Thursday, March 10, 2011

Hacker vs. Hacker

The hacking and public humiliation of cyber-security firm HBGary isn't just entertaining geek theater. It's a cautionary tale for businesses everywhere.

Greg Hoglund's nightmare began on Super Bowl Sunday. On Feb. 6 the high-tech entrepreneur was sitting in his home office, trying to get to the bottom of some unusual traffic he was seeing on the Internet. Two days earlier he'd noticed troubling activity hitting the website of HBGary Federal, the Sacramento startup he helped launch in 2009. He suspected some kind of hacker assault and had spent the weekend helping to shore up the company's systems. A few hours before Green Bay kicked off to Pittsburgh, Hoglund logged into his corporate account on Google (GOOG)—and confirmed his fears. He couldn't get in. Someone had changed the password and locked him out of his own e-mail system.

Stolen passwords and hackers are facts of life in the Internet Age. Twitter, Facebook, MasterCard (MA), the Washington Post Co. (WPO), the New York Stock Exchange (NYSE), the U.S. State Dept., and countless other organizations large and small have had to deal with cyber-assaults. More often than not, the security hole is plugged and, if the victims are lucky, the plague abates. Not this time. HBGary Federal is a spinoff of Hoglund's HBGary Inc., a cyber-security firm that offers protection to corporations and governments from cyber-attack. Hoglund built his career on the business of hacker-proofing—getting hacked meant HBGary failed at the very thing it's paid to get right.

Hoglund called Google's corporate technical support to shut down the account, but a representative told him that doing so would take time. It didn't matter. Intruders were already helping themselves to tens of thousands of internal documents and e-mails, some of them personal exchanges between Hoglund and his wife, Penny Leavy, president of HBGary. Then the hackers—who turned out to be members of the anarchic cyber-guerrilla organization that calls itself Anonymous—triumphantly posted their electronic booty on an online file-sharing service for all the world to see. That's when Hoglund's real problems began, and the resulting controversy—involving a high-powered Washington (D.C.) law firm, the Justice Dept., and the whistle-blower site WikiLeaks—hasn't just been entertaining geek theater but a rare look into the esoteric realm of cyber-security. It's a world where only a select few understand the workings of the computers and networks we all use, where publicly antagonizing the wrong people can have disastrous consequences, and where some participants tend toward self-aggrandizement and flexible differentiations between right and wrong.

The HBGary Federal documents—to Hoglund's surprise, he says—revealed unethical and potentially criminal plans to build a digital-espionage-for-hire business. "They really showed how bad things are getting," says Bruce Schneier, a renowned computer security expert. "Blackmail, espionage, data theft. These are things that were proposed as reasonable things to do. And no one said, 'Are you crazy?' " The plans were conceived in part by HBGary Federal's top executive, a former U.S. Navy cryptologist named Aaron Barr. Barr was working in conjunction with two other security companies. In a bit of cloak-and-dagger grandiosity, the firms dubbed their collaboration Team Themis, after a titan of Greek mythology who embodied natural law. (Forsaking Themis brings on Nemesis.) Team Themis proposed to electronically infiltrate grass-roots organizations opposed to the U.S. Chamber of Commerce, the powerful Washington lobbying organization. In a separate and even more legally dubious proposal intended for Bank of America (BAC), the group laid out a plan to infiltrate WikiLeaks and intimidate its supporters.

Team Themis's machinations were exposed before they got past the proposal stage. But the schemes the security firms came up with were Nixonian in scope and Keystone Kops-like in execution. In a 12-page PDF sent to Hunton & Williams, the Washington law firm representing the U.S. Chamber, Team Themis suggested creating dummy documents and online personae, and scouring social networks such as Facebook for intelligence on their prospective client's most vocal critics. In the proposal for Bank of America, the security firms suggested hacking WikiLeaks itself to expose its sources. For Hoglund and his 30-person company, the fallout from the revelations continues to grow. Employees of HBGary and their families have been besieged with hostile phone calls and e-mails, including some death threats, and the company canceled its presentations at the annual RSA cyber-security conference in February. News sites that cover computer security have plumbed the document dump, turning HBGary and Barr into objects of ridicule. Barr resigned on Mar. 1 and declines to speak publicly about the ordeal. All of it makes Greg Hoglund furious. "These individuals are not hacktivists, they are criminals," he tells Bloomberg Businessweek, referring to his Anonymous adversaries. "If you let a gang of cyber-thugs hack into systems with impunity and get away with it, what kind of precedent does that set for cyber-security?"

Hoglund, 38, is widely respected in the computer security world for his expertise with "rootkits," software that facilitates privileged access to a computer while evading detection. The HBGary chief executive officer never went to college and learned his trade on the fly, spending time with other hackers and writing his own security software. He co-founded HBGary in 2004, providing corporations with tools to detect, analyze, and combat sophisticated malware attacks from hostile foreign governments. (The firm's name is derived from Hoglund and his two original partners, Shawn Bracken and Jon Gary.) Among the companies HBGary has worked with are Morgan Stanley (MS), Sony (SNE), and Walt Disney (DIS).

Fifteen months ago, Hoglund decided to branch out into a new market and spun off HBGary Federal to perform classified work for the U.S. government. Employees of the subsidiary would have military experience and top security clearances. To run the operation, Hoglund tapped Barr, then an engineer in the Intelligence Systems Division of military contractor Northrop Grumman (NOC). "Aaron has a very high IQ. He's a very smart individual," says Hoglund. "He also has an incredibly good reputation, or he did at the time."

In the year after he was hired, Barr had little success building HBGary Federal's business. The firm initially attempted to break into the "incident response" market, selling its spycraft to government agencies so they could shut down leaks and identify cyber-attackers. That field is competitive, and paying work sparse for startups. By October 2010, in the e-mails that later became public, Hoglund warned Barr that HBGary Federal was "out of money and none of the work you had planned has come in." In his reply, Barr agreed.

Barr did have one possible lifeline. On Oct. 19, Palantir Technologies, a Palo Alto (Calif.) cyber-security company whose terrorism analysis software is used by the Pentagon and the CIA, reached out to HBGary Federal and another security firm, Virginia-based Berico Technologies, with a tempting offer. Palantir said it had been approached by Hunton & Williams, a century-old firm with ties to the Republican Party and the defense industry. The firm needed investigative services on behalf of a high-profile, deep-pocketed client.

Barr and representatives from the other companies discussed the project via e-mail and visited Hunton & Williams in November to meet with Richard Wyatt, co-head of the firm's litigation group. A person who was at the meeting says Wyatt wore suspenders, smoked a cigar, and propped up his cowboy boots on his desk—a cartoonish vision of a D.C. power broker. But the security professionals were impressed when they learned the identity of the prospective client: the U.S. Chamber of Commerce, which had just backed a wave of successful conservative candidates for Congress. The Chamber, it seemed, had a public-relations problem: Activist organizations such as U.S. ChamberWatch, Velvet Revolution, and Change to Win were accusing it of financial improprieties and using foreign donations for political purposes. The Chamber believed all these grass-roots organizations were working in concert with the surreptitious backing of major unions. According to the e-mails released by Anonymous, Hunton & Williams was already amassing reams of information, including union rosters, and needed expert help in digesting the data. The security firms' mission, should they choose to accept it: Infiltrate the activist groups and their leadership, compile dossiers, and help the law firm "truly understand and eliminate emerging threats that could cause harm to their clients," according to a Team Themis document.

The team's members spent much of November working up their proposal. They highlighted how they would funnel their gleanings through Palantir Technologies' military-grade terrorist-tracking software. "We need to blow these guys away with descriptions of our capabilities," wrote Matthew Steckman, an engineer at Palantir, in one of the e-mails in the published documents. "Make them think that we are Bond, Q, and money penny [sic] all packaged up with a bow."

Then there was the matter of price. Such private online espionage was hardly common practice, and there was no industry-standard pay scale. Team Themis landed on $2 million. For that sum, the client would get a "daily intelligence summary," "link diagrams," and "target impact analysis," among other services. Hunton & Williams, on behalf of the Chamber, balked at the price, so the security companies agreed to do a pilot on spec. (The law firm has not commented on the matter.)

Hunton & Williams clearly saw potential in Team Themis. On Dec. 2, in a message with the subject line "Urgent: Opportunity," a partner at the firm asked the group to come up with a new plan, this time to combat WikiLeaks on behalf of a different prospective client—Bank of America, which believed WikiLeaks was about to publish a cache of its documents. (The Justice Dept., the e-mails suggested, had recommended that Bank of America hire Hunton & Williams.)

Barr took the lead in crafting what would become an infamous 24-slide PowerPoint presentation that called for a cyber-campaign of disinformation against WikiLeaks. The document analyzes WikiLeaks' server infrastructure, talks about planting news stories about the exposure of its confidential informants, and proposes online attacks. Some of the language is comical, like a verbal version of an old Spy Vs. Spy cartoon from Mad magazine: "Speed is crucial!" blares one slide. "The threat demands a comprehensive analysis capability now." A person familiar with the creation of the presentation said it was the result of late-night brainstorming, and that the security firms knew Bank of America would likely reject the most aggressive tactics.

As with the Chamber of Commerce scheme, the WikiLeaks proposal never got a final hearing. While HBGary Federal and the other security firms awaited a formal go-ahead from Hunton & Williams and its clients, Barr decided to deploy his new research techniques on Anonymous.

Anonymous has had a busy winter. The group, which appears to be less a formal organization than a loose coalition of tech-savvy radicals, attacked government websites in Egypt and Tunisia. It launched denial-of-service attacks on Amazon.com (AMZN), PayPal, MasterCard, and Visa (V) after those companies declined to do business with WikiLeaks. Barrett Brown, an unofficial spokesman for the group, says its goal is "a perpetual revolution across the world that goes on until governments are basically overwhelmed and results in a freer system." Barr had come to believe that companies would have to defend themselves against this anarchic sensibility using the same tactics as the mischief makers. He also believed he had the skills and experience to join the battle. His principal weapon was a method he developed to associate the real identities found in social networks such as Facebook and LinkedIn with the anonymous profiles of hackers. So while Hunton & Williams weighed Team Themis's proposals, and with the ultimate fate of HBGary Federal hanging in the balance, Barr figured the time was right to demonstrate how social networks could yield an intelligence bonanza.

Barr began by hanging out in an online forum called Internet Relay Chat (IRC), using a fake identity. At the same time, on social networks, he "friended" people thought to be senior members of the Anonymous collective. Barr then compared the times that suspected hackers logged into IRC chat rooms anonymously and into their own identifiable social networking accounts. The exposed HBGary e-mails would later reveal that Barr's own employees thought he was overreaching and that they feared retribution from the vengeful Anonymous. But Barr plunged ahead. He proposed a talk at the RSA conference in San Francisco titled "Who Needs NSA when we have Social Media?" Then he promoted the talk by suggesting he would expose the identities of the primary members of the group. On Feb. 4, a Friday, Barr bragged to the Financial Times about his upcoming talk and claimed he had obtained the identities of the group's de facto leaders. Bad idea. As Stephen Colbert summed it up, lampooning the HBGary affair on his TV show, "Anonymous is a hornet's nest. And Barr said, 'I'm gonna stick my penis in that thing.' "

When hackers taunt, they often use the term "pwned"—as in, "I so pwned you, newbie." No one seems to agree where the word came from. Google it, and you'll find claims that it's a corruption of "owned," or that it's from a computer game, or maybe it's just a shortened form of the chess term "pawned." Whatever its origins, the term connotes humiliating domination by another person or group.

That's roughly what happened next to Barr, Hoglund, and HBGary. Responding to Barr's public claims, the Anonymous hackers exploited a vulnerability in the software that ran HBGary Federal's website, obtained an encrypted list of the company's user names and passwords, and decoded them. Barr and some of his colleagues, Anonymous then discovered, had committed computer security's biggest sin: They used the same password on multiple accounts. The hackers commandeered Barr's Twitter and LinkedIn accounts, lacing both with obscenities. One of the passwords also opened the company's corporate Google account. Jackpot. In less than 48 hours after Barr's Financial Times interview appeared, the hackers had the keys to the kingdom. They immediately started downloading HBGary's e-mails. All told, Anonymous got hold of 60,000-plus—about 4.7 gigabytes worth, including attachments—and quickly put them all online in conveniently searchable form. The material details online security holes at HBGary clients and prospects such as Sony, Johnson & Johnson (JNJ), Disney, ConocoPhillips (COP), and dozens of others. The e-mails showed that DuPont (DD) was breached in 2009 (by the same hackers who hit Google) and again in late 2010. DuPont employees on a business trip to China even found that their laptops had been implanted with spyware while the hardware was supposedly locked inside a hotel safe.

In the ensuing days, Barr and Leavy, HBGary's president, took to IRC channels to plead with Anonymous for mercy. None was forthcoming. Members of the group and their supporters gleefully defaced and posted photos of Barr, published personal details about his family, tweeted his Social Security number, and generally gloated about pwning a professional adversary. They said the "ninja team" that hacked HBGary included a 16-year-old girl named Kayla. (Rumors online suggest that "Kayla" is actually a 26-year-old man living in New Jersey. Who's right? Not even Anonymous may know.) "We have no choice but to defend ourselves and defend WikiLeaks by these means," says Brown, the unofficial Anonymous spokesman. "This has just begun. We're absolutely at war now."
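The two failures the article describes in the HBGary breach are a leaked table of stored passwords that could be "decoded," and the same password being reused across the website, Twitter, LinkedIn and the corporate Google account. The following is an added example, not code from the article or from HBGary; the article does not say how HBGary stored its passwords, so nothing below is a claim about that. It contrasts an unsalted single-round hash, which lets two leaked tables reveal reuse by digest equality alone, with salted PBKDF2-HMAC-SHA256, where the only way a service can catch reuse is to verify a candidate password against the user's other stored records at password-set time. User names, passwords and the two "services" are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2 work factor; tune upward to what your login latency budget allows.
ITERATIONS = 200_000


def weak_store(password):
    """Unsalted, single-round SHA-256. Any two systems storing the same password
    this way produce the same digest, so a leaked table exposes reuse before
    anyone has to recover a single password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_store(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, encoded as pbkdf2$<iterations>$<salt>$<digest>."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def strong_verify(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    if scheme != "pbkdf2":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def reuse_visible_in_leak(table_a, table_b):
    """Given two leaked {user: unsalted_hash} tables, list the users whose digest is
    identical in both. With unsalted hashes this is visible with no cracking at all."""
    return sorted(u for u, h in table_a.items() if table_b.get(u) == h)


def rejects_reused_password(new_password, other_stored):
    """Defender-side check at password-set time: with salted hashes, reuse can only be
    detected by verifying the candidate against the user's other stored records."""
    return any(strong_verify(new_password, s) for s in other_stored)


# Constructed sample: two services with overlapping users; "u1" reuses a password.
WEB_USERS = {"u1": "Winter2011!", "u2": "correct horse battery"}
MAIL_USERS = {"u1": "Winter2011!", "u2": "a different passphrase"}


def demo():
    """Returns (users whose reuse is visible in an unsalted leak,
                whether u1's salted records match across services,
                whether the set-time check would have blocked u1's reuse)."""
    web_weak = {u: weak_store(p) for u, p in WEB_USERS.items()}
    mail_weak = {u: weak_store(p) for u, p in MAIL_USERS.items()}
    reused = reuse_visible_in_leak(web_weak, mail_weak)

    web_strong = {u: strong_store(p) for u, p in WEB_USERS.items()}
    mail_strong = {u: strong_store(p) for u, p in MAIL_USERS.items()}
    same_digest_salted = web_strong["u1"] == mail_strong["u1"]

    blocked = rejects_reused_password(MAIL_USERS["u1"], [web_strong["u1"]])
    return reused, same_digest_salted, blocked


if __name__ == "__main__":
    print(demo())  # (['u1'], False, True)
```

The point of the last check is that it only works when the two records are reachable from one policy point (the same identity provider or a password manager), which is also why single sign-on with a separately protected identity store is the usual remedy; a third-party account such as a social network is outside that reach, and only a distinct password can protect it.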

Meanwhile, the other members of Team Themis deny they wanted to push the operations as far as Barr did—despite the volumes of incriminating e-mails. Palantir Technologies CEO Alex Karp blames HBGary for conceiving the plot, decries any attempt to develop "offensive cyber capabilities," and has placed on leave Steckman, the engineer who coordinated with Team Themis. Palantir also issued a public apology to Glenn Greenwald, a journalist who was singled out in a Themis proposal as a WikiLeaks defender and thus a possible target. In a statement, Berico Technologies says it "does not condone or support any effort that proactively targets American firms, organizations, or individuals." At the same time, it cut ties with HBGary. The U.S. Chamber of Commerce said in a press release that it's "incredulous that anyone would attempt to associate such activities with the Chamber," adding that it had not seen the incendiary proposals before they were made public. Morgan Stanley dropped HBGary as a security contractor. Barr never delivered his speech and when he tendered his resignation three weeks after the Anonymous attack, he said he was confident HBGary would be able to "weather this storm." As for Hoglund, even his friends in the security industry wonder how long HBGary can survive amid the onslaught of negative publicity. But the CEO claims his company has undergone a rigorous security review and is back on track. He says the hackers "made a hole-in-one from 200 yards away" and that it will never happen again. "They are nowhere near as sophisticated and scary and large as they would like people to think they are," he says.

And while the lesson of the HBGary saga may be that it's not always easy to tell the black hats from the white hats in the ambiguous game of computer security, Hoglund has no doubt which is which. "It will get worse," he says. "This whole event has only emboldened them. I hope this isn't the way the Internet has to be. Right now it's a domain of lawlessness. This is bigger than HBGary, than my company. Right now, the pendulum has swung way over to the bad guys' side."

Source: Bloomberg

Wednesday, March 9, 2011

Julian Assange and ‘cypherpunk’ connection

Source: Robert Manne

The world's best-known 'cypherpunk' has long been on a mission to stop governments watching our every move. It is said to be the key to understanding WikiLeaks. Although there are tens of thousands of articles on Julian Assange in the world's newspapers and magazines, no mainstream journalist so far has grasped the critical significance of the cypherpunks movement to Assange's intellectual development and the origin of WikiLeaks. The cypherpunks emerged from a meeting of minds in late 1992 in the Bay Area of San Francisco. Its founders were Eric Hughes, a brilliant Berkeley mathematician; Timothy C. May, an already wealthy former chief scientist at Intel who had retired at the age of 34; and John Gilmore, another already retired and wealthy computer scientist - once number five at Sun Microsystems - who had co-founded an organisation to advance the cause of cyberspace freedom, the Electronic Frontier Foundation. They created a small group, which met monthly in Gilmore's office.

At one of the early meetings of the group, an editor at Mondo 2000, Jude Milhon, jokingly called them cypherpunks, a play on cyberpunk, the "high-tech, low-life" science-fiction genre. The name stuck. It soon referred to a vibrant emailing list, created shortly after the first meeting. At the core of the cypherpunk philosophy was the belief that the great question of politics in the age of the internet was whether the state would strangle individual freedom and privacy through its capacity for electronic surveillance or whether autonomous individuals would eventually undermine and even destroy the state through their deployment of electronic weapons newly at hand. Many cypherpunks were optimistic that the individual would ultimately triumph. Their optimism was based on developments in intellectual history and computer software: the invention in the mid-1970s of public-key cryptography by Whitfield Diffie and Martin Hellman, and the creation by Phil Zimmermann in the early 1990s of a program known as PGP, "Pretty Good Privacy". PGP democratised their invention and provided individuals, free of cost, access to public-key cryptography - and thus the capacity to communicate with others in near-perfect privacy. At the time the cypherpunks formed, the US Government strongly opposed the free circulation of public-key cryptography. It feared making it available would strengthen the hands of the espionage agencies of America's enemies abroad and of terrorists, organised criminals, drug dealers and pornographers at home.

One of the key projects of the cypherpunks was "remailers", software that made it impossible for governments to trace the passage from sender to receiver. Another key project was "digital cash", a means of disguising financial transactions. Almost all cypherpunks were anarchists who regarded the state as the enemy. Most but not all were anarchists of the right, or in US parlance, libertarians, who supported laissez-faire capitalism. The most authoritative political voice among the majority libertarian cypherpunks was Tim May, who, in 1994, composed a vast, truly remarkable document, Cyphernomicon. May thought the state to be the source of evil in history. Assange joined the cypherpunks email list in late 1995. There were many reasons he was likely to be attracted to them. Even before his arrest (for alleged hacking) he had feared the intrusion into his life of the totalitarian surveillance state. Assange believed that he had been wrongly convicted of what he called a "victimless crime". The struggle against victimless crimes - the right to consume pornography, to communicate in cyberspace anonymously, to distribute cryptographic software freely - was at the centre of the cypherpunks' political agenda. Moreover the atmosphere of the list was freewheeling - racism, sexism, homophobia were common.
Cypherpunks saw themselves as Silicon Valley Masters of the Universe. It must have been more than a little gratifying for a self-educated antipodean computer hacker, who had not even completed high school, to converse on equal terms with professors of mathematics, whiz-kid businessmen and some of the leading computer code-writers in the world. Assange contributed to the cypherpunks list from December 1995 until June 2002. Almost all his interventions have been placed on the internet. On the basis of what historians call primary evidence, the mind and character of Assange can be seen at the time of his obscurity. The first thing that becomes clear is the brashness. Over a technical dispute, he writes: "Boy are you a dummy." When someone asks for assistance in compiling a public list of hackers with handles, names, email addresses, Assange responds: "Are you on this list of morons?"

In a dispute over religion and intolerance, one cypherpunk had written: "Because those being hatefully intolerant have the 'right' beliefs as to what the Bible says. Am I a racist if I don't also include an example from the Koran?" "No, just an illiterate," Assange replied.

If one thing is clear from the cypherpunks list, it is that the young Assange did not suffer those he regarded as fools gladly. Some posts reflect his faith in the theory of evolution. Assange forwarded an article about the role played by the CIA in supplying crack gangs in Los Angeles. A cypherpunk responded: "I wish they'd get back to the business, but add an overt poison to the product. Clean out the shit from the cities. Long live Darwinism." "Darwinism is working as well as it ever was. You may not like it but shit is being selected for," Assange shot back. Other posts reflect his recent life experiences. Assange had helped Victoria police break a paedophile ring in 1993. On the cypherpunks list, he defended the circulation of child pornography on the internet on the grounds that it would cut the need for new production and make it easier for police to capture paedophiles. In another post, he expressed deep anger at perceived injustice regarding those with whom he identifies - convicted hackers.
One, Tsutomu Shimamura, had not only played a role in the hunting down of a notorious American fellow-hacker, Kevin Mitnick, but had even co-authored a book about it, Takedown. "This makes me ill. Tsutomu, when Mitnick cracks, will you dig up his grave and rent his hands out as ashtrays?"
Assange also posted on the reports of violence against another hacker, Ed Cummings, also known as Bernie S, imprisoned in the US. "I was shocked. I've had some dealings with the SS ... Those that abuse their power and inflict grave violence on others must be held accountable and their crimes deplored and punished in the strongest manner. Failure to do so merely creates an environment where such behaviour becomes predominant."

Where did Assange stand with regard to the radical cypherpunks agenda of Tim May? Assange was, if anything, even more absolute and extreme. In September 1996, Esther Dyson, the chair of the lobby group for freedom in cyberspace, the Electronic Frontier Foundation, was quoted in the Los Angeles Times as being in favour of certain extremely limited restrictions on internet anonymity. On the cypherpunks list, a furious controversy, called "the Esther Dyson Fuss", broke out. Some cypherpunks defended Dyson, saying she had every right to argue a more nuanced position and it was healthy for individuals to speak their mind.
Assange went further. "Examining in detail Dyson's interests, it appears she maintains a sizeable and longstanding interest in East European technology companies. She is also very far to the right of the political spectrum (rampant capitalist would be putting it mildly). She also speaks Russian. "I'm not saying she's been working for the CIA for the past decade, but I would be very surprised if the CIA has not exerted quite significant pressure ... in order to bring her into their folds." "At least you don't accuse me of being a communist," Dyson responded. "I am not a tool of the CIA nor have they pressured me, but there's no reason for you to believe me." When Assange was in trouble last year, she wrote a piece on the Salon website arguing that even unpleasant characters need to be defended. From beginning to end Assange was, in short, a hardline member of the tendency among the cypherpunks that Tim May called the "rejectionists" - an enemy of those who displayed even the slightest tendency to compromise on the question of Big Brother and the surveillance state.

On another question, however, Assange was at the opposite end of the cypherpunks spectrum from May. At no stage did Assange show sympathy for the anarcho-capitalism of the cypherpunks mainstream. In October 1996, a prominent cypherpunk, Duncan Frissell, claimed that in the previous fiscal year the US Government had seized more tax than any Government in history. Assange pointed out that, as the US was the world's largest economy and its GDP had grown in the previous year, this was a ridiculous and deceptive statement.
In October 2001, Declan McCullagh expressed "surprise" when a "critique of laissez-faire capitalism" appeared on the cypherpunks list "of all places". Assange replied: "Declan, Declan. Put away your straw man ... Nobel economic laureates have been telling us for years to be careful about idealised market models This years [sic] Nobel for Economics won by George A. Akerlof, A. Michael Spence and Joseph E. Stiglitz 'for their analysis of markets with assymmetric [sic] information' is typical. "You don't need a Nobel to realise that the relationship between a large employer and employee is brutally assymmetric [sic] ... To counter this sort of assymetery. [sic] Employees naturally start trying to collectivise to increase their information processing and bargaining power. That's right. UNIONS Declan."
Assange was, then, an absolutist crypto-anarchist but one who leaned decidedly to the left. There is also evidence he was increasingly repelled by the corrosive cynicism common in cypherpunks ranks. From 1997 to 2002 Assange accompanied all his cypherpunks postings with this beautiful passage from Antoine de Saint-Exupéry.

"If you want to build a ship, don't drum up people together to collect wood and don't assign them tasks and work, but rather teach them to long for the endless immensity of the sea." Another time, a cypherpunk suggested that in the great struggle for privacy and against censorship ordinary people could not give a damn. In what was one of his final cypherpunks postings, Assange responded: "The 95 per cent of the population which comprise the flock have never been my target and neither should they be yours; it's the 2.5 per cent at either end of the normal that I find in my sights, one to be cherished and the other to be destroyed."
Increasingly, Assange began to mock Tim May.

Many thought of May as an antisemite, with good reason. In November 2001, when May used a quote from a cypherpunk fellow traveller, David Friedman, Assange emailed: "Quoting Jews again, Tim?"

Assange was a regular contributor to the cypherpunks mailing list, particularly before its decline in late 1997 after a meltdown over the question of the possible moderation of the list - censorship! - and the departure of John Gilmore. The cypherpunks list clearly mattered to him deeply. Shortly before his travels in 1998, Assange asked whether anyone could send him a complete archive of the list between 1992 and the present. While commentators have failed to see the significance of the cypherpunks in shaping the thought of Assange, this is something insiders to the movement understand. When Jeanne Whalen from the Wall Street Journal approached John Young, of Cryptome, in August last year, he advised her to read the Assange cypherpunk postings he had just placed on the internet, and also Tim May's Cyphernomicon. "This background has not been explored in the WikiLeaks saga. And WikiLeaks cannot be understood without it." Likewise, in his mordant online article on WikiLeaks and Assange, the influential cyberpunk novelist and author of The Hacker Crackdown, Bruce Sterling wrote: "At last - at long last - the homemade nitroglycerin in the old cypherpunks blast shack has gone off."

Fewer than 20 years ago Julian Assange was sleeping rough. Even a year ago hardly anyone knew his name. Today he is one of the best-known and most-respected human beings on earth. Assange was the overwhelming winner of the popular vote for Time magazine’s “Person of the Year” and Le Monde’s less politically correct “Man of the Year”. If Rupert Murdoch, who turns 80 this month, is the most influential Australian of the postwar era, Julian Assange, who will soon turn 40, is undoubtedly the most consequential Australian of the present time. Murdoch’s importance rests in his responsibility for injecting, through Fox News, the poison of rabid populist conservatism into the political culture of the United States; Assange’s in the revolutionary threat his idea of publishing damaging documentary information sent by anonymous insiders to WikiLeaks poses to governments and corporations across the globe.

Tuesday, March 8, 2011

My experience at Null con

The recently concluded Null con seminar for hackers was my first experience and the first hackers' seminar I have ever attended. Before reaching there I had all sorts of mixed thoughts in my mind. However, I was excited to meet all those loving and hating hacker friends on my Facebook and experience the vibes of their world.

My team and I entered the seminar hall and tried to locate any known face. And then a thin, humble and cute guy named Murtuja, noticing me, came and shook hands with us. Since we were one of the sponsors of the event, I regularly interacted with him online. Young guys all around and an enthusiastic ambience made me feel that my visit was not worthless. One thing which kept my mind very busy was to understand the meaning of the event’s name, Null con. Because if we go by the dictionary, Null means illogical or worthless and CON means defraud, cheat etc… Thus, Null con would mean worthless defraud? This name was nagging at me somewhere, but finally I got the answer on their website… It said:

A long time ago the land of mortals was plagued with numerals. Men were grappling to get hold of the unknown, the void, the zilch. How does one quantify, measure something that doesn’t exist? The legend goes like this – a few good blokes meditating under a banyan tree, further under the influence of some nourishing herbs, in a profound moment of awesomeness, it dawned on them to seek the eternal wisdom of ...nothing. And so was born what we call 0零nullnu. The rest, as they say, is history. Nullcon celebrates this quest for knowledge and the desire to carry on this legacy. If you too share this passion for knowledge, if a core dump brings a glimmer to your eyes, if you want to share your hack with others and you have an inquisitiveness to learn, then nullcon is the place for you. If meeting hackers/researchers/phreaks at a 2-day event-packed conference and the sun-bathed beaches of the tropical paradise called Goa won’t get you off your bed, nothing ever will.

What they have said is true. The way they have explained it is simple and appropriate. I must appreciate these young organizers Murtuja, Corrupt, Aseem Jakhad and a few other chapters of nullcon for conducting such a well-organized seminar. Everything was taken care of; the mind-blowing arrangements and outstanding choice of speakers were something worth watching. The dignitaries invited were quite high-profile people. Even though this was just their second seminar, it was really worth applauding…

I couldn’t attend many speakers on the first day of the seminar, but of those I did attend, the best was Hari Prasad. He has very good oratory skills and experience, and the subject of his talk was Security Analysis of India’s Electronic Voting Machines: Memoirs of a Whistleblower. He was the one arrested and released. He was a very calm and down-to-earth speaker. Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines’ simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.

Unfortunately, I couldn’t attend Anurag Dhanda, Assaf Nativ, Sunil Kumar, Abhijeet Hatekar and Harsimran Walia’s talks but got very good feedback about their sessions.

Another pocket-size powerhouse was Rahul Sasi. Although he lacked communication skills and was a little shy by character, he had an aggressive command over his subject and a composed personality. His presence made me remember the Teacher’s Day event of my schooldays. Jokes apart… his command over Penetration Testing a Biometric System and his research work reveal the methodologies that could aid in checking the security of a fingerprint scanner, remotely and locally. Almost all biometric systems run with a remote administration module on MIPS, which would be connected to the network via the same switch, so man-in-the-middle attacks are always possible, along with other attacks; but the issue is identifying these devices, as normal network scans would only detect them as a Linux system. So he had built an Nmap script which could spot such devices on the network. The script works on the basis of internal databases of [banner and services] used by biometric hardware vendors; the current list populates the most used devices [India only]. A video or, if possible, a real scenario would be demonstrated. The usage of the Nmap module was the USP of his session.

I found him great because there were so many overrated speakers present at the event. These are considered to be demigods and patriotic hackers of this country, but when it came to one-to-one presentation, there were many flaws like poor communication skills and a monotonous way of explaining. The feel was as good as attending some so-called ethical hacking introductory seminars.

Saumil Shah, a witty, humorous person with a very lively personality, did his presentation in a very simple and sober manner. Simple expressions, good explanations and superb research. It was quite a play-way method of teaching and sharing. Even a noob like me could understand nicely. Attack techniques have undergone a paradigm shift. 2000 was the year of the “full frontal” attack, as he calls it, on the first line of defence and the network perimeter. What I liked about this speaker was his easy-going attitude, his interaction and communicative skills. His way of relating things and explaining made it easy for the audience to understand. His talk explored some innovative exploit delivery techniques arising out of broken standards, poor trust relationships and bloated desktop software, and ended with a discussion on exploit sophistication and the shape of things to come for 2011.

Yarochkin Fyodor, another sweetheart and a black hat hacker, conveyed his message very smartly to whomever he wanted. His speech left me speechless… “No bullshit on underground crime: traces, trends, attribution techniques and more. We’ve been analyzing underground crime scenes from the Eastern European bloc and China for the past few years; on top of it we’ve been working heavily on discovering malware outbreaks and other crime activities.” His experience and findings were discussed brilliantly. In short, he really took my heart away.

I must say Saumil, Hari Prasad and Fyodor were the show stoppers of the seminar.

The long-awaited but most disappointing presentation was that of Alokji (NTRO). It was like the same old wine in a new bottle: same excuses, same narration, and when it came to the time for interaction, he left his audience craving to dig up the lapses in security on the government front. As nullcon Dwitiya approached its end, Mr P.V. Kumar (Chairman, NTRO), the chief guest on the second day, delivered his message in typical government officer’s style. It was just a formality, but the fact worth appreciating was that he marked his presence there.

Whatever it is, I am glad that I could meet many people. Nullcon has really become a major security event in the Indian subcontinent. I am also sure they will attract the who's who of the security industry. The goodbye session was a little painful because the second day was when everyone had started knowing each other better, but ultimately that was the last day of the seminar. I am sure that there are many like me who left the venue with a heavy heart and withdrawal symptoms, eagerly waiting for another nullcon to happen...

One more thing which I would like to say is that I have no intention to criticize or demoralise anybody. Whatever I said is completely based on my true thoughts and feelings, without wrong motives or reasons.

keep it up guys…

Monday, March 7, 2011

Blocking out bloggers

The blocking of a blogging website, even if only for a short period, raises the disturbing question of curbs imposed on free speech in India through executive fiat. There is a clear pattern of Internet censorship that is inconsistent with constitutional guarantees on freedom of expression. It is also at odds with citizen aspirations in the age of new media. What is worrying is that the rules governing online publication are being tinkered with periodically to facilitate such filtering. This is done under the Information Technology Act, 2000. The Department of Information Technology recently published the draft Information Technology (Due diligence observed by intermediaries guidelines) Rules, 2011 that specifically mark bloggers for scrutiny, and require intermediaries such as service providers not to themselves host or publish any information. Evidently, this can be interpreted to cover blogs and other websites. What is worse, the rules propose to authorise the intermediaries to remove access to 'infringing' material if they themselves have actual knowledge or are asked to do so by a mandated authority. These are retrogressive provisions that weaken constitutional freedoms and the parent law. As it stands, the IT Act merely requires the intermediary to exercise due diligence and does not talk of not hosting or publishing information. Ideally, the only criterion online publications should have to meet is compliance with the general laws of the land.

The emergence of the WikiLeaks phenomenon and the use of online tools in North Africa and West Asia to inform and organise people underscore the power of citizen publishing. This is a new reality governments must learn to live with. Conflicts are bound to arise if the rules for online publication are modified specifically to prevent such publication. For instance, draft rule 3(2)(a) for intermediaries requires the user not to publish or display information that belongs to another person. Potentially, secret documents ferreted out by investigative journalists or whistleblowers in the public interest may be interpreted to belong to a third party — and blocked from the public domain. It is inconceivable that such a restriction could be applied to traditional media, which have a robust record of exposing corruption in high places. What all this makes clear is the need for wide public debate on any move to impose restrictions on online publishing. It is unacceptable that access to some websites is blocked through executive orders issued by technical bodies such as the Indian Computer Emergency Response Team, with no explanation of why such action was taken.

Source: The Hindu

Sunday, March 6, 2011

Hackers are a great predictor of the future

Hacker5 got three precious awards in four months of its publication. Initially we were very confused when we started this magazine. None of us were hackers; we were just new to this field, and the groups of hackers associated with it were newbies too, and so they misused this platform. This magazine was started with the intention of providing a platform for hackers to voice their opinions. But a section of hackers in the Hacker5 team had disputes over holding power; finally they were evicted because management was not in a position to compromise the reputation of this magazine.
The show must go on; some come, some go. Every beginning has a hitch, and that hiccup is the foothold for further growth. r45c4l (Gaurav Singh) came in and took charge as associate editor, and things fell into place. Good writers started contributing. That's how we not only got settled but also gained popularity, readership and appreciation.
Now our magazine is reaching almost every possible city. Apart from this we have 1,985 individual subscribers. From this month onwards we will be seen on Indian Airlines flights too. We could also reach Nullcon by sponsoring the hackers' seminar in Goa. Now the magazine has reached some level of standard and has its own committed readers.
If society, and life itself for that matter, always moves towards that far unseen shore of discovery, then it is the process of extrapolation, that immeasurably small dance of creation, which propels it ever forward to the bigger breakthroughs. We now live, thankfully, in a world where innovative ideas, regardless of their origin, are rewarded instead of being suppressed as they were in the past. Here's a good illustration of what I'm talking about:

Medieval notions quite often laid waste
to brilliant discoveries that were stated in haste,
"But the world is round," one cried
while in a heretic's fire he fried,
For his theories were just not in good taste.
Those who enjoy experimenting with hacking explore software and hardware more than a security persona does; the most important fact is that hackers work on new technologies for the sheer enjoyment of it. They have the ability to exploit the best technologies available in the market. Think of the programmers who remixed data from different websites well before web companies started offering similar applications and services, and the community wireless networks created long before Wi-Fi was a common feature in coffee shops and homes.
As for current activities that might make the mainstream in the future, my money is on hardware hacking and collective intelligence. Consider projects like the Quake Catcher Network, which uses standard laptop sensors to detect earthquakes. This is a very different future, in which all of these applications are driven by sensors. We are moving out of the world in which people typing on keyboards drive collective intelligence applications. It's high time we took a call to apply such technologies to the more serious problems facing the world, such as those presented by climate change. "The Man Watching," which concludes, "Winning does not tempt that man."
Coming back to the point, I would like to again emphasize that this magazine is a platform for every hacker to display his skill, voice his opinion and fulfill his dreams as a writer.

Forensics in Cloud Computing

Nowadays a considerable proportion of our day-to-day business operations are conducted via computer; it is likely that you use a range of software, such as a word processor, email client, accounting package, client relationship management tool and countless other things. There is usually a purchase cost involved in licensed software, which extends to further costs and man-hours associated with repairing, updating and upgrading the software as and when necessary. 'Cloud computing' addresses this issue by moving away from 'software' applications installed on the client's computer and instead offering access to the applications via the internet. With cloud computing, the application is hosted on a central server, which means that updates and maintenance can be carried out by the provider, and the costs spread between all the users in the form of a subscription fee. Since there could be hundreds, thousands or even millions of subscribers, it is possible for the application to be offered with no user-end maintenance required at a comparatively low cost. Proponents of the cloud ecosystem tout its "vastness, flexibility and scalability" as advantages for the implementation of cloud services.

However, from a digital forensics point of view this can be a veritable challenge, as we view the cloud in terms of its scope and diversity. Within the digital forensic process there is no one-size-fits-all solution for an examination, but all forensic evidence must follow the forensic process of Collection - Examination - Analysis - Reporting.

Within the cloud computing ecosystem there may be a dilemma in terms of time stamps. A question for cloud vendors would be: with a distributed and "vast" infrastructure, how will they ensure synchronized clocks across all their systems? Synchronized clocks across a distributed global system may not be a possibility, and if this supposition holds true, then what other solution will a cloud vendor provide in such an instance? Another challenge is that of reciprocity. Digital forensics within the cloud computing environment can have legal implications across international jurisdictions, which will require cooperation through established relationships with legal entities in foreign countries and/or the establishment of new ones where possible.

As with any live forensic examination, another challenge will be establishing snapshots of the system in operation. But in this case one can question whether this is good enough for such a "vast" and possibly globally distributed ecosystem. Take the instance of malware injected into the kernel space of a system; it may be programmed to modify data or functionality, or both, in a variety of ways upon detection of a probe, or simply set to shut down, obfuscate evidence, or delete pertinent data residues within a set time frame. Can a forensic examiner be notified of this change, or, more pertinently, can a cloud service provider implement protocols, tools or processes to ensure that such an event can be mitigated in real time? At least, not for now.

However, a solution of sorts to this dilemma can be gleaned from the thesis suggested in a paper by Wolthusen, which states that: "Data may be present or available in a given configuration for a limited time or be staged through different levels of storage hierarchies; it is hence important to place bounds on events in question so as to be able to capture events of interest completely."
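As an added example (not part of the original post, and not code from Wolthusen's paper), the following Python script shows one way to apply the two points above: correcting timestamps from hosts whose clocks disagree, and turning each corrected time into a bounded interval so that the ordering of events is only asserted where the bounds permit. The host names, clock offsets, uncertainties and log lines are all constructed for the example; the offset and uncertainty values stand in for what an NTP client on each host would report.

```python
"""Bound event times from cloud hosts whose clocks disagree.

Added example, not from the original post. For each host we record the
measured clock offset (host clock minus reference time, as an NTP client
would report it) and the residual uncertainty that remains after the
offset is subtracted. Each event is then mapped to an interval
[true - uncertainty, true + uncertainty] instead of one instant, which is
the "place bounds on events" idea quoted above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class HostClock:
    name: str
    offset: timedelta       # host clock minus reference; positive = host runs fast
    uncertainty: timedelta  # residual error after correcting for the offset


@dataclass(frozen=True)
class BoundedEvent:
    host: str
    message: str
    earliest: datetime
    latest: datetime

    def overlaps(self, other: "BoundedEvent") -> bool:
        """True when the two intervals intersect, so their order is unknowable."""
        return self.earliest <= other.latest and other.earliest <= self.latest


def normalise(clock: HostClock, local_ts: str, message: str) -> BoundedEvent:
    """Turn a host-local ISO-8601 timestamp into a UTC interval."""
    local = datetime.fromisoformat(local_ts)
    if local.tzinfo is None:  # assumption: naive stamps are already UTC
        local = local.replace(tzinfo=timezone.utc)
    true_time = local - clock.offset
    return BoundedEvent(clock.name, message,
                        true_time - clock.uncertainty, true_time + clock.uncertainty)


# Constructed clocks: db-1 is 90 s slow, web-1 slightly fast, storage-1 well synced.
CLOCKS = {
    "web-1": HostClock("web-1", timedelta(seconds=2), timedelta(milliseconds=500)),
    "db-1": HostClock("db-1", timedelta(seconds=-90), timedelta(seconds=1)),
    "storage-1": HostClock("storage-1", timedelta(0), timedelta(milliseconds=200)),
}

# Constructed log lines: (host, host-local timestamp, message).
SAMPLE_LOG = [
    ("db-1", "2011-03-07T10:14:05+00:00", "row inserted into uploads"),
    ("web-1", "2011-03-07T10:15:30+00:00", "POST /upload accepted"),
    ("storage-1", "2011-03-07T10:15:28.300000+00:00", "object written to bucket"),
]


def naive_order(log=SAMPLE_LOG):
    """Hosts sorted by raw local timestamps: what an examiner sees without correction."""
    return [host for host, ts, _ in sorted(log, key=lambda r: datetime.fromisoformat(r[1]))]


def build_timeline(log=SAMPLE_LOG, clocks=CLOCKS):
    return [normalise(clocks[host], ts, msg) for host, ts, msg in log]


def corrected_order(events):
    return sorted(events, key=lambda e: e.earliest)


def ambiguous_pairs(events):
    """Pairs of events whose bounds overlap; report these as unordered, not sequenced."""
    ordered = corrected_order(events)
    pairs = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if a.overlaps(b):
                pairs.append((a.host, b.host))
    return pairs


if __name__ == "__main__":
    timeline = build_timeline()
    print("naive order:    ", naive_order())
    print("corrected order:", [e.host for e in corrected_order(timeline)])
    for e in corrected_order(timeline):
        print(f"{e.host:10} {e.earliest.isoformat()} .. {e.latest.isoformat()}  {e.message}")
    print("unordered pairs:", ambiguous_pairs(timeline))
```

With the constructed data the raw log places the database write first, because that host's clock is 90 seconds slow; after correction it is the last event, while the web and storage events have overlapping bounds and are reported as unordered rather than forced into a sequence the evidence cannot support.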

In terms of the "vast" distributed environment that can comprise a cloud ecosystem under investigation, we have to be aware of the fact that within such an ecosystem any forensic investigation can cause parallel or unrelated services to be interrupted or completely halted, infringe on third-party rights, cross jurisdictional boundaries and, in the case of duplication, require infeasible storage volumes. A key challenge for a digital investigator called to pursue an investigation with cloud resources as a subset will be to establish and map the computational and storage structures that fall within the realm of the investigation. Bear in mind that for any system (cloud or otherwise) security incidents will cross boundaries of responsibility and access. As increasing numbers of businesses move their operations into the cloud, computer crime investigators are presented not only with new benefits but also with new problems. Computer forensic investigations involve the scientific analysis of computer equipment to recover legally admissible evidence. In an instance where the security of a firm's digital data has been compromised, computer forensics experts might be called in to analyse each computer terminal involved for evidence, the first stage of which is to carefully replicate the contents of each drive exactly so that the original evidence cannot be contaminated.
This process can be very time consuming but if the information is all stored within the cloud, then a simple click of the mouse could potentially produce an exact image of the current state of the firm's data, allowing the investigation to progress much more quickly. However, there is also a downside to cloud computing. If an application is accessed via the cloud, registry entries (which record user activity) and other useful artifacts such as temporary files will be stored within the virtual environment and so lost when the user exits, making evidence traditionally stored on the hard drive potentially unrecoverable. In response to this, some commentators have suggested that the information could be provided by the application vendor on request from law enforcement officials, but this too poses problems. The recovery of computer-based evidence in the UK must follow a strict, auditable procedure as laid out by the Association of Chief Police Officers, so it may be that information extracted by non-experts could be unintentionally contaminated and thus rendered inadmissible in a court of law. In addition, while the confiscation of physical computer equipment following an arrest is relatively straightforward, the legal process required to gain access to private data held online is more complicated, so this could put a delay on investigations where the recovery of evidence is typically time critical.

At present, there is no foolproof, universal method for extracting evidence in an admissible fashion from cloud-based applications, and in some cases very little evidence is available to extract. As such, cloud computing represents just one of the fast-paced technological developments that present an ongoing challenge to legislators, law enforcement officials and computer forensic analysts. Do you think that cloud computing would add to the complexity of your computer forensics program? The resounding answer to this is no: by leveraging the inbuilt abilities of cloud computing, computer forensics becomes an “on demand” service. One of the very nice things about cloud computing is that you basically exist in an on-demand system, so if you are served with a preservation letter, or have other legal reasons to preserve an environment, you can easily back up your environment and put it onto the cloud for the investigators to use, while the normal course of business carries on. This also means that all the data stores or other information that investigators will require can be cryptographically hashed much more easily and quickly using the on-demand resources in the cloud.

The forensics tools can also be in their own offshoot of the environment, allowing for very tight control over who has access to those tools and how they will be used. There are definite advantages to having a separate investigation environment for all the resources that are on the same cloud. Costs can be contained by making direct DVD copies from the investigation environment as and when needed, which also makes the process much more portable if information has to be turned over to the legal department or other investigators. This is the reason that cloud computing is compelling: a near-instant backup of an environment with the ability to expand and contract at will, rather than leaving resources in the data center unused, waiting for something that might happen infrequently. This kind of on-demand service also runs at the speed of the cloud, making the process much quicker when doing a bit-by-bit copy. These realizable advantages of cloud computing security as a service will also make the business office happier, because they are only paying for space they are using and can allocate waiting resources to something else, saving the company money in the longer run.
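To make the hashing and bit-by-bit copying described above concrete, here is an added Python example (not code from the original post or from any forensic product): it copies a disk image block by block, hashes the source while reading it, re-hashes the finished copy independently, refuses a copy whose digest differs, and writes a small JSON manifest with the UTC acquisition time that a later verification can be checked against. The sample image, the examiner name and the manifest layout are all constructed for the example.

```python
"""Bit-for-bit evidence copy with SHA-256 manifest and verification.

Added example, not from the original post. The copy is streamed in fixed
blocks, the source digest is computed while reading, the copy is re-read
and hashed on its own, and a manifest records the result in UTC. A later
verify() call detects any change to the copy. The image here is a small
constructed file, not a real volume.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 64 * 1024


def sha256_file(path: str) -> str:
    """Hash a file in BLOCK_SIZE chunks so large images never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_copy(src: str, dst: str):
    """Copy src to dst block by block, hashing the source as it streams past.

    Returns (source_sha256, bytes_copied)."""
    digest = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK_SIZE), b""):
            digest.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the copy is on disk before hashing it
    return digest.hexdigest(), copied


def acquire(src: str, dst: str, manifest_path: str, examiner: str) -> dict:
    """Copy, verify the copy against the source digest, then write the manifest."""
    src_digest, size = image_copy(src, dst)
    dst_digest = sha256_file(dst)  # independent re-read of the finished copy
    if dst_digest != src_digest:
        os.remove(dst)
        raise RuntimeError("copy digest differs from source; discard and re-acquire")
    manifest = {
        "source": os.path.basename(src),
        "copy": os.path.basename(dst),
        "size_bytes": size,
        "sha256": src_digest,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # constructed placeholder in the demo below
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(path: str, manifest_path: str) -> bool:
    """Re-hash the copy and compare with the recorded digest and size."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return (os.path.getsize(path) == manifest["size_bytes"]
            and sha256_file(path) == manifest["sha256"])


def demo():
    """Acquire a constructed image, verify it, tamper with one byte, verify again."""
    workdir = tempfile.mkdtemp(prefix="evidence-")
    src = os.path.join(workdir, "volume.img")
    dst = os.path.join(workdir, "volume.img.copy")
    manifest = os.path.join(workdir, "volume.manifest.json")
    with open(src, "wb") as f:  # constructed sample image: 2 zero blocks, a marker, padding
        f.write(b"\x00" * (2 * BLOCK_SIZE) + b"EVIDENCE-MARKER" + b"\xff" * 1000)

    record = acquire(src, dst, manifest, examiner="examiner-placeholder")
    intact = verify(dst, manifest)
    with open(dst, "r+b") as f:  # flip one byte of the copy
        f.seek(2 * BLOCK_SIZE)
        f.write(b"X")
    tampered_ok = verify(dst, manifest)
    return record["size_bytes"], intact, tampered_ok


if __name__ == "__main__":
    size, intact, tampered_ok = demo()
    print(f"copied {size} bytes; verify before tamper={intact}, after tamper={tampered_ok}")
```

The design point is that the copy is never trusted on the strength of the write alone: it is re-read and hashed separately, and the manifest ties the digest, the size and the acquisition time together so that any later change to the copy, even a single byte, fails verification.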