It is already a federally regulated system.

You, the public, have already paid for this network through tax incentives and subsidies, or by paying $1000 per pole to run power and telephone to your rural home. The telecom carriers are simply providing a service. Now they want to change dramatically the terms of that service, to degrade the service you receive, and to improve their profits at your expense.

Like many people making his argument, Carnes says that the carriers don’t want net neutrality because it will interfere with “heal[ing] the Digital Divide,” since the carriers need more money to deploy broadband to remote areas. But that’s what Public Regulation Commissions are for: to evaluate utilities’ need for funding or rate increases for infrastructure. We can’t afford to be uncertain of this: net neutrality is a completely separate issue.

Carnes also suggests that keeping carriers from getting their way is “raising serious concerns about freedom of speech on the Internet since the censorship-friendly FCC would be doing the regulation.” Let’s be clear that the argument is about carriers charging websites more to speed up their traffic, nothing more. If there is any censorship to be feared, it’s the censorship the carriers will impose if we don’t lock in net neutrality now.

Randy Sanchez of the Albuquerque Hispano Chamber of Commerce argues that net neutrality somehow threatens deployment of high-speed Internet in rural areas, particularly for Hispanics. His argument that net neutrality is about infrastructure is off the point. To keep us on the point: net neutrality is about preventing carriers from throttling Internet traffic from sources that don’t pay extra for special access. Far from threatening rural people, net neutrality would ensure their fair access to any site or service.

Also, the $30,000-50,000 per-mile figure Sanchez cites when he discusses broadband deployment is for buried lines. Every rural dweller can tell you all about the existing network of utility poles, and the rarity of underground service, throughout the Southwest. Broadband deployment will be much cheaper than Sanchez suggests.

There is no federal takeover; the federal government (specifically the FCC) is having its hand forced by the attempts of large Internet providers to pervert a system already paid for by the public (twice or three times, depending on how you count) so they can make more money from us. There’s no doubt that if we don’t lock in net neutrality now, individual providers will be free to discriminate against any traffic they want, and you won’t be able to do a thing about it.

It’s that simple. Don’t let anyone try to confuse you with fear, uncertainty and doubt; there is nothing complex about this issue. It’s about making telecom/internet carriers stick to the agreement they’ve been bound to since the beginning of the Internet: not to discriminate against anyone’s traffic, and particularly not to make your favorite services pay them – yet again.