Friday, 29 April 2016

Misgivings about the Internet of Things and hyper-interconnectedness

Last night I heard a lecture delivered by a chap from HPE - HP Enterprise for those of you who forget about their big breakup. He is in charge of innovation in the Asia Pacific region and he spoke a lot about the Internet of Things (IoT), drones, driverless cars etc. Sure, we really are moving towards a world where human interaction becomes far less of a factor when driving, delivering packages or even turning on the lights at home...

It really got me thinking about the impact to humanity and whether the pros will outweigh the cons. The hyper-interconnectedness of the world has its upside but I think its darker downside needs light shone on it. If your whole house is wired with sensors, motors and control units, then is it a stretch to muse on when the first house is compromised? If an attacker took control of your home just what could he do with it? Annoy you with the lights going on or off, tracking your movements throughout the place, knowing when you're asleep and therefore vulnerable or good old fashioned voyeurism. These options just popped into my head in the last 30 seconds and I'm a reasonably good, respectful and law abiding person. Imagine if I was a naughty ne'er do well?!

Quite apart from the issues inherent in being completely trackable and giving away any semblance of privacy is the issue that arises when the power goes out. Can one still open the doors, the blinds or the windows if it's all automated? And I have concerns over what might happen when the power comes back on and the house receives a power surge that damages the systems controlling all these components. There is a greater level of complexity to a house with IoT than there ever was before and the delicacy of these systems is not to be underrated.

Moving away from IoT to driverless cars and drones. The HPE chap (Roger something...) spoke at length about these too. While I've watched the whole notion of autonomous vehicles with some interest over time, I quite like driving and I'm not really prepared to give that up. I completely understand why some people hate it, why it would be a great thing for the elderly or infirm, for example, to help them get around, but I heard some absurd claims about reduction in parking spaces or some other nonsense. Autonomous vehicles still have to stop somewhere while you go and do stuff. How do you reduce the number of carparks exactly? I can also foresee more of these vehicles on the road than now, with more traffic as people who haven't got licenses or who can no longer drive take advantage of a car that will drive them anywhere. The limiting factors on road users will change, and some of these that move people off the roads (rightly or wrongly) will potentially disappear. Thinking about this from the transport and logistics perspective it's possibly an awesome thing to have trucks that can drive endlessly in a non-stop cycle with none of the pesky driver considerations we have now... but I can't help but think of the cost to human jobs. I worked in transport for a while and there are guys who genuinely enjoy getting out and about in the trucks, driving line haul or pottering around town. These guys (mostly) have a great skill set and will not be required after the introduction of autonomous trucks. On to the sidelines for you - and then we have killer trucks chasing us like in the movie "Fortress".

Drones are becoming a big thing and will continue to get bigger over time. With many companies hoping to use them for deliveries - especially medicine or aid into remote areas - I think they're great. The potential for help is enormous... as is the balanced potential for harm. Drones already kill a fair number of people day to day in war torn areas as the US or other countries deploy them to blow shit up. Spy drones are already about looking into things they shouldn't be so privacy is going to take yet another hit, and the risk of some idiot flying their stupid drone into a plane or helicopter - yeah that will happen. We have the guys flying their drones over fires and things - which is a great tool for seeing what's happening (don't get me wrong - they have some amazing uses that preserve human life) but also restrict what other aerial vehicles can do (because they are in the flight space).  We have had water bombers diverted from fires with real concerns about them hitting drones. I think the issue there is more of command and control than the actual drone being a problem - coordinating a fire response is no trivial issue and someone with a drone in the way is a problem.

The end result of all this extra computer stuff floating around is a far more cluttered Internet and let's be honest - security is a massive issue. Complex software in complex hardware = mucho issues with security. Anyone who has done some programming knows that as complexity goes up, so does risk of an issue arising in the code. The reliance on the Internet's infrastructure will increase and although the 'net is a most distributed system there are definitely ways to greatly impact a country. Imagine for example if someone attacked the Internet systems of a country and took down its ability to manage routing - all those data packets with nowhere to go. How would it affect daily human life? I can't get my IoT coffee machine to work or I can't get my medical aid system to work because both of them connect back to a central management system located either at home or somewhere else. Uh oh. Can we get the 'net back up? We've already seen hospitals compromised because of holes in code or heaven forefend - people have no clue and use shite passwords or it's set up in a way that might be more user friendly and is far less secure than it could be.

Before we as a civilisation dive head first into the pond of hyper-interconnectedness I really think we need to slow down and understand the ramifications of what is going to happen. Big companies are not going to care - they have to make money and look after their shareholders and screw anyone else. The government needs to be across this and understanding it with techno-geeks involved to get through the heavy nerd stuff and legislate to improve protections and procedures around the IoT and associated systems. For example - drones are great, until they kill someone through stupidity or neglect. So let's try to legislate it and get it out there what you can and can't do. Something is better than nothing and attempting to get something in place is better than sitting back saying "I'm not sure - it seems like techno-babble to me!".

I for one welcome our new robot overlords when they arrive. I'd prefer the future to be a mix of humanity assisted by robots and IoT and not this:

I tried but I really couldn't resist putting up one of these pics. Ah pop culture. I hope that in some small way I've opened your mind to some of the other side of the issues I've talked about. I'm very excited about all these new gizmos and things - I can't help it - I'm a geek too. I just have a pessimistic side that impels me to consider the impact of new technology.

Monday, 25 April 2016

More on Digital Forensics

So the SIFT workstation is up and running - almost. My slow internet connection is making the updating take a long time. Yesterday it ran almost all day to get SIFT on the machine. Lots of changes from stock Ubuntu - app installs, timezone changes, and the theme has been tarted up.

I looked at the digital images yesterday and thought about how to go about all of this. It's a little bit more complex than I thought. I know what I want, and I know what the output should be, it's the pesky bits in the middle that are causing me some annoyance. Specifically the steganography output and how to carve the text files to get into what is clearly inside them. They are far too large for the text that they have.

I understand the methodology - it's quite clearly outlined in the text book, but there's a big difference between having your head around that and applying it. In order to write the report I have to step through things fairly systematically - it's the way the old brain works and getting that system into some sort of operational semblance is the trick. There are some great cheatsheets on the desktop of a new SIFT install, for which I'm profoundly grateful. I'll read through these and have a good think.

There is a lot of info about forensic work out there. The glut of it makes it time consuming to go through, yet enjoyable at the same time. Once I've had a bit more time, I'll make known some of the posts that I've found interesting and relate my own experiences here!

Sunday, 24 April 2016

The Foray into Digital Forensics

As part of my tertiary studies I'm now working on Digital Forensics. Our latest assignment includes some steganography, some bit shifting and writing a forensic report on a made-up or actual scenario that we find or invent.

I thought it might be of use to write a bit about the experience I'm having getting into this. From the course we are supplied a variety of different tools with a variety of different capabilities. Being a Linux chap, I thought it would be cool to go into the open source tools. Running ElementaryOS on my laptop has made this difficult and more than a little frustrating. Perhaps because I'm not big on what the best tools are, or the install methods - but I'm experiencing annoyance. I'm currently downloading Ubuntu 14.04 Desktop to put the SANS Investigative Forensic Toolkit (SIFT) version 3 on it. Details on SIFT can be found at I'll work this later - I'm still waiting on Ubuntu to download. It doesn't help living out in the bush.

The Windows tools I have played with thus far include:

  • ProDiscover Basic
  • Hex Workshop
  • OSForensics
  • WinHEX

I've also found Notepad++ to be quite useful. It's a very powerful notepad replacement I find useful for many applications of work - find it here:

The textbook also seems pretty good - "Guide to Computer Forensics and Investigations" Nelson, Phillips and Steuart are the authors. Lots of good examples and methods for working through things. Annoyingly, but this is to be expected, it all has a US slant on it, including laws and rights. Translating them into Australian can be tricky at times. There are a lot of good resources on the Net - SANS as I've already mentioned, CERT and AusCERT aren't bad. Google is, as always, your friend.

I've spoken with some friends about this and they immediately assume it's like CSI-Cyber and we use cyber to describe everything - it's a cybercrime, it's a cyberstalking, it's a cyberpen I'm writing on this cyberpaper with etc. Of course it's not like that at all. Lots of painstaking attention to detail and writing a *lot* of notes. You can't blow through this stuff on a hunch - stupid TV shows seem to make it a lot easier than it is and people jump around with ideas and stuff all the time. What a bag of pish! At any rate it's fascinating stuff if you have the patience and technical background for it.

I'll update and add a post as I play with SIFT and with the particular case I'm investigating.

I have spent some time on the digital forensic reddit which has some great info and great help for people. I thank the contributors for their time and effort. Was looking through a big list of blogs and stuff about forensics. Sad that so many of them have fallen away. There's some gold in amongst it though. On to the SIFT install!

Saturday, 16 April 2016

The rise of ransomware and the devil that is Cryptolocker

Over time, with advancements in anti-virus and anti-spyware, the ne'er do wells would eventually evolve. Their cunning and understanding of human behaviour has resulted in the devil that is ransomware. An innocent email from Australia Post arrives or a letter from the Australian Federal Police turns up in your inbox - most people are curious, even excited by an unexpected package, or concerned about a letter from the AFP and so they click the link. Boom! All their data starts to be infected - encrypted with heavy encryption and a lovely letter to say pay us or never get your stuff back.

We've seen it live and in the field on at least 5 occasions and had one or two clients actually pay the ransom - buying their Bitcoins and getting their decryption key back. Sadly, we've had people try this only to find out the website they need to talk to has been closed down by the authorities and their data irretrievably lost - until we restore it from backups that is... but sometimes even this doesn't work if people haven't moved data to the servers for backup. It's not good.

It seems like it was inevitable that a new mode of making money from people would have to emerge. Stealing credit card details and personal information - while profitable - is also fraught with danger of being identified when you try to use them. An anonymous ransom - helpfully supported by an anonymous currency - means a relatively straightforward exchange - a key for your own data back. It's kind of elegant in a way. This doesn't mean I don't think these people should be prosecuted - I've seen and experienced the stress and pain of business owners as their data becomes inaccessible and I'd love to pass that back to the perpetrators.

There are ways and means of protecting yourself from this, but it comes down to being systematic about it - just like these thieving bastards have been. Consider your vectors of risk:

  • external influences
    • email
    • websites
  • physical influences
    • users
    • dodgy USB keys
  • active attacks
    • hack attempts
    • social engineering

There could be more.

Defending against these requires defence in depth. Some of these things are passive - they do the job all the time, with managed updates and some are active - people actually need to think about what's happening. Here are a few examples:-

  • email scanning (externally if possible)
  • strong firewall
  • internet scanning (if possible)
  • anti-virus and anti-spyware on the machines
  • Chrome instead of good old IE (or awful Edge)
  • user education - the single best form of protection and typically the one with the least amount of time and resources put into it. Honestly, it makes me experience sadness that people aren't trying to get their staff skilled up a bit on the computer. It doesn't take all that much!
  • backups
  • backups of backups offsite
  • restorable backups

Of course, this kind of systematic approach doesn't just cover the awfulness of ransomware, but could be helpful against many other risks - attacks, environmental (fire / flood / famine / Justin Bieber), malicious employee activity (still identified as the Number #1 risk by many security dudes) and other "out of the box" issues.

I haven't mentioned patching or updating your system although I know this is critical. Updates are a beast of a thing, and anyone caught with a SharePoint update that means a database rebuild will feel where I'm coming from with this - security updates can cause more pain than if the damn thing was hacked or compromised in some way. Understanding the impact of an update on key infrastructure is very important and it isn't a passive security mechanism like some of the other things I've mentioned.

Reporting is also a tricky thing - yes it's great to have all this stuff going on, but who wants to plough through 20 or 30 system generated emails in a morning? I have for the last 12 years and it's bollocks. I don't care for it at all, and to be honest - it becomes so rote and routine that I miss things (sometimes very important things) because I'm just skimming. I urge you to consider some sort of consolidation report or webpage with information colour coded according to rules so that things going wrong are immediately obvious. We only have a limited attention time (and I think I've written about this elsewhere) and so we need to make sure that time is being carefully put to use and not wasted on stuff that's all OK and we don't care about. Likewise, with Nagios or other monitoring software I'm using, the thresholds for things going wrong are quite high - i.e. tell me when something is really going to be in trouble, not that it's just experiencing some sadness now.
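One way to build the consolidated, rule-driven report suggested above, as an added example that is not from the original post. The hosts, check names and thresholds are constructed for illustration, and the events stand in for values already parsed out of the morning's notification emails.

```python
"""Consolidate a morning's system notifications into one triaged report."""
from dataclasses import dataclass

# Constructed sample data: (host, check, value) as parsed from notifications.
SAMPLE_EVENTS = [
    ("fs01", "backup_age_hours", 6),
    ("fs01", "disk_used_pct", 97),
    ("mail01", "backup_age_hours", 50),
    ("mail01", "disk_used_pct", 71),
    ("dc01", "av_definitions_age_days", 1),
    ("dc01", "failed_logins_24h", 40),
    ("dc01", "ups_battery_pct", 55),  # no rule defined for this check
    ("web01", "av_definitions_age_days", 9),
    ("web01", "disk_used_pct", 92),
]

# Rules: check name -> (amber threshold, red threshold). Hypothetical values,
# deliberately set high so only real trouble reaches the top of the report.
RULES = {
    "backup_age_hours": (30, 48),
    "disk_used_pct": (90, 95),
    "av_definitions_age_days": (3, 7),
    "failed_logins_24h": (50, 200),
}

# Worst first. A check without a rule is surfaced, never assumed to be fine.
SEVERITY_ORDER = {"RED": 0, "AMBER": 1, "UNKNOWN": 2, "GREEN": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    check: str
    value: float
    colour: str


def classify(check, value, rules=RULES):
    """Map one measurement to a colour using the threshold rules."""
    if check not in rules:
        return "UNKNOWN"
    amber, red = rules[check]
    if value >= red:
        return "RED"
    if value >= amber:
        return "AMBER"
    return "GREEN"


def consolidate(events, rules=RULES):
    """Return (findings needing attention, worst first; count of OK checks)."""
    findings = [Finding(h, c, v, classify(c, v, rules)) for h, c, v in events]
    attention = sorted(
        (f for f in findings if f.colour != "GREEN"),
        key=lambda f: (SEVERITY_ORDER[f.colour], f.host, f.check),
    )
    ok_count = sum(1 for f in findings if f.colour == "GREEN")
    return attention, ok_count


def render(events, rules=RULES):
    """One short report: problems listed individually, healthy checks collapsed."""
    attention, ok_count = consolidate(events, rules)
    lines = [f"{f.colour:<7} {f.host:<7} {f.check} = {f.value}" for f in attention]
    lines.append(f"GREEN   {ok_count} checks OK (details suppressed)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_EVENTS))
```

Healthy checks collapse to a single count, so nine notifications become five lines to read, with the three red items at the top.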

This post has diverged somewhat from cryptolocker, but the principles in keeping that piece of garbage out of your network are similar across a wide range of threats. 

Thursday, 7 April 2016

XenServer 6.5 and Windows Server 2012 Slowness

Recently at more than one site we've been experiencing slowness with file transfers, and general 2012 behaviour. It's maddening because task manager, the performance monitor and XenCenter show very little to no load across the servers. Having reviewed it more thoroughly and turned off Windows file security and made no progress, we've started looking into the hardware that makes up our XenServers.

It's a bit of a mishmash of gear - an IBM x3650 and a generic sort of a server make up the two physical hosts. They don't have a huge amount of power under the hood, but run a couple of VMs quite well. The 2012 server runs appallingly though and I think I've figured it out.

The x3650 has a Broadcom chipset on the network cards and this doesn't play well with others. The other generic beast of a machine has an Intel chipset on its network cards and it runs fine. Yesterday I installed an Intel network adaptor into the x3650 and lo and behold, it's running better than it has been - significantly better. A click on the start button could take 20 - 30 seconds to get the menu to pop up in 2012 server, now it's almost instantaneous. My guys using this server for stuff are much happier.

In earlier iterations of XenServer I haven't noticed this so much, but in this most recent one I certainly have. XenServer 6.2 didn't seem to have this issue, so I wonder what has changed in the driver management to have caused this issue.

If you have servers running with odd slowness, definitely check this out - we have a much larger site with 2012 servers running on hardware with Broadcom chipsets and we are about to install new Intel cards to see if that fixes the problem. Stay tuned - this could be a real head scratcher if you come across it, and if the fix is a couple of $500 NICs then it could save you a huge amount of time and effort.

Saturday, 5 March 2016

Cloud Computing Challenges in Regional Australia

Out here in the bush we have a fundamental problem with Cloud Computing. We can’t get to it! Our internet access is 3rd world at best and generally that’s being charitable. Recently I was at one of the incredibly rare Microsoft road shows in this area - we generally do not see any big companies come through here. Our regional population is around the 100,000 mark so we’re a small fish in a big ocean.

The key message being delivered by the Microsoft chaps was Cloud, cloud and more cloud. So the outlook for the presentation was cloudy. Azure, Office365 - all that good stuff. Great for Microsoft - everyone moves to a subscription model, doesn’t need onsite hardware and you pay - continuously - for ever! Some of the stats were interesting. 

Of those taking up a hosted Exchange, very few had taken up Office365. The presenter was surprised by this, but I don’t know why. We have a lot of clients using Office2010 or 2013 who have either purchased it very recently (in the case of 2013) or have specific applications or processes built around the way that Office works. They are not likely to change any time soon - the ROI on their purchase has not yet been achieved. And amazingly, some of these clients don’t want to pay for the software every month.

We have some clients, quite a few sadly, that have sub 10Mbps ADSL2+ connections who are absolutely staying away from cloud anything. All well and good to have their data in someone else’s server, but they can’t get to it! With such a crap internet connection, it’s almost impossible to upload data, let alone pull it back down. The pain for having to move to a different cloud provider - especially if the data has to come back to site first before leaving to the new hosting is going to be considerable. 

The question I didn’t get to ask the Microsoft lads was: “What is Microsoft doing to promote better internet connectivity so we can sell all your cloud stuff?” Such a large company, with fingers in so many pies - get us better internet! 

While it’s true we are Google Apps resellers, and Microsoft Partners and we do have quite a few hundred Office 365 and hosted Exchange subscribers out there, we are severely limited by the ability to provision these services.

Access is not the only challenge we have. Data sovereignty is a major issue for our clients too. They don’t believe that they maintain full control over data sitting on someone else’s servers and, quite understandably, some of our clients are not big fans of that. Truth be told, it’s a fair jump to make for someone. “Let’s put all our gold in someone else’s chest! Screw that!” - this was a message given to me by one of my clients. He viewed his data as gold and didn’t want anyone else to have control and to be fair, it’s the result of his life’s work. 

There have been lots of issues around someone else maintaining and holding client data - privacy, security, accessibility being the big three. Who is held accountable etc are all the questions we are asked many times. Microsoft have not helped their own cause with some of the stuff they’ve done over the years - anticompetitiveness and their major hate on for Linux to name two. Being a massive company that doesn’t pay its taxes in Australia and is US owned are more strikes against them for the purposes of this argument and in the minds of many rural business owners. These are hard things to overcome, especially when I’m asked about my own cloud usage.

I live on a farm. Can you guess how great my internet connection is? The pigeon delivering my USB of data each day is pretty fast, but nothing compared to an urban fibre connection. So by necessity my cloud interactions are controlled and largely minimal. There are plenty of businesses - who are in rural cities - that do not have internet connectivity as reliable or “fast” (I sniggered when I wrote that because it’s a 3.5Mbps connection on the best of days) as I do. No cloud for them!

Before you go hell for leather selling cloud services to clients, stop for just a moment and consider all the variables beyond what Microsoft is telling you. They want very much for you to be locked in with their model, using their servers and services for ever because then you have to pay for them every month for the rest of eternity. There are other ways and it’s important to keep those options alive for people. Onsite servers are not dead - not by a long shot. Let me reiterate the main point of this article - we have to provide data to our clients in a secure, reliable and accessible way. Doing so is the important part. How we deliver it is the challenge.

Saturday, 20 February 2016

Breaking the iPhone's encryption

For the last few days the internetz has been in an uproar. If you haven't heard then have a look at this:
Apple ordered to help the US government. For the TL;DR folks out there:

  • some terrorist killers in the USA used an iPhone 5C
  • the FBI want to know what was on the phone
  • the phone has that lock where 10 incorrect pins wipes it
  • a judge has ordered our old mates at Apple to disable the wipe function so the FBI can break in
  • Apple have told them to go away and refused to do it

So, gentle reader, why do we care about this? A bit of backstory might be useful...

The iPhone has quite solid built in encryption. Check out the Apple Privacy policy here for all the goods (PDF download) - lots of goodies in there. From iOS 8 onwards, the basic iPhone data was heavily encrypted, and Apple have always claimed they don't access passcodes or data. Here is their privacy policy if you'd like to have a read: Apple's Privacy Policy

Bottom line: Apple have long claimed that without the passcode an iPhone is basically inaccessible and now the FBI have had a judge order Apple to disable this protection. This is a pretty full on hack. In his open letter, Tim Cook, the Apple CEO basically said we'll have to rewrite the code, install it on this iPhone and then let the FBI in. Oh and now that's out in the open, welcome thieves, pirates and governments who want access to iPhones! Prior to iOS 8, Apple had assisted law enforcement with access to iPhones in the past, but now they're saying we can't do this anymore. Tim Cook's letter is here: Apple Letter to our Customers and all the details are here.

My analysis of what this means for us, the consumer, is that once again law enforcement and government have requested the capabilities to break through our privacy. At the moment, Apple users are reasonably confident of the privacy of their devices. If you lose it then best of luck to anyone trying to break into it. Different to an Android device with an SD card in it - where you could pinch the SD card and get whatever you want, unless it's encrypted. The iPhone does this already. I was looking the other day at the security of Apple Notes. It's encrypted on the device, in iCloud (if you use it) and in transit between the two. I'm not sure it's encrypted on your Mac though - something to check. My point is that the security is pretty good out of the box. Not being a chap involved in dodgy behaviour I've never had a real need to have heavy protection on my iPhone but I was certainly pleased to see that I had decent encryption on the device.

I think there's a parallel here between Pandora's Box and introducing a back door into iOS. When Pandora opened the box and let evil into the world the big corporations were born (yes I have a hate for them and yes I'm aware of the inherent irony of using Blogger to write this - a part of the biggest corporation Google!), in this instance, once the iPhone's security is broken to allow law enforcement a backdoor in, that's a genie that doesn't go back into the bottle. From there, it's relatively easy to see how the police or feds get compromised and that backdoor gets into the wild. Voila! No security any more for people's devices and anything you put on them might as well be in the public domain. Apple have said they won't comply with the order and that it's technically very difficult. I believe them. Encryption is tricky at the best of times and getting it right is hard. Breaking back into it, once you've worked so hard to establish it, isn't easy.

This story has garnered a lot of press in the last few days and there are plenty of people talking about it which is important. The right to privacy, which I think is closely linked to the core desire for security of oneself, is critical. I hope that Apple fight this one hard and/or make it incredibly difficult for the hack to be repeated. I understand law enforcement need access to stuff to prosecute etc. I do understand that. But with so much warrantless invasion of privacy I'm not inclined to be a huge supporter. In a small scale this probably seems callous - those poor people murdered by the crazies and I don't want to know the truth about it all! Shame on you ryv! But in the broader scope, this affects all iPhone users' security and I'm concerned about that too.

I'll be keeping an eye on this issue as it develops - if you're an iPhone user, you should too.