Enumeration, Privacy, Security and the Law

There was a recent arrest of a 19-year-old in Halifax for “hacking” freedom-of-information releases from a government website. He is alleged to have breached section 342.1 of the Criminal Code, which prohibits unauthorized use of a computer “with intent to commit an offence”, carrying a maximum penalty of 10 years in jail. I have seen a lot of confusion about what he actually did. The news story is best read at Global News here and the CBC here, and a few legal precedents are covered by Troy Hunt (an expert in the field) here. But what did he actually do? I’ll try to explain. Let’s say I publish a list of pages for you to view:

https://300m.com/page_1.html
https://300m.com/page_2.html
https://300m.com/page_4.html
https://300m.com/page_5.html

You might notice a gap. You might think I forgot to provide the link, or that the link is somewhere else, or that the 3rd page just does not exist. Checking whether it exists, or what it contains, by editing the website address in the browser’s address bar, changing this:

into this:

that is the crime this kid has been accused of.

But he automated these requests. I would guess he used the tool wget to enumerate the public pages; maybe he was just lazy, and that’s why I do this every day to grab long lists of web pages. I use cURL, specifically to grab a list of pages and their content, using something similar to this in my Terminal:

$ for i in {1..5}; do curl https://300m.com/page_${i}.html -s | grep page; done

and I’ll get something like this, the contents of 4 pages in one go:

You might notice that /page_5.html, even though I provided a link to it above, blocked you. But I authorize you to read that page (just you, of course) using the passcode: 3Q3l9rVuNtOqgM.

So someone visiting that page, either from a link or through an enumeration method such as the one above, can see that it is a blocked resource. Trying to access that resource without having been legitimately provided the passcode would clearly be criminal. Enumeration of publicly available resources using such tools, with no malicious intent, as I and anyone else in technical support, system management or cyber security do daily, and just as this kid did, could never be criminal. The second you use any publicly available resource for a crime, you are a criminal.

What I would consider should be investigated in this case, though, is the leaving of potentially harmful (by the local authorities’ own admission) personal private data wide open on publicly accessible web pages. Security through obscurity (in this case, simply not linking to the pages) never works, is not real security, and is always considered bad practice in the security industry. There should have been some authentication, such as my passcode, at a bare minimum.

And another thing: if you tried to crawl my site in this way (using cURL or wget) too aggressively, say anything more than 50 requests, the automated IDS (intrusion detection system) would fully block you. That’s just good practice. 7000? I guess it’s lucky for them the taxpayer pays for their resources. There is nothing wrong with requesting a large amount of data using tools such as this; it is done all the time. If a site owner does not like that behaviour, the burden is on them to limit it.
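The paragraph says the burden of limiting aggressive crawling is on the site owner, and that a 50-request burst is where the author’s IDS steps in. As an added example (my code, not the post’s, and not any particular IDS product) the script below reads web server access log lines in the common “combined” format and reports, per client, the largest burst of requests inside a one-minute window, the longest run of sequentially numbered paths (the page_1, page_2, page_3 pattern the post describes), and how many requests were refused by authentication. The log lines are constructed for the demo; the 50-request threshold is the post’s, the one-minute window and the client addresses are my assumptions.

```python
"""Spot aggressive crawling and sequential enumeration in web server access logs.

Added example, not from the original post. Assumes the Apache/nginx "combined"
log format. The sample log lines are constructed; the 50-request threshold is
taken from the post, the one-minute window is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# client, timestamp, request line, status, bytes (combined log format)
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Splits "/page_12.html" into prefix "/page_", number 12, suffix ".html"
NUMERIC_PATH = re.compile(r'^(?P<prefix>.*?)(?P<num>\d+)(?P<suffix>\.\w+)?$')

REQUEST_LIMIT = 50            # threshold quoted in the post
WINDOW = timedelta(minutes=1)  # assumption: burst window used for the limit


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m["client"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse(lines, limit=REQUEST_LIMIT, window=WINDOW):
    """Per-client findings: burst size, sequential-id run length, auth refusals."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["client"]].append(rec)

    findings = {}
    for client, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        # 1. Largest number of requests inside any `window`-long interval.
        burst, start = 0, 0
        for i, r in enumerate(recs):
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = max(burst, i - start + 1)
        # 2. Longest run of paths whose numeric id increases by one each time.
        longest_run, run, prev = 1, 1, None
        for r in recs:
            m = NUMERIC_PATH.match(r["path"])
            cur = (m["prefix"], m["suffix"], int(m["num"])) if m else None
            run = run + 1 if (cur and prev and cur[:2] == prev[:2] and cur[2] == prev[2] + 1) else 1
            longest_run = max(longest_run, run)
            prev = cur
        # 3. Requests the server refused for lack of credentials.
        denied = sum(1 for r in recs if r["status"] in (401, 403))
        findings[client] = {
            "requests": len(recs),
            "max_burst": burst,
            "over_limit": burst > limit,
            "sequential_run": longest_run,
            "denied": denied,
        }
    return findings


def sample_log():
    """Constructed log: one client pulling 60 numbered pages in a minute, one ordinary
    visitor reading two linked pages and being refused on the passcode-protected page."""
    base = datetime(2018, 5, 1, 12, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = []
    for i in range(1, 61):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.9 - - [{ts}] "GET /page_{i}.html HTTP/1.1" 200 512')
    for off, path, status in [(5, "/page_1.html", 200), (40, "/page_4.html", 200), (70, "/page_5.html", 403)]:
        ts = (base + timedelta(seconds=off)).strftime(fmt)
        lines.append(f'198.51.100.7 - - [{ts}] "GET {path} HTTP/1.1" {status} 128')
    return lines


if __name__ == "__main__":
    for client, finding in analyse(sample_log()).items():
        print(client, finding)
```

Run against a real log, the interesting column is `over_limit`: that is the signal on which a rate limiter or IDS, as the post describes, would start refusing the client. `sequential_run` and `denied` are context rather than verdicts, since a visitor clicking through a numbered series or mistyping a passcode produces both in small numbers.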

My personal guess would be here, on the information provided, that staff are desperately trying to deflect attention from their own incompetence in managing IT security.

Update from the GoFundMe page, 7th May 2018
Posted by Dragos Ruiu
This has ended in the best of all possible results. The charges have been dropped. My thanks to all that donated and the police investigation that concluded in a just manner. Awaiting final determination of the legal billing, but I am still recommending that any of the generosity that you folks have shown left over as a remainder be applied to a tuition scholarship for this young man’s continuing education.

Governments are always wanting to break encryption

Every time governments try to break encryption on social media, and they are doing it a lot these days, they hold up an example such as, in this case, “Sex Traffickers”, so if you dare question them you are exposed as supporting sex trafficking. Of course this is nonsense: there will always be an alternative secure method that the bad guys will use, and the law-abiding public will be left exposed.

It is hard to tell whether they just don’t want the law-abiding to be secure, for their own purposes; governments have been known to want to spy on their general population. The more benign explanation is that they just want to be seen to be doing something about all that bad stuff on the internet. Maybe it’s a mix of both.
Details here: https://act.eff.org/action/don-t-let-congress-censor-the-internet

We could be doing more

There is a mostly unreported and unrecognised ongoing attack on our research institutes, commerce and infrastructure, massively damaging our successes in the western world.

US-CERT, the United States Computer Emergency Readiness Team, released an update (TA17-117A) last week from the (US) National Cybersecurity and Communications Integration Center (NCCIC), “Intrusions Affecting Multiple Victims Across Multiple Sectors”. This recent one details an ongoing sophisticated attack on a wide range of industries. These attacks do not end in the male-enhancement spamming campaigns, websites defaced with ads for fake designer goods, or stolen credit cards that all become apparent soon after the attack.

They are silent, deeply embedded thefts of intellectual property, of which the victims are unaware for maybe years if at all.

They do not identify the likely bad actors in TA17-117A, which they rate as “Medium Risk”, but I would hazard a guess that they all have the same source as the attack that devastated the National Research Council a few years ago, the repercussions of which are still ongoing. I don’t know the reliability of Newt Gingrich’s figure for the losses of $360 billion per annum last year. Trump alluded to the threat from China during his campaign, but the rhetoric has always been more about political controls: “we’ll send Governor Branstad over to tell them to stop”.

The summary of the TA17-117A update could simply be: they are deeply embedded in your networks, it’s very difficult to identify how and where, and even more difficult to remove them, followed by some broad recommendations on how to prevent reinfection.

Unfortunately, while TA17-117A gives detailed advice on what to look for, it does not give much advice on how to look for it, which I believe the majority of network and server administrators on the front line would need guidance on. There are a large number of computer forensics suites that would be useful, but none as simple and complete as Microsoft COFEE (I would provide an official link, but there isn’t one), which is only available to law enforcement “from NW3C at www.nw3c.org or by contacting INTERPOL at COFEE@interpol.int”. Like WikiLeaks, I am not too happy about this withholding of such a useful tool. It would probably be very simple to write further tools that could analyze the data collected by COFEE to flag any intrusion related to this and other advisories.

While the advisories themselves are great, in many cases they will be too little, too late. It would be great if network and server admins had access to better tools without having to get as far as needing to report a crime.

As for actually blocking these attacks, the advisory points you in the right direction. Methods will differ vastly depending on the environment, and the costs associated with the risk would have to be taken into account, so what controls can be put in place would also vary. But at a time when we are still having trouble getting users to encrypt their data and devices, and to use a password manager, we could all be doing more with general cyber security education; the potential damage to our economies from these attacks is really astronomical. $360bn p/a is just the cost to the US economy. That’s 60 times the funding provided to the National Cancer Institute, which fits the typical profile of the targets of these attacks, or half the amount spent by the US military as a whole annually.

Others have told me that the greatest risk to business today is ransomware. While the effects are horrid (I’ve seen it too many times) if you are unprotected, they are generally quite limited in the damage that they cause, and very easy to mitigate by never clicking on unknown links, having a script blocker, and keeping regular backups.


CISSP PMP