Tuesday, December 23, 2008

Australia To Block BitTorrent

Just when I thought our government couldn't get any dumber.

Did Senator Conroy take my comments on P2P a bit *too* far... ?

So it seems.

Time to set up your own private VPN boys and girls. At least, let us hope he doesn't try to outlaw VPNs too.

Doomed to Fail...

I hate to say "I told you so" but....

I told you so.

Key quotes:

"Professor Landfeldt, one of Australia's leading telecommunications experts, says some of the fundamental flaws include:

■ All filtering systems will be easily circumvented.

■ Censors maintaining the blacklist will never be able to keep up with the amount of new content published on the web every second.

■ Filters using real-time analysis of sites to determine whether content is inappropriate are not effective, capture wanted content, are easy to bypass and slow network speeds exponentially as accuracy increases.

■ Entire user-generated content sites such as YouTube and Wikipedia could be blocked over a single video or article.

■ Filters would be costly and difficult to implement for ISPs and put many smaller ISPs out of business.

■ While the communications authority's blacklist will be withheld from internet users, all 700 ISPs will have access to it so it could easily be leaked.

■ The filters will not censor content on peer-to-peer file sharing networks such as Limewire, online chat rooms, email and instant messaging."

Thursday, November 13, 2008

Censorship Update

Hi all

Today I emailed my local MP to ask them to apply the hard questions to Senator Conroy. I strongly urge you all to do the same.

For more timely advice, I urge you all to visit http://nocleanfeed.com/.

Cheers.

Thursday, November 6, 2008

Email to Senator Stephen Conroy

Email him yourselves at senator.conroy@aph.gov.au.

--
Dear Senator Conroy

My name is Jarrod Loidl and I am currently employed as an Information Security Specialist. I have been actively employed as an information security professional for the past five years, and active in the Information Technology industry for the past ten years. In that time I've spent approximately six years working for various Internet Service Providers (both in Australia and outside of Australia).

Some of the responsibilities I have had in that time have been:
- managing spam filters for a major U.S. ISP serving approximately four million users,
- reporting child pornography cases to federal law enforcement,
- managing intrusion detection and prevention systems,
- conducting/coordinating penetration tests and vulnerability assessments of various networks,
- developing and providing recommendations on security architecture for various projects,
- providing strategy guidance on policy creation and development, etc.

I am also a member of the Australian Information Security Association and Open Web Application Security Project.

As such I am aware of the way criminals operate over the Internet to escape detection and have a unique perspective on these issues having worked them from both technical and security angles. I am also familiar with the social and political issues surrounding the proposed Internet filtering.

I am writing to state my opposition to this plan and it is my hope that by explaining why, you will reach the same conclusion.

Firstly, these filters being proposed are based on HTTP proxy level filtering. That means these filters will only inspect unencrypted web traffic. That means that anything that is encrypted or not web based, will bypass the filtering.

What follows is a list of technologies that are free (or easily affordable at most) that will defeat this form of filtering:
- Anonymous Proxies and anonymisation services (e.g. TOR),
- Virtual Private Networks,
- SSH Tunnels,
- Peer-To-Peer (P2P) Networks,
- SFTP/FTP.
I'm sure there are more but those are the most prevalent in use today.

Studies have statistically shown that most of the traffic ISPs service today is P2P based. This traffic is not just generated by kids downloading music but also criminals sharing child pornography. These tools are either easy to install, easily bypass the proposed filters and what's more are completely legitimate in day to day business - so blocking or prohibiting these tools isn't a feasible option either. Criminals have been using many of these tools for years to minimise their chances of detection or avoid it entirely. I urge you to ask anyone dealing with child pornography or computer crime from the Australian Federal Police or Australian High Tech Crime Commission.


In fact, this proposal may have the unintended side effect of creating a smarter criminal by forcing them in larger numbers to adopt the above technologies and hamper law enforcement dramatically.

Secondly, my understanding of the proposal hinges on the use of two blacklists (and please correct me if I'm mistaken) - one is an "opt-out" list for general adult content. The second list cannot be "opted out" and is for content deemed illegal. Looking at the blacklist issue from a purely technical perspective, it is well regarded as a poor security model. The reason is that anything not defined as prohibited is expressly permitted. This means any site that hasn't been classified as either adult or illegal will be allowed. Managing these lists becomes a full-time job, as they will only grow over time as more sites are classified. In fact, for a blacklist to work, you would need to classify every site on the Internet - a rather impossible feat given my estimate to be in excess of 30 billion pages to date and growing at an exponential rate.


If the solution relies on automated tools to populate these lists, this opens up the potential for sites to be incorrectly classified - potentially creating an even larger problem.


But let us assume for a moment that somehow, every page is classified appropriately. The proxy filters will then have to match all web requests against these two very, very, very large lists to see if a search is prohibited. This will cripple Internet speeds - already I'm sure you've heard of the reports surrounding performance concerns. I can assure you that by using this approach that such reports will only increase over time as the lists grow in size and performance impacts will be inevitable.

The preferable security model is to do the reverse - whitelist "permissible" websites and block anything not on that list. However, this would also require the classification of every website as well and also create another large list - thus creating the same issues.

Thirdly, there is the issue of classifying content. How is that assessment made and who determines it? What if a site is classified incorrectly? What one individual finds offensive another may not. Is it open to public scrutiny? What checks and balances are put in place to prevent abuse by Government or private enterprise by adding content they deem to be "undesirable"? There are equal arguments for and against open inspection of the blacklists by the public and I completely recognise this. If you open the lists to inspection, people will invariably try to access the content; however, if you don't, how can the public at large be assured they aren't being censored from content that the Government doesn't want them to access? There is no clear cut answer to this - only a careful deliberation of risks can help to shed some light here. However, when you weigh it all up with the other points I've raised, I'm sure you will agree that this proposal creates more problems than it solves.

To summarise my key concerns -
- It is technically trivial to bypass such filtering,
- Managing the blacklists or whitelists for that matter to determine the content of all web traffic is largely impossible,
- This will create performance issues,
- Allowing a specific group to classify content on behalf of all Australians poses the risk of widespread abuse to all Australians.

In my following of this issue it seems that there hasn't been much clarification around the impetus of this plan. Is the plan to protect children from exposure to inappropriate content? Is it to stop the proliferation of child pornography? Before we can rush ahead with a technical solution that does not work, we need to be very clear about what it is we are trying to prevent. With collaboration with the ISP industry, information security professionals, law enforcement as well as privacy and civil liberty groups such as the Electronic Frontiers Association - I have no doubt a better path can be found.


As a soon to be parent, I fully support the government's cyber-safety initiative. However, as an information security professional I must advise you that the current proposal is rife with flaws and further examination of the issues is required. What I've covered here is just the tip of the iceberg.


I apologise for the long email but sincerely hope you read this and take the above into due consideration. I welcome any further feedback or response.

Best regards,

- Jarrod Loidl
Ph: XXX-XXX-XXXX

Saturday, November 1, 2008

More on the Internet Censorship Saga

Two really good articles.

Watch the video too.

Information Sharing

Hey all,

Since us busy professionals all need to keep abreast of what is happening, I'm increasingly finding a large portion of useful info on blogs these days. I've just discovered the joys of Google Reader and trying to collate them all into a good list.

If anyone has or reads any other good blogs, please msg me or email me the URL. I'd love to take a glance.

Thanks in advance. :)

Sunday, October 26, 2008

Internet Censorship in Australia

It seems this nation hasn't learned from the lessons of the past, or at the very least - our government hasn't:
The Age
ABC News

For those interested in some background reading:
EFA Article
Wikipedia

This issue rolled around in 1999 and none of the largest ISPs or ISP associations within Australia were consulted when Senator Alston pushed these laws back then. The final workable solution was client side filters deployed on home PCs to restrict undesirable content.

Before delving into the obvious issues, e.g.:
- the technical difficulties of blacklisting all web traffic (to say nothing of the futility of it),
- any discussions over who has the right to determine what is "undesirable" content,
I'd like to point out that the previous model made sense (at least in part). It placed responsibility for end user security with the user.

If you are going to deploy these filters, do so at the client side. Combined with putting the computer in an open family area, logging and monitoring their traffic, and having open discussions with your children about the use of the Internet (and parents not turning to the PC as the new babysitter), I think that is a sound strategy for preventing children from accessing inappropriate content.

I know many people scoff at such filters but hey, at least this strategy doesn't involve implementing a proxy-layer content filter to degrade the Internet back to the Dial-up Dark Ages.

However, this isn't really about preventing kids from viewing pornographic or violent material. In fact, it seems the Government can't decide if they are trying to restrict child pornography from the masses or stop children from accessing undesirable content.

From my reading of the above two articles, it sounds to me like the government is really trying to crack down on child pornography and is using the whole "protecting the kids" schtick to justify it.

I wish I could find it but earlier this year, there was another article somewhere about a kid who was beta testing these same filters and was able to bypass them within approximately 30 minutes.

If this isn't enough to persuade you - the model they are using for restricting content is a black list.

Enough said.

When you consider the number of technologies that exist (for free) that can be used by pedophiles to remain almost undetectable - and that such technologies can easily defeat the proposed implementation the government is rolling out, we have to ask ourselves:
a) who are we really protecting?
b) what is the value add?

As security professionals, we ask ourselves these questions every day when we explore new controls to protect data. In asking myself the question here I find that the requirements aren't well defined.

The government has not clearly articulated what they are trying to protect, why they are trying to protect it and most importantly - it has failed to explain how this solution will meet their requirements.

Anyone who strongly objects to Internet Censorship, please read the EFA link under the background reading.

While I'm all in favor of shouting out against censorship, my experience has been that unless you have a better suggestion, you'll be ignored and not taken seriously.

As information security professionals, we should all stand up and do what we do best - express our discontent, highlight the technical risks and weaknesses of this solution and encourage an open forum to discuss these issues. Maybe by better understanding the requirements of the day we can find a solution.

Write to your MPs, write to the EFA, Today Tonight, whatever. Just get your opinion out there.

Tuesday, October 7, 2008

Builder or Breaker?

Mark Curphey wrote an excellent piece not long ago about what's wrong with the Information Security industry. For those that haven't read it, the piece is here.

One of the biggest gripes I have had about my job was often the feeling that I'm not a builder. That I'm a breaker - or at least have a strong feeling at times all I'm doing is pointing out what's wrong rather than what's right.

How many of you are guilty of this?

Reading this article made me take a good long think about how I operate and made me realise that I'm closer to being a builder than I previously thought. In the process of mapping out my career plan and training plan for the next 12 months, it's fairly evident from the skills I'm focusing on right now that I'm on the right path... or at the very least a better one according to Mark.

Kudos to Mark for the advice.

Wednesday, September 24, 2008

Certification

It's that special time of year again at my work when we need to decide how we should spend our training budget. I'm torn between looking at training or certification. I know it's a dirty word that many an InfoSec (and IT) professional look down on - certification that is - hence it got me thinking that perhaps I should talk a bit about it here.

Anyone familiar with the rough history of IT (at least in Australia) should be familiar with the basic history. I write this one more for people unfamiliar with the field.

For a long time, just prior to the dotcom boom and Y2k, IT workers were in short supply (primarily due to Y2k Compliance and businesses wanting to connect to the Internet).

Businesses were looking for people able to build and manage their networks and systems. In assessing their requirements, they looked at the Cisco and Microsoft certifications and began hiring anyone with a four-letter acronym after their name.

Soon engineers were commanding high salaries for a certification that could be readily obtained for under $5k and cram studied. Some of these were people from non-IT industries who made the jump with barely a clue of where the "power" button was, let alone the finer technical skills required. A lot of them were people jumping into IT from different industries entirely, thinking IT was a real cushy job compared to their previous roles. Pretty soon these people with no prior experience other than what they learned in their certification were earning big cash while uncertified (but skilled) workers were starving.

When the dotcom bubble burst, and when the world didn't blow up on Jan 1 2000, IT was not well regarded by business. Spending was cut, people were sacked, the market flooded. Skilled workers without certs were competing against unskilled workers with the certs. It often seemed that those with the bits of paper won out in the end (further perpetuating the image that there were too many workers in IT with excessively high salaries for comparatively little knowledge or skill).

This is a gross simplification of the situation but it helps to highlight why the IT industry (note: not just infosec) is full of people who have little regard for certification. The issue is often compounded within information security - as the most technical skills required for security are rarely taught and even fewer certified. There is also the stigma of those in the industry who believe that there should not be non-technical people in the information security industry (another subject for another day).

In case anyone is wondering why I have this fascination with certification, I was working in IT during this period and while I was lucky, I knew of too many skilled IT professionals who were unemployed for a long time because of this very issue. As a result, this left a very lasting impression on me and I swore I'd never let this happen to me.

Back to the topic at hand...

What does certification mean?

To my thinking, it simply means that the holder has demonstrated that they hold the level of skill and knowledge required to be proficient in that area. It doesn't mean mastery of a given area, only a measure of skill. I don't think true mastery is something that can be readily certified.

What is the value of certification?

Value of certification certainly does vary and not all certifications are equal.

The value of a certification is dependent on three things (IMHO):
1) Industry recognition
Is the certifying body recognised by the information security industry? Is it comprised of existing professionals? How many members? How is it regarded by the industry? I only look at certs that come from well known, well recognised industry bodies.

2) Skill vs. Knowledge
Some certifications are little more than an exam that can be crammed for. Some have practical components and others require research. Well regarded certifications - CCIE, GSE - have this. CCIEs have the dreaded lab on top of the exam. GSEs have to sit 3 exams and do no less than two research papers before even applying for the GSE. Certifications that require you to be able to demonstrate the skill in a practical sense and not just theoretical should hold higher weight.

3) Vendor Neutral vs Vendor Specific
Many certs are vendor neutral and do not harp on any one specific technology or operating system but rather rely on a strong technical understanding to obtain them. On the infrastructure side of security, you'll be hard pressed to find a certification that isn't vendor aligned. One is neither better than the other, but I usually lean towards vendor neutral unless you're working with a specific technology on a regular basis. I'm not saying vendor neutral is better than vendor specific, but you'll find you'll often learn more of the theoretical underpinnings from a vendor neutral certification.

In looking how to spend my training budget, I tend to look for certification. Not because I'm trying to add marketing spin on my resume but I look for certifications where I might actually A) learn something and B) hopefully get a piece of paper to prove it. Even more hopefully, my employer (and any prospective employers in future) will see that I can demonstrate a modicum of proficiency in a given area and I've taken the time and effort to prove it.

I am a big believer in self-directed study, but if history has shown us anything it is to always plan ahead. Having the skill is one thing, being able to demonstrate it is another, and again, having them formally recognised another thing entirely.

However I have a dilemma. And in retrospect, perhaps it comes back to my own criteria of what I look for in certification -

* Do you pursue certification if the certification you're looking at is not widely adopted/accepted/recognised?

* How do you pursue certification if the area you are looking at is new and emerging within the field?


In particular I'm interested in application security and security architecture and when it comes to formal training/certification, the options are limited and rewards seemingly dubious. Maybe I'm just better off committing more to my self directed study and presenting at a conference somewhere?

I'd love to hear from other InfoSec professionals (and IT professionals) on this subject.

Tuesday, September 16, 2008

/start/here

Hi all,

I finally decided to get the ball rolling and start my own blog. This is to capture my musings and journey in the information security field. It is my intention to share what I've learned along the way as well as learn from other members of the infosec community.

I'm looking forward to the trip.

Cheers,

- Jarrod