Hacking = Innovation

I didn't really expect my rant to make it to security.nl today. It's funny to see that the term is almost as religiously debated as the choice of favorite linux distro.

I never said that we couldn't use the term hacker in more meaning then the original one, but we should also explain the other (positive) meanings from time to time. Which was my purpose and goal.

My problem is the use of the word hacker, just to grab attention and get more hits to the news article. Even if it barely fits the case of a cybercriminal. That was my real issue.

But I give journalists credit for sometimes writing good articles without hyping the word hacker. This week there was this NYT article on a study done on US powergrid vulnerabilities. Ok, they used the term "cyberwarrior" but maybe only once. And wired.com did a great piece on hackerspaces before. So it isn't all bad all the time.

Now some people said that it should be generally accepted that it means a criminal and I don't completely agree. Just have a look at wikipedia: http://en.wikipedia.org/wiki/Hacker

======================

Innovation

• Hacker (computing), a contentious term used for several types of person:
  • Hacker (computer security) or cracker, who accesses a computer system by circumventing its security system
  • Hacker (programmer subculture), who shares an anti-authoritarian approach to software development now associated with the free software movement
  • Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment

Analogous meanings in other fields are:

• Media hacker, innovative user of digital media
• Wetware hacker, who experiments with biological materials
• Reality hacking, activism through legally dubious disruption of digital media

======================
Yes, you can scold me for using wikipedia. But besides the many meaning of this word mentioned here, was the category that they belong to!!! INNOVATION!! And not just the old "meaning" of taking things apart. Hacking = innovation. And I hope we can communicate this as counterbalance to some of the press out there.

Have a look at this BruCON presentation by Astera on Hackerspaces and make up your mind.

Building Hackerspaces Everywhere - Astera - BruCON 2009 from security4all on Vimeo.

Three strike law threatening Belgium and "The Internet is freedom"

I saw this Datanews article (Dutch) that a Senator has proposed a three strike law for copyright protection in Belgium. I hoped that this insanity would stay in the UK and France but it seems it has come to Belgium as well. Spying on citizens and disconnecting them from the internet is not the way!!

As the internet has become a central part of our lives, it's becoming a basic right and need like electricity and water. And every person has the right to have it. You can't regulate a market that refuses to innovate and protect their "dying way". Labeling our children as pirates or terrorists is not the way to solve this issue.

Just last week, the copyright watchdog SABAM in Belgium was accused of not paying 200 million euro (zita) due fees back to artists. Yet, "pirates" are accused of causing all the issues.

I hope that everyone involved in this discussion takes 30 minutes to look at this presentation of Lawrence Lessig below that he gave before the Italian parliament. He explains it better then I ever could. Have a look! Take the time!

Blog and tweet about this. Engage others and write to your elected politicians. Don't sit idle!
--

The media spinwheel on the word Hacker. My rant of the day.

Hacker Disables More Than 100 Cars Remotely (wired.com). This story circulated a lot on different websites and on Twitter today and is the reason for this rant.

Normally I have high regards for wired.com for the articles they write, including the series they did on hackerspaces. But with this article, they really disappointed me. I'm used that the main media makes this mistake but not Wired.

How would you define an ex-employee, guessing or stealing a former co-worker's password to access the system and screwing with it out of revenge? A cybercriminal? A hacker?

Wrong and wrong. It's an insider threat! He really must had mad 1337 skills to pull this one off!

I know that the word hacker is a confusing term meaning a lot of different things to different people, including the media's insistent wish to use it to describe cybercriminals. (Hint: use a dictionary).
But this all leads to so many misunderstanding. Hardware hacker, blackhat hackers, whitehat hackers, greyhat hackers, software hackers, kernel hackers, lifehackers, script kiddies, etc etc.... there are so many different dimensions to the word hacker that it leaves the average outsider confused.

But I have to be honest, I sometimes catch even myself using the word hacker in the context of 'cybercriminal'. Even if I know better, it's a bad habit. I often try to correct myself and others but it's an uphill battle. Let's use more specific terms!

But a lot of the above variations have a common element: taking things apart and learning how they work and improve on them. It's this sharing and curiosity of how things work that is at the core of the original meaning of 'hacking' and involve non-computer related domains as well.

I'm a big supporter of the rise of the current flood of hackerspaces around the world and also in Belgium. As these spaces embody the original meaning of hacking and enables users to learn and share knowledge. Sometimes compared to Do-it-yourself labs or workplaces (wired.com).

Frank Rieger, part of the Chaos Computer Club couldn't have said it better in this BBC article today:

For CCC member Frank Rieger, the word hacking - the process of reconfiguring or reprogramming a system to do things that its inventor never intended - needs to be reclaimed, and stripped of negative connotations.

...

"We are trying to show people the beauty of technology, and how exciting it can be to find out new stuff and then do good things with that," he says. (Source: BBC news)

Emphasis added by me. So is it time to educate the media and others to reclaim the word hacker for what it really means? It might be!

I have no special talent, I am only passionately curious -- Albert Einstein

Related posts:

• Hackerspace Ghent (Whitespace or 0x20) will have their Open weekend on 19 - 21 March
• Hackerspace Antwerp in bootstrap mode
• The date for the Hackerspace Antwerp Startup Meeting
• Discussing about Hackerspace Antwerp
• What is a hackerspace?
• What does a hackerspace look like? And the next Hackerspace Brussels meetup.

International day against censorship

I saw some messages floating around on twitter that today was The Internation Day against Censorship. It's the first time I heard about this. So I'm helping a bit by mentioning Wikileaks again. Don't know what it is? Look at this short video from the BBC:


-

The Sunshine Press (WikiLeaks) is an non-profit organization funded by human rights campaigners, investigative journalists, technologists and the general public. Through your support we have exposed significant injustice around the world— successfully fighting off over 100 legal attacks in the process. Although our work produces reforms daily and is the recipient of numerous prestigious awards, including the 2008 Index on Censorship-Economist Freedom of Expression Award as well as the 2009 Amnesty International New Media Award, these accolades do not pay the bills. Nor can we accept government or corporate funding and maintain our absolute integrity. It is your strong support alone that preserves our continued independence and strength. (source: wikileaks)

They still need donations to keep running! Help them. Happy anti-censorshipday!

Related posts:

• Ways to bypass the Big Belgian firewall
• Automated Social Networking Surveillance Systems
• According to Child Support groups, Net filtering is a waste of money
• Big Brother 2009: Has the rebellion started?
• Police hacking laws moving from Germany to the rest of Europe. Do as I say, not as I do.

(Photo under creative commons from Akbar Simonse (away for one more week)'s photostream)

Internet-able touchscreens for Belgian Hospitalbeds: a dataloss incident waiting to happen?

I was reading this datanews article about this hospital in Leuven wanting to place touchscreen terminals next to each bed.

Medical personnel can consult the patient's medical dossier and other medical information. But these terminals can also be used by patients to surf and check their email. While a great service and idea, it's a security incident waiting to happen.

They do talk about making the system redundant. But there is no mention of security or potential dataloss. Maybe the journalist just forgot to mention/ask it? It might be securely implemented so that the medical information stays confidential. Let's give them the benefit of the doubt. But some researchers have shown that internet kiosk software is not always that securely designed. Meaning that a "jail" or isolated environment to surf with, is not that easy to implement.

So I'm hoping that they will test this and that the pentester or developer will have a look at iKAT, the internet kiosk attack tool. A really cool tool created by Paul Craig, a security researcher from New Zealand.

He gave a presentation about kiosk security and iKAT at BruCON. You can watch the video below.

Rage Against The Kiosk - Paul Craig - BruCON 2009 from security4all on Vimeo.

IE6 & IE7 zero day published in Microsoft Security Advisory 981374

Another 0-day in Internet Explorer is being exploited as reported by Microsoft in Security Advisory 981374 yesterday. IE versions 6 and 7 are affected and according to reports, it's only being used in targeted attacks. Which makes it even more dangerous if you are a potential target since IDS and AV signatures might not be available at this point.

No patch is available. User are recommended to upgrade to IE8 or use alternative browsers like Firefox with an add-on that blocks script by default like Noscript. Allowing Flash and Java by default nowadays is not a safe practice anymore.

Related posts:

• Some great whitepapers on the Aurora attacks
• ISPs in trouble, DDoS and Targeted Attacks
• ISACA Event: The changing threat: Targeted Attacks
• Office Word 2002 SP3 Zero day revealed
• United Tax Spearphishing attack and a little Belgian twist
• CEOs of large companies targeted in new whaling wave
• This is how good the targeted attacks are getting
• Which non-executables files are targeted the most?
• Security.nl, Maarten, social engineering and targeted attacks
• Social engineering put to the test. How would your employee score?
• Social engineering pentesting against your employees
• Do we need user education?
• Spear Phishing and Whaling

Some great whitepapers on the Aurora attacks

While the Aurora attacks were a good user awareness situation, it has become a lot of hype and three letter acronyms about something that has been happening for a longer period of time.

A few whitepapers have appeared that give us some juicy details about the dropper and backdoor and domain names used in the attacks. As well as the information they were after. Although ending with some vendor pitches, some are interesting read.

1. The first one is a report from HBGary which you can download here. It contains some good technical information about the dropper and malware used.

2. Then there is this McAfee whitepaper which has a lot more marketing fluff and more suited for CISA/Auditors (personal information will be asked for downloading but is not verified). A few good points but less technical details. It's mainly about the SCM they targeted.

Specifically, we have concluded that, in several cases, the attackers executed precision strikes to gain access to source code configuration management systems (SCMs) at targeted companies. SCMs are used by software engineers to manage their projects and are used to store source code, the crown jewels of any tech company.

In our analysis of the attacks we found that the perpetrators went through several hoops to ultimately compromise the systems of the SCM users at the targeted organizations. This means that the attackers now had access to the SCM system and could siphon out source code or, worse, modify and add code. (Source: McAfee)

Link to whitepaper.

It might also be worth mentioning that there is a LinkedIN group where articles and information about Aurora is being shared.

Related posts:

• ISPs in trouble, DDoS and Targeted Attacks
• ISACA Event: The changing threat: Targeted Attacks
• Office Word 2002 SP3 Zero day revealed
• United Tax Spearphishing attack and a little Belgian twist
• CEOs of large companies targeted in new whaling wave
• This is how good the targeted attacks are getting
• Which non-executables files are targeted the most?
• Security.nl, Maarten, social engineering and targeted attacks
• Social engineering put to the test. How would your employee score?
• Social engineering pentesting against your employees
• Do we need user education?
• Spear Phishing and Whaling

Time to step up your Acrobat Reader patching. Attacks are on the rise.

If you haven't patched the latest Acrobat Reader from two weeks ago, it might be time to step up the pace. If you look at this blogpost from F-secure, you'll see that the PDF format has become the choice for targeted attacks. Within the security community, it's being nicknamed Penetration Document Format.

Because we're now seeing the vulnerability (CVE-2010-0188) being exploited in targeted attacks (Microsoft also).

Our sample was submitted by a European financial organization and the file name includes a reference to the G20. The exploit drops a downloader and attempts to make a connection to tiantian.ninth.biz. We detect this attack as Exploit:W32/PDFExploit.G. (source: fsecure)

If patches/upgrades are not possible, think about using the usual workaround like disabling javascript or installing alternative clients.

PDFs can easily be used for info stealing purposed that evades AV, HIDS, etc... the victim doesn't event have to have admin privileges. Have a look at this explanation from security expert Didier Stevens on how such an attack is performed. Didier has written numerous analyses of PDF malware in the past and is a known researcher in this field.

On a small side note, Didier is going to give a malware analysis workshop at the BruCON conference. This is the occasion to learn some PDF malware analysis techniques from him!!

Related posts:

• 0-Day in Adobe Flash, also executable from Acrobat Reader (updated)
• Adobe pushes out fix for Reader and Acrobat zero-day, one day ahead of schedule.
• The sweet irony: Foxit PDF reader releases JBIG2 security patch
• PDF Exploit PoC without any user interaction
• Acrobat reader exploit works without opening pdf
• PDF attacks are becoming more widespread using ads
• Acrobat Reader exploits in the wild (updated)

(Photo under creative commons from Ludmila Tavares' photostream)

Hackerspace Ghent (Whitespace or 0x20) will have their Open weekend on 19 - 21 March

I was happy to see that a second Hackerspace was starting in Belgium after the one in Brussels. And now after finding a location, they are ready to open their doors.

More info at
http://hsg.bn2vs.com/Opening_Weekend

There will be presentations or workshops on topics like openWRT and IPv6. Let's not forget the opening drink (pssttt, they have Club Mate). Since it's a complete weekend, you don't have any excuse and have to drop by!!!

Related posts:

• Hackerspace Antwerp in bootstrap mode
• The date for the Hackerspace Antwerp Startup Meeting
• Discussing about Hackerspace Antwerp
• What is a hackerspace?
• What does a hackerspace look like? And the next Hackerspace Brussels meetup.

(Photo under creative commons from Laughing Squid's photostream)

The Icelandic Modern Media Initiative addresses the key issues for free expression in the digital age

The goal of the IMMI proposal is to task the government with finding ways to strengthen freedom of expression around world and in Iceland, as well as providing strong protections for sources and whistleblowers. To this end the legal environment should be explored in such a way that the goals can be defined, and changes to law or new law proposals can be prepared. The legal environments of other countries should be considered, with the purpose of assembling the best laws to make Iceland a leader of freedoms of expression and information. We also feel it is high time to establish the first Icelandic international prize: The Icelandic Freedom of Expression Award.

More info can be found on http://immi.is/

Have a look at this video. It's interesting to see what Wikileaks has inspired and this could mean a lot to free expression in the digital age and a good step towards fighting censorship.

Related posts:

• Ways to bypass the Big Belgian firewall
• Automated Social Networking Surveillance Systems
• According to Child Support groups, Net filtering is a waste of money
• Big Brother 2009: Has the rebellion started?
• Police hacking laws moving from Germany to the rest of Europe. Do as I say, not as I do.
• Privacy matters: A movie by XS4ALL to raise user awareness to data surveillance