Daily Archives: April 1, 2018

Why the crypto-backdoor side is morally corrupt

Crypto-backdoors for law enforcement is a reasonable position, but the side that argues for it adds things that are either outright lies or morally corrupt. Every year, the amount of digital evidence law enforcement has to solve crimes increases, yet they outrageously lie, claiming they are "going dark", losing access to evidence. A weirder claim is that  those who oppose crypto-backdoors are nonetheless ethically required to make them work. This is morally corrupt.

That's the point of this Lawfare post, which claims:
What I am saying is that those arguing that we should reject third-party access out of hand haven’t carried their research burden. ... There are two reasons why I think there hasn’t been enough research to establish the no-third-party access position. First, research in this area is “taboo” among security researchers. ... the second reason why I believe more research needs to be done: the fact that prominent non-government experts are publicly willing to try to build secure third-party-access solutions should make the information-security community question the consensus view. 
This is nonsense. It's like claiming we haven't cured the common cold because researchers haven't spent enough effort at it. When researchers claim they've tried 10,000 ways to make something work, it's like insisting they haven't done enough because they haven't tried 10,001 times.

Certainly, half the community doesn't want to make such things work. Any solution for the "legitimate" law enforcement of the United States means a solution for illegitimate states like China and Russia which would use the feature to oppress their own people. Even if I believe it's a net benefit to the United States, I would never attempt such research because of China and Russia.

But computer scientists notoriously ignore ethics in pursuit of developing technology. That describes the other half of the crypto community who would gladly work on the problem. The reason they haven't come up with solutions is because the problem is hard, really hard.

The second reason the above argument is wrong: it says we should believe a solution is possible because some outsiders are willing to try. But as Yoda says, do or do not, there is no try. Our opinions on the difficulty of the problem don't change simply because people are trying. Our opinions change when people are succeeding. People are always trying the impossible, that's not evidence it's possible.

The paper cherry picks things, like Intel CPU features, to make it seem like they are making forward progress. No. Intel's SGX extensions are there for other reasons. Sure, it's a new development, and new developments may change our opinion on the feasibility of law enforcement backdoors. But nowhere in talking about this new development have they actually proposes a solution to the backdoor problem. New developments happen all the time, and the pro-backdoor side is going to seize upon each and every one to claim that this, finally, solves the backdoor problem, without showing exactly how it solves the problem.

The Lawfare post does make one good argument, that there is no such thing as "absolute security", and thus the argument is stupid that "crypto-backdoors would be less than absolute security". Too often in the cybersecurity community we reject solutions that don't provide "absolute security" while failing to acknowledge that "absolute security" is impossible.

But that's not really what's going on here. Cryptographers aren't certain we've achieved even "adequate security" with current crypto regimes like SSL/TLS/HTTPS. Every few years we find horrible flaws in the old versions and have to develop new versions. If you steal somebody's iPhone today, it's so secure you can't decrypt anything on it. But then if you hold it for 5 years, somebody will eventually figure out a hole and then you'll be able to decrypt it -- a hole that won't affect Apple's newer phones.

The reason we think we can't get crypto-backdoors correct is simply because we can't get crypto completely correct. It's implausible that we can get the backdoors working securely when we still have so much trouble getting encryption working correctly in the first place.

Thus, we aren't talking about "insignificantly less security", we are talking about going from "barely adequate security" to "inadequate security". Negotiating keys between you and a website is hard enough without simultaneously having to juggle keys with law enforcement organizations.

And finally, even if cryptographers do everything correctly law enforcement themselves haven't proven themselves reliable. The NSA exposed its exploits (like the infamous ETERNALBLUE), and OPM lost all its security clearance records. If they can't keep those secrets, it's unreasonable to believe they can hold onto backdoor secrets. One of the problems cryptographers are expected to solve is partly this, to make it work in a such way that makes it unlikely law enforcement will lose its secrets.

Summary

This argument by the pro-backdoor side, that we in the crypto-community should do more to solve backdoors, it simply wrong. We've spent a lot of effort at this already. Many continue to work on this problem -- the reason you haven't heard much from them is because they haven't had much success. It's like blaming doctors for not doing more to work on interrogation drugs (truth serums). Sure, a lot of doctors won't work on this because it's distasteful, but at the same time, there are many drug companies who would love to profit by them. The reason they don't exist is not because they aren't spending enough money researching them, it's because there is no plausible solution in sight.

Crypto-backdoors designed for law-enforcement will significantly harm your security. This may change in the future, but that's the state of crypto today. You should trust the crypto experts on this, not lawyers.

Risky Biz Soap Box: Network detection is dead! Long live network detection!

This Soap Box edition is brought to you by ICEBRG.

ICEBRG is in the business of network-based response and detection. In simple terms they drop a box on your network that strips network metadata and shunts it up to their cloud for analysis. This allows incident responders in particular to really, really speed up their investigations. We know that a lot of internet traffic is encrypted these days, and that’s made some people take their eye off the network ball. The focus and buzz these days is very much on endpoint detection and response. Our guest on this edition of Soap Box, ICEBRG’s VP of Strategic Partnerships Jason Rebholz, thinks we’ve wound up with a blind spot as a result.

It’s true that a lot of network security tech fell behind the times, but there are some fresh approaches emerging these days that are pretty bloody useful. ICEBRG started off as a product to accelerate incident response, an example use case is deploying it in 15 minutes when you’re starting an IR job; it gives you amazing visibility for the time invested. But, they’re broadening the product a bit these days. They’re not turning it in to an IDS, but they’re able to give clients some very, very high quality signalling. I think this is what you get when you get a bunch of ex-govvies and incident responders together and they develop a product. Their alerts are more along the lines of “you’re owned by this APT group” not so much “hmm, that’s some strange ICMP traffic hitting your mail server. Maybe some router in Azerbaijan needs a reboot, ."

So the thinking is definitely fresh, and I’m increasingly seeing companies play in the network security space again. Network detection is dead! Long live network detection!

Show notes

Hackers take 5 million payment cards from Saks, Lord & Taylor stores

The wave of large-scale retail data breaches isn't about to subside any time soon. Gemini Advisory has discovered that a JokerStash online crime syndicate, Fin7, is planning to sell over 5 million payment cards stolen from the databases of 83 Saks Fifth Avenue stores (including Off 5th) and the entire network of Lord & Taylor. The crooks are 'only' selling 125,000 of the cards on the Dark Web as of this writing, but the rest are expected to reach the black market in the months ahead. The breaches reportedly started in May 2017, but could be continuing to this day.

Source: Gemini Advisory, HBC

CVE-2018-9149 (ac3000_firmware)

The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a suitable mechanism to protect the UART. After an attacker dismantles the device and uses a USB-to-UART cable to connect the device, he can use the 1234 password for the root account to login to the system. Furthermore, an attacker can start the device's TELNET service as a backdoor.

CVE-2018-9157 (m1033-w_firmware)

** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.

CVE-2018-9165 (libming)

The pushdup function in util/decompile.c in libming through 0.4.8 does not recognize the need for ActionPushDuplicate to perform a deep copy when a String is at the top of the stack, making the library vulnerable to a util/decompile.c getName NULL pointer dereference, which may allow attackers to cause a denial of service via a crafted SWF file.

CVE-2018-9158 (m1033-w_firmware)

An issue was discovered on AXIS M1033-W (IP camera) Firmware version 5.40.5.1 devices. They don't employ a suitable mechanism to prevent a DoS attack, which leads to a response time delay. An attacker can use the hping3 tool to perform an IPv4 flood attack, and the services are interrupted from attack start to end.

CVE-2018-9156 (p1354_firmware)

** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) Firmware version 5.90.1.1 devices. The upload web page doesn't verify the file type, and an attacker can upload a webshell by making a fileUpload.shtml request for a custom .shtml file, which is interpreted by the Apache HTTP Server mod_include module with "<!--#exec cmd=" support. The file needs to include a specific string to meet the internal system architecture. After the webshell upload, an attacker can use the webshell to perform remote code execution such as running a system command (ls, ping, cat /etc/passwd, etc.). NOTE: the vendor reportedly indicates that this is an intended feature or functionality.

Meet FORTUNE COOKIE

VirusTotal is always working to improve our users' experience and our partner ecosystem. We have a robust community of security professionals who research, study, and collaborate through VirusTotal's diverse tools and capabilities.

In our labs, our top engineers are working hard to develop new ways of understanding how samples relate to each other, to campaigns, and to the users who ultimately fall victim to them.

We're thrilled to share with you the brand new VirusTotal Free Object Randomized Tester Utilizing Nil Evaluative Code with Object Oriented K-means Inference Engine, or FORTUNE COOKIE for short.

FORTUNE COOKIE is a bleeding edge system that brings about a highly accurate randomized verdict for your entertainment and enjoyment. It knows very little about malware, reverse engineering, or file analysis, but could theoretically be capable of leveraging machine learning, blockchain, and/or random numbers to bring about an entirely new class of verdicts.

An example of its detection capabilities can be found below:


We think FORTUNE COOKIE will change the way you use VirusTotal, and due to the incredibly amazing power it offers, it will only be available for a short time.

Enjoy!

Bundle Up and Save Big This Month

Are you dreaming of becoming the ultimate penetration tester? Get to learn more practical skills on top of theoretical ones? Or you simply want to learn new tricks and get that promotion you deserve? Our bundles will allow you continuous growth, training after training, while saving big on registration fees. The current bundles will not be available anymore for new enrollments after April 30 2018, 11:59pm PDT. If you are already enrolled or still do so before that deadline, then you can, of course, enjoy whatever courses you are enrolled in.


With the ever-growing digital threat environment, increasing demand and job opportunities in the InfoSec fields, having the knowledge AND practical skills is a crucial point to your career’s growth. From “The Elite Pentester” and the “4-In-A-Box” to the “All Access Pass”, numerous students have seen their practical skills and theoretical knowledge rise.

Here is a recap’ and key points of each bundle we offer, and how they can benefit YOU:

The Elite Pentester Bundle

Become an Elite Penetration Tester with these two best selling online IT Security training courses bundled together:

  • PTP (Penetration Testing Professional): the most comprehensive and practical online course on Penetration Testing, and Network Pentesting. It takes you from the basics to a professional level.
  • WAPT (Web Application Penetration Testing): the most practical AND professionally oriented certification you can obtain in Web Application PenTesting.
Both Penetration Testing training courses are in Elite Edition and valued at $2,598.
Save $ 600 and get them now for $ 1,999.

The “4 In A Box” Bundle

Bundle any 4 out of our online IT Security training courses in the Elite Edition and get lifetime access to each of your four chosen courses, infinity exam vouchers and up to 120 usable hours per course in our industry-leading virtual labs for hands-on training. You’ll end up being an IT Security expert with up to 4 new certifications.

This bundle covers 4 training courses of your choice in Elite Edition and is valued up to $ 6,396. Save up to $ 1,750 and get it now for $ 4,599.

The All Access Pass

Get lifetime access to each of our training courses in the Elite Edition, including the hands-on lab hours, the exam voucher and unlimited access to the training materials. You can end up with 11 new certifications and become an expert in IT Security.

This bundle covers all of our current training courses in Elite Edition and is valued at $ 14,189. Save up to $ 6,100 and get it now for $ 7,999.

IN SHORT: Bundles are available for enrollment until April 30th 2018 after which they will no longer be available.

If you have any question regarding the bundles’, don’t hesitate to contact us on Social Media or wave over in the comments section. For more practical inquiries, please contact our support team at support(at)elearnsecurity.com.

Connect with us on social media Twitter Facebook LinkedIn Instagram 

Let your friends know the bundles are going away! Click here to share this blog on Twitter 🙂