Slashdot Mirror


User: MrYowler

MrYowler's activity in the archive.

Stories: 0
Comments: 20

Comments · 20

  1. A better way to shut down botnets... on Researchers Cripple Pushdo Botnet · Score: 1

    Shutting down, isolating, or disabling Command and Control (C&C) servers is an ineffective approach. Others have pointed out that shutting down a part of the C&C server network will likely only result in the next update push including a new C&C server list. Even if you succeed in shutting down the entire C&C server network, the botnet operator can simply point one of the C&C server hostnames to a new server, on a new provider, and push a new server list. You can jail the perpetrator, and the network continues to operate - probably under the control of one of the previous botnet operator's associates. You can pull all of his domain names, and he will still probably have a few C&C servers that are addressed by IP address. You can completely stop all traffic to these servers, yank his domain names, and throw him in jail - and what you now have is a "sleeper" botnet, that comes to life as soon as someone figures out that it's there, registers one of the domain names, and sets up a C&C server on the appropriate hostname - and don't think for a second that someone won't try it. The news story serves as an advertisement for a free, in-place botnet, looking for an operator. Being the suspicious sort, I'd expect some shadowy governmental entity from some shadowy nation, to absorb such a resource, perhaps for later use in some sort of cyberwarfare. Or maybe one of these shadowy "security intelligence firms" that someone mentioned... :) The only effective way to make a real dent in a botnet, is to shut down, disable, or isolate the bots themselves. And the solution requires some permanence. I like the cluster-bomb idea, but I suspect that the collateral damage might serve as a deterrent to that sort of action. Perhaps a better approach would have been to take control of the botnet, and then instruct it to remove itself. If not that, then perhaps a C&C server list update, containing no servers? A directive to stop trying to contact servers, or to make a contact attempt only once every hundred years? Law enforcement would probably be prohibited from such action, on the premise that it is invasive in the same manner as the original intrusion, and might therefore constitute a violation of law. But a nice shadowy "security intelligence firm" is probably under no such constraints... :)

  2. Re:Question on Hackers Broke Into FAA Air Traffic Control Systems · Score: 1

    Interesting factoid... NSA Wally and I recently visited an FAA remote air traffic monitoring location which was secured by an ancient cylinder lock and alarm system with a poorly hidden override switch.

    Once inside the facility, network access was frame-relay, and traffic interception appeared trivial. Authentication controls were antiquated and simplistic, and firewall/IDS countermeasures were useless when physical security was that lax, and most facilities were unmanned.

    One hopes that the systems involved are non-essential - and not connected to essential systems or accessed using the same authentication credentials. It is disturbing enough to know that many facilities use the same physical keys and hidden alarm override mechanisms, for the convenience of the maintenance and repair staff.

    Seriously - if I were a terrorist looking to disable FAA air traffic control or communications systems, it would be much too easy to collect intelligence from these facilities, and then use that intelligence to disable them at key locations and times. So easy, in fact, as to appear almost intentionally so.

  3. Credit checks! on True.com Wants Warnings On Personal Ads · Score: 1

    I think that true.com ought to have to run credit checks. I don't want some asshole telling my daughter he's a millionaire, and have her falling for him, only to find out that he's penniless.

    And this woman I'm dating; I can't tell whether or not she's a gold-digger. She rides the bus to her job as a cashier, but she only dates guys who drive $30,000+ cars. And she is always putting her hands in my pants, but instead of pulling out my penis, she keeps going for my wallet...

    Honestly. Sure, there are lots of things we'd like to know about a dating partner before we get involved - and lots of things we'd rather not reveal, until after our dating partner is involved enough that we won't lose them over it. Worse, there are dozens of self-perceptions that would be horribly thrown awry, if we had to face the truth of our own dating scorecards. You ain't all that. You can't get all that, based upon thinking that you're all that. Get over it, and try learning to love someone for who they are - good and bad - and not who you want them to be. Because you can bet that even if you genuinely believe that you're who they want you to be - you ain't. The things you think make you a stud are entirely likely to mean nothing at all, to your dating partner - and the things that they love you for, you are equally likely to be completely oblivious to, about yourself.

    The Wiley CyberKitty

  4. Re:So? on True.com Wants Warnings On Personal Ads · Score: 1

    You don't understand... On the basis of the success of this kind of dating, these people just might breed...

    The Wiley CyberKitty

  5. Cryptography! on Bank Of America Loses 1.2 Million Customer Records · Score: 1

    BofA can cry 'victim' all they like, but there is a HUGE difference between allowing your own stuff to get stolen, and allowing other people's stuff to be stolen. People who bank with BofA have a reasonable expectation that BofA will take reasonable steps to ensure that data will be protected. Among these reasonable expectations, is the expectation that data which is stored or transported will be ciphered when the bank does so. If cryptography is the rule for data transport on the Internet, then it should also be the rule for data transport through the airports. If the only reason that they cipher data online, is so that the public has the perception of safety, then it makes sense that they would not cipher data on terminals, across internal data networks, or on tapes that are being transported. If they genuinely cared about the confidentiality and integrity of that data, however, then they would apply cryptographic controls any time that this data is in transit or storage. That they don't, is a reflection of the fact that the loss of this data does not hurt the bank!

    Standing upon my soapbox, again... Information security policies are designed to protect the organization which creates/implements them - not the customers, vendors, employees, or affiliates of these organizations, and not the public at large!

    Until these organizations are held directly financially accountable for losses as assessed by the victims (and in this case, I do not include BofA as a victim, since this was the result of their own gross negligence), these organizations will not take steps to protect this data, because it is not cost-justified to do so. They don't protect you out of love for you, or because they care about your feelings, no matter how hard they push that line of bull in their commercials. They do it because the bottom-line cost of not doing it, exceeds the cost of doing it - and that's all there is to it. When it's cheaper to be incautious, because people say "well, it's not their fault - they were the victims, here!" - that lets the bank off the hook, for failing to implement simple cryptographic safeguards, and you can bet that they won't start doing so, as long as they are let off the hook about it. In fact, if you are a customer, that's exactly the bet that you are making.

    But wait! There's more...

    If you write checks to BofA customers, and BofA procedures fail to protect your check images, then YOU TOO are at risk! YOU TOO can enjoy the benefits of having all the information required to pull check drafts out of your account, given away by a commercial entity that you not only don't do business with, but that you are not a customer of, and who therefore is not beholden to you in any way! How much would you pay for this, NOW?!

    But there is still MORE!!!

    If you receive checks from BofA customers, then the bank also maintains a record of YOUR transactions! How much are you willing to pay NOW ???

    I keep saying this, and apparently I'm speaking some sort of martian language... The ONLY way that we are EVER going to reliably get control over the exposure of personal and financial data, is to hold the organizations which retain and disclose it, directly, personally, financially responsible for the damage done by unauthorized disclosures, as assessed by the victim/s. It should go several steps further, in fact; there should be punitive damages, to cover the losses incurred by cases that are not disclosed to the victims, and there needs to be an aggressive system of consumer oversight and auditing, to ensure that these systems are rigorously tested and that compromises of data are consistently reported to the victims, so that they can take such corrective action as is possible, and such recuperative and punitive action as they should be entitled to.

    If you loan your car to your friend, and he parks it in a dan

  6. You'd never see a dime... on Microsoft Will Pay If Its Bugs Damage Your Data · Score: 1

    If it is gone without a trace, then you can't prove that it ever existed. Wanna bet $5 that Microsoft demands a bunch of compelling evidence of the problem, before they shell out on it?

    The Wiley CyberKitty

  7. Re:As this becomes commonplace... on 100,000 More Social Security Numbers Exposed · Score: 1

    Actually, this makes identity theft WAY easier. If all of that information is stored in the fraud-detection or credit reporting database, then all I need to do is compromise one database, to get ALL of your identity keys. Right now, you can just cancel that credit card account, when the number gets compromised - but what if the attacker knew everything needed to apply for a bevy of new cards, in your name - cards that you don't even know exist?

    Nope - even authentication is not a complete answer. The people that maintain these databases will simply store your authentication keys in them, for fraud-detection and identity verification, and phishers will start phishing for the authentication keys, as well. We need to hold the people who store this sort of information accountable for disclosures, when they occur, and they need to be accountable for damages as assessed by the victim - not as assessed by the organization whose negligence resulted in the disclosure.

    Nothing less than accountability to the victims will deter these organizations from treating your personal information as a commodity!

  8. Not Good Enough! on 100,000 More Social Security Numbers Exposed · Score: 1

    Not good enough!

    Fraud detection and monitoring services are cheap and inadequate. My personal data is worth a lot more to me than the fraud that can be committed with it.

    I don't want strangers to be in possession of my Social Security Number, because I'm stuck with that number for the rest of my life - and a couple of years of someone watching my credit report for me, does not make up for the damage that the disclosure might do decades from now - or even after my death. (Defrauding the estate of a dead person is unsportingly easy, since no one but the dead guy really knows what his financial obligations were.)

    If my personal information is disclosed, then things like my home address and annual income are revealed - telling potential burglars who has the expensive stuff, and where to steal it from. Credit report monitoring and fraud detection do not cover my risks or losses, here, either. If the number of people in my family is released, then they know how many kids I have - perhaps even their ages - and they now know who to kidnap and hold for ransom - or just sell into slavery or the child pornography trade. None of these things are covered by a couple of hundred bucks spent on watching my credit report for abnormalities.

    The core of the problem, here, is (and I said this in the GMail thread, but apparently no one listened) that information security policies are designed to protect the companies that create them - not the customers of those companies, nor their employees, nor the public at-large. As long as these companies can place nice low values on the losses that they experience, when they disclose information that YOU value much more highly than they apparently do, they will continue to protect this information inadequately, by the standards of the victims.

    Frankly, if they had to be accountable for damages as assessed by the victim, they would almost certainly do one of the following:

    • take extreme caution with the handling of this sort of data;
    • stop collecting and or retaining it, or;
    • fail to report when it is compromised.

    To guarantee that we do not experience the latter option, we really need to make credit and information-reporting agencies pay a tax for the right to run such services, and use the money to fund a consumer-oversight agency, that audits them relentlessly, and often. Assuming, of course, that we can trust such an agency not to be influenced by the organizations that it oversees. That's not a given; the FCC and various state Public Utility Commissions are a prime example of this type of failure.

    In any event; my personal information is a great deal more valuable than the cost of a fraud detection or credit monitoring service. Having them pay only that much, for revealing it, is not good enough!

    The Wiley CyberKitty

  9. Re:This was more about their 15 minutes than Googl on Gmail Messages Are Vulnerable To Interception · Score: 1

    :) Eh. I know how to file bankruptcy. Frankly, at this stage of the game, the only thing keeping me from doing so, is that I have no assets to protect.

    The point is well-made, however, and I'd be likely to take it more seriously if I were not already an excellent candidate to go insane with a high-powered rifle in a bell tower, somewhere... ;-P

    That, however, is part of the point of pseudonymity - it makes the rich fellow's job at least slightly more difficult, and the lack of reward, at the end, makes the effort essentially pointless. Better to pursue me for criminal action, as so frequently is the case when a vulnerability is publicly reported. Even that, though, just gets me three hots and a cot, and all the luvin' I can't handle... :-P

    Never forget; death ends the pain. And the man who believes that he has nothing left to lose, is the most dangerous of all.

    Hopefully, it doesn't come to that, and the tiny bit of rope that still has me connected to my sanity, will hold.

  10. Re:A Job? on Gmail Messages Are Vulnerable To Interception · Score: 1

    Hey, at least we were looking for our bug... ;-P

    Seriously, though - I didn't even think this would make Slashdot headlines, much less result in a job. Sure, that'd be great, but get serious! I was just screwing around with a document that I didn't think anyone would ever see, for the benefit of NSA Wally, since he was prodding me to do it. Hubris? Please... I never expected YOU to be reading this, much less Google... ;-P

    And for the record, yes, I did try to report it to Google, but to no avail. If they got my report, I got only an anonymous autoresponder, and saw no further indication that the problem was ever going to get human attention.

    I'm frankly becoming sorry that we reported it, at all - there seem to be more people down on us for saying something, than there are people up about the fact that Google responded (appropriately) by solving the problem. Honestly, I didn't even expect THAT to happen...

  11. Re:Rather useless... on Gmail Messages Are Vulnerable To Interception · Score: 1

    The probable practical application for the bug would have been to sniff for passwords being emailed to users, from PayPal, eBay, E*Trade, vendors who retain financial information for 'customer convenience', domain name registrars, and/or banks. Compromises of these accounts, on an opportunistic basis, would be possible - with enough raw data collected.

    No, it's not a way to 'hack' GMail accounts. I'd have been a lot more aggressive about reporting a bug of that nature, had I run across one... ;-P

  12. Re:Hacker Hubris on Gmail Messages Are Vulnerable To Interception · Score: 2, Insightful

    Yaknow...

    It's not as though I weren't professionally credentialled, myself. I do have a CISSP and Cisco credentials - I just don't wave them around like badges of honor. I worked as a network programmer for guys like Inktomi (now Yahoo) and WebTV (now MSNBC) for several years, after starting two of my own very successful telecommunications service companies. That things went south for me, during the crash of the Internet economy, does not mean that you are somehow superior - just that you were lucky. Or perhaps young.

    To demonstrate system complexity; I worked for the US Air Force, writing code to perform gamma spectral analysis in a nuclear chemistry laboratory, at one time. As for qualifications; I have worked for two organizations on high-capacity email systems; WebTV (now MSNBC) is one of them. I have ten years of college, 20 years of professional experience in various information technology roles, and a wealth of paper credentials.

    I *do* have the experience and intelligence to both assess and correct the problem, and I was fairly certain that GMail would be capable of correcting the problem in short order, if/when they chose to do so. And while I'd love to work there; no, I don't seriously expect this report to get me hired. There is a little more to the interview process than that, I suspect... ;-P

    It *is* possible that the person who sees that you're bleeding - he just *might* be a surgeon.

    You are guilty of the same assumptions that you accuse us of. You have assumed that we are a couple of ignorant fools who stumbled onto something, and you are degrading us for having the arrogance to publicly report on it. You further assume that we did not attempt to privately report on it.

    The fact is that we tried. We could not find a reporting channel that elicited an apparent response, and so (with much needling and pushing from NSA Wally) we reported on it, somewhat more publicly. I frankly did not think that anyone but NSA Wally and I would even give a damn. And indeed, no one would have, except that we provided a detailed roadmap to the vulnerability. In fact, I seriously doubt that we would have gotten anywhere with the article, if NSA Wally had not happened to run across a username/password pair, in one of the messages that he intercepted.

    And while I realize that our use of handles gives rise to the immediate assumption that we are '3v1l h4x0r5', the fact is that we like our privacy, and the pseudonyms serve to help us maintain it. You'll have to ask NSA Wally why he needled me into writing the article, or why he has the name that he does. I think the latter has something to do with a bunch of people accusing him of being a member of federal law enforcement. I think that he did not want to argue the case. The former, I could not even speculate - but I'm not fond of arguing, either, and the article did not require much effort to write.

    I seriously doubt that we were the first people to find the problem - more probably, we were just the first to bring attention to it. GMail accounts may have been being compromised in this way, for who knows how long - and this information used to compromise eBay/PayPal accounts, Amazon.com accounts (and the financial data that they retain for customer 'convenience'), and who knows what else. It is a fundamental fact of information security policy development, that such policies are designed to protect the organization that creates them - not necessarily the users, vendors, employees, or affiliates of the organization. If you publicly report on these issues, when you find them, then yes, there will be some abuse by the script-kiddies who hear about it. But the issue also suddenly becomes important, and resolution is usually rapidly forthcoming, because the problem is now high-profile. If you don't report on it, it may remain unknown to the folks who fix these things, or it may remain low-priority, because it does not represent a risk to the organization responsible for fix

  13. Re:This was more about their 15 minutes than Googl on Gmail Messages Are Vulnerable To Interception · Score: 1

    Oh yes. Sue.

    NSA Wally makes slightly more than $300 per month working for his uncle, and I make about $450 per month putting cans of beets on grocery store shelves.

    Take it all! Start with our crushing personal debts, and then you can have this flu that I have neither been able to shake, nor do I have medical coverage to get help with.

    Yes, sue. Take us for all we're worth. That should amount to slightly less than nothing... ;-P

  14. Re:This was more about their 15 minutes than Googl on Gmail Messages Are Vulnerable To Interception · Score: 1

    CyberArmy? Who said that?!

    Yes, I'm that same MrYowler... :) Of course, that says nothing about my many professional information technology and information security credentials, but if you've already made up your mind that I'm an idiot, then there isn't much point in me trying to change your opinion. Remember, though, that your opinion says a great deal more about you than it does about me... ;-)

  15. Re: If they would have sent it to Google on Gmail Messages Are Vulnerable To Interception · Score: 1

    Yep. We did.

    In fact, the 'report a bug' link did not appear, in my GMail account. I had to use one of NSA Wally's other accounts, just to find out what the link was.

  16. Re:Well hey.. on Gmail Messages Are Vulnerable To Interception · Score: 1

    It seems that they did... :)

    And yes - they do have some very sharp folks working there. My acerbic comments are mostly borne of the fact that I'm not one of them, and my place in life is just slightly higher than your average illegal immigrant... ;-P Call it a bit of jealousy, if you like.

  17. Re:Newsflash on Gmail Messages Are Vulnerable To Interception · Score: 1

    If only it had been so easy to reach them, in the first place... ;-P

    I'd have loved to have been able to report it quietly, and just seen it fixed...

  18. Re:Are you communications private? on Gmail Messages Are Vulnerable To Interception · Score: 1

    That was my fault. As I have indicated in several other replies, I was the 'editor' in our little research team (I used to teach English to ESL students, some 20 years ago), but I honestly did not think that this would ever see a reader.

    Sorry for the minor boo-boo. I'll try to be more grammatically correct, in the future... ;-P

  19. Re:A Darker Shade of Grey Hat on Gmail Messages Are Vulnerable To Interception · Score: 1

    Feh. I have reported issues like this many times, and the nearly universal result is that:

    • my accounts get cancelled;
    • I become the target of blame for any compromises that they cannot otherwise easily explain away;
    • the bug does not get fixed, and;
    • I continue, despite significant credentials, to be employable only as a stockboy at a grocery store.

    Forgive me my smarmy twitness, but the article has been up on SlashDot - much to my surprise - for about seven hours, and I could not read it because I was engaged in the important business of putting ice cream out where small children could insert their fingers into it.

    I did not seriously think that the article would get printed, much less that any action would be taken on it, and I certainly do not seriously expect to ever get a job out of it. I have spent years licking the tail ends of suit-wearing twits while they tell me how little I know about this or that - or, conversely, while they tell me how overqualified I am to make a living. Professionalism and courtesy will buy you a kick in the ass, if it gets you anything at all. I still do it, most of the time, despite the worthlessness of the effort, because rudeness doesn't change anything, either. But you know, there is more than one way to be a twit. Thanks for condescending to us. We were very probably not the first people to discover the problem - the rest simply chose not to tell anyone about it. Which would you prefer - the reported discovery, or the exploited one?

    I'll also point out that while you label me as a darker shade of grey, the darker circles label me a browner shade of white, for having spread the information around. It's an interesting change, in the industry, to see us moving away from the ethical imperative that 'information wants to be free' - on both the black and white sides of the fence. Where would the people who are making this move, be, if that imperative had never been in play? Do you also blame SlashDot for printing the information? Do you not realize that it is only because people were interested, that it appeared?

  20. Re:Security Category in Gmail Bugs List? on Gmail Messages Are Vulnerable To Interception · Score: 1

    Simply put, there are thousands of systems which are vulnerable to memory deallocation/reallocation data exposures. I run across these things on a daily basis, and this one happens to be in a high-profile system.

    NSA Wally (I cannot be held responsible for his choice in handles!) is the one who thought that this was important enough to make SlashDot - I discovered it last month, and could not be bothered to do a writeup about it. He and I discussed it, and he was fairly excited about the discovery, but my experiences tell me that I am quite possibly the only person who cares. He talked with a few folks from the HBX Networks (https://www.hbx.us/) IRC channel, and they sort of blew it off. It was NSA Wally that poked and prodded me into doing a writeup - in fact, he did one initially, which I then edited. Apparently, I still missed a few grammatical things, but seriously; I did not think that it would ever see the light of day. Until today, I did not even have a SlashDot account!

    The actual cure for this problem, would probably be a wrapper for the malloc() and/or free() functions, that would clear the contents of memory as it is allocated (or deallocated). This would prevent these types of data exposures on shared systems of all sorts - whether the sharing occurs at the process or user level. Even the BSD jail() mechanism does not adequately partition memory, to prevent this sort of exposure. It could be done in the memory manager, in the function library, or in the application - but nobody seems to do any of these things, and the result is that systems often run with their zippers down. I see it so much, and so few people give a damn when I point it out, that I've stopped pointing it out... ;-P

    I'm not suggesting that the folks at Google are a gaggle of monkeys with keyboards - much to the contrary; they are an exceedingly well-run organization, that has their priorities in the right places. I really do wish that I worked there. Unfortunately, like most such entities, it is nearly impossible to draw interest or attention to problems, when you find them, and security staff give the appearance of purposely distancing themselves from their users. I don't even have the 'report a bug' link in my account; it was NSA Wally that had the link, to be able to include it in our suggested solutions to the problem. So... when you find an issue of this nature, that really deserves a fix at the operating system level, and nobody even knows who you are - what do you do to get some attention to the issue? Why, publish it on SlashDot, of course! :-P

    I dunno... NSA Wally came up with the idea to publish, and chose the forum. Me, I'm a stockboy at a grocery store, with Cisco and CISSP credentials. Ability and training have carried me to the exalted rank of "peon", in life, and nobody listens to a peon. I'm amazed that the article even got published... :)
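The "wrapper for malloc() and/or free() that would clear the contents of memory" suggested in comment 20 is easy to model in a few lines of C. The block below is an added example, not code from MrYowler, NSA Wally or Google: it uses a single-block arena allocator (names `arena_alloc`, `arena_free_unsafe`, `arena_free_scrub`, `secure_zero` and `secret_leaks` are this example's own) so that the chunk reuse is deterministic rather than depending on a real heap's behaviour. Tenant A writes a constructed credential string into a block and frees it; tenant B gets the same block next and checks whether A's data is still there. With the plain free it is; with the scrubbing free it is not.

```c
/* Added example (not from the original post): a tiny arena allocator that
 * models the deallocation/reallocation data exposure the comment describes,
 * plus a free wrapper that scrubs before releasing. All names are this
 * example's own assumptions, not any real allocator's API. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 256

/* One fixed block handed to whoever asks next. This stands in for a heap
 * chunk that the allocator recycles for the next request, which on a shared
 * system may come from another user's session or process. */
static unsigned char arena[ARENA_SIZE];
static int arena_in_use = 0;

/* Zero memory through a volatile pointer so the compiler cannot delete the
 * stores as "dead" just because the block is about to be freed. Same idea
 * as explicit_bzero()/memset_s() on platforms that provide them. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Plain allocation: returns the block as-is, whatever it last held. */
unsigned char *arena_alloc(size_t n) {
    if (arena_in_use || n > ARENA_SIZE) return NULL;
    arena_in_use = 1;
    return arena;
}

/* Unsafe free: releases the block but leaves its contents intact. */
void arena_free_unsafe(unsigned char *p) {
    if (p == arena) arena_in_use = 0;
}

/* Hardened free: scrub first, so the next caller only ever sees zeros. */
void arena_free_scrub(unsigned char *p) {
    if (p != arena) return;
    secure_zero(arena, ARENA_SIZE);
    arena_in_use = 0;
}

/* Two tenants share the allocator. Tenant A stores a secret and frees it;
 * tenant B allocates next and inspects what it received.
 * Returns 1 if A's secret is readable from B's buffer, 0 if not, -1 on error. */
int secret_leaks(int scrub_on_free) {
    const char secret[] = "user=alice pass=hunter2";   /* constructed sample */
    unsigned char *a = arena_alloc(sizeof secret);
    if (!a) return -1;
    memcpy(a, secret, sizeof secret);
    if (scrub_on_free) arena_free_scrub(a); else arena_free_unsafe(a);

    unsigned char *b = arena_alloc(sizeof secret);
    if (!b) return -1;
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    arena_free_scrub(b);   /* leave the arena clean for the next call */
    return leaked;
}

int main(void) {
    printf("plain free:     leaked=%d\n", secret_leaks(0));
    printf("scrubbing free: leaked=%d\n", secret_leaks(1));
    return 0;
}
```

With a real malloc()/free() the same wrapper needs one extra piece the toy arena gets for free: free() is not told how large the block is, so a scrubbing wrapper has to record the size at allocation time (a small header in front of the user pointer, or a side table) or rely on a non-portable call such as malloc_usable_size(). The volatile loop matters in practice; a plain memset() before free() is exactly the kind of store an optimizing compiler is allowed to remove.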