<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Viewpoints &#187; Law &amp; enforcement</title>
	<atom:link href="http://advosys.ca/viewpoints/category/law-enforcement/feed/" rel="self" type="application/rss+xml" />
	<link>http://advosys.ca/viewpoints</link>
	<description>Security, operating systems and the IT industry</description>
	<lastBuildDate>Wed, 30 Jun 2010 14:18:17 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>20th anniversary of the Morris Worm indictment</title>
		<link>http://advosys.ca/viewpoints/2009/07/20th-anniversary-of-the-morris-worm-indictment/</link>
		<comments>http://advosys.ca/viewpoints/2009/07/20th-anniversary-of-the-morris-worm-indictment/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 14:58:55 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[Malware]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/?p=541</guid>
		<description><![CDATA[On July 26 1989, the first U.S. indictment for spreading malware was issued.
The Morris Worm, the first Internet worm, was released by Cornell grad student Robert Morris back in November 1988 and infected maybe 10% of Internet-connected machines. It exploited vulnerabilities in Sendmail and fingerd to propagate itself.
The worm didn&#8217;t do anything intentionally malicious, [...]]]></description>
			<content:encoded><![CDATA[<p>On July 26 1989, <a title="On This Day: Robert Tappan Morris Becomes First Hacker Prosecuted for Spreading Virus" href="http://www.findingdulcinea.com/news/on-this-day/July-August-08/On-this-Day--Robert-Morris-Becomes-First-Hacker-Prosecuted-For-Spreading-Virus.html">the first U.S. indictment for spreading malware</a> was issued.</p>
<p>The <a title="The Morris Worm" href="http://en.wikipedia.org/wiki/Morris_worm">Morris Worm</a>, the first Internet worm, was released by Cornell grad student Robert Morris back in November 1988 and infected maybe 10% of Internet-connected machines. It exploited vulnerabilities in Sendmail and fingerd to propagate itself.</p>
<p>The worm <a title="The What, Why, and How of the 1988 Internet Worm" href="http://snowplow.org/tom/worm/worm.html">didn&#8217;t do anything intentionally malicious</a>, but it spread itself with great vigor and chewed up system resources. Its lasting effect was to open the eyes of the computing industry regarding network security, application vulnerabilities, and the value of having an incident response process (the effects of the worm were made worse by system administrators&#8217; knee-jerk response of shutting down their Sendmail daemons).</p>
<p>Another result was creation of the U.S. Computer Emergency Response Team <a title="CERT/CC" href="http://www.cert.org/">CERT</a>, <a title="Forum of Incident Response and Security Teams" href="http://www.first.org/">Forum of Incident Response and Security Teams</a> (FIRST) and many other national and private incident response groups.</p>
Copyright &copy; 2010 <a href="http://advosys.ca/">Advosys Consulting Inc.</a>

]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2009/07/20th-anniversary-of-the-morris-worm-indictment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Helix forensics CD now payware</title>
		<link>http://advosys.ca/viewpoints/2009/03/helix-forensics-cd-now-payware/</link>
		<comments>http://advosys.ca/viewpoints/2009/03/helix-forensics-cd-now-payware/#comments</comments>
		<pubDate>Thu, 19 Mar 2009 13:48:55 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[disk image]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[toolkits]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/?p=261</guid>
		<description><![CDATA[Oh no! Helix, the most popular compilation of forensics software on a bootable CD became payware only in February 2009. Now a $15/month subscription is required.
Previously, anyone could download and use the ISO for free, which led to wide adoption&#8230; for example, the SANS forensic course uses it, and it was the tool of choice [...]]]></description>
			<content:encoded><![CDATA[<p>Oh no! <a title="e-fense products" href="http://www.e-fense.com/products.php">Helix</a>, the most popular compilation of forensics software on a bootable CD became payware only in February 2009. Now a <a title="Membership overview" href="http://www.e-fense.com/register-overview.php">$15/month subscription</a> is required.</p>
<p>Previously, anyone could download and use the ISO for free, which led to wide adoption&#8230; for example, the <a title="SANS Security 508: Computer Forensics, Investigation, and Response" href="http://www.sans.org/training/description.php?mid=98">SANS forensic course</a> uses it, and it was the tool of choice at a Canadian lead security agency where I used it to examine compromised workstations.</p>
<p>The best alternative right now seems to be the relatively new Live CD <a title="CAINE (Computer Aided INvestigative Environment)" href="http://www.caine-live.net/">CAINE</a>.</p>
<p>If your only goal is to obtain a valid disk image, <a title="Raptor forensic image Live CD" href="http://www.raptorforensics.com/Raptor_by_Forward_Discovery,_Inc..html">Raptor</a> from <a title="Forward Discovery" href="http://www.forwarddiscovery.com/">Forward Discovery</a> is still free. There are also multiple other live CDs that include <a title="The Sleuth Kit" href="http://www.sleuthkit.org/sleuthkit/index.php">The Sleuth Kit</a> and other collections of forensic tools.</p>
<p style="padding-left: 30px;">(<em>A side note:</em> CAINE, Raptor and most other forensic toolkits still do not sign their downloads with GPG or PGP. The CAINE and Raptor download pages, for example, only provide MD5 checksums to validate integrity of the files. That&#8217;s great for verifying that your download worked, but provides zero assurance that the image on the web server you downloaded from was not tampered with.</p>
<p style="padding-left: 30px;">Yes, I&#8217;ve <a title="Dear developers: sign your code!" href="http://advosys.ca/viewpoints/2007/09/developers-sign-your-code/">ranted about this before</a>, but it&#8217;s especially relevant for forensic toolkits where a major goal is to preserve evidence for legal use. That&#8217;s not easy when you can&#8217;t prove the tools you used to image and examine a drive were not tampered with themselves.)</p>
]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2009/03/helix-forensics-cd-now-payware/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>150 million bots</title>
		<link>http://advosys.ca/viewpoints/2007/01/150-million-bots/</link>
		<comments>http://advosys.ca/viewpoints/2007/01/150-million-bots/#comments</comments>
		<pubDate>Sat, 27 Jan 2007 03:40:05 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[botnets]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[software liability]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[Windows security]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/2007/01/150-million-bots/</guid>
		<description><![CDATA[The majority of the estimated 600 million computers attached to the Internet are home computers, with no one to secure or clean them up when they become compromised. Right now, entire underground economies exist for buying and selling access to trojaned home computers for criminals to broadcast spam, flood targets offline, or just plain old [...]]]></description>
			<content:encoded><![CDATA[<p>The majority of the estimated 600 million computers attached to the Internet are home computers, with no one to secure or clean them up when they become compromised. Right now, entire underground economies exist for buying and selling access to trojaned home computers for criminals to broadcast spam, flood targets offline, or just plain old keystroke capturing for bank access and credit card numbers. Criminals are crafting malware not just to infiltrate home computers, but to delete competing malware so they can have use of the box to themselves.</p>
<p>Yesterday Vint Cerf and other pioneers <a href="http://news.bbc.co.uk/1/hi/business/6298641.stm">were quoted in an article</a> by the BBC saying that 150 million of the 600 million machines are bots and the situation is an epidemic. No kidding. Botnets have been growing right along with the adoption of broadband Internet access. This is not news, of course. In 2003 when Microsoft worms were at their peak it was easy to see from server and firewall logs that most sources were broadband home computers. On the servers we manage we <em>still</em> see home computers sending <a href="http://www.cert.org/advisories/CA-2001-26.html">Nimda</a> attacks, even today in 2007. That means those machines have been compromised and probing every Internet IP non-stop, 24 hours a day, since that worm first made headlines in 2001, and in all that time neither the computers&#8217; owners nor their ISPs have noticed. Or perhaps they&#8217;ve noticed and just don&#8217;t care enough to clean off the worm.</p>
<p>As the money that can be gained from botnets increases, so will competition among the black hats and the lengths to which they will go to compromise boxes. Right now all the low hanging fruit are owned&#8230; all Windows 9x, 2000 and XP boxes running without a firewall, antivirus or limited accounts have been compromised&#8230; some multiple times by competing botnet herders. Now that a new version of Windows is out, expect turf wars as criminals fight to regain access to PCs home users are replacing so they can run Vista.<span id="more-130"></span></p>
<p>The discussion to be had is what to do about this mess? Home users will not clean up their machines. As anyone running an ISP knows, telling a home user their machine is compromised usually results in no action. Even if you tell them they may have keyloggers sniffing their banking passwords. Cut the user off until they take action and they just switch (or threaten to switch) to another ISP who won&#8217;t bother them.</p>
<p>I agree with Bruce Schneier&#8217;s <a href="http://www.schneier.com/blog/archives/2007/01/information_sec_1.html">recent assessment</a>: software liability is really the only way out of this mess. Crappy software is not the only reason why information security is such a massive problem, but it is the main reason by far. Software quality simply will not improve until there is a financial incentive for software producers to do so.</p>
<p>Where possible it&#8217;s best to leave such pressure to the market, but to date the marketplace has failed to demand better quality. People will buy Vista not because of its alleged security improvements, but because it&#8217;s The New Cool-looking Windows and is pre-installed on the PC they&#8217;ve been waiting to buy since Christmas. Sadly, without consumer demand that leaves legislation to provide the profit motive to producers: civil liability for damages (regardless of what the EULA says), fines, even jail time when willful negligence can be proved. When the <a href="http://www.techweb.com/wire/30000109">survival time of Windows XP</a> is just 16 minutes, I think a case for negligence can be made.</p>
<p>Unfortunately, software liability will probably take a while. It took decades of deaths before automobile seatbelts were made mandatory in the 1960s. It took thousands being killed in building, bridge and dam collapses around the world before construction standards were developed and enforced and engineers were required to be trained and licensed. Bad software security causes billions in financial loss every year, but it doesn&#8217;t kill many people. Sadly it usually takes deaths before anyone takes a risk seriously enough to act.</p>
<p>History is repeating itself&#8230; you can find many parallels between current software &quot;engineering&quot; and the early days of civil engineering. For example, this engineering disasters page references a study where the four leading causes of engineering failures are</p>
<ul>
<li>Insufficient knowledge: 36%</li>
<li>Underestimation of influence: 16%</li>
<li>Ignorance, carelessness, negligence: 14%</li>
<li>Forgetfulness, error: 13%</li>
</ul>
<p>Wow&#8230; sounds just like a breakdown of the bugs in the typical software development project, doesn&#8217;t it?</p>
]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2007/01/150-million-bots/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data security and the Patriot Act</title>
		<link>http://advosys.ca/viewpoints/2006/11/data-security-and-the-patriot-act/</link>
		<comments>http://advosys.ca/viewpoints/2006/11/data-security-and-the-patriot-act/#comments</comments>
		<pubDate>Fri, 17 Nov 2006 02:29:48 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[Safeguarding data]]></category>
		<category><![CDATA[confidentiality]]></category>
		<category><![CDATA[patriot act]]></category>
		<category><![CDATA[regulation]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/2006/11/data-security-and-the-patriot-act/</guid>
		<description><![CDATA[Here in Canada the province of Nova Scotia just enacted a law intended to protect citizens from the U.S. Patriot Act. The law purports to solve the problem, but to me it looks worse than useless.
According to the press release, under this new law &#34;the minister of Justice must be notified if there is a [...]]]></description>
			<content:encoded><![CDATA[<p>Here in Canada the province of Nova Scotia just <a href="http://www.gov.ns.ca/news/details.asp?id=20061115005">enacted a law</a> intended to protect citizens from the <a href="http://www.eff.org/patriot/">U.S. Patriot Act</a>. The law purports to solve the problem, but to me it looks worse than useless.</p>
<p>According to the press release, under this new law &quot;the minister of Justice must be notified if there is a foreign demand for disclosure of any personal information of Nova Scotians&quot;. Penalties for disobeying are up to $2,000 for government and private sector employees and up to $500,000 for companies.</p>
<p>The problem is that the U.S. Patriot Act specifically forbids notifying anyone. For example section 215 makes these&nbsp; amendments to the Foreign Intelligence Surveillance Act:<span id="more-107"></span></p>
<blockquote>
<p>&lsquo;&lsquo;(d) No person shall disclose to any other person (other than those persons necessary to produce the tangible things under this section) that the Federal Bureau of Investigation has sought or obtained tangible things under this section.</p>
<p>&lsquo;&lsquo;(e) A person who, in good faith, produces tangible things under an order pursuant to this section shall not be liable to any other person for such production. Such production shall not be deemed to constitute a waiver of any privilege in any other proceeding or context.</p>
</blockquote>
<p>Any U.S. company handling personal information of Nova Scotians (or of any other persons) cannot reveal that a request has been made or that records have been handed over to the FBI. This contradicts Nova Scotia&#8217;s new law, but that provides even more incentive to stay quiet about disclosure: notify the Nova Scotia minister of Justice and your company faces a half-million dollar fine, plus you may go to prison in the U.S. for violating the terms of the Patriot Act.</p>
<p>Warrants and probable cause are not required to make a demand under the Patriot Act. Any local FBI office can demand whatever it wants to see from any person or organization. A strict reading of section 215 implies that you can&#8217;t even discuss a demand with your lawyer.</p>
<p>The terms of the Patriot Act provide ample fuel for almost any paranoid theory. For example, remember the <a href="http://en.wikipedia.org/wiki/Information_Awareness_Office">Total Information Awareness</a> program? It sparked outrage and was supposedly killed but it seems it was really just <a href="http://www.schneier.com/blog/archives/2006/10/total_informati.html">renamed and classified.</a> Perhaps records from every U.S. financial institution, Internet Service Provider, search engine and retailer are being vacuumed up via Patriot Act requests to feed TIA. Who knows? It&#8217;s illegal to tell anyone.</p>
<p>Paranoia aside, if you&#8217;re outside the U.S. and responsible for the security of your organization&#8217;s data the only safeguard against a breach via the Patriot Act is to keep it away from U.S.-controlled entities. It&#8217;s a threat to data confidentiality that no firewall or non-disclosure agreement can prevent.</p>
<p>Last week, the CBC <a href="http://www.cbc.ca/technology/story/2006/10/31/patriot-act.html">reported</a> how Canadian universities are starting to stay away from U.S.-based reference databases. The fear is that records of scholarly searches for &quot;terrorism related&quot; bibliographic data will wind up in U.S. government hands, perhaps getting you listed on the infamous &quot;no fly&quot; list or <a href="http://www.maherarar.ca/">worse</a>. The Globe and Mail also <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20061111.wxuniversities11/BNStory/National/home">picked up the story</a> over the weekend.</p>
<p>Concern over the Patriot Act is certainly not new, especially inside the U.S. Over on the other coast of Canada, the privacy commissioner for British Columbia <a href="http://www.oipcbc.org/sector_public/archives/usa_patriot_act/pdfs/report/privacy-final.pdf">investigated its impact</a> back in 2004. The conclusions and recommendations in that report are interesting reading. For one, he concluded that even data residing outside the U.S. could be requested if it&#8217;s held by a U.S.-controlled entity.</p>
<p>However, unlike Canadian universities, the BC privacy commissioner concluded that &quot;a ban on outsourcing [to U.S. companies] would not be a practical or effective way of ensuring the protection of personal information&quot;. I disagree and think that is exactly what is happening around the world&#8230; organizations are keeping data out of U.S. hands because of the Patriot Act.</p>
<p>Pretty Good Privacy (PGP) <a href="http://www.net-security.org/secworld.php?id=4410">celebrated its 15th anniversary</a> this week. The author Phil Zimmermann <a href="http://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html">fought for years</a> against laws that equated cryptography with military weapons. Export of any crypto software better than <a href="http://en.wikipedia.org/wiki/ROT13">ROT13</a> could land a U.S. citizen in prison. The policy was ineffective and turned the U.S. into a bit of a crypto backwater: other nations had strong crypto and foreign companies were making money because they were free to use it. In 1999 the policy was repealed, in part because of the money being lost by U.S. businesses who wanted to compete globally.</p>
<p>Perhaps something similar will happen when enough international customers stop using U.S. businesses.</p>
]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2006/11/data-security-and-the-patriot-act/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Court declines to suspend Spamhaus domain</title>
		<link>http://advosys.ca/viewpoints/2006/10/spamhaus-saved/</link>
		<comments>http://advosys.ca/viewpoints/2006/10/spamhaus-saved/#comments</comments>
		<pubDate>Fri, 20 Oct 2006 12:57:11 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[ICANN]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/2006/10/spamhaus-saved/</guid>
		<description><![CDATA[Good news for Internet email worldwide: a district court in the U.S. has rejected a motion from a spammer to suspend the spamhaus.org domain name. According to a press release by ICANN, the court rejected the motion as being &#34;too broad to be warranted under the circumstances&#34;.
No kidding. As I discussed previously, such [...]]]></description>
			<content:encoded><![CDATA[<p>Good news for Internet email worldwide: a district court in the U.S. has rejected a motion from a spammer to suspend the spamhaus.org domain name. According to a <a href="http://www.icann.org/announcements/announcement-1-19oct06.htm" title="Spamhaus Litigation Update - Court Declines to Issue Order Against ICANN or Tucows">press release by ICANN</a>, the court rejected the motion as being &quot;too broad to be warranted under the circumstances&quot;.</p>
<p>No kidding. As I <a href="http://advosys.ca/viewpoints/2006/10/icann-comments-on-spamhaus/">discussed previously</a>, such a suspension would result in a massive flood of spam around the world. On the mail servers we manage, we use the sbl-xbl.spamhaus.org blocklist and it accounts for rejecting about 40% of all spam received. It&#8217;s one of the most effective blocklists available, with very few false positives.</p>
]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2006/10/spamhaus-saved/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ICANN speaks up on Spamhaus litigation</title>
		<link>http://advosys.ca/viewpoints/2006/10/icann-comments-on-spamhaus/</link>
		<comments>http://advosys.ca/viewpoints/2006/10/icann-comments-on-spamhaus/#comments</comments>
		<pubDate>Wed, 11 Oct 2006 19:17:18 +0000</pubDate>
		<dc:creator>D Webber</dc:creator>
				<category><![CDATA[Law & enforcement]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[ICANN]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://advosys.ca/viewpoints/2006/10/icann-comments-on-spamhaus/</guid>
		<description><![CDATA[ICANN, the current overseer of the Internet DNS infrastructure, has posted an announcement on their site about the ongoing court battle between a U.S. spammer and real-time blocklist provider Spamhaus.org. ICANN is claiming they cannot suspend the spamhaus domain name if the court orders it because it &#34;does not have either the ability or the [...]]]></description>
			<content:encoded><![CDATA[<p>ICANN, the current overseer of the Internet DNS infrastructure, has posted <a href="http://www.icann.org/announcements/announcement-10oct06.htm">an announcement</a> on their site about the ongoing court battle between a U.S. spammer and real-time blocklist provider <a href="http://spamhaus.org" title="Spamhaus">Spamhaus.org</a>. ICANN is claiming they cannot suspend the spamhaus domain name if the court orders it because it &quot;does not have either the ability or the authority to do so&quot;.</p>
<p>If you haven&#8217;t been following this case, it&#8217;s yet another attempt by a hardcore spammer to use the legal system against an anti-spam organization. Spamhaus provides popular anti-spam real-time blocklists that mail administrators can use to automatically block messages from IP addresses known to send spam. Just about everyone running an Internet mail server uses the spamhaus blocklists, among others,&nbsp;to reduce the flood of junk e-mail&#8230; blocklists are controversial for some people, but for most mail administrators they are a necessary first layer of defense.</p>
<p>One spammer in Illinois managed to get a court to order Spamhaus to remove the IP addresses he uses to send spam. Spamhaus, based in the UK, is outside the jurisdiction of the court and so ignored the order (their view of events is <a href="http://www.spamhaus.org/legal/answer.lasso?ref=1" title="Spamhaus Legal Answers &amp; Updates">here</a>). Now the court is apparently considering an order to ICANN to remove the DNS records of Spamhaus. If that happened,&nbsp;mail servers around the world would be&nbsp;inundated with billions of messages from every spammer worldwide.</p>
<p><span id="more-75"></span>It would be like using a guillotine to cure dandruff. Internet users world-wide would be affected&#8230; not just those in this one court&#8217;s jurisdiction. It also would only have a short term effect&#8230; a few hours&nbsp;at most until replacement blocklists using other domains were made available. Each individual mail administrator is also free to block IP addresses at their firewalls&#8230; it would be fun to see the spammer try to sue each of the resulting hundreds of thousands of organizations around the world who individually blocked his IP addresses.</p>
<p>Anyway, it looks like it won&#8217;t happen. ICANN is claiming they don&#8217;t have the technical ability to block individual DNS records. The domain is registered through Tucows, who is the only entity able to change the DNS records. Fortunately Tucows is located in Canada and not subject to the orders of a foreign court.</p>
<p>Part of the reason ICANN issued a statement on this issue is because it understands how precarious its authority is. Though based in the U.S., ICANN is an international organization created to serve the needs of the global Internet. If they had to start monkeying with DNS based on orders from local courts or local politicians, they&#8217;d find themselves replaced very quickly. There is no technical reason preventing administrators around the world from using <a href="http://en.wikipedia.org/wiki/Alternative_DNS_root" title="Alternate DNS root servers">other root DNS servers</a>. During its short existence ICANN has generated enough ill-will around the world that many organizations would actually enjoy dumping them. An event like this proposed court order could be&nbsp;the catalyst for just such a revolt.</p>
<p>By the way, Spamhaus is not blameless in this affair. Apparently they originally participated in the case then ignored it when the case was actually heard&#8230; Securiteam has an interesting write-up about the legal aspects <a href="http://blogs.securiteam.com/index.php/archives/664" title="The Spamhaus case, a spam-savvy Illinois lawyer perspective">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://advosys.ca/viewpoints/2006/10/icann-comments-on-spamhaus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
