Friday 29 April 2016

Misgivings about the Internet of Things and hyper-interconnectedness

Last night I heard a lecture delivered by a chap from HPE - HP Enterprise for those of you who forget about their big breakup. He is in charge of innovation in the Asia Pacific region and he spoke a lot about the Internet of Things (IoT), drones, driverless cars etc. Sure, we really are moving towards a world where human interaction becomes far less of a factor when driving, delivering packages or even turning on the lights at home...

It really got me thinking about the impact to humanity and whether the pros will outweigh the cons. The hyper-interconnectedness of the world has its upside but I think its darker downside needs light shone on it. If your whole house is wired with sensors, motors and control units, then is it a stretch to muse on when the first house is compromised? If an attacker took control of your home just what could he do with it? Annoy you with the lights going on or off, tracking your movements throughout the place, knowing when you're asleep and therefore vulnerable or good old fashioned voyeurism. These options just popped into my head in the last 30 seconds and I'm a reasonably good, respectful and law abiding person. Imagine if I was a naughty ne'er do well?!

Quite apart from the issues inherent in being completely trackable and giving away any semblance of privacy is the issue that arises when the power goes out. Can one still open the doors, the blinds or the windows if it's all automated? And I have concerns over what might happen when the power comes back on and the house receives a power surge that damages the systems controlling all these components. There is a greater level of complexity to a house with IoT than there ever was before and the delicacy of these systems is not to be underrated.

Moving away from IoT to driverless cars and drones. The HPE chap (Roger something...) spoke at length about these too. While I've watched the whole notion of autonomous vehicles with some interest over time, I quite like driving and I'm not really prepared to give that up. I completely understand why some people hate it, why it would be a great thing for the elderly for example or infirm to help them get around, but I heard some absurd claims about reduction in parking spaces or some other nonsense. Autonomous vehicles still have to stop somewhere while you go and do stuff. How do you reduce the number of carparks exactly? I can also foresee more of these vehicles on the road than now, with more traffic as people who haven't got licenses or who can no longer drive take advantage of a car that will drive them anywhere. The limiting factors on road users will change, and some of these that move people off the roads (rightly or wrongly) will potentially disappear. Thinking about this from the transport and logistics perspective it's possibly an awesome thing to have trucks that can drive endlessly in a non-stop cycle with none of the pesky driver considerations we have now... but I can't help but think of the cost to human jobs. I worked in transport for a while and there are guys who genuinely enjoy getting out and about in the trucks, driving line haul or pottering around town. These guys (mostly) have a great skill set and will not be required after the introduction of autonomous trucks. On to the sidelines for you - and then we have killer trucks chasing us like in the movie "Fortress".

Drones are becoming a big thing and will continue to get bigger over time. With many companies hoping to use them for deliveries - especially medicine or aid into remote areas - I think they're great. The potential for help is enormous... as is the balanced potential for harm. Drones already kill a fair number of people day to day in war torn areas as the US or other countries deploy them to blow shit up. Spy drones are already about looking into things they shouldn't be so privacy is going to take yet another hit, and the risk of some idiot flying their stupid drone into a plane or helicopter - yeah that will happen. We have the guys flying their drones over fires and things - which is a great tool for seeing what's happening (don't get me wrong - they have some amazing uses that preserve human life) but also restrict what other aerial vehicles can do (because they are in the flight space).  We have had water bombers diverted from fires with real concerns about them hitting drones. I think the issue there is more of command and control than the actual drone being a problem - coordinating a fire response is no trivial issue and someone with a drone in the way is a problem.

The end result of all this extra computer stuff floating around is a far more cluttered Internet and let's be honest - security is a massive issue. Complex software in complex hardware = mucho issues with security. Anyone who has done some programming knows that as complexity goes up, so does risk of an issue arising in the code. The reliance on the Internet's infrastructure will increase and although the 'net is a most distributed system there are definitely ways to greatly impact a country. Imagine for example if someone attacked the Internet systems of a country and took down its ability to manage routing - all those data packets with nowhere to go. How would it affect daily human life? I can't get my IoT coffee machine to work or I can't get my medical aid system to work because both of them connect back to a central management system located either at home or somewhere else. Uh oh. Can we get the 'net back up? We've already seen hospitals compromised because of holes in code or heaven forefend - people have no clue and use shite passwords or it's set up in a way that might be more user friendly and is far less secure than it could be.

Before we as a civilisation dive head first into the pond of hyper-interconnectedness I really think we need to slow down and understand the ramifications of what is going to happen. Big companies are not going to care - they have to make money and look after their shareholders and screw anyone else. The government needs to be across this and understanding it with techno-geeks involved to get through the heavy nerd stuff and legislate to improve protections and procedures around the IoT and associated systems. For example - drones are great, until they kill someone through stupidity or neglect. So let's try to legislate it and get it out there what you can and can't do. Something is better than nothing and attempting to get something in place is better than sitting back saying "I'm not sure - it seems like techno-babble to me!".

I for one welcome our new robot overlords when they arrive. I'd prefer the future to be a mix of humanity assisted by robots and IoT and not this:

I tried but I really couldn't resist putting up one of these pics. Ah pop culture. I hope that in some small way I've opened your mind to some of the other side of the issues I've talked about. I'm very excited about all these new gizmos and things - I can't help it - I'm a geek too. I just have a pessimistic side that impels me to consider the impact of new technology.

Monday 25 April 2016

More on Digital Forensics

So the SIFT workstation is up and running - almost. My slow internet connection is making the updating take a long time. Yesterday it ran almost all day to get SIFT on the machine. Lots of changes from stock Ubuntu - app installs, timezone changes, and the theme has been tarted up.

I looked at the digital images yesterday and thought about how to go about all of this. It's a little bit more complex than I thought. I know what I want, and I know what the output should be, it's the pesky bits in the middle that are causing me some annoyance. Specifically the steganography output and how to carve the text files to get into what is clearly inside them. They are far too large for the text that they have.

I understand the methodology - it's quite clearly outlined in the text book, but there's a big difference between having your head around that and applying it. In order to write the report I have to step through things fairly systematically - it's the way the old brain works and getting that system into some sort of operational semblance is the trick. There are some great cheatsheets on the desktop of a new SIFT install, for which I'm profoundly grateful. I'll read through these and have a good think.

There is a lot of info about forensic work out there. The glut of it makes it time consuming to go through, yet enjoyable at the same time. Once I've had a bit more time, I'll make known some of the posts that I've found interesting and relate my own experiences here!

Sunday 24 April 2016

The Foray into Digital Forensics

As part of my tertiary studies I'm now working on Digital Forensics. Our latest assignment includes some steganography, some bit shifting and writing a forensic report on a made-up or actual scenario that we find or invent.

I thought it might be of use to write a bit about the experience I'm having getting into this. From the course we are supplied a variety of different tools with a variety of different capabilities. Being a Linux chap, I thought it would be cool to go into the open source tools. Running ElementaryOS on my laptop has made this difficult and more than a little frustrating. Perhaps because I'm not big on what the best tools are, or the install methods - but I'm experiencing annoyance. I'm currently downloading Ubuntu 14.04 Desktop to put the SANS Investigative Forensic Toolkit (SIFT) version 3 on it. Details on SIFT can be found at http://digital-forensics.sans.org/community/downloads. I'll work this later - I'm still waiting on Ubuntu to download. It doesn't help living out in the bush.

The Windows tools I have played with thus far include:

  • ProDiscover Basic
  • Hex Workshop
  • OSForensics
  • WinHEX

I've also found Notepad++ to be quite useful. It's a very powerful notepad replacement I find useful for many applications of work - find it here: https://notepad-plus-plus.org

The textbook also seems pretty good - "Guide to Computer Forensics and Investigations" Nelson, Phillips and Steuart are the authors. Lots of good examples and methods for working through things. Annoyingly, but this is to be expected, it all has a US slant on it, including laws and rights. Translating them into Australian can be tricky at times. There are a lot of good resources on the Net - SANS as I've already mentioned, CERT and AusCERT aren't bad. Google is, as always, your friend.

I've spoken with some friends about this and they immediately assume it's like CSI-Cyber and we use cyber to describe everything - it's a cybercrime, it's a cyberstalking, it's a cyberpen I'm writing on this cyberpaper with etc. Of course it's not like that at all. Lots of painstaking attention to detail and writing a *lot* of notes. You can't blow through this stuff on a hunch - stupid TV shows seem to make it a lot easier than it is and people jump around with ideas and stuff all the time. What a bag of pish! At any rate it's fascinating stuff if you have the patience and technical background for it.

I'll update and add a post as I play with SIFT and with the particular case I'm investigating.

I have spent some time on the digital forensic reddit https://www.reddit.com/r/computerforensics/ which has some great info and great help for people. I thank the contributors for their time and effort. Was looking through a big list of blogs and stuff about forensics. Sad that so many of them have fallen away. There's some gold in amongst it though. On to the SIFT install!

Saturday 16 April 2016

The rise of ransomware and the devil that is Cryptolocker

Over time, with advancements in anti-virus and anti-spyware, the ne'er do wells would eventually evolve. Their cunning and understanding of human behaviour has resulted in the devil that is ransomware. An innocent email from Australia Post arrives or a letter from the Australian Federal Police turns up in your inbox - most people are curious, even excited by an unexpected package, or concerned about a letter from the AFP and so they click the link. Boom! All their data starts to be infected - encrypted with heavy encryption and a lovely letter to say pay us or never get your stuff back.

We've seen it live and in the field on at least 5 occasions and had one or two clients actually pay the ransom - buying their Bitcoins and getting their decryption key back. Sadly, we've had people try this only to find out the website they need to talk to has been closed down by the authorities and their data irretrievably lost - until we restore it from backups that is... but sometimes even this doesn't work if people haven't moved data to the servers for backup. It's not good.

It seems like it was inevitable that a new mode of making money from people would have to emerge. Stealing credit card details and personal information - while profitable - is also fraught with danger of being identified when you try to use them. An anonymous ransom - helpfully supported by an anonymous currency - means a relatively straightforward exchange - a key for your own data back. It's kind of elegant in a way. This doesn't mean I don't think these people should be prosecuted - I've seen and experienced the stress and pain of business owners as their data becomes inaccessible and I'd love to pass that back to the perpetrators.

There are ways and means of protecting yourself from this, but it comes down to being systematic about it - just like these thieving bastards have been. Consider your vectors of risk:

  • external influences
    • email
    • websites
  • physical influences
    • users
    • dodgy USB keys
  • active attacks
    • hack attempts
    • social engineering

There could be more.

Defending against these requires defence in depth. Some of these things are passive - they do the job all the time, with managed updates - and some are active - people actually need to think about what's happening. Here are a few examples:

  • email scanning (externally if possible)
  • strong firewall
  • internet scanning (if possible)
  • anti-virus and anti-spyware on the machines
  • Chrome instead of good old IE (or awful Edge)
  • user education - the single best form of protection and typically the one with the least amount of time and resources put into it. Honestly, it makes me experience sadness that people aren't trying to get their staff skilled up a bit on the computer. It doesn't take all that much!
  • backups
  • backups of backups offsite
  • restorable backups

Of course, this kind of systematic approach doesn't just cover the awfulness of ransomware, but could be helpful against many other risks - attacks, environmental (fire / flood / famine / Justin Bieber), malicious employee activity (still identified as the Number #1 risk by many security dudes) and other "out of the box" issues.

I haven't mentioned patching or updating your system although I know this is critical. Updates are a beast of a thing, and anyone caught with a SharePoint update that means a database rebuild will feel where I'm coming from with this - security updates can cause more pain than if the damn thing was hacked or compromised in some way. Understanding the impact of an update on key infrastructure is very important and it isn't a passive security mechanism like some of the other things I've mentioned.

Reporting is also a tricky thing - yes it's great to have all this stuff going on, but who wants to plough through 20 or 30 system generated emails in a morning? I have for the last 12 years and it's bollocks. I don't care for it at all, and to be honest - it becomes so rote and routine that I miss things (sometimes very important things) because I'm just skimming. I urge you to consider some sort of consolidation report or webpage with information colour coded according to rules so that things going wrong are immediately obvious. We only have a limited attention time (and I think I've written about this elsewhere) and so we need to make sure that time is being carefully put to use and not wasted on stuff that's all OK and we don't care about. Likewise, with Nagios or other monitoring software I'm using, the thresholds for things going wrong are quite high - i.e. tell me when something is really going to be in trouble, not that it's just experiencing some sadness now.

This post has diverged somewhat from cryptolocker, but the principles in keeping that piece of garbage out of your network are similar across a wide range of threats. 

Thursday 7 April 2016

XenServer 6.5 and Windows Server 2012 Slowness

Recently at more than one site we've been experiencing slowness with file transfers, and general 2012 behaviour. It's maddening because task manager, the performance monitor and XenCenter show very little to no load across the servers. Having reviewed it more thoroughly and turned off Windows file security and made no progress, we've started looking into the hardware that makes up our XenServers.

It's a bit of a mishmash of gear - an IBM x3650 and a generic sort of a server make up the two physical hosts. They don't have a huge amount of power under the hood, but run a couple of VMs quite well. The 2012 server runs appallingly though and I think I've figured it out.

The x3650 has a Broadcom chipset on the network cards and this doesn't play well with others. The other generic beast of a machine has an Intel chipset on its network cards and it runs fine. Yesterday I installed an Intel network adaptor into the x3650 and lo and behold, it's running better than it has been - significantly better. A click on the start button could take 20 - 30 seconds to get the menu to pop up in 2012 server, now it's almost instantaneous. My guys using this server for stuff are much happier.

In earlier iterations of XenServer I haven't noticed this so much, but in this most recent one I certainly have. XenServer 6.2 didn't seem to have this issue, so I wonder what has changed in the driver management to have caused this issue.

If you have servers running with odd slowness, definitely check this out - we have a much larger site with 2012 servers running on hardware with Broadcom chipsets and we are about to install new Intel cards to see if that fixes the problem. Stay tuned - this could be a real head scratcher if you come across it, and if the fix is a couple of $500 NICs then it could save you a huge amount of time and effort.

Playing with Proxmox

 Up until recently I've used Hyper-V for most of my virtualisation needs. Hyper-V is a fully integrated Type 1 hypervisor and comes with...