Tuesday, 28 August 2012

Loss of Appletite

So it seems that a rather potent exploit in Java 7 is going around at the moment. The exploit allows an attacker to craft an applet that can circumvent Java's security manager, this allows the applet to access files on the user's system, to access networking functionality and of course to execute programs. Obviously this is very dangerous and anyone running a vulnerable version should immediately disable the Java plugin in their browser until a patch is released. Even if you're using an older version that is not vulnerable to this new issue, it may still be prudent to disable Java until the next release as the older versions have previously discovered vulnerabilities. There is also the possibility that new variants might come about now that a working approach has been demonstrated. This has already happened in the short time the exploit has been around, it was first believed that Google Chrome was immune but this just turned out to be a minor bug in the attack code that has since been fixed.

If you would like to check whether you are vulnerable or are just curious about what this attack can do I have compiled an adapted version of the proof of concept code that will be triggered when you click the button below.  This test will only work on Windows systems and you will need both Java and JavaScript enabled ( If you're enabling Java don't forget to disable it once you're done )

If the attack is successful notepad will be launched on your system and when you close notepad you should be redirected to the advisory page for this issue. All quite harmless but it demonstrates the issue well enough.

There is a very nice analysis of the vulnerability by DeepEnd Research which is available here.

There are also instructions on how to disable the Java plugin in a variety of browsers available below.

Internet Explorer


Apparently Oracle are not known for timely fixes so hopefully in this instance they will make a special exception and expedite the patching process. This exploit is both potent and widely known about, which is a recipe for chaos if it is left unchecked.

Friday, 3 August 2012

100% Secure

“100% Secure” is a term that you might think had gone out of fashion but strangely there are still plenty of people out there who are willing to make this extraordinarily bold claim about their systems.  In this day and age claiming to be 100% secure on the Internet is a bit like claiming that you’ve built a machine that is 100% efficient to a scientist or an engineer. At the very least it’s going to be met with skepticism and at worst with derision.

Shopping sites seem to be among the worst culprits for making this claim and it’s probably reasonable to assume that this is motivated by a need to reassure the customer. The problem is that no matter how many soothing claims a website may make, it does not provide a guarantee that it is genuine or secure.  Very often the use of SSL (Secure Socket Layer) is the justification as to why they are absolutely secure but SSL does not provide complete security. It simply secures the communication channel between the client and the server with cryptography.  This provides significant protection against man-in-the-middle attacks, a situation in which an attacker has seized control of a routing device between the client and server and can intercept and modify packets of data.  When the data in question is transmitted over an unencrypted channel with no safeguards the attacker is free to intercept sensitive information such as login credentials or they could even manipulate the client’s session to perform unauthorised actions.

While it is very important to protect against this type of thing it is by no means the only threat to a website’s security. There are a whole host of other attacks which are much simpler to perform and that can have a far greater impact. I will not go into any great detail about these but some of the main classes of web attack are.

  • ·         Cross-site scripting
  • ·         Cross-site request forgery
  • ·         SQL injection
  • ·         Authentication bypass
  • ·         Remote code/command execution

Each of these vulnerability classes comes in many different forms and they can be triggered in a wide variety of ways. Each of them has the potential to undermine the security of multiple users, while some have the potential to undermine the security of every single user on the site. Securing communications between the client and server is a moot point if the server suffers from devastating flaws. An example of this might be that the client’s private data is stored in an unencrypted database on the server and this data can be exfiltrated by means of an SQL injection or by the attacker leveraging remote command execution to initiate a database dump.

Just defending against all known technical vulnerabilities is a herculean task, especially on large and complex systems but even if the main system is immune to all known technical problems there are still other ways it can be attacked. The server hosting a website may not have sufficient physical security or someone who occupies a trusted position and has access to the system may not really be all that trustworthy.  Then of course there are any external dependencies the system may have, we need to consider whether the system automatically updates itself or otherwise depends on other systems and if so are they also secure? There is no end of possible attack scenarios and we can even consider more exotic threats, what if someone is willing to take down power supplies to disrupt the system? What if someone tried to launch an armed assault against the data centre in order to get at some juicy data? The problem is that these last two scenarios are possible but they are extremely unlikely.  If the risk of an event is low and the measures required to prevent it are expensive then it is difficult to justify spending time and resources on defending against it.  So let us consider what it would take to make a system fully secure.  Every single scenario will have been taken into account and some quantity of resources will have been expended on reducing the risk of each event to exactly zero. Such a system would be vastly expensive and would most likely have severely degraded usability resulting from all the additional security measures. (Just imagine filling out a CAPTCHA and multiple it by about oh let’s say 100)  It should be apparent that such a system requires an unrealistic amount of resources and would rely on its creators and users to be completely infallible and absolutely trustworthy.  Keeping a system secure is as much a challenge of managing human nature as it is of engineering.

If the system is never going to be totally secure then why spend time and money on security at all? Well the best we can really hope for is to reduce the risk to acceptable levels and to have a disaster recovery plan in place if something does go terribly wrong.  Security is like any other risk and as with any other risk assessments we need to know at least the following.

  • ·         What are the risks?
  • ·         How likely are they to occur?
  • ·         What is the impact if they do occur?
  • ·         How expensive is it to reduce the risk to an acceptable level?

Once we know the answers to these questions we can make an informed choice on the best place to focus on making improvements.  It makes sense to start on items that give the most benefit for the least cost and to keep making more improvements as the resources become available to do them. It would also be wise to periodically revise the list of risks as the world of security and the internet are very dynamic and new threats can emerge overnight.

I believe that 100% security is an ideal that we must strive towards within the constraints of the resources available and without severely impeding the usability of a system. Even though it may be impossible to reach perfection the very act of trying is what keeps a system as secure as it possibly can be. The alternative is to complacently believe that you are always safe while the threat landscape evolves around you; in this case you become the proverbial boiling frog that sits waiting for the inevitable disaster and who really wants to do that?

Monday, 23 April 2012

The Facebook Hack - What Really Happened

I was recently released from prison following a successful appeal against the severity of my sentence for the hacking of Facebook. I was surprised at just how difficult it has been throughout this process for me to clearly express what happened in a way that fully reflects my intent without pieces of information being missed out or misinterpreted.  The truth is that  an interview situation or testifying on the stand are all highly anxiety inducing and so my performance under these circumstances is always going to be well below par, I’m sure there are many people who can relate to this.  For the first time in just under a year I am finally in a position to reveal the truth about what happened on my own terms.  I now wish to use my right to reply to balance out statements made by certain parties.

I’d like to start with the stuff that I feel is obvious or that just needs to be said out of common decency.  I accept full responsibility for what I did, it was my idea and my idea alone to do it and in truth I did not fully think through all the potential ramifications at the time.  Strictly speaking what I did broke the law because at the time and subsequently it was not authorised, I was working under the premise that sometimes it is better to seek forgiveness than to ask permission, It is possible to offer up information and get a company to retroactively authorise actions so that they become legal. This is an approach I have used with some success in the past.  In any case it was my choice to take this risk and I made a bit of a mess out of the project.  For whatever it is worth I would like to apologise for allowing the situation to escalate into a full blown investigation and for any distress that my actions caused to certain individuals. While I accept that some cost was caused by what I did I would still dispute its quoted magnitude.

With the initial pleasantries aside I now have some slightly more critical views to offer, especially in relation to the following comment that appeared on the Sophos Naked Security website.

I'm not sure why Sophos refers to this convicted criminal as an "ethical" hacker, but that headline seems to be misleading most of the people who are posting here. In fact, there is no evidence of ethical hacking in this case other than the unsubstantiated claim of the defendant after he got caught. 

The judge rejected that defense because the evidence showed the defendant had malicious intent, stole another's identity, engaged in extensive and destructive efforts to remain undiscovered and anonymous, made no effort to contact Facebook with his discoveries, and even denied involvement when initially questioned. His attempt to claim he intended responsible disclosure only after faced with criminal action is insulting to the community of responsible security researchers. Facebook has a really ambitious whitehat program that not only gives immunity to ethical hackers who practice responsible disclosure but also rewards them with cash. The company has paid out hundreds of thousands of dollars to ethical hackers in the last six months alone. You can read about that program here:

It is disappointing that Sophos is running an article that reflects an unawareness of the actual facts, suggests Facebook supports prosecution of whitehat hackers, and doesn’t even reference the Facebook whitehat program.

Joe Sullivan
Facebook CSO

I find it very unusual that Mr Sullivan appears to have reached the conclusion that I was some sort of horrible person out to harm Facebook. I also feel it was entirely unnecessary for him to engage in a direct personal attack upon me in the public arena while I was locked up in a prison, many of the things that he states as facts are misleading or just completely untrue and that has played a significant role in my decision to offer up my side of the story.  The pungent smell of bullshit that emanated from his comments was so foul that it’s managed to offend even my usually mild temperament.  My exact issues with it are as follows...

[1] I’ll start by tackling the claim that I am malicious. I actually have a neutral to mildly positive view of Facebook and have no motivation whatsoever to harm it.  There was no direct evidence of ethical hacking in this case because I was cut off part way through the project and had simply not wasted the effort on writing a report that I would not be able to submit, I will elaborate on this point shortly.  There was plenty of strong evidence for the many past occasions where I had found and disclosed vulnerabilities and while my paid work for Yahoo! was given the most attention, what you may not know is that I have offered up many of my finds unconditionally, I have even turned down offers of rewards after providing information because it was the challenge and the gratification of conquering it that was important.  I would have been quite happy to have passed over the eventual report and to have simply got a “thank you” and a pat on the back, I was not out touting for business, although I would have given serious consideration to an offer if one was made.

The prosecution’s claim that my intention was malicious was pure conjecture that if anything ran against the evidence about my past conduct and my character.  There was no evidence whatsoever to support this statement and in my mind it was an absolute nonsense concocted by the prosecution to bolster what was an already weak case.  I sat quietly on bail for 9 months while my life and prospects went nowhere and refused to speak to the media, once again despite offers of payment to do so.  It may well have been in my best interests to try win public support but I was conscious that what had taken place was commercially sensitive and so I did not go blabbing and gave all the parties pursuing me every opportunity to keep the whole thing quiet and to downplay the severity of the security breach.  In-fact the first option they were given was that if they would let me off with a caution then I would provide full cooperation and sign a non-disclosure agreement, this would have been a mutually beneficial arrangement but it was rejected, despite this I still gave my full cooperation and kept quiet.  This course of action was not simply motivated out of self preservation, it was out of genuine concern not to cause further damage but it proved futile as the information was leaked by others anyway. I’m sure that it was an accident but when the prosecution mentioned “Phabricator” and “intellectual property” in the same breath they inadvertently spilled the beans and revealed that it was the source code that had leaked.    

It is also worth mentioning that I had the source code for just over three weeks with absolutely nothing to prevent me from making copies and redistributing it, this was more than enough time to have caused significant damage to Facebook or to find a buyer, if that had ever actually been my intention but quite clearly it was not.  I also do not accept that the risk was significantly increased by my actions, almost nobody knew of the existence of my copy and it was physically detached from the Internet, in many respects it was better secured than the original, So just in case anyone is unclear at the point I am driving at here, these are not the actions of someone who is being malicious, I would argue quite the opposite.

[2] The second point I’d like to deal with is why I never approached Facebook after I realised they had noticed me.  Getting noticed half way through the process was never part of the plan and I have to admit that I panicked because I knew how bad it looked without sufficient context. I was more than aware of the “security scalps”, a way for security staff to gloat about the various crooks they had helped to nail and when they are catching paedophiles and the like then I agree that they should be proud of their work.  I was also aware of just how cosy their relationship with law enforcement was, and again this is not a bad thing when there is a legitimate public interest at work. The real problem for me was that when I see staff from one company offering to booby trap their system in order to help another company catch a hacker, without being prompted, then I begin to suspect that they have an aggressive policy on hackers and will use their vast repository of information to pursue them mercilessly.  I had hoped that this would not be the case with me and that once the initial vulnerability was patched it would not be pursued any further, at which point I could go back and salvage some kind of positive relationship with them, using the additional information I knew to smooth things over. However I was not willing to risk establishing contact whilst they were in seek and destroy mode as this was far too risky and I saw subtle hints that the situation was not cooling. The name on one of the free domain management accounts I was using was mysteriously changed to “Ryan” and a password reset was initiated, this account could only have been known to investigators and so I attempted to delete that account along with the email associated with it as I now deemed it to be compromised. I did not authorise this attempted access to my account making the attempted access a highly questionable tactic, although if they had the appropriate authority then I concede it may well have been legal, on the other hand it could have been some of that vigilantism that has been eluded to.  It is worth noting that although I still felt pursued and had taken some precautions to fuzz the trail I didn’t really think that it would escalate all the way but unfortunately I was mistaken.  I still believe that if I had approached Facebook immediately then I would have been “scalped” sooner rather than later.

[3] I did not deny involvement when initially questioned; this is yet another load of poppycock invented to malign my character.  What actually happened is that about 5 minutes after being arrested at my home I was asked three questions about my involvement in hacking Facebook; these were loaded questions so that had I provided positive or negative answers then an inference of guilt might have been made immediately.  Since I had not yet had the chance to consult with a legal representative I felt it best to answer “no comment” until I could arrange representation.  This was not a denial it was the application of common sense to ensure that I was subjected to a fair process. Once I had consulted with a solicitor I decided to make a full admission of what had taken place.  I don’t expect to get crucified for being smart enough to wait on advice from someone who actually knows about law. I recall the prosecution also attempted to use this weightless point against me, with virtually no effect.

[4] I do not think my claim about my intended responsible disclosure is insulting to anyone, especially since I know it to be true but I suppose I can’t blame people for being sceptical, I would be too.  I’ll tell you what I think is insulting, a company that prides itself on following “The Hacker Way” allowing it’s corporate attack dog to savage someone who did no worse than some of the company’s own founders.  It’s not surprising that being a multi-billionaire attracts this dead-eyed breed of soulless sycophant but it would be unwise to believe that they really subscribe to the company philosophy; in another life their jaws would have been firmly clasped around the jugulars of those that they now call their masters.

[5] I think the white hat bug bounty programme is a very good idea and that schemes like it are a very useful way for companies, especially the big ones to manage their large attack surfaces. I suspect some people are wondering why I didn’t use it to submit my findings, well the answer to that is that the bug bounty programme DID NOT EXIST when I was working on my audit, therefore it was not an option that I could take.  I am willing to bet that it became a higher priority afterwards though.

Beyond Mr Sullivan’s comments there were a number of other things that I found to be both curious and disturbing. For example when I surrendered my current passport to the Metropolitan police I was under the impression it was solely to restrict my travel.  I have never travelled to the United States on this passport so imagine my surprise when I discovered that a copy of my passport photo had been given to some random foreign national who is not an active member of law enforcement, just so that he could place it in his ego stroking masturbatorium.  Furthermore I don’t expect him to go gloating to Forbes using my image, which he has placed alongside and therefore associated me with a group of degenerates that include scammers and paedophiles.  While I’m on the subject of leaked information I also don’t recall giving my permission for the police to pass out my mug shot to the media, although they made me sign so much junk that I may well have agreed to all sorts.  Even so it seems a bit rotten to fetch someone out of a police cell first thing in the morning, take a horrible picture of them and then dole it out to whoever comes asking for it.  I don’t have any problem at all with the Metropolitan police e-crime investigation team who treated me with respect throughout this entire process and I commend them for that but I suspect that there are lower elements elsewhere in the police force who are just a bit too prone to leaking.

Tomahawk Joe - looking proud of his work.

I’m sure that there are number of questions that people might like to know the answer to and if not then I would still like to offer answers to them anyway. I have compiled a selection of what I feel are the most pertinent questions along with my answers to them.

Why did you take the source code?
The whole point of downloading the code and converting it into a manageable form was to achieve a better understanding of how the system worked and to leverage that knowledge to find more vulnerabilities. There are two distinct classes of security audit referred to as black box and white box testing. In a black box test the tester relies on feeding input into the system and deducing things about it from the output without any prior knowledge of the system’s internal workings. Then there is white box testing where the tester knows how the system works, this has much greater scope as more can be deduced about the system’s behaviour, making it possible to find more vulnerabilities that might not be immediately obvious during black box testing.  When you consider the goal of the project was to compile a large report of findings then using the code to perform white box tests was a perfectly logical step towards that end.

Why didn’t you use a proxy server or chain several proxies together?
Proxies tend to slow the auditing process  because they increase the time delay between each request made to the servers,  this soon adds up when you consider that the process of finding a vulnerability can take many thousands of requests.  There is also the issue of trust, the operators of a proxy server are not necessarily to be trusted, they can monitor all traffic passing through them, even when using cryptography there are inherent risks. If you happen to find the next big vulnerability in something, do you really want to risk sharing it with a complete stranger?  Besides if all had gone to plan then this concealment of my identity would not have been necessary, so proxies would have been an unnecessary risk.  It’s worth mentioning that I did use a proxy at one point to tunnel through the corporate firewall, it did not provide any real anonymity but it was under my control, so it could be trusted.

How much damage did you actually cause?
I didn’t cause any damage to the system in the process and this fact was also acknowledged by Facebook. I was very conscious not to cause any harm and took many precautions, most notably the script I wrote to extract the source code had two safety features.  Firstly the recursive algorithm that navigated the source code’s tree structure had a depth restriction condition that prevented it from getting trapped in any infinitely recurrent sub-structures. Secondly there was a hard coded delay that slowed the speed of requests to prevent throttling of the server and impeding its availability.

The cost that has been quoted refers to the cost of the subsequent investigation, the first I heard of this $200,000 figure was the evening before my sentencing hearing and it came as one hell of a surprise, as most ambushes do.  I hope people will forgive me if I am incredulous about this number as I cannot understand how it took 3 weeks and $200,000 dollars to look in the Apache access log, get my IP address, perform some sense checking and request the record from my Internet Service Provider.  I am not denying that there was a cost and I do regret that it was caused by my actions. However I found the expenditure of $200,000 to be suspicious and it was of great concern at the time that the number was accepted as fact when it was never substantiated by any evidence.  I would have expected an itemised list stating each cost and justifying why it was necessary, with the opportunity for me, the defendant to scrutinise it.  The reason this is important is because I have no way to know if this included things which should not have been there, for example the cost of repairing the vulnerabilities cannot be attributed to me as I did not create the security holes, they already existed and would have required fixing regardless of my actions.  Even if I had somehow created these problems one of them could have been fixed in about 5 minutes and the others would take a few hours.  In any case this anomaly along with the supposed necessity to send 2 FBI agents on a transatlantic jolly was rightly flagged up during the appeal process and its true weight re-evaluated.

Why didn’t you report the first security hole you found straight away?
Security wise most systems have a tough outer shell and a soft inside, once an initial penetration has been made into the system there are two options. You can report the hole and have it sealed up immediately, which severely limits the scope of the pen test and only allows one to repair holes in the outer shell. Alternatively you can keep going deeper into the system in order to find more flaws that exist internally, this should be done until some natural termination point is reached, perhaps when all vulnerabilities have been found or some critical point is reached where the risk to the company if the issues are left becomes too high.  I used the latter approach because I believe that the first option is a superficial solution that only pays lip service to true security.

Do you think the punishment was fair?
I think that the punishment given was a bit heavy handed, even with the reduction gained on appeal. I had my life put on hold while I was on bail for several months and had my intellectual property that entailed hundreds of hour’s worth of work destroyed when a destruction order was made against my equipment.  Even though these measures may not be intended as punishments they certainly felt like one.  To add a custodial sentence on top of this felt a bit excessive to me, especially when I had expressed my willingness to participate in a community order.  I understand that it was tough sentencing exercise as the issues involved were complex, the case is unusual and many last minute changes were made that put the Judge in a difficult situation.  I was however pleased with the appeal outcome, especially the quashing of the Serious Crime Prevention Order, which was clearly excessive and so poorly drafted that it would have been unenforceable.

Are you really an ‘ethical’ hacker?
I suppose it depends on your ethics but mine are to do no harm to the innocent, at least not deliberately.  When you consider that the only thing that stood between Facebook and potential annihilation were my ethics then I think the fact that it’s all still in good working order should serve as some proof that I’m really not one of the bad guys.  I’ve done enough good things in my time to believe that I deserve the benefit of the doubt on being called ethical, even if it is in slightly sarcastic quotation marks.

All in all I am relieved that the ordeal is now over and that I can finally get on with my life. Despite all my moaning I suppose that in many respects I have been very lucky. I could have been subjected to the same kind of treatment as Gary McKinnon, Richard O’Dwyer and Christoper Tappin.  In this country It seems that whenever the Emperors of New Rome summon one of us, we lowly plebeians must obey the command.  The lopsided extradition treaty is doing a marvellous job at ensuring British citizens are whisked off to cloud cuckoo land to be buried in some desert for a few years.  I thank my lucky stars that I somehow avoided that fate, despite being such an obvious candidate for it.