Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Category Archives: Technology

EU legislation – Digging below the FUD line

Yesterday I started to see some chatter on Twitter about new/updated EU legislation dealing with “cyber” attacks. Before I dig into some of the quoted content and some of the details I’d like to make it clear that I’m not a lawyer, I didn’t stay at a Holiday Inn last night, and I’m probably not smart enough to really understand how politicians think… also, as with everything in legal terms, there’s a whole other area of how people interpret these legislations. So, take what’s said here as a personal opinion!

The initial link I saw posted on Twitter (care of my good friend @wimremes) was to a new article on the European Parliament News site (article can be found HERE). I clicked through to see what all the fuss was about and was greeted with the FUD-ridden headline of:

Hacking IT systems to become a criminal offence

OMG, the sky is falling! Despite the fact that in most EU countries “hacking”, in the sense of illegally gaining entry to IT systems, has been a crime for a long time already! Moving past the large print, the thing that really seemed to be rattling people was the explicit legislation surrounding “hacking” tools.

The news article goes on to state:

Possessing or distributing hacking software and tools would also be an offence

and then further on gives a small paragraph detailing things:

Cyber-attack tools

The proposal also targets tools used to commit offences: the production or sale of devices such as computer programs designed for cyber-attacks, or which find a computer password by which an information system can be accessed, would constitute criminal offences.

Those reading this article without further context would have little choice but to think back to the poor decisions made in Germany (see 202(c)) that resulted in many security researchers upping sticks and moving out. The news article makes it very clear that “hacking” tools are seen as the problem, and anybody in possession of them is a criminal…

Digging deeper

Call me a cynic, but I’m not one to trust journalists much, at least without reason… so I dug a little deeper.

The new EU Legislation discussed in the news article is based on a draft report by Monika Hohlmeier originally written back in November 2011. For those that want to get the details, you can read a copy of the draft report HERE.

This version of the draft report includes not only the proposed amendments, but also justifications. So, let's have a quick search and see where the news article got its content.

Searching on the word “tools” provides only 5 results… none of which seem to state that writing or possessing them is a crime.

Searching on the word “possession” however brings up some interesting information (Amendment 22).

The text on the left-hand side is the original text proposed by the Commission, and includes a clause for possession. As you can see from the amendment voted on and accepted this week, the word “possession” has been completely removed, and the wording slightly altered to change “for the purpose of committing any offences” to “for the clear purpose of committing any offences”.

The justification given in the amendment makes it plain that the goal of this legislation is not to target people working in security, but malicious attackers!

Justification

Given the possibility to use programmes in dual forms, i.e. for legal as well as criminal
purposes, the possession of a tool should as such not be punishable. In addition, the purpose
of the actions described in this article should only be punishable when it is clearly aimed at
committing an offence.

There are a number of clarifications present in these amendments that I think help to make the legislation clearer and more targeted towards criminal usage, without infringing on the InfoSec community. I won't cover all the changes here, but if you're interested I suggest reading through the 26-page draft report HERE.

So, where's the problem? Well, this draft report seemingly never made it through… instead it was once again amended, and replaced in January this year by a draft report (PDF) that takes these changes and deletes them.

Initially I thought this deletion was to remove the amendment, but instead the justification makes it clear that the deletion was meant to remove this section from the EU legislation completely! As I said, I'm no expert on these things ;)

Justification
So-called ‘hacker tools’ are inherently dual-use, and they are crucially needed for security
testing. If we want to have the whistleblower protection, we also have to legalise their
possession and distribution. Passwords and access codes should not be regarded as hacker
tools. If they get lost, the operator should immediately improve his security measures and set
up new passwords, just as people do when they lose their keys

It’s nice to see that at least somebody understands that security testing is important, and that outlawing tools isn’t the way to go!

End-Game

Despite there being some good amendments suggested, ones that not only help clear up any misconceptions, but also help to clarify the use and possession of “hacking” tools… these clear-minded and well-reasoned amendments didn't seem to make it into the final document delivered to the 2010 committee proposal (PDF). I can't seem to find anywhere that explains which were accepted and which were denied!

This final version of the 2010 committee proposal includes the following in regards to the possession, creation and distribution of “hacking” tools.

General Context

….  Developments in information technology have exacerbated these problems by making it easier to produce and distribute tools (‘malware’ and ‘botnets’), while offering offenders anonymity and dispersing responsibility across jurisdictions…

At least they make a clear distinction here that they use “tools” as a shortcut for “malware” and “botnets”. Still, this is where the good news seems to end!

Summary of the proposed action

A: Penalises the production, sale, procurement for use, import, distribution or otherwise making available of devices/tools used for committing the offence

…this Directive shall refer to ’tools’ that can be used in order to commit the crimes listed in this Directive. Tools refer to, for example, malicious software, including botnets, used to commit cyber attacks.

So it seems that “hacking” tools aren’t welcome, at least in the original committee proposal. The text describing what those tools are is open to interpretation and as a result could easily be applied to people producing anything from scanners through to example exploit code for penetration testing and vulnerability analysis purposes. As with everything, it’s not set in stone until somebody takes it to court and defines it!

Article 7
Tools used for committing offences

Member States shall take the necessary measures to ensure that the production, sale, procurement for use, import, possession, distribution or otherwise making available of the following is punishable as a criminal offence when committed intentionally and without right for the purpose of committing any of the offences referred to in Articles 3 to 6:

(a) a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences referred to in Articles 3 to 6;

(b) a computer password, access code, or similar data by which the whole or any part of an information system is capable of being accessed.

The only saving grace here is the inclusion of the phrase “when committed intentionally and without right for the purpose of committing”. This still doesn’t save things from being a total car wreck however.

Conclusion

I started this write-up based on the amendments I saw from Monika Hohlmeier in the belief that things had been altered for the better… however, after taking time to dig through the various proposals and amendments, and finally reviewing all the available documentation, it's unclear what changes will be made. Without a clear list of amendments that were accepted, and those that were either withdrawn or denied, it's very hard to tell where this is heading.

I'll fall short of saying what I really think… but the future doesn't look good if the only people offering sane advice are ignored in favour of such poorly thought out legislation. Is there anywhere left where you can ply your honest trade anymore? Hopefully these proposals will become clearer once documentation is released.

Hopefully somebody with a little more legal background will take a look at this and post their opinions. Until then, I hope people keep doing what they’re doing. Without sharing of tools, techniques and knowledge, we’ve already lost!

Update: I’ve also posted some follow up comments/thoughts HERE

Update 2: A commenter has drawn my attention to a flaw in my review. I’ve attempted to rework some of the thought and information to reflect this flaw… apologies for any confusion. I’ve sent an email to Monika Hohlmeier requesting further information on what was and was not accepted. Hopefully this will clear up some confusion.

Links:

  • Hacking IT Systems to become a criminal offence (Europarl article)
  • Draft Report / Amendments –  Monika Hohlmeier (PDF)
  • Draft Report / Amendments –  34 – 128 (PDF)
  • Final commission proposal 2010  – Attacks against information systems (PDF)
  • Draft Agenda of the LIBE Meeting of 26-27 March 2012 (PDF)
  • Meeting notes and links LIBE Meeting (Europarl site)
  • Monika Hohlmeier (MEP Information Page)
  • Jan Philipp Albrecht (MEP Information Page)

Commandline Kung-fu – Solution

So yesterday, in a fit of Winrage I posted a cry for help… (see original Commandline Kung-fu needed! Apply within).

The basics of it were, I needed to resolve a group SID to its name and then use it in a later command. Simple you'd think, but not so! The resolution is simple using wmic, but the way it's returned and the limitations of Windows command-line tools really started to be a pain.

Once you add in the limitation that it had to be a one-liner and not a script, you really started to have issues. You couldn't set a variable or use substring, as once you set an environment variable it didn't seem to be available until the one-liner had finished and Windows had refreshed the env list… and that was just the start of the hair pulling (not that I have much to pull out anymore).

So, after a bit more playing I realised that one of my earlier solutions might just have worked if I'd set the delimiter right… so, here you have it… a working one-liner to find the local administrators group (no matter what it's called, spaces and all) and add a newly created user to that group.

FOR /F "usebackq tokens=2* skip=1 delims==" %G IN (`wmic group where sid^='S-1-5-32-544' get name /Value`); do FOR /F "usebackq tokens=1 delims==" %X IN (`echo %G`); do net user username password /ADD && net localgroup "%X" username /ADD

Simple you say… well I guess hindsight is 20/20!

Some more useful SID values for testing:

  • S-1-5-32-555 –> Remote Desktop Users
  • S-1-5-32-551 –> Backup Operators
  • S-1-5-32-549 –> Server Operators
  • Well-known security identifiers in Windows operating systems (here)
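As an added example (not the post's own cmd.exe one-liner), here is the same SID to name to `net localgroup` step in Python, standard library only. It handles in plain code the two things that made the batch version painful: the space in names like “Backup Operators”, and the carriage returns wmic leaves at the end of every line (wmic terminates lines with CR CR LF, which is the trailing whitespace the original question mentions). The `runner` parameter, the `canned_runner` helper and the sample wmic output are assumptions made for this example so the parsing can be exercised on a machine without wmic; on Windows the script shells out to the real tools.

```python
"""SID -> local group name -> `net localgroup`, in Python.

Added example, not the original post's cmd.exe one-liner. Standard library
only. The `runner` parameter is an assumption made here so the logic can be
exercised without a Windows box; on Windows it defaults to subprocess.run.
"""
import re
import subprocess
import sys
from types import SimpleNamespace

# Well-known BUILTIN group SIDs from the post. The names shown are the English
# defaults; they differ on localized Windows, which is why we resolve by SID.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Strict SID syntax: the only thing we ever splice into the WQL 'where' clause.
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed sample of what `wmic group where sid='S-1-5-32-551' get name /Value`
# prints: a blank line, the Name= line, then padding, every line ending CR CR LF.
SAMPLE_WMIC_OUTPUT = "\r\r\nName=Backup Operators\r\r\n\r\r\n\r\r\n"


def is_valid_sid(sid: str) -> bool:
    """True only for a well-formed SID string."""
    return SID_RE.fullmatch(sid) is not None


def parse_wmic_value(output: str) -> dict:
    """Parse `wmic ... /Value` output into {field: value}.

    Split on the FIRST '=' only, so values containing '=' or spaces survive,
    and strip the doubled '\\r' that a naive split would leave on every value.
    """
    fields = {}
    for raw in output.split("\n"):
        line = raw.strip("\r")
        if "=" not in line:
            continue  # blank padding lines
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def canned_runner(output: str):
    """Stand-in for subprocess.run that returns `output` as stdout (assumed helper)."""
    def run(argv, **kwargs):
        return SimpleNamespace(args=argv, returncode=0, stdout=output, stderr="")
    return run


def group_name_from_sid(sid: str, runner=subprocess.run) -> str:
    """Resolve a local group SID to its (possibly localized) name via wmic."""
    if not is_valid_sid(sid):
        raise ValueError(f"not a SID: {sid!r}")
    # argv list, no shell: nothing passes through cmd.exe, so no '^' escaping
    # of '=' is needed and a stray '&' in the input cannot start a second command.
    proc = runner(
        ["wmic", "group", "where", f"sid='{sid}'", "get", "name", "/Value"],
        capture_output=True, text=True, check=True,
    )
    name = parse_wmic_value(proc.stdout).get("Name", "")
    if not name:
        raise LookupError(f"no local group with SID {sid}")
    return name


def add_user_to_group(sid: str, user: str, password: str, runner=subprocess.run) -> str:
    """Create `user` and add it to the group identified by `sid`; return the group name.

    The password still travels on a command line, exactly as in the one-liner,
    so it is visible in process listings and to any command-line auditing.
    """
    name = group_name_from_sid(sid, runner)
    runner(["net", "user", user, password, "/ADD"], check=True)
    # The name is a single argv element, so "Backup Operators" needs no manual quoting.
    runner(["net", "localgroup", name, user, "/ADD"], check=True)
    return name


if __name__ == "__main__":
    sid = sys.argv[1] if len(sys.argv) > 1 else "S-1-5-32-551"
    runner = subprocess.run if sys.platform == "win32" else canned_runner(SAMPLE_WMIC_OUTPUT)
    print(f"{sid} -> {group_name_from_sid(sid, runner)!r}")
```

Run it with a SID as the only argument; off Windows it resolves against the constructed sample so the parsing path can be checked anywhere. Note that wmic has been deprecated on recent Windows releases, so on a current box the same lookup is better done with the SecurityIdentifier.Translate method in PowerShell, which was ruled out by the original post's constraints.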

{Quick Post} Commandline Kung-fu needed! Apply within

Edit:

After some more playing, and some headache tablets, it seems I've found a solution (or should I say, found the bug in a solution I thought didn't work)… I won't post a spoiler just yet in case people are playing… but I will post the answer I found tomorrow once I have time!

In the meantime happy hunting…. and remember, Windows sucks sometimes!

—- —- —-

So, I’ve been fighting with the following command for a while and can’t quite get it working (due to whitespace or linefeeds at the end of the string). So I’m putting it out there and asking for help!

Goals:

Create a single Windows command-line (not a script) that runs on all modern versions of Windows (no PowerShell here) that resolves a localgroup name from its SID, and feeds this group name (including any spaces!) into a “net localgroup” command… It seems easy, but due to the spaces present in some group names, it's a bit tricky to solve without using some mystical command-line kung-fu that I certainly don't seem to possess!

Example (not working):

For /F "usebackq Tokens=1* Delims==" %I In (`wmic group where sid^='S-1-5-32-551' get name /Value ^| Find "="`); do net user username password /ADD && net localgroup %J username /ADD

The above example uses the SID for “Backup Operators” as it contains a space… which meets the criteria! It also fails…

Example (working for group names w/o spaces only):

FOR /F "usebackq skip=1" %g IN (`wmic group where sid^='S-1-5-32-544' get name`); do net user username password /ADD && net localgroup %g username /ADD

This example works for group names like “administrators”, but if you alter the SID to S-1-5-32-551 then it will only take “backup” from the “backup operators” group name and therefore fail. It's simple enough to fix if you know beforehand that the group has a space, but that's not the point… we don't know for all cases.

Anybody got the smarts to solve this? I hate batch scripting!!!

Rewriting Tumblr RSS feeds

After the demise of Google Reader's sharing function (thanks for that, Google), a lot of people in (and out of) the InfoSec community searched about for a suitable replacement, without much joy. As a stop-gap solution I moved over to Tumblr (feed.c22.cc) and started using it to share interesting things through an RSS feed and have that reposted to Twitter (see my [SuggestedReading] tweets). This seemed to work as well as any solution, but there was one nagging issue that kept bugging me. When you clicked on a [SuggestedReading] link posted to Twitter you were redirected to Tumblr, and given the real link to click to see the story. A small issue, but something that bugged me, and bugged people using those links as well…

Feed from Tumblr (example entry):

<item>
<title>
Oatmeal: I tried to watch Game of Thrones and this is what happened
</title>
<description>
<a href="http://theoatmeal.com/comics/game_of_thrones">Oatmeal: I tried to watch Game of Thrones and this is what happened</a>: <p>… and THIS is why people pirate shit!</p>
</description>
<link>http://feed.c22.cc/post/18002558690</link>
<guid>http://feed.c22.cc/post/18002558690</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>

As you can see, the link tags point to posts on feed.c22.cc (the Tumblr blog)… and not directly to the end URL.

So, in a moment of frustration I sat down and wrote some PHP code to rewrite the RSS feed. It's not well written, and it's not perfect (in fact I struggled a bit with some UTF-8 encoding issues, which I HOPE are now fixed). In the spirit of sharing, I've uploaded the source in case anybody with the same issue wants to host their own script to perform rewriting.

Rewritten feed (example entry):

<item>
<title>
Oatmeal: I tried to watch Game of Thrones and this is what happened
</title>
<description>
<a href="http://theoatmeal.com/comics/game_of_thrones">Oatmeal: I tried to watch Game of Thrones and this is what happened</a>: <p>… and THIS is why people pirate shit!</p>
</description>
<link>http://theoatmeal.com/comics/game_of_thrones</link>
<guid>http://theoatmeal.com/comics/game_of_thrones</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>

The rewriting process is called each time the PHP file is requested, but this can easily be scheduled and output to a file if you need.

Process:

  • Feedburner calls rssRwrite.php (self hosted)
  • rssRwrite reads in the Tumblr RSS
  • Entries are extracted from this RSS
  • A new RSS is created (with required changes to the link)
  • This new (rewritten) RSS is returned to Feedburner
  • Feedburner does its thing!

Personally I set up Feedburner to access the rewrite PHP link and republish (and share out) the content as required. This step is up to you, but to reduce load on the rewrite script this seemed like the best trade-off, and I use Feedburner for sharing things anyway. It's a bit of a tangled web, but one that seems to work for now!
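The rewrite step described above (read the Tumblr feed, pull the real URL out of each entry, emit a new feed with the link changed), as an added example in Python that is not the author's rssRwrite.php. It uses only the standard library, and the sample feed embedded in it is constructed for the example from the Game of Thrones entry shown above plus two edge cases. It also adds one check a practitioner would want: only http(s) hrefs are promoted into <link>/<guid>, so an entry whose first anchor is a javascript: or data: URL keeps its Tumblr permalink instead of having that URL published as the item's link.

```python
"""Rewrite a Tumblr link-post feed so <link>/<guid> point at the shared URL.

Added example, not the author's rssRwrite.php. Standard library only; the
sample feed below is constructed for this example.
"""
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Only real web URLs are promoted into an item's permalink.
ALLOWED_SCHEMES = {"http", "https"}
HREF_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample: the entry from the post plus two edge cases (no link at
# all; a first link that is not a web URL). Real feeds carry the description
# HTML entity-escaped, as here, so the markup arrives as text after parsing.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>feed.c22.cc</title><link>http://feed.c22.cc/</link><description>shared links</description>
<item>
<title>Oatmeal: I tried to watch Game of Thrones and this is what happened</title>
<description>&lt;a href="http://theoatmeal.com/comics/game_of_thrones"&gt;Oatmeal: I tried to watch Game of Thrones and this is what happened&lt;/a&gt;: &lt;p&gt;... and THIS is why people pirate shit!&lt;/p&gt;</description>
<link>http://feed.c22.cc/post/18002558690</link>
<guid>http://feed.c22.cc/post/18002558690</guid>
<pubDate>Tue, 21 Feb 2012 03:19:37 -0500</pubDate>
</item>
<item>
<title>A text post with no link</title>
<description>just words, nothing to rewrite</description>
<link>http://feed.c22.cc/post/1</link><guid>http://feed.c22.cc/post/1</guid>
</item>
<item>
<title>A post whose first link is not a web URL</title>
<description>&lt;a href="javascript:alert(1)"&gt;click&lt;/a&gt;</description>
<link>http://feed.c22.cc/post/2</link><guid>http://feed.c22.cc/post/2</guid>
</item>
</channel></rss>"""


def description_html(item):
    """Return an item's description as one HTML string.

    Escaped markup sits in .text; if a feed embeds raw tags instead,
    ElementTree parses them as children, so serialize those back as well.
    """
    el = item.find("description")
    if el is None:
        return ""
    parts = [el.text or ""]
    parts.extend(ET.tostring(child, encoding="unicode") for child in el)
    return "".join(parts)


def first_link(description):
    """First href in the description if it is an http(s) URL, else None."""
    m = HREF_RE.search(description or "")
    if m is None:
        return None
    url = html.unescape(m.group(1)).strip()
    if urlsplit(url).scheme.lower() not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, relative paths etc. are not promoted
    return url


def rewrite_feed(xml_text):
    """Return (rewritten feed XML as a string, number of items changed)."""
    root = ET.fromstring(xml_text)
    changed = 0
    for item in list(root.iter("item")):
        target = first_link(description_html(item))
        if target is None:
            continue  # leave the Tumblr permalink in place
        for tag in ("link", "guid"):
            el = item.find(tag)
            if el is None:
                el = ET.SubElement(item, tag)
            el.text = target
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def item_links(xml_text):
    """(title, link, guid) for every item of a feed, in document order."""
    root = ET.fromstring(xml_text)
    return [(i.findtext("title"), i.findtext("link"), i.findtext("guid"))
            for i in root.iter("item")]


if __name__ == "__main__":
    rewritten, n = rewrite_feed(SAMPLE_FEED)
    print(f"{n} item(s) rewritten")
    for title, link, guid in item_links(rewritten):
        print(f"{title}\n  link: {link}\n  guid: {guid}")
```

When hosting this behind Feedburner as the post describes, prepend an XML declaration to the returned string (ElementTree's tostring omits it) and keep the Tumblr feed URL hard-coded in the script rather than taken from the request, so the rewriter cannot be pointed at arbitrary hosts.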

Hope you enjoy… and please, no laughing at my bad PHP code ;) comments are, as always, welcomed!

Update:

@mubix pointed me to Yahoo Pipes as an easier alternative to achieve the same kind of rewrite… You can check out the solution he suggested HERE. I hadn't really looked much at Yahoo Pipes, and TBH, thought it had been discontinued as the Yahoo empire began sinking into the sand from whence it came. Good to see it's not only still available, but actually one of the few Yahoo resources that is actually useful ;)

Links:

  • rssRwrite PHP source –> HERE