A Warrior's Code: Cyber Bushido
Bushido is Japanese for the “Way of the Warrior.” It is the code by which the Samurai of Japan lived and died. It was their way of life, similar to the code of Chivalry espoused by the medieval Knights of Western Europe. It evolved from the Samurai’s code, which stressed the importance of frugality, martial arts mastery, and honor unto death. Its evolution came as the result of the violent world in which the Samurai found himself for a thousand years. A world fraught with bloodshed and feudal warfare encouraged them to embrace the wisdom, peace and knowledge espoused by their faith; a faith influenced by both Confucianism and Buddhism, ultimately culminating in Zen. It was a code which spread quickly through the warrior class, the class of the Samurai. It became ubiquitous throughout their ranks and was to be followed and embraced without question. To follow the code was to adhere to a lifestyle not suited for all, but for those who dared, it was a way of balance which led to harmony and freedom. It required discipline, loyalty to one’s master, filial piety, and reverence to the Emperor of Japan. Additionally, it called for the Samurai to protect and show compassion to those who could not protect themselves (often those of a lower social station), while in all things maintaining one’s name: one’s honor and reputation. Kato Kiyomasa, a Warlord of the Sengoku period, said that if a man did not study the ways of Bushido daily, it would be difficult for that man to die a brave and manly death. Essentially, Kiyomasa advocated that every Samurai should engrave the business of the warrior (Bushido) in his mind so well that when called upon to act in offense or defense, that man would be prepared for whatever came. Severe penalties were paid for failing to adhere to the code. Disgrace or dishonor was intolerable.
So intolerable, in fact, that seppuku, or ritual suicide, was established and accepted as the only way a Samurai who had been disgraced or dishonored could regain his honor while removing the blemish from his name and the name of his family.
Bushido comprised seven primary tenets, with, at times, three additional ones added depending on the time period and circumstances. They were as follows:
- Rectitude (義 gi )
- Courage (勇 yuu )
- Benevolence (仁 jin)
- Respect (礼 rei)
- Honesty (誠 makoto or 信 shin)
- Honor (誉 yo)
- Loyalty (忠 chuu)
- Filial piety (孝 kō)
- Wisdom (智 chi)
- Care for the Aged (悌 tei)
To the Samurai these were not merely empty words, used trivially and carrying no weight in their meaning. These words were paramount to their existence and subsequently aided in defining who they were, what they believed and what separated them from those with no honor. Honor was everything, and pride was to be mastered in the struggle to maintain one’s honor. The Samurai were not without knowledge of war craft, tactics and strategy. This knowledge, coupled with their adherence to their code, enabled them to remain centered and balanced. As such, they were prepared for both the conventional and the unconventional encountered in battle as well as in their day to day existence. Furthermore, their comprehension of war craft and mastery of martial arts (their skills, if you will) enabled them to contend with all manner of enemies (seen and unseen — mercenaries, assassins, shinobi).
In our discipline there are paths which lead to many destinations, each one containing challenges and obstacles all its own. Our world, like that of the Samurai, is a complex place. There are those who wish to do harm and subsequently pose threats to the established norm, with no concern for others, especially those who cannot defend themselves. These threats vary, some being physical, some being “cyber” — all posing risks to our world, threatening imbalance and disorder. As a result, I feel that amongst our community there needs to arise a warrior’s code of our own; a “Cyber Bushido” which defines those of us whose calling it is to protect those who cannot protect themselves while serving a greater good. Though it need not be a carbon copy of the Bushido of the Samurai, it could benefit from the adoption of some elements considered essential to that code, in addition to the tenets encouraged and embraced by the Samurai.
Our challenges are not presented at the end of a katana, nor are they necessarily quelled by a vigorous, honorable death in battle. However, in some respects they are more complex than even the wisest of the Samurai could have imagined. Fundamental to our struggle is the code, our belief in its importance, and our unrepentant embracing of it, like the Samurai and their view of Bushido. Our enemies are both foreign and domestic (as research has demonstrated), and in many cases their reasoning and rationale for their actions varies, but their dedication to their ends does not. With this in mind I challenge those who believe in that which is virtuous and good; that which is honorable and noble; that which is for the greater good, to consider the concept of a cyber warrior’s code, our own Bushido.
RFID Hacking Series: E-Passports

I just recently returned from Stockholm, Sweden, where I presented on “Assessing the Security Risk of Cloud Computing” at the Sec-T Conference. Amazing conference with a lot of great speakers and content. Shortly before I went on I was able to catch Adam Laurie’s presentation on a “Day in the life of a hacker”. Adam’s presentation was great, but what really caught my eye was the research he has done on RFID exploitation. I’ve read about RFID hacking and the tradecraft that is required to pull off such a feat. To actually see this in real time was priceless. What made the presentation more interesting is that Adam selected an individual from the crowd who was brave enough to give his E-Passport up for a live demonstration. Within seconds, Adam was able to harvest all of the data off the E-Passport. Additionally, he had the capability to change the picture and even digitally sign the passport. Some might chalk this up to a nice bar trick, since the E-Passport was open and pressed against the RFID reader.
However, that is not the case with E-Passports, as they use ISO 14443 contactless smart card technology that has a read range of up to a few inches…so the standard claims. After doing some digging, I found someone that was successful at reading a contactless smart card at 50M in 2005 (http://www.rfidblog.org.uk/hancke-rfidrelay.pdf). That’s where the cool little bar trick turns into a pretty big issue. Your identity is worth something to someone, depending on the context. The following YouTube video takes the context of identity to a much different level…check this out: http://www.youtube.com/watch?v=-XXaqraF7pI&feature=related. I would fast forward to 2 minutes and 40 seconds into the video. The proof of concept is interesting and plausible, but not enough to make me second-guess as I walk by a garbage can in another country.
To the greater security community this is nothing new and alarming, but seeing it first hand, as I mentioned, was priceless. However, we shouldn’t just pick on E-Passports, as they are not the only ones using contactless smart cards. What about credit cards that use contactless smart cards? Stay tuned for more in the RFID Hacking Series.
For those of you that are not familiar with RFID technology, the following is a quick primer:
RFID (radio-frequency identification) tags can be either passive or active. Passive tags have no power of their own and rely on the reader to provide it; active tags contain an onboard power supply. An RFID system is made up of three parts: the RFID tag, the antenna and the RFID reader. Data is stored on the RFID tag, which in the case of E-Passports can consist of Personally Identifiable Information (PII) that can be transmitted freely to the right RFID reader. For further information on RFID technology, check out: http://www.rfid.org/
The above comments are strictly mine and mine only, they in no way reflect the position of my employer, management or any other organization with which I’m associated.
Microsoft to XP customers: Drop Dead.
Along with the rest of yesterday’s Patch Tuesday dump, Microsoft published MS09-048, describing a critical remote-code-execution bug in Windows’ IP stack affecting virtually every release version of Microsoft Windows. 2000, XP, 2003, Vista, and 2008 are all listed in the bulletin as being vulnerable, but what I found interesting was this: patches were released only for 2003, Vista, and 2008.
I’m willing to give Microsoft a pass on their decision to not patch Windows 2000. It’s now ten years old, and has been out of patch support for some time. While there are people that are still forced to run it (typically to support legacy software that won’t run anywhere else), it’s unreasonable to expect Microsoft to keep patching it forever.
On the other hand, XP is also not being patched against this very serious bug. Microsoft’s explanation for why is very simple: the XP firewall blocks that service by default. This is true, except for all those machines that might have an exception configured, or have the firewall turned off, or might actually NEED to have that port exposed.
Furthermore, patches were also turned out for Vista, 2003, and 2008, all operating systems with built-in firewalls that, by default, would have protected them. In other words, the same logic they used to justify their decision to ignore XP also applies to Vista, 2003, and 2008, which did get patches. It’s inconsistent, which makes this decision even more ridiculous.
In case anyone at Microsoft is actually reading this, I’ll point this out for their benefit, and for the benefit of the user community as a whole: roughly 65% of all machines on the Internet are still running XP, and you are giving the people who own those machines the finger with this decision. MS has really, truly made great strides over the past five years or so with regard to security, but this is, quite frankly, a retreat to the lax policies of the bad old days, when Microsoft earned their reputation for indifference when it came to matters of security.
Blaze Bot Update
Not long ago I wrote about the ‘Blaze Bot’, on which, at the time, I believe I may have been one of (if not) the first researchers to comment. Since that writing the bot has been (according to sources in the underground) ‘beta tested’ for quality and effectiveness. What’s interesting to note, however, is that there is another malware author claiming to have authored and released the ‘Blaze Bot’ (sounds kind of familiar, doesn’t it?). As a result this has caused some scoffing and gaffing in the underground, and just as I touched on in an earlier post on brand relevance and importance in the underground, authorship is just as important. The reasoning should be quite obvious: authorship is, in a sense, a guarantee of one’s quality, and as such, going back to the point of brand relevance and importance, authorship must certainly be guarded and maintained accordingly. In the graphic below you will see one example of a member of the underground pointing out the false author and his / her attempts to publish sub-par code as though it were the real ‘Blaze Bot’. Enjoy!

In a world where everyone likes to use labels, ours, the world of information security, is certainly no different. Often terms such as black hat, gray hat, and white hat are used to generically describe or assign allegiance to the side with which one allies him or herself. I have no problem with using the designation of black hat or white hat within the appropriate context; however, the gray hat designation can be (and arguably is) troublesome. Why, you might be asking yourself, would I suggest that this is the case? Well, let me begin by using a metaphor. Are you a fan of, or have you ever watched, a film such as The Good, The Bad, and The Ugly? It’s a classic Italian spaghetti western starring three greats of American cinema: Clint Eastwood (The Good), Lee Van Cleef (The Bad), and Eli Wallach (The Ugly). I highly recommend it to anyone and everyone.
The basic plot takes place during the American Civil War and sees a bandit, Tuco (The Ugly), on the run from bounty hunters and looking for freedom. He’s clearly ‘gray’ in this film, though like most ‘grays’ his leanings tend more towards ‘black’ than ‘white’. Enter Angel Eyes (The Bad), a bounty hunter who by right and reputation is the ‘black’ in this film. He is a known mercenary and bounty hunter who is after Confederate gold and any bounty he can collect upon along the way. Tuco eventually runs into more trouble with bounty hunters, who capture him with the intention of collecting the bounty on his head. He is delivered from their hands by “Blondie” (The Good), who in turn hands Tuco over to the authorities, much to Tuco’s dismay and rage. Later, Blondie delivers Tuco from the authorities and splits the bounty money with him; it becomes a cycle they repeat until finally they come to a crossroads which sees them part on unfriendly terms. I won’t spoil the whole film, but if you watch it you see, clearly, how each character segues into his final destination of being either The Good, The Bad, or The Ugly.
What always struck me about this was that it was easy to see who the good guys and bad guys were (like in many of these old westerns), whereas the guys playing both sides towards the end were, at least for a spell, a bit more difficult to spot. However, it becomes clear what their true colors are when both the good and the bad guys, during the process of shooting at each other, also shoot at the guy who plays both sides to the middle. The moral, I think, is that there is no middle in situations such as this. There is only black and white, with gray really being a position that is either one of convenience or a crossroads for those electing to exist in that space. I believe this to be the case in our industry as well. I believe that the same principles of role relevance exist and are appropriate in the world of information security. You’re either The Good (white hat), The Bad (black hat), or The Ugly (gray hat), and decisions with respect to allegiance need to be based on both moral and ethical conviction, in addition to a sense of lawfulness. The reality is that shots are being fired from many sides, and being the guy in gray is a doubly dangerous place to be.
PCI DSS: Sisyphean Task?
PCI DSS compliance is a Sisyphean task. I believe this wholeheartedly. Though well intentioned, I feel it is just as challenging as the price paid by Sisyphus for his transgressions against the gods. The myths tell us that Sisyphus was a rather nasty bloke. He was a king who believed he was above the laws of men and gods, and was condemned by Zeus for his trickery to be chained in Tartarus by Thanatos (Death personified) for all eternity. Sisyphus, being the crafty fellow that he was, asked Thanatos to demonstrate how the chains worked and subsequently chained Thanatos himself, thusly disrupting the natural cycle of life and death. This deceit led to Ares’ eventual intervention, which led to Sisyphus’ final destination. It is in honor of Sisyphus’ punishment that we in the modern world refer to tasks that are seemingly insurmountable as being of a Sisyphean bent.
I want to be clear that I am not suggesting those who are tasked with meeting PCI DSS compliance have earned that fate by virtue of their wickedness, as Sisyphus earned his, but that like Sisyphus, the net result is often an uphill battle that never culminates in victory. It seems that the nature of the PCI DSS standard, and the interpretive flexibility given to the QSAs and ASVs responsible for conducting both audits and assessments, result in some cases in Sisyphean ends. Regulatory compliance (and this is not solely reserved for PCI DSS) has somehow become equivalent with being secure; the two couldn’t be further from the truth. My good friend and former co-worker, Josh Corman, is fond of quipping that the PCI DSS standard has become the information security space’s equivalent of ‘No Child Left Behind’; in other words, a demonstration of too little, too late. I tend to believe that there is nobility in desiring to address the weaknesses which place so many (and so much) at risk; however, we cannot afford to ignore the lessons learned from Sisyphus’ struggle up the mountain. A great deal of time, toil, and effort (let’s not forget exertion and pain) are required to get the boulder (or in this case the audit criteria, artifacts, interviews, etc.) up the hill, only to see it teeter and begin rolling back down. But had the work been done to begin with, would the boulder ever have met the foot of the hill? The myth of Sisyphus offers many lessons in morality. One which stands out in my mind is that actions have consequences and results may vary.