Apparently Oracle are not known for timely fixes so hopefully in this
instance they will make a special exception and expedite the patching
process. This exploit is both potent and widely known about, which is a
recipe for chaos if it is left unchecked.
“100% Secure” is a term that you might think had gone out of fashion, but strangely there are still plenty of people out there who are willing to make this extraordinarily bold claim about their systems. In this day and age, claiming to be 100% secure on the Internet is a bit like telling a scientist or an engineer that you’ve built a machine that is 100% efficient. At the very least it’s going to be met with skepticism and at worst with derision.
Shopping sites seem to be among the worst culprits for making this claim, and it’s probably reasonable to assume that this is motivated by a need to reassure the customer. The problem is that no matter how many soothing claims a website may make, they do not guarantee that it is genuine or secure. Very often the use of SSL (Secure Sockets Layer) is the justification for why they are absolutely secure, but SSL does not provide complete security. It simply secures the communication channel between the client and the server with cryptography. This provides significant protection against man-in-the-middle attacks, a situation in which an attacker has seized control of a routing device between the client and server and can intercept and modify packets of data. When the data in question is transmitted over an unencrypted channel with no safeguards, the attacker is free to intercept sensitive information such as login credentials, or could even manipulate the client’s session to perform unauthorised actions.
While it is very important to protect against this type of thing, it is by no means the only threat to a website’s security. There are a whole host of other attacks which are much simpler to perform and that can have a far greater impact. I will not go into any great detail about these, but some of the main classes of web attack are:
· Cross-site scripting
· Cross-site request forgery
· SQL injection
· Authentication bypass
· Remote code/command execution
Each of these vulnerability classes comes in many different forms and they can be triggered in a wide variety of ways. Each of them has the potential to undermine the security of multiple users, while some have the potential to undermine the security of every single user on the site. Securing communications between the client and server is a moot point if the server suffers from devastating flaws. An example of this might be that the client’s private data is stored in an unencrypted database on the server and this data can be exfiltrated by means of an SQL injection or by the attacker leveraging remote command execution to initiate a database dump.
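The point above, that an encrypted channel does nothing for a server that builds SQL from user input, as an added example that is not part of the original post. The table, rows and both lookup functions are constructed for illustration; the same input is run through a vulnerable and a parameterised version of the query.

```python
"""Added example (not from the original post): TLS protects bytes in transit,
but a server that splices user input into SQL leaks its whole table anyway.
Everything here (table, rows, the two lookup functions) is constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: customer records stored in plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "4242"),
            ("bob", "bob@example.test", "1881"),
            ("carol", "carol@example.test", "0005"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The server-side flaw: user input is spliced straight into the query
    text.  Whether 'username' arrived over HTTPS is irrelevant here."""
    query = (
        "SELECT username, email, card_last4 FROM customers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    SQL text, so quote characters in the input cannot change the statement."""
    query = "SELECT username, email, card_last4 FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run the same input through both versions and report how many rows
    each one returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "hardened_rows": len(lookup_hardened(conn, username)),
    }


if __name__ == "__main__":
    # A normal request behaves identically in both implementations.
    print(compare("alice"))
    # A tautology in the input turns the vulnerable query into a full table
    # dump, even though it arrived over a perfectly "secure" channel.
    print(compare("' OR '1'='1"))
```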
Just defending against all known technical vulnerabilities is a herculean task, especially on large and complex systems, but even if the main system is immune to all known technical problems there are still other ways it can be attacked. The server hosting a website may not have sufficient physical security, or someone who occupies a trusted position and has access to the system may not really be all that trustworthy. Then of course there are any external dependencies the system may have: we need to consider whether the system automatically updates itself or otherwise depends on other systems, and if so, are they also secure? There is no end of possible attack scenarios and we can even consider more exotic threats: what if someone is willing to take down power supplies to disrupt the system? What if someone tried to launch an armed assault against the data centre in order to get at some juicy data? The problem is that these last two scenarios are possible but they are extremely unlikely. If the risk of an event is low and the measures required to prevent it are expensive then it is difficult to justify spending time and resources on defending against it. So let us consider what it would take to make a system fully secure. Every single scenario will have been taken into account and some quantity of resources will have been expended on reducing the risk of each event to exactly zero. Such a system would be vastly expensive and would most likely have severely degraded usability resulting from all the additional security measures. (Just imagine filling out a CAPTCHA and multiply it by about, oh, let’s say 100.) It should be apparent that such a system requires an unrealistic amount of resources and would rely on its creators and users being completely infallible and absolutely trustworthy. Keeping a system secure is as much a challenge of managing human nature as it is of engineering.
If the system is never going to be totally secure then why spend time and money on security at all? Well, the best we can really hope for is to reduce the risk to acceptable levels and to have a disaster recovery plan in place if something does go terribly wrong. Security is like any other risk, and as with any other risk assessment we need to know at least the following:
· What are the risks?
· How likely are they to occur?
· What is the impact if they do occur?
· How expensive is it to reduce the risk to an acceptable level?
Once we know the answers to these questions we can make an informed choice about where to focus on making improvements. It makes sense to start on items that give the most benefit for the least cost and to keep making more improvements as the resources become available to do them. It would also be wise to periodically revise the list of risks, as the world of security and the internet are very dynamic and new threats can emerge overnight.
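The four questions turned into a ranked spending plan, as an added example that is not part of the original post. The risk register, its likelihoods, impacts and control costs are all constructed figures; the ranking is by expected loss avoided per unit of control cost, which is what "most benefit for the least cost" means in practice.

```python
"""Added example (not from the original post): a minimal risk register that
answers the four questions (risk, likelihood, impact, cost to reduce) and
ranks controls by expected loss avoided per unit spent.  All numbers are
constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float           # probability of the event per year (0..1)
    impact: float               # cost if it occurs, in currency units
    control_cost: float         # one-off cost of the proposed mitigation
    residual_likelihood: float  # probability per year after mitigation

    def expected_loss(self) -> float:
        """Annualised loss before mitigation: likelihood x impact."""
        return self.likelihood * self.impact

    def residual_loss(self) -> float:
        """Annualised loss left after the mitigation is applied."""
        return self.residual_likelihood * self.impact

    def benefit_per_cost(self) -> float:
        """Expected loss avoided per unit spent on the control.  Higher
        means the money buys more risk reduction."""
        avoided = self.expected_loss() - self.residual_loss()
        return avoided / self.control_cost


def prioritise(risks: list, budget: float) -> list:
    """Greedy plan: fund controls in order of benefit per cost until the
    budget is exhausted.  Returns the funded controls' names, in order."""
    ranked = sorted(risks, key=Risk.benefit_per_cost, reverse=True)
    funded, remaining = [], budget
    for risk in ranked:
        if risk.control_cost <= remaining and risk.benefit_per_cost() > 0:
            funded.append(risk.name)
            remaining -= risk.control_cost
    return funded


# Constructed register.  The two "exotic" threats from the text are included:
# possible, but so unlikely and so expensive to control that they rank last.
REGISTER = [
    Risk("SQL injection in order search", 0.6, 500_000, 20_000, 0.05),
    Risk("Unpatched web server", 0.5, 200_000, 5_000, 0.05),
    Risk("Insider misuse of database access", 0.1, 800_000, 40_000, 0.02),
    Risk("Power supply sabotage", 0.01, 300_000, 250_000, 0.001),
    Risk("Armed assault on data centre", 0.0001, 5_000_000, 2_000_000, 0.00001),
]


if __name__ == "__main__":
    for risk in sorted(REGISTER, key=Risk.benefit_per_cost, reverse=True):
        print(f"{risk.name:<40} benefit/cost = {risk.benefit_per_cost():.4f}")
    print("Fund with 70,000:", prioritise(REGISTER, 70_000))
    print("Fund with 30,000:", prioritise(REGISTER, 30_000))
```

Re-running the same plan as likelihoods or costs change is the periodic revision the text recommends: the register is data, so the ranking follows the threat landscape rather than a fixed list.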
I believe that 100% security is
an ideal that we must strive towards within the constraints of the resources
available and without severely impeding the usability of a system. Even though
it may be impossible to reach perfection the very act of trying is what keeps a
system as secure as it possibly can be. The alternative is to complacently believe
that you are always safe while the threat landscape evolves around you; in this
case you become the proverbial boiling frog that sits waiting for the
inevitable disaster and who really wants to do that?
I was recently released from prison following a successful appeal against the severity of my sentence for the hacking of Facebook. I was surprised at just how difficult it has been throughout this process for me to clearly express what happened in a way that fully reflects my intent without pieces of information being missed out or misinterpreted. The truth is that an interview situation or testifying on the stand are both highly anxiety inducing and so my performance under these circumstances is always going to be well below par; I’m sure there are many people who can relate to this.
For the first time in just under a year I am finally in a position to reveal the truth about what happened on my own terms. I now wish to use my right to reply to balance out statements made by certain parties.
I’d like to start with the stuff that I feel is obvious or that just needs to be said out of common decency. I accept full responsibility for what I did; it was my idea and my idea alone to do it, and in truth I did not fully think through all the potential ramifications at the time. Strictly speaking what I did broke the law because at the time and subsequently it was not authorised. I was working under the premise that sometimes it is better to seek forgiveness than to ask permission; it is possible to offer up information and get a company to retroactively authorise actions so that they become legal. This is an approach I have used with some success in the past.
In any case it was my choice to take this risk and I made a bit of a mess out of the project. For whatever it is worth I would like to apologise for allowing the situation to escalate into a full blown investigation and for any distress that my actions caused to certain individuals. While I accept that some cost was caused by what I did, I would still dispute its quoted magnitude.
With the initial pleasantries aside, I now have some slightly more critical views to offer, especially in relation to the following comment that appeared on the Sophos Naked Security website.
I'm not sure why
Sophos refers to this convicted criminal as an "ethical" hacker, but
that headline seems to be
misleading most of the people who are posting here. In fact, there is no evidence of ethical
hacking in this case other than the unsubstantiated claim of the defendant after he got
caught.
The judge rejected that defense because the evidence showed the defendant had
malicious intent, stole another's identity, engaged in extensive and destructive efforts to
remain undiscovered and anonymous, made no effort to contact Facebook with his
discoveries, and even denied involvement when initially questioned. His attempt to claim
he intended responsible disclosure only after faced with criminal action is insulting to
the community of responsible security researchers. Facebook has a really ambitious whitehat
program that not only gives immunity to ethical hackers who practice responsible
disclosure but also rewards them with cash. The company has paid out hundreds of thousands
of dollars to ethical hackers in the last six months alone. You can read about that
program here: https://www.facebook.com/whitehat.
It is disappointing
that Sophos is running an article that reflects an unawareness of the actual facts, suggests
Facebook supports prosecution of whitehat hackers, and doesn’t even reference the Facebook
whitehat program.
Joe Sullivan
Facebook CSO
I find it very unusual that Mr Sullivan appears to have reached the conclusion that I was some sort of horrible person out to harm Facebook. I also feel it was entirely unnecessary for him to engage in a direct personal attack upon me in the public arena while I was locked up in a prison. Many of the things that he states as facts are misleading or just completely untrue, and that has played a significant role in my decision to offer up my side of the story. The pungent smell of bullshit that emanated from his comments was so foul that it’s managed to offend even my usually mild temperament. My exact issues with it are as follows...
[1] I’ll start by tackling the claim that I am malicious. I actually have a neutral to mildly positive view of Facebook and have no motivation whatsoever to harm it. There was no direct evidence of ethical hacking in this case because I was cut off part way through the project and had simply not wasted the effort on writing a report that I would not be able to submit; I will elaborate on this point shortly. There was plenty of strong evidence for the many past occasions where I had found and disclosed vulnerabilities, and while my paid work for Yahoo! was given the most attention, what you may not know is that I have offered up many of my finds unconditionally; I have even turned down offers of rewards after providing information because it was the challenge and the gratification of conquering it that was important. I would have been quite happy to have passed over the eventual report and to have simply got a “thank you” and a pat on the back; I was not out touting for business, although I would have given serious consideration to an offer if one was made.
The prosecution’s claim that my intention was malicious was pure conjecture that, if anything, ran against the evidence about my past conduct and my character. There was no evidence whatsoever to support this statement and in my mind it was an absolute nonsense concocted by the prosecution to bolster what was an already weak case. I sat quietly on bail for 9 months while my life and prospects went nowhere and refused to speak to the media, once again despite offers of payment to do so. It may well have been in my best interests to try to win public support, but I was conscious that what had taken place was commercially sensitive and so I did not go blabbing and gave all the parties pursuing me every opportunity to keep the whole thing quiet and to downplay the severity of the security breach. In fact the first option they were given was that if they would let me off with a caution then I would provide full cooperation and sign a non-disclosure agreement; this would have been a mutually beneficial arrangement but it was rejected. Despite this I still gave my full cooperation and kept quiet. This course of action was not simply motivated out of self preservation, it was out of genuine concern not to cause further damage, but it proved futile as the information was leaked by others anyway. I’m sure that it was an accident, but when the prosecution mentioned “Phabricator” and “intellectual property” in the same breath they inadvertently spilled the beans and revealed that it was the source code that had leaked.
It is also worth mentioning that I had the source code for just over three weeks with absolutely nothing to prevent me from making copies and redistributing it; this was more than enough time to have caused significant damage to Facebook or to find a buyer, if that had ever actually been my intention, but quite clearly it was not. I also do not accept that the risk was significantly increased by my actions: almost nobody knew of the existence of my copy and it was physically detached from the Internet; in many respects it was better secured than the original. So, just in case anyone is unclear at the point I am driving at here, these are not the actions of someone who is being malicious; I would argue quite the opposite.
[2] The second point I’d like to deal with is why I never approached Facebook after I realised they had noticed me. Getting noticed halfway through the process was never part of the plan and I have to admit that I panicked because I knew how bad it looked without sufficient context. I was more than aware of the “security scalps”, a way for security staff to gloat about the various crooks they had helped to nail, and when they are catching paedophiles and the like then I agree that they should be proud of their work. I was also aware of just how cosy their relationship with law enforcement was, and again this is not a bad thing when there is a legitimate public interest at work. The real problem for me was that when I see staff from one company offering to booby trap their system in order to help another company catch a hacker, without being prompted, then I begin to suspect that they have an aggressive policy on hackers and will use their vast repository of information to pursue them mercilessly. I had hoped that this would not be the case with me and that once the initial vulnerability was patched it would not be pursued any further, at which point I could go back and salvage some kind of positive relationship with them, using the additional information I knew to smooth things over. However I was not willing to risk establishing contact whilst they were in seek and destroy mode as this was far too risky, and I saw subtle hints that the situation was not cooling. The name on one of the free domain management accounts I was using was mysteriously changed to “Ryan” and a password reset was initiated; this account could only have been known to investigators and so I attempted to delete that account along with the email associated with it as I now deemed it to be compromised. I did not authorise this attempted access to my account, making the attempted access a highly questionable tactic, although if they had the appropriate authority then I concede it may well have been legal; on the other hand it could have been some of that vigilantism that has been alluded to. It is worth noting that although I still felt pursued and had taken some precautions to fuzz the trail, I didn’t really think that it would escalate all the way, but unfortunately I was mistaken. I still believe that if I had approached Facebook immediately then I would have been “scalped” sooner rather than later.
[3] I did not deny involvement when initially questioned; this is yet another load of poppycock invented to malign my character. What actually happened is that about 5 minutes after being arrested at my home I was asked three questions about my involvement in hacking Facebook; these were loaded questions so that had I provided positive or negative answers then an inference of guilt might have been made immediately. Since I had not yet had the chance to consult with a legal representative I felt it best to answer “no comment” until I could arrange representation. This was not a denial; it was the application of common sense to ensure that I was subjected to a fair process. Once I had consulted with a solicitor I decided to make a full admission of what had taken place. I don’t expect to get crucified for being smart enough to wait on advice from someone who actually knows about law. I recall the prosecution also attempted to use this weightless point against me, with virtually no effect.
[4] I do not think my claim about my intended responsible disclosure is insulting to anyone, especially since I know it to be true, but I suppose I can’t blame people for being sceptical; I would be too. I’ll tell you what I think is insulting: a company that prides itself on following “The Hacker Way” allowing its corporate attack dog to savage someone who did no worse than some of the company’s own founders. It’s not surprising that being a multi-billionaire attracts this dead-eyed breed of soulless sycophant, but it would be unwise to believe that they really subscribe to the company philosophy; in another life their jaws would have been firmly clasped around the jugulars of those that they now call their masters.
[5] I think the white hat bug bounty programme is a very good idea and that schemes like it are a very useful way for companies, especially the big ones, to manage their large attack surfaces. I suspect some people are wondering why I didn’t use it to submit my findings; well, the answer to that is that the bug bounty programme DID NOT EXIST when I was working on my audit, therefore it was not an option that I could take. I am willing to bet that it became a higher priority afterwards though.
Beyond Mr Sullivan’s comments there were a number of other things that I found to be both curious and disturbing. For example, when I surrendered my current passport to the Metropolitan police I was under the impression it was solely to restrict my travel. I have never travelled to the United States on this passport, so imagine my surprise when I discovered that a copy of my passport photo had been given to some random foreign national who is not an active member of law enforcement, just so that he could place it in his ego-stroking masturbatorium. Furthermore I don’t expect him to go gloating to Forbes using my image, which he has placed alongside, and therefore associated me with, a group of degenerates that include scammers and paedophiles. While I’m on the subject of leaked information, I also don’t recall giving my permission for the police to pass out my mug shot to the media, although they made me sign so much junk that I may well have agreed to all sorts. Even so it seems a bit rotten to fetch someone out of a police cell first thing in the morning, take a horrible picture of them and then dole it out to whoever comes asking for it. I don’t have any problem at all with the Metropolitan police e-crime investigation team, who treated me with respect throughout this entire process, and I commend them for that, but I suspect that there are lower elements elsewhere in the police force who are just a bit too prone to leaking.
Tomahawk Joe - looking proud of his work.
I’m sure that there are a number of questions that people might like to know the answer to, and if not then I would still like to offer answers to them anyway. I have compiled a selection of what I feel are the most pertinent questions along with my answers to them.
Why did you take the source code?
The whole point of downloading the code and converting it into a manageable form was to achieve a better understanding of how the system worked and to leverage that knowledge to find more vulnerabilities. There are two distinct classes of security audit, referred to as black box and white box testing. In a black box test the tester relies on feeding input into the system and deducing things about it from the output, without any prior knowledge of the system’s internal workings. Then there is white box testing, where the tester knows how the system works; this has much greater scope as more can be deduced about the system’s behaviour, making it possible to find more vulnerabilities that might not be immediately obvious during black box testing. When you consider that the goal of the project was to compile a large report of findings, then using the code to perform white box tests was a perfectly logical step towards that end.
Why didn’t you use a proxy server or chain several proxies together?
Proxies tend to slow the auditing process because they increase the time delay between each request made to the servers; this soon adds up when you consider that the process of finding a vulnerability can take many thousands of requests. There is also the issue of trust: the operators of a proxy server are not necessarily to be trusted, they can monitor all traffic passing through them, and even when using cryptography there are inherent risks. If you happen to find the next big vulnerability in something, do you really want to risk sharing it with a complete stranger? Besides, if all had gone to plan then this concealment of my identity would not have been necessary, so proxies would have been an unnecessary risk. It’s worth mentioning that I did use a proxy at one point to tunnel through the corporate firewall; it did not provide any real anonymity but it was under my control, so it could be trusted.
How much damage did you actually cause?
I didn’t cause any damage to the system in the process and this fact was also acknowledged by Facebook. I was very conscious not to cause any harm and took many precautions; most notably the script I wrote to extract the source code had two safety features. Firstly, the recursive algorithm that navigated the source code’s tree structure had a depth restriction condition that prevented it from getting trapped in any infinitely recurrent sub-structures. Secondly, there was a hard coded delay that slowed the speed of requests to prevent throttling of the server and impeding its availability.
The cost that has been quoted refers to the cost of the subsequent investigation; the first I heard of this $200,000 figure was the evening before my sentencing hearing and it came as one hell of a surprise, as most ambushes do. I hope people will forgive me if I am incredulous about this number, as I cannot understand how it took 3 weeks and $200,000 to look in the Apache access log, get my IP address, perform some sense checking and request the record from my Internet Service Provider. I am not denying that there was a cost and I do regret that it was caused by my actions. However I found the expenditure of $200,000 to be suspicious, and it was of great concern at the time that the number was accepted as fact when it was never substantiated by any evidence. I would have expected an itemised list stating each cost and justifying why it was necessary, with the opportunity for me, the defendant, to scrutinise it. The reason this is important is because I have no way to know if this included things which should not have been there; for example, the cost of repairing the vulnerabilities cannot be attributed to me as I did not create the security holes, they already existed and would have required fixing regardless of my actions. Even if I had somehow created these problems, one of them could have been fixed in about 5 minutes and the others would take a few hours. In any case this anomaly, along with the supposed necessity to send 2 FBI agents on a transatlantic jolly, was rightly flagged up during the appeal process and its true weight re-evaluated.
Why didn’t you report the first security hole you found straight away?
Security-wise most systems have a tough outer shell and a soft inside; once an initial penetration has been made into the system there are two options. You can report the hole and have it sealed up immediately, which severely limits the scope of the pen test and only allows one to repair holes in the outer shell. Alternatively you can keep going deeper into the system in order to find more flaws that exist internally; this should be done until some natural termination point is reached, perhaps when all vulnerabilities have been found or some critical point is reached where the risk to the company if the issues are left becomes too high. I used the latter approach because I believe that the first option is a superficial solution that only pays lip service to true security.
Do you think the punishment was fair?
I think that the punishment given was a bit heavy handed, even with the reduction gained on appeal. I had my life put on hold while I was on bail for several months and had my intellectual property, which entailed hundreds of hours’ worth of work, destroyed when a destruction order was made against my equipment. Even though these measures may not be intended as punishments, they certainly felt like one. To add a custodial sentence on top of this felt a bit excessive to me, especially when I had expressed my willingness to participate in a community order. I understand that it was a tough sentencing exercise as the issues involved were complex, the case is unusual and many last minute changes were made that put the Judge in a difficult situation. I was however pleased with the appeal outcome, especially the quashing of the Serious Crime Prevention Order, which was clearly excessive and so poorly drafted that it would have been unenforceable.
Are you really an ‘ethical’ hacker?
I suppose it depends on your ethics, but mine are to do no harm to the innocent, at least not deliberately. When you consider that the only thing that stood between Facebook and potential annihilation were my ethics, then I think the fact that it’s all still in good working order should serve as some proof that I’m really not one of the bad guys. I’ve done enough good things in my time to believe that I deserve the benefit of the doubt on being called ethical, even if it is in slightly sarcastic quotation marks.
All in all I am relieved that the ordeal is now over and that I can finally get on with my life. Despite all my moaning I suppose that in many respects I have been very lucky. I could have been subjected to the same kind of treatment as Gary McKinnon, Richard O’Dwyer and Christopher Tappin. In this country it seems that whenever the Emperors of New Rome summon one of us, we lowly plebeians must obey the command. The lopsided extradition treaty is doing a marvellous job at ensuring British citizens are whisked off to cloud cuckoo land to be buried in some desert for a few years. I thank my lucky stars that I somehow avoided that fate, despite being such an obvious candidate for it.