Linux commands hodgepodge (I)

This post is an unusual one. The reader will not find a line of thought in it but rather a collection of command lines and telegraphic recommendations for some configuration files in the Linux (more specifically, Ubuntu) Universe.

Happy command line experience!

- To open an X session via ssh
$ ssh -X -p xxxx username@ipaddressorname

- Enable networking in Linux
# route add -net 192.168.x.y netmask gw 192.168.a.b dev eth0

- How to quickly install sshd
# apt-get install openssh-server

- Sshd to start at boot time in Debian flavours
# update-rc.d ssh defaults

- Sshd not to start at boot time in Debian flavours
# update-rc.d ssh remove

- Where to configure sshd?
# gedit (or vi) (or pico) /etc/ssh/sshd_config

- And there, some configuration settings are

X11Forwarding yes
Port xxxx
PermitRootLogin no

- How to start the sshd service
# service ssh start (or the old way /etc/init.d/ssh start)

- How to stop the ssh service
# service ssh stop (or the old way /etc/init.d/ssh stop)

- Networking to start at boot time in Debian flavours
# update-rc.d networking defaults

- Networking not to start at boot time in Debian flavours
# update-rc.d networking remove

- How to tunnel via ssh
$ ssh -p xxxx -L aaaa:localhost:bbbb username@ipaddressorname
bbbb is the local port
aaaa is the remote port

- How to disable the firestarter firewall at startup time
mv /etc/init.d/firestarter /etc/init.d/firestarter.old (to change the name)

- How to recover gnome GUI in the latest Ubuntu versions
# apt-get install gnome-session-fallback

- How to copy from a hard disk to an external memory storage
dd if=/dev/sda2 of=/media/externalstoragename/backupfilename.dd bs=64k conv=notrunc,noerror

- How to delete a USB memory storage
sudo dd if=/dev/zero of=/dev/sdb bs=64k

- How to install grub
# grub-install devicename

- In case there is a need to open a firewall in win7
netsh firewall set portopening protocol=TCP port=xxx name=ruleportxxx mode=ENABLE profile=All

- How to copy a file via ssh
$ scp -P xxxx /source/file user@remotehost:/destination/file

- Copying files over ssh using dd (directories need to exist)
$ dd if=./yourlocalfiletocopy | ssh -p xxxx username@fqdn dd of=/path/filename

- Copying files over ssh using dd (directories need to exist) -alternative way
$ dd if=./filetotransfer | ssh username@fqdn dd "of=/destinationpath/filename"

- Copying files from the ssh server to local using dd via ssh (directories need to exist)
$ ssh -p xxxx username@fqdn 'dd if=/pathtofileinsshserver/filename' | dd of=./pathtolocaldestination/filename

- How to install 7z crypto compressing solution
# apt-get install p7zip-full

- How to compress a file or directory
$ 7z a destinationfile.7z ./folderorfiletocompress

- How to decompress (no full path)
$ 7z e compressedfile.7z

- How to decompress (full path)
$ 7z x compressedfile.7z

- How to compress a file or directory using a password and in volumes
$ 7z a -p -v1g destinationfile.7z ./folderorfiletocompress

- How to stop a machine via ssh (if you are using lightdm, shutdown will not power the machine off)
# poweroff --verbose

- How to reboot a machine via ssh
# reboot --verbose

- ssh login without a password
Good summary here

- How to see real time the iptables logs in linux
# /sbin/iptables -L

- How to see whether the firestarter FW is running
# /etc/init.d/firestarter status

- How to see whether iptables is running
$ lsmod | grep iptable

- How to lock the Ubuntu box using the keyboard
CTRL + Alt + L

- Where are authentication related logs in linux?
$ less (or pico) /var/log/auth.log

- If there is a need to check previous zipped logs
# gzip -d syslog.2.gz

- Executing a terminal server that is not linked to a user in Ubuntu
# x11vnc -safer -localhost -nopw -once -auth /var/run/lightdm/root/:0 -noxrecord -bg -rfbport xxxx

- Executing a terminal server that is not linked to a user in Ubuntu (a more verbose one)
# /usr/bin/x11vnc -safer -auth /var/run/lightdm/root/:0 -noxrecord -noxfixes -noxdamage -forever (or once) -bg -rfbport xxxx -o /tmp/x11vnc.log

- Executing a terminal server that is linked to a user session
$ x11vnc -safer -localhost -nopw -once -display :0

- Typical rc.local file for paranoid ones
ifconfig eth0 netmask
route add default gw 192.168.y.y eth0
arp -s 192.168.y.y 00:router:mac:address
/etc/init.d/ddclient start
rfkill block bluetooth
rfkill block wifi
rfkill block wwan

- If you are encrypting the home drive and using keys in ssh to log in...
place the authorized_keys file outside the crypto zone as you can read here
... in addition to that, add these 2 lines to the .profile file to speed up decryption at log-in time:
cd /home/username

- Who is in the system
$ who

- Who logged in last
$ last -a

Security site to bookmark: is an open Internet project by the Open Security Foundation with the aim to collect and publish security incidents related to loss and compromise of personal data. It dates back to 2008, when they agreed to maintain the database that the popular site started. Open Security Foundation is also known for its popular vulnerability database (

It is an easy-to-follow web site: it consists of two horizontal menu bars, a top text-based bar with links to 11 sections, and below this, a graph bar with a timeline. Its front page is broken down into two columns. We need to register to use all the services they offer. Registration requires only an email address and a username. The relevant sections of this site are:

- First, they introduce the site: Who they are and how they work. They seek and receive news about security incidents with compromised personal information. They add those pieces of news to their public database. They also announce it on their twitter "datalossdb" account and send them via a distribution list.

- Second, they offer the ability to search for incidents in their database according to different search criteria such as type, size or source. Although most available data come from the USA, this site is nevertheless valuable to justify security measures with actual data on real incidents.

- Third, they provide a form for the visitor to report incidents. It is not necessary to be registered to report an incident.

- Fourth, they provide access to collections of incidents from 16 primary information sources. These sources are authorities linked to personal data protection in different U.S. States (such as "Consumer Protection Boards" or the "Attorney General"). Companies and institutions that suffer data loss must report it to these institutions. The New York, Maryland and Massachusetts bodies are worth mentioning given the high number of cases that they publish.

- Fifth, they list the personal data protection laws in each of the States. 12 of them have to keep track of related incidents, 35 require notification to those affected but do not have a centralized register and 4 States have no such legislation.

- Sixth, they show statistics and incidents analysis including the types of lost data, the sector concerned and their figures for different time windows. So far, the largest incident contained in this site occurred in March 2012 and affected 150 million customers.

- Seventh, you can subscribe to three mailing lists, the first is the most relevant one, the second is to discuss incidents and the third is a weekly summary of activity.

The last three sections present:

- Those incidents that do not have the minimum information to be entered into the database, in the form of a newspaper called "the blotter"
- A section with strange incidents or small-scale ones that have a limited number of affected users or do not refer to elements of identity such as social security numbers, credit cards, bank accounts, medical or financial records.
- A final section with the names of those who keep this site, its contact details and sponsors.

In short, the site is a valuable database of real personal data incidents. A useful tool to demonstrate that personal data are really threatened. I miss a similar database with incidents happening in Europe. The final question would be: does privacy still exist in our society?

A version in Spanish of this post will be located here in this publication. Stay tuned!

Happy browsing!

Human intuition: What if we apply it to improve security?

Within the @Google Presents talk series, the Nobel Prize winner and psychologist Daniel Kahneman gave a lecture on intuition that I summarise in this post, always looking at it through the information security lens to distill innovative knowledge.

He started with an enticing question:

Intuition, why do we magically know things without knowing we know?

Different authors have studied human intuition. Gary Klein, in his book "Sources of Power: How People Make Decisions", thinks that judgement biases are not so negative. Malcolm Gladwell, in his book "Blink: The Power of Thinking Without Thinking", has also dealt with the power of intuition.

Mr. Kahneman is sceptical about expert human intuition. For example, in fields like Medicine, when can you trust intuition? He identifies two modes of thinking that lead to the creation of judgements:

- Mode A, as something that happens to us, e.g. when we perceive through our senses, have impressions and intuitive thinking. This is the intuitive and automatic one.
- Mode B, as something that requires effort. This is the deliberate and 'effortful' one.

He shares some scientific results that can have an impact on social engineering: self control related to mode B is impaired if we are doing another activity at the same time. This means that it takes some effort to control our impulses. For example, we would pick chocolate more easily if we keep at the same time a 7 digit number in our head (minute 12 of the talk).

Would that mean that if we ask someone for their password while they are doing an 'effortful' activity we could be more successful than if we ask them when they are idle? Probably.

However, if we focus on mode B, for example, driving is a skill. In a mode A skill things begin to happen automatically: we can drive and talk, we would brake in a completely automatic manner. The same cannot be said, for example, if we drive on skids. This is a completely non-intuitive skill.

But then, when can you trust intuition? Mr Kahneman states that, if there are clear rules in the environment, especially if those rules can give us immediate feedback, we will acquire those rules and let mode A run. This is the reason why we are very good at immediate reinforced practice. This is what he calls intuitive expertise: the reason why, in Medicine, anesthesiologists, thanks to the quick and good feedback they receive from their actions, develop intuitive expertise and the reason why radiologists get the opposite case: they receive slow and not so good feedback from their actions so they have a difficult time to develop intuitive expertise.

Let's have this point in mind when we approach a user community to improve their security practices.

This expertise is not possible in chaotic scenarios. This is why the world is not predictable. For those cases when predictability is poor, it is better to follow pre-made scripts.

This thought is valuable when designing incident response actions. Build your formula and don't let intuition be the main driver. 

Peculiarities of our mind

Mr Kahneman mentioned that human memory is superb at remembering routes through space but rather poor at remembering a list. A practical example of this can be found in the book "Moonwalking with Einstein" by Joshua Foer.

So what about if we associate places in our work facilities with secure behaviours?

Our mind likes to think about agents that have traits and behaviours. We are not good at remembering sentences with abstract subjects. Our behaviour is influenced by the signs and posters that we see around us. Especially by those that relate to something concrete. For example, when people are exposed to a threatening word, they move back. Symbolic threats have a real effect.

And what about if we place a poster with a pair of eyes watching us close to an Internet kiosk in a public place in a firm? Would users behave more securely?

Our mood is also influenced by our actions. If we make a smiling face, we are more likely to think that things are funny. If we place a pencil in our mouth, we will think that the cartoons we watch are funnier.

By partially activating ideas through these mechanisms, e.g. by whispering words, the threshold to feel emotions related to those ideas is lowered, and all this happens without us knowing it consciously.

This has a lot of potential at the time of designing a cultural change related to information security at workplaces.

Our associative memory is a repository of knowledge. We take very little time to create norms in our minds. Our reasoning flows along causal lines, this happens intuitively. The coherence that we experience can be turned into a judgement of probability. This is the reason why Mr Kahneman is not really a fan of human intuition: People have confidence in intuitions that are not essentially true.

This point is key for those applying risk management methodologies to their information security practice.

He mentions that, so far, all intelligence tests we have are for mode of thinking B. However, we are all influenced by our intuition. It's hard work for mode B to overturn what mode A tells us.

I finalise this summary with the 'security related' moral of the talk. When can we trust our intuition? Only when the environment is predictable and we have had the opportunity to learn its regularities.

Happy intuitive reading!

Were these the posters in the Middle Ages?

Surviving success in entrepreneurship and... in IT security?

Stanford University shares with everyone on the Internet a series of podcasts and videos related to entrepreneurship through their Entrepreneurship Corner. These pills of knowledge are not intentionally related to information security. However, I find that the learning points mentioned there are worth at least some reflection time by itsecuriteers. For instance, Mark Forchette presented his talk on how to survive success. I drew some lessons from his talk:

lesson 1 - know what you want, set your objectives, promise you will achieve it

lesson 2 - you must have passion

lesson 3 - no matter what you do, you must know how to sell, everybody sells

(proposal of a book to read : how to master the art of selling)

lesson 4 - there is no failure that you can't recover from (so enjoy failures)

lesson 5 - strategy and tactical implementation = success (if you cannot execute the plan, it's not worth the paper it is written on)

lesson 6 - the most dangerous thing in the world is a past success you are still in love with - surviving success is one of the most difficult things - the best day has to be ahead of you

lesson 7 - do things other than just for money

lesson 8 - people do business with people they like - business is a contact sport - be likeable

lesson 9 - prepare, prepare, prepare

lesson 10 - make sure the right people are in the right seat

Look at these 10 lessons from the IT security practitioner viewpoint. They can provide you with value.

Happy entrepreneurial reading!

Learning to fly

WPA password strength (or the role of special characters in WPA passphrases)

It is a good security practice to use a long passphrase in WPA Personal protected wifi networks. WPA Personal is also known as WPA-PSK (pre-shared key). The strength offered by WPA-PSK is related to the strength of the passphrase: it must not be easy to guess, either because it is very short or because it is very predictable. This is the reason why many of us opted to use up to 63 random printable ASCII characters, resorting to sites that generate them, such as

Life was fun when we had one, maybe two, wireless computers at home. We inserted the damned long passphrase (certainly after several attempts!) and off we go.

Soon our homes started to have new wireless-enabled inhabitants (smartphones, tablets, e-book readers and so on). In most of these new devices, it is not so straightforward to insert a 63 character long random printable ASCII chain. In some cases, some of those special ASCII characters are not even present in the suite of keyboards (via a physical board or displayed on screen) that these wireless devices offer.

Should we then decrease the complexity of our WPA passphrase or not? This is obviously a possible strategy; however, you then need to go and change your WPA settings manually in many devices. This takes time. Another alternative is to get the "strange character" via copy and paste or a similar shortcut.

A third possible way is the following: If you are lucky, some of those new devices that do not allow typing "strange ASCII characters" on them allow the insertion of the 64-digit hexadecimal key that corresponds to your passphrase and your SSID. This is the case for Amazon kindle devices. You can code yourself the algorithm to obtain the 64 digit long hexadecimal key or you can use this site, or even only the Javascript code that it contains, by a software developer from the Netherlands.

Reaching this point of this post, you would wonder: what has happened to the strength and complexity of my 63 character long random printable ASCII chain if it can be replaced by a 64 digit long hexadecimal key? It turns out that the WPA-PSK passphrase strength resides only in the entropy it displays. That's about it!
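The derivation mentioned above and the entropy argument that follows it, as an added example in Python (not code from the original post or from the site it refers to). It assumes the standard IEEE 802.11i mapping, PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); the function names are illustrative and the sample passphrase/SSID pair is the published 802.11i test vector.

```python
import hashlib
import math

PSK_BITS = 256          # the derived key is 32 bytes, i.e. 64 hex digits
PRINTABLE_ASCII = 95    # characters 32..126, the alphabet allowed in a passphrase


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit key a device derives from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the salt: the same passphrase gives a different key per SSID,
    # so the hex key must be recomputed whenever the network is renamed.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid_bytes, 4096, 32)
    return key.hex()


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase, capped by the 256-bit key."""
    return min(length * math.log2(alphabet_size), PSK_BITS)


def min_length_for_bits(alphabet_size: int, bits: int) -> int:
    """Shortest random passphrase over the alphabet that reaches `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Published IEEE 802.11i test vector, not a real network.
    print("psk:", wpa_psk("password", "IEEE"))

    # 63 random printable characters carry more entropy than the key can hold.
    print("63 chars, full ASCII :", passphrase_entropy_bits(63, PRINTABLE_ASCII))

    # Lengths needed with alphabets that every on-screen keyboard offers.
    for name, size in (("hex digits", 16), ("a-z0-9", 36), ("full ASCII", 95)):
        print(f"{name:11s}: {min_length_for_bits(size, 128):3d} chars for 128 bits, "
              f"{min_length_for_bits(size, 256):3d} for 256 bits")
```

The last loop shows why special characters are optional: a random passphrase restricted to lowercase letters and digits only needs to be longer to carry the same entropy.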

Keep randomness in your life ;-)!

Pieces of wisdom from Dr. Taher ElGamal in 2010 on the future of Internet

This talk took place in November 2010. Already some years and months ago. However, given the relevance of the presenter, Dr. Taher Elgamal, and the currency of the content, "the past 15 years and the next 15 years of security", I suggest that, if you find no time to watch this 100-minute long lecture, linked here, at least glance through these learning points:

minute 8 - 15 years later, we have not solved the authentication problem.
minute 12 - everything that starts social ends up being business.
minute 12 - USD 350 billion - the amount of fraud in e-commerce is one order of magnitude higher than in the physical world.
minute 13 - 1.2 to 1.4 % of the transactions are fraudulent - so around 3 to 4 USD billion of fraud is generated every year - and this economy is the fastest growing economy in any country.
minute 13 - e-commerce size is 3 or 4 or 5 % of the overall economy - imagine it becomes 50% of the world's economy.
minute 14 - we cannot afford these losses if we would like e-economy to grow.
minute 15 - 98% of authentication is by someone remembering a password.
minute 15 - 22% of e-commerce transactions get manually looked at - this is crazy!
minute 17 - the credit card system does not know how to handle security in e-commerce.
minute 19 - we invented a (faulty) security model after having connected our LANs and created the Internet.
minute 19 - the future is an extension of the past - it is not disconnected.
minute 20 - we are ignoring the end user - security is sold to big companies.
minute 23 - we forget requirements when using technologies.
minute 24 - we forget that we have connected everything together.
minute 25 - it is much easier to build incremental changes in a system than to change completely.
minute 26 - security technologies that require user actions are generally not successful.
minute 27 - the reason SSL is really 'successful' is because it is hidden from the user.
minute 28 - things that work are things that we use (not things that technically work).
minute 29 - users use the same password for sites with very different profiles (banks and leisure).
minute 29 - 10% of people would send their password if requested.
minute 31 - we are just putting technologies in companies without looking at the threats.
minute 32 - we will see as much growth in connectivity as the last 15 years.
minute 33 - the size of the device is purely a function of the display size nowadays.
minute 33 - the number of phones is an order of magnitude higher than the number of laptops.
minute 34 - we want to always reduce hardware costs - cloud is just using hardware in a more effective way.
minute 35 - social networking will change business behaviour.
minute 36 - we are actually connecting things to the Internet.
minute 37 - a smartphone has multiple channels to connect - and they are fundamentally different.
minute 38 - we should avoid trying to solve tomorrow's problems with yesterday's solutions.
minute 41 - we will be doing business through social networks - a new layer on top of the web layer.
minute 42 - the power grid - the number one infrastructure that an attacker would compromise.
minute 44 - a billion mobile Internet users (IDC numbers).
minute 44 - 650 million laptops in 2010.
minute 44 - in 2020 the billion will become 1.6 billion - pc and laptops will be a 2 billion number.
minute 45 - in 10 years smart meters will be everywhere in the world and servers will become consolidated.
minute 49 - current e-commerce relies on the fact that most people are OK - this is not going to be scalable.
minute 49 - almost every country has their own definition of a digital signature.
minute 50 - governments literally need to stay out of things that we have not put into real use.
minute 52 - it is really hard to secure connections through a firewall because we are connected through different means simultaneously.
minute 53 - distributed security is the way to solve infrastructure security - not between networks (minute 55).
minute 56 - the fabric needs to be smarter to identify attacks.
minute 57 - the right place to do encryption is within the application itself.
minute 58 - the threat model is important to consider when securing an application.
minute 59 - information is the value to secure - we have protected the network but not the information.
minute 59 - identities, directories, roles - let's apply the right ones to secure information.
minute 60/61 - just by delaying the delivery of information for 30 minutes - especially in the financial industry - the loss would be high.
minute 62 - in the health industry it is not only timing (e.g. availability of information in an ER - minute 63) but also data confidentiality.
minute 63 - in utilities the important thing to secure is the infrastructure - not really data confidentiality.
minute 64 - we don't teach security correctly in our globe.
minute 65 - before doing a pen-test, sit down and ask your customer what do they do? find out the threat model beforehand.
minute 66 - the 80/20 rule - identify the priorities before starting because the project will be done 80%, not 100%.
minute 67 - integrity is actually the top security problem by far - more than confidentiality.
minute 68 - priorities in security are very important.
minute 68 - identity theft is not yet mainstream but it will be a very important topic.
minute 69 - for those unix guys - the idea of a user being able to do everything in a machine at the same time is a crazy idea.
minute 69 - 90% of the really really bad security issues happening in the last 10 years had to do with a super user account.
minute 72 - a single security model will not solve all security requirements - it will be very expensive.
minute 72 - what about building authorisation rights in the data files themselves? (more a dream than reality).
minute 73 - do all your security checks at the backend - not in the browser!
minute 77 - security has not been solved yet - the center of all this is make things smarter.
minute 77 - networks were made to allow hacks! (can you believe that?).
minute 78 - life will have changed in the next 15 years as much as in the last 15 years (we are a very young industry).
minute 79 - cyberwar may actually happen though - any country can hack any country - not only neighbouring countries.
minute 82 - security is a business process - not a problem that requires a solution.
minute 85 - security vs privacy - we should not put them in a unique ranking.
minute 86 - information that is not meant to be shared is completely unimportant.
minute 87 - a law on privacy without understanding the circumstances makes no sense.
minute 90 - the vast majority of web transactions are less than 50 euro - SET was an overkill (in terms of cost).
minute 93 - PKI: you don't need to have a universal trust model.
minute 96 - the infrastructure should be more intelligent - to ease tasks off the users.
minute 96 - I still haven't sent a secure email (other than to my friends to have some fun).
minute 97 - usability always wins (to security).
minute 98 - quantum computing - if government funding stays, in 15 years computation could be done in different optical? ways.
minute 99 - quantum computing will not break all cryptography - it will change some methods we use - nothing is really ultimate (minute 100).
minute 100 - quantum crypto - there are some implementations (optical crypto keys) - they are not useful unless there is enough number of computers using that technology.

As you can read, age does not prevent us from being revolutionary (and creative?) in our thinking.

Wisdom needs time

Happy viewing!

Through the IT forum jungle: an example with an Android smartphone

Do you dare to upgrade an Android-based smartphone even if your carrier left you alone? Let's try, it is really worth it.

Firstly, if it is not automatically detected, you will need this step so that your Linux box can read the SD card as any other USB connected storage device.

Secondly, you will need to install the android SDK and JRE. For that, go to and download a tgz for Linux


Thirdly, you will need to configure a graphical downloader typing android in the tools folder created in the second step above mentioned.

Fourthly, if Java is still not installed, you can download it from

Let's take now, as an example our good old friend HTC Tattoo/Click:
is a good guide but with some inaccuracies that will take extra time to overcome; here are some tips:

- We encountered a showstopper, and we found that we were not the only ones having the same experience

- However, after some time trying to implement the solution they propose, we realised that there was an easier way, using lateral thinking ;-)

If we cannot exit from ADB, then let's not exit and use two different ADB sessions, one using adb push to inject the required files and the other session adb shell where we reach the # prompt, i.e. we are root

Moral of the story: sometimes with the elements you have and your experience, you can solve a showstopper quicker than going deeper through confusing pages and pages of experiences from different users in IT forums.

As extra tips, try to make an application backup, as a possibility you can use

For some versions of android 1.6 the universal androoter app is an option to root the device

Little piece of advice: don't try both rooting possibilities simultaneously, they interfere with each other

And finally, two last hiccups

- One of the flashing files was too recent to work with Android 1.6 and we found the way forward in the following link (from the forum site of cyanogenmod themselves!)

- We were not able to find the sdcard root folder, the previous page also solves that, we need to connect the device in a non-USB mode so that the sdcard folder is mounted.

Finally, a tip from a colleague of mine, do not forget this app ;-) (thanks!)

Happy June labs!

Update your machine before it goes to a museum

Network detective

Here are 3 "network detective" activities

Scenario 1: There is a Ubuntu Linux box connected to a shared LAN. There is a need to know whether that computer has had a network outage e.g. during the night or during the time when we are not looking at the screen. A network outage would mean that, for any given period of time, there was no network connectivity from the computer to the neighboring edge network device, a router, a switch or a hub, that it is connected to. What to do with no additional tools?

Quick solution:
$ grep -i networkmanager /var/log/syslog
and the output will be similar to this:

Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): bringing up device.
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: starting -> ready
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): device state change: unavailable -> disconnected (reason 'supplicant-available') [20 30 42]
Dec 25 10:55:30 aware NetworkManager[2520]: (wlan0): supplicant interface state: ready -> inactive
Dec 25 10:55:31 aware NetworkManager[2520]: WiFi now disabled by radio killswitch
Dec 25 10:55:31 aware NetworkManager[2520]: (eth0): device state change: activated -> disconnected (reason 'user-requested') [100 30 39]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): device state change: disconnected -> unavailable (reason 'none') [30 20 0]
Dec 25 10:55:31 aware NetworkManager[2520]: (wlan0): deactivating device (reason 'none') [0]
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Dec 25 10:55:31 aware NetworkManager[2520]: Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.

Network events will be identified e.g. in line number 6 the log says
activated -> disconnected (reason 'user-requested')
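One way to turn the grep output of Scenario 1 into a list of outage windows, as an added example (not part of the original post). It assumes the NetworkManager line format shown above; the sample lines and the year are constructed, since syslog timestamps carry no year, and the function name is illustrative.

```python
import re
from datetime import datetime

# Matches the "device state change" lines in the format shown above.
STATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+NetworkManager\[\d+\]:\s+"
    r"(?:<\w+>\s+)?\((?P<dev>[^)]+)\): device state change: "
    r"(?P<old>[\w-]+) -> (?P<new>[\w-]+) \(reason '(?P<reason>[^']*)'\)"
)

# Constructed sample: a link drop during the night, then a manual disconnect.
SAMPLE_LOG = """\
Dec 25 02:14:07 aware NetworkManager[2520]: (eth0): device state change: activated -> unavailable (reason 'carrier-changed') [100 20 40]
Dec 25 02:14:07 aware NetworkManager[2520]: (eth0): deactivating device (reason 'carrier-changed') [40]
Dec 25 02:31:52 aware NetworkManager[2520]: (eth0): device state change: unavailable -> disconnected (reason 'carrier-changed') [20 30 40]
Dec 25 02:31:53 aware NetworkManager[2520]: (eth0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
Dec 25 02:31:55 aware NetworkManager[2520]: (eth0): device state change: ip-config -> activated (reason 'none') [70 100 0]
Dec 25 10:55:31 aware NetworkManager[2520]: (eth0): device state change: activated -> disconnected (reason 'user-requested') [100 30 39]
"""


def find_outages(lines, year):
    """Return (device, start, end, reason) for each period a device was not
    'activated'. `end` is None when the device is still down at end of log.
    `year` is the assumed year of the first line."""
    down = {}       # device -> (time it left 'activated', reason given)
    outages = []
    previous = None
    for line in lines:
        m = STATE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if previous and ts < previous:
            # Timestamps went backwards: the log crossed a New Year.
            year += 1
            ts = ts.replace(year=year)
        previous = ts
        dev = m["dev"]
        if m["old"] == "activated" and m["new"] != "activated":
            down[dev] = (ts, m["reason"])
        elif m["new"] == "activated" and dev in down:
            start, reason = down.pop(dev)
            outages.append((dev, start, ts, reason))
    # Devices that never came back are reported as open-ended outages.
    for dev, (start, reason) in down.items():
        outages.append((dev, start, None, reason))
    return outages


if __name__ == "__main__":
    for dev, start, end, reason in find_outages(SAMPLE_LOG.splitlines(), 2012):
        if end is None:
            print(f"{dev}: down since {start} ({reason}), not restored in this log")
        else:
            secs = int((end - start).total_seconds())
            print(f"{dev}: down {start} to {end} ({secs} s, {reason})")
```

A reason of 'user-requested' marks a disconnect made on the box itself; other reasons are the ones worth correlating with the switch or router.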

Scenario 2: There is a Ubuntu Linux box in a LAN. There is also the need to have a first approximation on the kind of traffic and IPs flowing through the LAN e.g. the type of traffic, IP addresses that are chatting, packet sizes, and the like.

Quick solution:
# apt-get install iptraf
# iptraf

A character-based application will appear in the xterm window. Using the keyboard, there is the possibility to get a first glimpse of the data we mentioned we need in this scenario.

Scenario 3: There is a Ubuntu Linux box. There is also the need to have a fully fledged web-based network monitoring app running in localhost with statistics, graphs, apple pies and a myriad of possible functionalities.

Solution (based on
# apt-get install ntop
# ntop (and choose an admin password to access the web interface)
# /etc/init.d/ntop restart

check that ntop is running at local port 3000
# netstat -tulpn | grep :3000
and connect via a browser to
Now the only required ingredient is time to fine tune ntop and to get the most of it!

By the way, if there is no need to start ntop at bootup time, just rename /etc/init.d/ntop to e.g. /etc/init.d/ntop.notnow

Happy network detective activities!

The evil is in the details ;-)

Book Review - Surviving Cyberwar by Richard Stiennon

In 2011 I had the opportunity to share some hours with Richard Stiennon, author of the book titled "Surviving Cyberwar". This post is a personal summary/overview on this light (not related to thought depth but to physical weight) book, on the use of IT systems to endanger nations' resources as a developing threat. As always, a modest disclaimer, this summary does not replace the reading of the book but rather encourages it.

chapter 1
The first chapter provides some clues about the hazardous life of a cyber warrior, often endangering their personal balance and/or their social relations. Preparing, performing and even reporting cyber attacks is usually a lonely task. As an example, he refers to the "Titan Rain" operation.

chapter 2
This chapter explains the difference in activities among CIA, tasked with infiltrating into foreign organisations to protect US interests, the NSA, tasked, among other things, with intercepting hostile communications and the FBI, devoted to US internal affairs. In this chapter, the reader starts to receive the message that some countries are not equipped to monitor, detect or respond to cyber attacks in a comprehensive and coordinated manner.
Richard also provides some evidence of the real existence of cyber attacks, some of them synchronised with specific events in the physical world, like the ones happening between China and the US in 2001 (related to a Chinese fighter jet and a US reconnaissance plane).
In this chapter, there is also a reference to the popular Sun Tzu's book "The Art of War" and how it presents the spirit of current national intelligence activities i.e. counter-intelligence, psychological warfare, deception, security and fabrication. And, to make things even more interesting, in our current IT systems, there is not even the need to find a vulnerability. All that is needed is for a recipient, e.g. of an email, to be induced to install a piece of SW in their computer.

chapter 3
This chapter presents a clear concept: the essence of espionage is access. Let's keep this piece of wisdom in mind. Depending on what we assume is hostile in our environment, we have different scenarios: simple traditional security assumes that endpoints are hostile, but the network can also be hostile, and even the user. This is why the concept of activity monitoring is so crucial.

chapter 4 
Here we read why email servers have been and are important elements in cyber attacks (example mentioned from reality: "ghost net").

chapter 5 
Let's highlight only one figure: the US Pentagon spent $100 million, a clear demonstration that cyber attacks are happening.

chapter 6 
Where is real innovation happening? In regional conflicts between opposing nations. They have a link with kinetic attacks and all potential adversaries learn from them.

chapter 7
An introduction to a key player, Barrett Lyon, a guru in DDOS defence. DDOS today can reach 60GB throughput! And we currently rely on ad-hoc responses. Certainly, there is also a reference to the BGP routing protocol, a real threat vector that needs to be secured.

chapter 8
These pages present a powerful concept: the power of crowdsourcing cyber attacks, based on ancient military school strategies. Almost everything can be crowdsourced e.g. the naming of a whale by Greenpeace. We also read about the use of twitter as a mobilisation tool. By the way, in some countries, the provision of an IP address owner can mean a 10-year sentence for that IP address user e.g. if they sent an email instrumental for an attack or a crime to succeed.
This chapter ends by noting that some big countries have armies of blog commentators and practise web site censorship.

chapter 9 
This chapter deals with an interesting case study: cyber attacks targeting Estonia in 2007. It also presents a secondary effect: by blocking attacks, a country can cut itself off from the Internet. A last point mentioned on these pages: how content management web servers are easier to DDOS than less complex web servers.

chapter 10
From this chapter, two details are worth stressing: opponents at war try to silence each other's Internet sites and cyber events are synchronised with events happening in the physical world.

chapter 11
It is now time to go deeper into the link between kinetic and cyber attacks. The author mentions that this has already happened. Additionally, an example of collateral damage worth mentioning is an unwanted DDOS against a site that shares resources with the initially targeted one. We read in this chapter that we have to assume that any future military conflict will bring along cyber attacks. Until some years ago, armies lacked cyber response or attack capabilities; the question now is how armies can attract security experts. Richard Stiennon proposes, as a first step, the use of a similar method to the one used by medical staff in the military to attract good professionals.
Some additional ideas are that we need to experiment and to create security labs and also new international treaties, e.g. will NATO help its members using only cyber resources in case of a cyber attack against one member country? The problem with this is, again, attribution, which is not easy at all!

chapter 12
Around the most important topic of this book, we read that IT warfare is "just" an extension of the evolution of warfare. So far, the author highlights that there has been a mostly reactionary approach towards cyber attacks. He claims that there is a lot to learn from studying previous attacks. For example, most of the current security measures such as patching, IPS, etc. come from the experience gathered in past criminal attacks. Subsequently, we read a strong statement: the decision by banks to guarantee customers' funds when they suffer an attack, more than to improve security, is a way to fund new criminal hackers. This is a reflection-deserving thought. A new angle to daily incident management business.
In this chapter we can also read that espionage and DDOS are the two new open fronts. The author touches upon some still open questions such as how to organise a cyber security operation or how to organise resilience in critical infrastructures.

chapter 13
According to Richard Stiennon, the 4 pillars of cyberwar are intelligence, technology, logistics and command. The goal of these cyber attacks is information dominance. In the 1980s, some cyber attacks were already successful. This chapter also mentions a foundational concept: every party needs to understand each other's way of thinking. Therefore, monitoring communications, an activity so close to signal analysis, is essential. He also mentions three steps in a cyber espionage activity: reconnaissance, acquisition and analysis.
These pages conclude by referring to concepts like vulnerability discovery, exploitation, automation, malware, rootkits, backdoors, DDOS, SCADA, DNS and BGP attacks.

chapter 14
We start by reading a clear fact: human beings and organisations like states are slow to recognise the need for preparedness. Throughout this chapter, we read how different countries, e.g. USA, Germany, Estonia..., are preparing (or have prepared) themselves for cyber warfare (e.g. Estonia aims at a public-private sector collaboration). An element of this preparation is the creation of CERTs in different countries.

chapter 15
This last chapter talks about repercussions of this new scenario. Apart from improving IT systems in military organisations and the use of cyber attacks as deterrent measures, there are broader consequences. Some of them are good, like more secure companies and infrastructures, together with international cooperation, but some others are negative, like more control exerted over citizens by states and businesses also being victims of these attacks.

All in all, a book that everyone interested in geopolitics, even if they are not IT literate, will find worth reading. Thank you Richard for this book!

Happy reading!

New attack instruments


The Economics of Security - A talk by Ross Anderson in 2011 AusCERT

The following is a personal summary of a conference/lecture given by Mr. Anderson in the most recent AusCERT event. This summary is just a collection of unconnected (and wrongly interpreted?) thoughts. It does not replace the pleasure of listening to the lecture itself.
I listened to the audio via the Risky Business podcast. Here is the link to the mp3 file. The topic of the talk was "the economics of security".

The Economics of Security

system engineering is not enough
10000 years ago human beings invented agriculture. Soon after, human organisations, driven by people, created the civil service function. This was organised by individuals at the local level, this is why it was kept simple. As an example, he mentions a system that is still being run in Bombay to deliver packed lunches (with more than 20000 people in the system). Now this has become a complex system. The world is changing. We now have people plus software, and this is the novelty. Software adds complexity.

Facebook has reached 600 million users. How do you deal with competition among members? with conflict? All this is a new scenario.

Initially security was seen as an external boundary problem. By that time, all the systems related were under the same chief executive. Today the world works differently, there is a market and a supposed equilibrium. A traditional system engineering approach is required, but unfortunately this is not enough to manage this security effectively.

First thought: In the UK, banks are more protected than customers in case of a conflict between them. In the US, the situation is the opposite. So, we would think that security in US banks would be higher. However, it is the other way round.

Second thought: Will Internet users pay an antivirus (AV) to protect, not their PCs, but other systems such as Amazon clouds and the like?

the role of incentives
Things need to be very dependable. Things go wrong because the incentives are not right, e.g. the triad of customer, merchant and bank, or why should an electricity company invest in extra capacity (to offer a more dependable service) if that would also benefit a competitor electricity company?

Third thought: Security and Insecurity are often an externality - it is not a result of a direct effort but a side effect of what people do globally.

Can governments do something about cybercrime? It seems so. See the recommendations below.

the economics of information related markets
The distinguishing features:
- The network effect, the more people use it, the more useful it is for each user - e.g. email and fax - the winner in the market gets all - after the tipping point.
- Fixed costs are high and marginal costs very low.
- Information likes to be free - At the margin information products cost zero - you need to find a distinguishing feature that is not price (e.g. compatibility).
- Switching costs - your price should consider them and adjust to that - this is why many security mechanisms are there to control users and not to protect users - e.g. lock-in mechanisms.

With all this, the likelihood of a monopoly is really really high.

enticing users through iterations
Getting it right in version 3 - this is how the world turns - vendors need to be quick and to follow a recurring pattern in their value proposal. This is why, in every platform market, vendors first launch the platform, as open as possible, even if it is insecure... to make it easy for people to build apps there. Then they lock it down later.
Mr Anderson mentions that exactly the same happens with payment networks, e.g. this is why we use SSL and not SET. It was very quickly deployed (even if it is suboptimal).

asymmetric information
The example of 100 cars: 50 are great and 50 are lemons - the good ones cost 2000 and the bad ones 1000. Will the price in the market be 1500? Nope, no one would buy a good one for 1500. In second-hand markets, nobody knows if it is a lemon or not - this affects the security product market, e.g. how could we tell the difference between a good and a not so good encryption product? We can't. This is why the IT market went down the path of providing a pile of features, basing sales on a long list of irrelevant features.

adverse selection
E.g. sick people buy more insurance. If we apply this fact to trust, we see that websites with any sort of certification are twice as likely to be malicious than those with no seal at all, e.g. in Google, the paid search result is twice as likely to be malicious than the non-paid top result. This means that certification schemes work in rather unexpected ways.

In conclusion, without the proper incentive, there is no right security.

what do we then need as citizens?
Security breach notification laws, publication of fraud and malware statistics, shedding light on who is good and who is bad. There is a clear role for governments on this topic. Google and similar names do not publish those data to avoid lawsuits (only 3 out of the 27 EU members publish those statistics).

An additional measure could be the issuance of cybersecurity checks/certifications in products before they are released (e.g. do they offer the possibility to be regularly updated in an easy manner?).

Together with security engineering, we need to touch upon adjacent knowledge fields such as game theory, psychology and business to understand security.

In terms of security resilience, we need to collect long-term network performance data and to create regulation to build extra capacity (a big issue will be who pays for it) so that we provide the appropriate incentives to deploy measures such as BGPsec or DNSSEC.

We find more details on Mr Anderson's recommendations in an ENISA paper titled "resilience of the internet interconnection ecosystem" (or in the executive summary). The headlines are the following:

1 - Incident Investigation - An independent body should thoroughly investigate all major incidents and report publicly on the causes, effects and lessons to be learned.
2 - Data Collection of Network Performance Measurements
3 - Research into Resilience Metrics and Measurement Frameworks
4 - Development and Deployment of Secure Inter‐domain Routing
5 - Research into AS Incentives that Improve Resilience
6 - Promotion and Sharing of Good Practice on Internet Interconnections
7 - Independent Testing of Equipment and Protocols
8 - Conduct Regular Cyber Exercises on the Interconnection Infrastructure
9 - Transit Market Failure

Happy reading!

Security economics: Keeping the house protected and open

Robin Dreeke on building rapport - A new pill of wisdom from the SE podcast

The crew always provide really useful information on human behaviour. This time I highlight a podcast about how to build rapport, where they interview Robin Dreeke, FBI agent specialised in these powerful topics. If you have 77 free minutes, listen to the entire podcast. If you don't, at least browse through the bullet points below; they are a very personal summary of the interview (some topics repeat themselves given their importance).
  • Building rapport: You can't fake it. It needs to be real (minute 20).
  • Stay within reality, send a congruent message with your words and non-verbals (minute 20).
  • How to defeat anxiety and stress when talking in public? Think that you are doing it to help a friend (minute 21).
  • Pre-text yourself: Offer something that your audience (or your interlocutor) would enjoy and like. Imagine they are your friends and you would like to share something with them. Be ready to trigger a good feeling in them (minutes 22 and 23).
  • Focus on making your interlocutor feel very well while you are pursuing your goals (minute 23).
  • Key aspects to consider when talking to someone: Don't try to impress, suspend your ego, downplay yourself, use the technique of sympathy to elicit help and reciprocal altruism (minute 25).
  • Make a quick smile, a quick glance and then glance away. Don't stare at them! (minute 26).
  • Keep your tempo slow, don't over speak, don't over sell, be confident but remember, you are seeking help (minute 27).
  • Appeal to their sense of humanity, seek help, seek their opinions, let them know that you value their opinions, make them believe that they are experts on their topic, open up to them (minute 28).
  • Get people's shields down by talking about dates and birthdays. Prepare your pocket of things about yourself and share it with them. Once you are done, they will open up to you (minute 32).
  • Send out an artificial time constraint, verbally or even better, non-verbally (e.g. talk to them over the shoulder - talking at an angle, your feet and hips should be pointed like you are going to leave, keep the chin a little bit down and mention that you only have a few minutes - minute 33).
  • Start threading on the context they give you as a response. Be patient.
  • Accept people for who they are and validate their choices. Don't be judgmental. Don't pass judgement. 
  • How to do it when you don't agree? Be fascinated about them. Try to understand every aspect of their answer. Answer with "what an amazing thing you did!".
  • Practise constantly; it is a muscle you need to train (minute 39). Talk to a stranger every day (get a little adrenaline rush).
  • People love talking about themselves. People don't care about you (hard but real fact).
  • Never argue with someone you try to social engineer. Ask them the question and let them answer.
  • Let people fill in the thoughts, the gaps in a conversation, for you. Silence with little non-verbal confirmations is great.
  • Every generation has their own nuances.
  • If you don't have kids, reflect about friends who have them or even your own experiences when you were a kid.
  • If your interlocutor has a bad day, validate them and offer your help. People will start opening up (minute 49).
  • If you appear threatening, make a little joke and refer to that appearance in a critical way. Raise your chin a little bit.
  • People love the fact that you are trying to accommodate them.
  • As soon as you say "hey, I am not a bugger", people will believe you. People take you at face value.
  • Most people will go a long way not to lie. Lying is a very uncomfortable thing to do. People generally don't want to lie.
  • Reciprocal altruism: Never try to impress but seek help. People are willing to help.
Thanks again to the Social Engineer crew!

Sides of human beings


Paella for hackers and security pros

To celebrate the end of the sixth year of the securityandrisk blog, this time my post is an alternative post. Information security professionals, "hackers" and "itsecuriteers" need to explore IT systems but they also need to eat every now and then ;-). I share with all readers one of the most precious cooking recipes. A crown jewel: The recipe of a modest but tasty version of the well known Valencian Paella - a typical dish with rice from Valencia, Spain.

Ingredients per serving
2 portions of chicken
1 portion of rabbit (it can also be spare ribs)
a glass (250ml) of water
half a glass (125ml) of rice
a quarter of an onion
half a red pepper

Other ingredients (typically for 4 people)
some vegetables e.g. green beans and peas
some seafood e.g. squid, mussels and prawns
crushed tomatoes (125ml)
2 to 4 cloves of garlic
saffron (this is expensive, you can also find paella colouring - less pricey)
olive oil

In a frying pan (or in the paella-pan, called paellera, if you have one) fry the salted portions of chicken and rabbit until they get a nice golden color. Once fried, place the fried portions on a plate nearby.
In the same frying pan, with the remaining oil, fry the chopped onions and peppers until they get slightly brown. Then, add the tomato and subsequently the selected vegetables and seafood. Once all those ingredients are lightly brown, add the fried chicken and rabbit.

Mix the chopped garlic, salt and parsley in a wooden bowl with a wooden stick, if available. Otherwise, mix these spices as well as you can.

Add a glass of water (250 ml) per serving and the spice-mix until it starts boiling. Then, add 125 ml of rice per serving, well spread out through the paella-pan and finally the pinch of saffron. Cook all ingredients over a low heat for about 18 minutes and without a lid! Let the paella smell captivate you. Afterwards, turn off the heat, put the lid over the paella-pan and let it settle for 5 minutes.

You can now enjoy a paella for hackers and security pros!
Happy cooking and eating!

Security and cooking are human passions
Paella is a dish to share with people.