Cracked, inSecure and Generally Broken

Starting Metasploit

2012-01-11T14:07:00.001+11:00

Well, we have installed Metasploit and now we need to start configuring it to run.

First, as we have created a self-signed certificate, it is necessary to accept the validity of it. If you do not like this you can add the cert to the browsers list of trusted certs, but that is something for another time.

Click “Yes” to continue.

From here we will need to setup a new user (at least one).

You can see I have filled this into the form displayed in the image above. What matters is that you have a username and password that you will remember and not forget. Also, the “Password confirmation must contain letters, numbers, and at least one special character”.

If you have a personal firewall and anti-virus – you may have to disable them. At the least it is likely that you will have a hard time configuring all of the exceptions. This is why using a distro is a good idea.

Click “Create Account” on the lower right hand side of the screen and move onto registering and Activating Metasploit

Clicking “Register your Metasploit license here!” will take you to the “Rapid7” website where you can select either the free (community) or commercial (Metasploit Pro) version. We will be using the free version for this exercise.

Enter your email and click “Go” to continue. A Product Key will be sent in email.

Enter the product key into the website and click on the “Next”tab:

Click “Activate License” to load the new license and start using Metasploit.

You will see below that we are redirected to our local instance.

Also notice that the product is activated as it displays “Activation Successful”.

New Project

We are now ready to start exploiting systems. Let us start by clicking “New Project” and setting up the project we wish to run.

After filling out the details, we are ready to start with clicking “Create Project”:

Tomorrow we will continue this with scanning and selecting a system to exploit. If you already know that a system exists (such as from the results of a Nessus scan) with a potential vulnerability, we can use Metasploit to validate it.

This is important. Unless you have the time and money to fix ALL vulnerabilities found using a vulnerability scanner (such as OpenVAS or Nessus) it will be essential that you priorities the findings based on risk. This means you will need to validate the potential vulnerabilities discovered. This is what Metasploit does.

It is difficult to argue if an exploit can occur or not once you have a video of breaking into the site. It also allows you to show just how Easy/Hard a particular exploit would be.

The process is a four (4) step one and will incorporate the following:

Select the platform or application that you seek to exploit
Select the exploit to use
Select the payload (shellcode or other)
Run and load the exploit

Tomorrow we will run the scan and actually break into a system.

'Character Assassination attempt?'

2012-01-11T13:24:00.001+11:00

I have seen a few posts talking about the issue in “attrition.org” as if it was an attempt at Character assassination.

Honestly, what they are doing is important. I would have liked to have been contacted and given an opportunity to respond first, but this is something we all have to live with. Having come back from vacation to find the twit and the page was not something I enjoyed, but the reality is that I screwed up.

I trusted too much in technology for a start, this is always an issue with me. I ASSUMED that turnitin and other checking tools would have worked more effectively. I am not too happy with them right now.

Mostly, I am humbled by my stupid error.

I do forensic work and I practice in an industry that requires care. The fact of the matter is that whether I was not intentionally doing the copy without permission is not the issue for me. I asked for permission from the wrong person and this is not something I am happy with. It is negligence and displays a lack of due care on my part.

Having received permission from a person (inadvertently on his part as he also runs an XSS site) who has no authority over the material is a mistake I would not be happy from had an intern done it.

The matter remains that I did use material without permission whether I did this intentionally or not (and I did not intentionally want to do this).

The fact that I only just got the error after running about self-righteously thinking that I had permission was compounded on receiving a reply stating: “Robert Auger, not Robert Hansen, is the author of the XSS FAQ.”

It has been four (4) years and I have only just got this. It is my error and I will do my best to be humbled by it and to learn from it, but it is my error and I will live with it. I will still write and post and the other things I have planned for this year will go ahead, but I will also ensure that I take more care in checking these things in future.

I will post more tomorrow, but for today, I actually need to do work. I am teaching tonight and need to make sure the lecture is prepared and to also get a few articles I am writing checked.

Dumb thing for the decade.

2012-01-10T17:45:00.001+11:00

Well, I have just realized I have made a really STUPID mistake.

Well not just, but in 2008.

Back then as I was rushing to complete a book, I asked a few people for permission to use material in a book. I sent an email to “h@ckers.org” and rsnake for XSS stuff I used. I have just had it pointed out to me that Robert Auger, and not Robert Hansen is the author of the XSS FAQ. I should have know this and more I SHOULD HAVE CHECKED!

I asked Robert to use material from his XSS page but I did not ask both Robert’s and screwed up mixing the two people. I have to apologize to both Roberts for this.

For this I ask forgiveness and offer a sincere apology.

It just goes to show that even education does not stop stupidity. This is a true case of stupidity on my part and I am humbled by it.

I do hope that people understand that this was not intentional and I do make stupid mistakes.

Installing Metasploit on Windows

2012-01-10T17:30:00.001+11:00

Ok, we have downloaded the installer.

Now, find where it has been saved and right click on it.

Run this as Administrator. Without, many things will not work. Do the normal bit to accept this and then you will come up with the install banner:

Click next and accept the agreement:

Select the location to install this:

Select the port to run Metasploit on:

Generate an SSL cert:

Then leave it as default as allow it to update:

And we are ready to install by clicking “Next”:

Make a coffee as it installs:

You should also check that the files are not being stopped by your Anti-Virus program:

Well it is installed:

Let us click “Finish” and run it.

Click Start –> Run and select the console (“Metasploit Console”):

From the console we have the start of our CLI:

Tomorrow we go through using it.

Some Specs:

There are a number of specifications on the Metasploit site for the current Windows version. I would take these with a grain of salt. Like all developer specs, they relate mildly to a base install and a slow run. I would personally say the following as a minimum:

2.8 GHz+ processor
4 GB RAM (If there are any VM targets on the same device just keep adding RAM)
500MB+ available disk space
100 Mbps/ 1 Gbps network interface card (add wireless for tests over wireless)

Less than this and it may run, but it is slow as a dog with a broken leg and it can crash making the process a waste of time.

On top of this, I would change the systems to:

Windows XP SP2 or SP3,
Windows 2003 Server,
Windows Vista SP1 + (and 8 GB ram),
Windows 2008 Server (with WAY more specs), and
Windows 7 (make it 6 GB ram)

In addition, you need to have a web browser. I would stick with one of the following (and prefer it not to be IE):

Mozilla Firefox 5.0+
Microsoft Internet Explorer 9 +
Google Chrome 10+

Tomorrow we will start to use Metasploit on a target.

More on what is plagiarism…

2012-01-10T16:37:00.001+11:00

Today I will continue with checklists.

T^his follows as a response to accusations that I plagiarized material in one of my books.

I will look in particular at the section from the following pages.

This was attributed to Appendix 8A: Lan Audit Guide of Information Technology Audits by Xenia Ley Parker (June 15, 2007) in the Security Errata page.

The reason, my book was published in 2008 (though I had already submitted this section in 2007). The section in Xena Parker’s book is not actually from that author in any event. There is an attribution from Xenia Ley Parker to JHU. These checklists do not start in 2007. They actually go back to the 90’s.

I have uploaded a couple old DeMorgan documents (I am still searching the original ASX ones and will have these loaded as soon as I have found them).

There are a couple for today:

I have loaded and hyperlinked these documents above.

Lucky for the wayback machine. The windows section was used as my submission to SANS for the Windows NT 4.0 security book. I will link this when I actually find it, but finding things from the 90’s, well it takes time (and I still have work as well strangely enough and an added 4-5 hours a day right now was not in my plan).

The two manuals above became a DeMorgan template. I was only one of several people who worked to create these and they were edited to become FAR better by the others than I could have hoped for.

In particular, I have to note the following people from the Australian Stock Exchange (and they are but a few of around 20 people involved in making those documents including others from outside the exchange and a few at PWC who also helped and Dave Maunsel who moved to Andersons to become an Andriod).

Chris Fox
Lesley Gear

The original goes to 1996 with the majority of it in 1997.

A real bugger for what I am being accused of plagiarizing as my document dates a decade before hers. Even used at BDO, this goes to 2005. Now, she has not plagiarized this, she has attributed the source she used. She attributed these to JHU (John Hopkins) which is also wrong. JHU placed these online in 2010 in the current format and around 2007 before.

I mentioned Treasury yesterday. I have to find a way to load old emails and more in such a way onto this site that offers them as proof. However, first I will remove Xena Parker’s supposed authorship of these documents in 2007 and that from around the time of JHU.

To do this, have a look at the 2000 Treasury report linked here. It only contains a small section of the ASX document, but this is a simple online section of the checklist predating Parker’s attribution to JHU in any event. We see the JHU document properties come to March 2007, well after mine.

Also see: http://www.scribd.com/doc/1218262/5/Audit-Objectives-and-Tests

So, the question is just how did these checklists get around?

Well simple. They were issued to over 100 companies in Australia, India and the USA. More, we loaded them onto Auditnet.org. I do not think you can access these without a membership from there, but I will do my best in the coming days to link these. More, in starting DeMorgan, we subcontracted a good deal. We handled a good deal of security work for IBM and CSC under a sub-contract arrangement. IBM said they did everything for the 2000 Olympics, in fact DeMorgan ran systems such as the OCAs (Olympic Co-ordination Authorities) and even some of the Police and traffic interfaces.

So all of these documents were issued as PWC, IBM, CSC and other documents.

I should have self-referenced this, but I did not. In future, I will do more to ensure that I do so. My crime here is not that I stole the works of Xena Parker, but that I did not attribute my own work (and more that I did not note those who had helped me create this.

More importantly, I have not attributed those who helped me, made updates and who actually made these documents of use (they where so full of spelling and grammatical errors the first time). The early versions of this have flowed around for over 15 years now. They are not recent as is supposed.

Those people from the ASX who reviewed my work also need a mention. The grammatical errors in my early work was appalling.

Lesley Gear in particular truly helped. I was a good techie back than, but I could not write a report to save myself. When we worked together in the 90’s, she really helped me get on track and she added a good deal of insight and help into these checklists.

Well, just how did this stuff get to JHU?

I would guess from the auditors. I have not spoken to Chris for years now, he has moved to Queens and I do not get to NY as much as I have in the past. Chris was and is an auditor. He was my handler you may say when I was in the Australian Stock Exchange. He used to (with Lesley’s help) take the mash I created and make it legible (and intelligible).

Chris worked for the Big 4 for some time and then others with more reach. We used and re-used each others work. These were the real Wild Wild days of the web. So, really, these documents are a collaboration. So many auditors and managers have reviewed them that they are not the original.

He was my means to be able to survive a political animal such as the exchange and I learned many lessons from him.He took technical knowledge from me and I had a polished product when he had reviewed it.

The original emails are available as are the documents if anyone wants to analyze them more.

Showing permissions 1

Here is the email from the SQL cheat sheet section. I used some material there. Nothing complex on any of these and I guess I should really formally obtain permission to use the web pages and materials of others.

I actually do have more formal permission sheets these days and publishers are more stringent than they used to be just a few years back. This is of course one of the reasons why.

More emails like this later in the week. Right now, I am already behind on work and I promised a Metasploit step by step in parts. So… to it.

More tomorrow…

SSH Port Forwarding

2012-01-10T12:39:00.001+11:00

WAY back in 1998-2002 when I was with DeMorgan still, we had a project with F-Secure in Australia and a few overseas people (it never got anywhere, but it could have been great). The idea was to have an end to end secure tunnel, malware detection and control system. Basically much as NAP in windows does now.

The project was called “Triple-S” and “BlackNet”. It was under the radar fairly well, but was listed with the Australian Government for research and development funding. A small deployment of the concept was used with CUSCAL and the ASX.

The idea and concept was a little advanced for the time and many in F-Secure that I spoke to (mostly non-technical people) saw it as a threat. They wanted the sales leads but not the concept. This is a reason I like SourceFire at the moment, they have a great integrated anti-malware and IDS approach .
I guess a little of why this failed was the use of third party products to make things better. We used Snort as an IDS and integrated this and a couple other products. Back then, F-Secure could have bought out SNORT for a small stock swap. Now…

As I have said, it is not always easy getting people to see what the future can bring.

Well, here is a little from the project, just a snippet of SSH forwarding (originally using F-Secure SSH). This is now completed using open-ssh. The project involved automating SSH tunnels for Windows with software to see if the host was running the latest anti-malware definitions and was patched. All this is of course achievable using NAP in a Windows domain now. I have modified the post below using this material.

We can use Port forwarding, or tunneling, as a means to forward otherwise insecure TCP traffic through SSH Secure Shell. Using an SSH tunnel, the host can communicate securely using common unprotected protocols (these can include POP3, SMTP, SMB and HTTP). That is, connections and communications that would otherwise be send across insecure channels. Through encryption, the tunnel allows us to ensure that all traffic is protected from eavesdropping and interception.

Figure: Making insecure TCP connections secure using channels inside the encrypted ssh2 tunnel

SSH allows for two varieties of port forwarding. These are:

local tunneling ( aka an outgoing tunnel), and
remote forwarding (aka an incoming tunnel).

Local port forwarding forwards traffic coming to a local port to a specified remote port.
As an example, we could send the following command to set a local forwarder:
ssh -L [local_port:remote_port] user@remote
or…

ssh -L [bind_address:]local_port:remote_host:remote_port] user@remote

This command will send any (and all) traffic destined for the port set as local_port on the local host and it will forward this to the port we have set as remote_port on the remote host.

Remote port forwarding does the opposite to local forwarding. That is, remote forwarding forwards any traffic that is destined for a remote port to be sent to specified local port.

As an example, we could use the following command:

ssh -R [remote_port:local_port] user@remote

or…

ssh -R [bind_address:]remote_port:host:local_port] user@remote

In this example, any traffic destined to go to the port defined as remote_port on the remote host will be forwarded to the port defined on the local host by the value local_port.

In an event where there are three (3) or more hosts ( we will call these client, sshdserver, and appserver). We can forward the traffic securely taking the traffic coming to client's port x to appserver's port y. Heree we create a gateway as we you connect through the system sshdserver.

The connection between client and sshdserver is secure and that between the systems sshdserver and appserver remains as clear text and can be monitored and scanned using an IDS.

In order to create this type of tunnel, we can issue the following command on client:

ssh -L x:appserver:y user@sshdserver

Figure : Forwarding to a third host

These days of course, we have IPSec (and also SSL/TLS) so these types of SSH sessions are becoming less common. They do still offer an administrator an effective (and simple) means of securely connecting to remote servers and should not be discounted fully yet.

A little on Metasploit

2012-01-09T17:15:00.001+11:00

What is Metasploit firstly?

Well, it is a simple way to exploit vulnerable systems.

I have a few things to try and do this week. I have several Metasploit posts to complete as well as a couple on IPv6.

First… Metasploit has been around since H.D. Moore released it in 2003. It has grown immensely and an entire community has arisen to support and develop it further. It can run on:

Windows,
Linux,
BSD,
as well as on MacOS X

Where to start…

I would recommend starting with IronGeek’s tutorials. These are an excellent start to understanding Metasploit. They start on the web interface which I do not like as much (I am still an old fuddy and love CLIs).

Next, download a copy…

I will run through this in Windows for now… Linux later. Just:

Goto the site:

Click download for the platform you are using. Save the file in Windows.

Install it in the normal way.

Windows is rather simple – just a standard installer and you are done.

I will be stepping through setting up and using Metasploit a little at a time this week. I am doing Windows this week and Linux next.

In addition, you should really go to Tenable Security and download Nessus. NMap is also a must have. The windows installer is available here.

Some of the other tools that work well with Metasploit include the following:

BiDiBLAH is an Automated Assessment Tool by SensePost. Now end of life and depreciated, but a good toy to play with and learn.
Yeti. Early days still, but well worth watching.
Nessus of course. Well we need a way to find what is actually vulnerable. Just network vulnerabilities really, but a start.

Tomorrow I will do a step by step install and configuration.

What is plagiarism?

2012-01-09T14:07:00.001+11:00

Well, I have a new port and not the IPv6 one I had planned to start this new year. I found it surprising to come back from a break accused of plagiarizing material in one of my books.

It is surprising for a couple reasons:

I am strongly opposed to the unauthorized and unattributed use of other’s works.
I use Turn-it-in AND have a subscription to Grammarly (which includes plagiarism checks).

Having used these services now for six (6) years, I found the accusations surprising. That said, I will go through each section one by one. This will of course take time and I will offer the supporting evidence this week as I progress through it.

What I have done is missed the attributions for a total of under three pages of a 750 page book. The reasons are not excuses, but are offered below.

Mostly, I have self plagurised a few sections of what I have created as far back as the 90’s and which has been re-used since. Not all of this material is easy to find in a Google search, but I will add the originals of this material.

I will start with the areas I missed and did not attribute well. That is first the IT Security Cookbook by Sean Boran.

The section I used was from notes from a course I took in 2002. I did not reference this correctly and the notes I have are clearly copied. I am surprised that neither Turnitin nor Grammarly noted this. This I missed badly despite using these products.

The section “Identifying Vulnerabilities” (1 page of list on pages 286-287) should have been referenced. I missed this as well (as did the checking software).

I cannot excuse this but will say it was time constraints that led to it being missed. A shame in more ways than one as a whole set of pages were dropped that did reference that paper. The chapter was cut short and ended not having an entire section (one I think was necessary) on testing. For this, I offer my apologies to the authors of the paper as I dropped any reference to them and this was a paper that should have been linked (and was at one stage).

This was originally chapter 15 but was merged with another to make chapter 11 without much of the material (and some referencing). I am good at writing voluminous amounts, but I am not good at editing my work down to a smaller size. When the page count was already at 750 and the deadline was approaching, I should have checked the editing more thoroughly, but losing pages and hence footnotes and references is not my strong point.

When writing a book with time constraints, it is possible to miss many things. Hence why I use these services and why I was surprised I have missed a reference. This was inexcusable, the others are less of an issue and will be addressed below.

Page 13 has a section taken from COSO. This could have been referenced better, but it is referenced. The text from page 13 of the book states the following:

The Committee of Sponsoring Organizations of the Treadway Commission [COSO] defines an Internal Control as follows:

Internal control is a process, affected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories

So yes, I have taken material from COSO. I also referenced it. I saw no need and in fact a detriment in not using the material from COSO as this is the Gold Standard for Internal Auditing. This is what referencing is for, to show where we have sourced material.

Page 16 and pages 46-47 come to a standard refrain used to and spoken by auditors the world over. I have not seen nor even sighted “Ethics in Quality” by Mundel.

I should have started that the original source is unknown as it is definitely not something that only dates to 1991. These statements on objectivity and ethics have been a professional refrain for at least 50 years now. It is something that has been used by the IIA, ICA and more for as long as they have been professional bodies. I could have written what I did and added a reference to the end after searching (I do this sometimes), but I do see it silly adding a reference for the sake of adding a reference.

If I write something and it is a common definition, then I am writing it. I do not remember nor reference each and everything I have learned nor do I seek references having written something.

Having worked in an audit firm for years, the previous mater was something I spouted without reference much to the consternation of others. So, it was not referenced, but no, I also have never seen the site of the supposed match. I can (as with the IIA site) find many others that are equally close to my definition here.

The same also applies to page 27.

I have not read nor still seen a copy of Sawyer's Internal Auditing : The Practice of Modern Internal Auditing by Lawrence B. Sawyer. So I cannot say what is and is not close.

What I can say is that these are common refrains drilled into Internal Auditors. I have read and re-read the same for years and having worked for an audit firm, it was not something I needed a reference source to write. Yes, there will be some similarities, these are common terms and definitions and I did not need to use a source to have these definitions. I suspect many dictionaries have both similar and differing definitions. Yet this does not make them plagiarized.

If anything and had I referenced this, it would have been the following as this is a paper I have read many times and in detail to the point I can quote some sections verbatim:

The Professional Practices Framework IIA ; 20 Questions Directors should ask about Internal Audit By Fraser and Lindsay, ECIIA Position Paper on Internal Auditing in Europe; and Practice Advisories 1000-1,1100-1,1110-1,1120-1.

Page 37 is one that should have been picked up by Turnitin. It was written as it was as I had memorized it. I had not noted the source as CERT as I did not obtain it from there. I had studied for my GSE-Compliance the year before and I knew this rote as it was at that time.

I read and re-read the definition of many terms over and over in 2007 in preparation for my SANS GSE exam. By the end of it, I could state many things word for word. This was a remnant that slipped through. I am sure that others also existed, but they should have been picked up using Turnitin. I am not happy that this, nor even some of the other services used (such as Eve) did not note this.

That stated, as similar to the cert definition as this is, it was not actually copied.

It is also possible to “mine” for text and ensure that you match something another has also written.

Now…. some things I have written and found used against me. I hate the notion of self-referencing, but I have actually started doing this. One reason is that it is becoming necessary to defend one’s self.

This applies to the accusations in the following pages which will be addressed individually:

50
60-61
95
96
99
545
593-594

First page 50.

There are two parts to this, the Wiki one and that from IBM.

First to the Wiki page I have to note that using Wiki as an authoritative source is a means to getting into trouble.

The original source of the Wiki section was the BCP policy document written for Mikael Michau at the Australian Stock Exchange Ltd in 1996/1997. This was way back, but like many of the documents I created back then, it was re-used and distributed widely. I have not seen Mikael for more than a decade, but I did enjoy my time back then at the ASX.

Like many consultants, this was not the end of the document and with modifications, it became a part of the policy and procedures for News Ltd here in Australia when I issued a copy to Nick Rishbeth and I will admit I even added some of this to policies I helped create for Vodafone.

So, did I copy this, well yes, from myself. Have others also copied it? Copiously since it was first written in late 1996. The first draft of the Wiki article to include this was published in 17 Jan 2005. DeMorgan was no more at that stage so it is difficult to see how a document I will show as a DeMorgan template could be construed as not being the original over a Wiki post.

Back in the 90’s I contracted to IBM. They have rights to use any of the material they paid me for in any format. The other sites using this do not.

I was a contractor for a small time with them (that is IBM and sub contracting through DeMorgan). The document that Wiki has taken some material from is actually an IBM sales and template document I helped create. The BCP section is mine. This template has been used by several consulting firms and has evolved into what I have seen as the “BCP Master Plan” used by a number of organizations.

I will download, scan and display some of the old DeMorgan material later in the week. A waste of time, but it offers proof that this was the original source.

Now to page 61. Here I have self plagiarized some earlier work that has been around a long time. This was in part taken from policy work I completed for a firm I started and ran for a time, DeMorgan. This policy was written and that segment was used for the following organizations (as well as others) that engaged me (between 1997 and 2002):

HREOC (Human rights and equal opportunities commission
ASX (Australian Stock Exchange)
Dept. Treasury
Several Credit Unions
Mahindra and Mahindra
Railcorp

Some of the policy documents have been loaded to Auditnet.org. They were loaded around 2002, so I have no idea how current the versions there are.

Again, I will waste time showing that the origins of these was my time at DeMorgan.

Page 110, again… materials issued to IBM were allowed to be used by IBM… but they are still a part of what I created. The RBAC points date to 1999 with the ASX yet again.

Next 110-111 (Bell La Padula).

ACTUALLY… the source is way wrong. There is a reason this is “some text”. We have EACH taken from Bell (one of the creators of the model). I did reference this on page 108, but also needed to ensure that more footnotes existed later to stop confusion. The text was taken from old class notes.

These have bounced around since the late 80’s, but I have NO idea which class I actually got this page from any more. I have seen it used in several Universities as a handout. It is DIRECTLY based on the paper by Bell but the person to first summarize this is anonymous now. It dates back to at least 1989 and being that there was no web, there is no way to trace it I can see.

Page 545 came from a longer document I also self plagiarized. It was first created in 2006 for selected clients of BDO. It was updated in late 2007 for Microsoft. So yes, this was copied, from myself. I do not see small sections of self-copied text as an issue personally. When entire documents are resubmitted or at least large sections thereof, well that is another issue.

It could be argued that I have not attributed the source where I leant this material. That is true, it was SANS. I could have stated that on each page nearly from the start.

Page 541 was badly referenced not plagiarized.

I contacted several people to get permission for using material in the book. RSnake was very good as were the people at FWBuilder and other sites. It was noted that I used material from CGISecurity and Ha.Ckers.org, just badly.

I will dig up and link copies of emails and permission forms that I have received for this section. Each party was sent a copy of what I was doing and only RSnake at Ha.Ckers.org corresponded to any extent about the materials (and nobody noted the mission attribution for their material at the time).

So I did miss the XSS refernce to CGISecurity, but so did RSnake. I had contacted Robert Hansen regarding the use of the material as I stated and did send a chapter for review. I was given permission. I still have this and will link the permission received for this later this week. So yes, my referencing was not up to scratch on this section, but Robert did not ping me for it before publication.

The holiday period

2012-01-03T17:01:00.001+11:00

How soon it all passes.

Next week, we are all back to normal.

Christmas

2011-12-22T18:28:00.002+11:00

We will be back in the swing of things following Christmas.

Tonight, the reversing code lecture is at 7PM AEST.

Cyber (Crime / Espionage / Terror)

2011-12-19T12:57:00.000+11:00

The lecture series, Cyber (Crime / Espionage / Terror) is on tonight.

This is part 2 of "Cyber Terror" and is lecture 6 of 24.

Reserve your Webinar seat now at:

https://www2.gotomeeting.com/register/532843426

Lecture 6 in a series of 24.

We have just seen the largest cyber espionage incident in recorded history and it is only set to get bigger. The rise of cyber based groups engaging in hactivism is creating chaos, but it is only the start as these groups start to do more damage. Al-Qaeda and other pure terror groups have been on the back foot unable to leverage the social aspects of Web 2.0, but will this change as groups such as

Anon and LulzSec define a distributed model for social malfeasance?

Add to this criminal controlled botnets of millions of zombie hosts and the decade is set to be the decade of the hack!

In this lecture, we focus on Cyber Terror. This will be the next in 4 lectures detailing the rise and development of cyber terror and its links to traditional criminal enterprises (including the drug trade, prostitution and smuggling), states and more.

Presented by Dr Craig Wright of Charles Sturt University [1] and the Global Institute for Cyber Security + Research [2].

1. Http://www.csu.edu.au

2. Http://www.gicsr.org

Title:

Cyber (Crime / Espionage / Terror)

Date:

Monday, December 19, 2011

Time:

7:00 PM - 8:00 PM AEDT

After registering you will receive a confirmation email containing information about joining the Webinar.

Router Audit Tool (RAT)

2011-12-06T16:22:00.001+11:00

The Router Audit Tool or RAT was designed to help audit the configurations of Cisco routers quickly and efficiently. RAT tests Cisco router configurations against a baseline. After performing the baseline test, it not only provides a list of the potential security vulnerabilities discovered but also a list of commands to be applied to the router in order to correct the potential security problems discovered. The router audit tool (RAT) is available from the Centre for Internet Security (CIS) website http://www.cisecurity.org/bench_cisco.html.

Aside from providing an industry-accepted benchmark for the CISCO IOS, RAT helps solve the following issues:

Difficulty maintaining consistency
Difficulty detecting changes
Need to quickly fix incorrect settings
Need for reporting and customization
Need to check non-IOS devices

Although RAT does provide many useful functions, it is not actively updated and therefore requires the user to check from time to time the latest version releases and patches. Also, as powerful as it is, there are a number of issues that it does not address such as:

Management Issues
Poor Ops Practices
Vendor code
Protocols weaknesses
Host-based problems (viruses, code red….)
Bandwidth based DoS New vulnerabilities
Local configuration choices
Need for competence and vigilance.
Non-CISCO devices are not yet supported.

How RAT works

The Router Audit Tool was written in Perl. It is consists of 4 other Perl programs namely ncat, ncat_report, ncat_config and snarf.

Snarf is used to download the router settings.
Ncat reads the rule base and configuration files and provides output in a text file.
Ncat_report creates the html pages from the text files.
Ncat_config is used to perform localization of the rule base.

The rules and baseline document are licensed by the Center for Internet Security. RAT performs an audit by comparing text strings in the configuration file from the router with regular expressions in the rules. Each rule has either a “required” or “forbidden” regular expression element. Based on this element RAT determines if a rule is passed or failed. Due to the use of regular expressions, the RAT rule base is extremely flexible. There are currently Level 1 and Level 2 audits that can be performed. The Level 1 audit is based on the NSA guidelines. The Level 2 audit includes additional tests from several sources including Cisco. The majority of the rules are for the protection of the router. There are, however, several rules that provide limited protection to the networks they serve. Additional rules can be added to the rule base with relative ease. This allows RAT to work with any configuration.

How to install RAT

Installing RAT is fairly simple. First, download the installer from http://www.cisecurity.org/bench_cisco.html. For windows users, select the win32 native installer.

1. Ensure that any previous versions of RAT are no longer installed; if necessary, use the Windows "Add/Remove Programs" control panel to uninstall a previous version of RAT.

2. Run the installer, either by double-clicking on it, to selecting it through the Windows "Add/Remove Program" control panel. You may be asked to restart your computer at this point.

3. At the CIS RAT logo splash image, click Next>

Figure 1 CIS RAT Logo

4. Click Next> again.

Figure 2 CIS RAT Install Box

5. After reading the Licensing Agreement, select "I accept the terms..." and click Next>

Figure 3 CIS Accept Page

6. Read the background information presented on the next page of the wizard, then click Next>

Figure 4 CIS RAT Release Notes

7. Select a directory where RAT should be installed. For best results, do not select a directory with spaces or special characters in its name. If the default is acceptable on your system, then use it. Then click Next>

Figure 5 CIS RAT Select where to install

8. Choose an installation type. Most users require only the "Basic" setup. Then click Next>

Figure 6 CIS RAT Install details

9. Verify that the installation settings are correct and then click on Install.

Figure 7 CIS RAT Ready to Install

10. Wait patiently during installation; allow for about 5-15 seconds.

11. Click on Finish.

Figure 8 CIS RAT is installed and ready to go

Read the documents rat.html and ncat_config.html in the \doc subfolder to view relevant options and files. For more information on running RAT on Windows, see the file etc\README.WIN32.txt. For information on running RAT specifically for CISCO PIX, see the file etc\README.PIX.txt.

Note that the file etc\OLD-INSTALL.WIN32.txt contains instructions for another, older, more complex method of installing RAT on windows. This involves installing ActiveState PERL and downloading and installing Perl (CPAN) modules. This is not recommended for most users.

How to run RAT

Prior to running RAT, first determine whether router configurations are going to be obtained directly from the router or if they have been already downloaded and saved into a file. In the case of the latter, the path to that file should be specified when invoking RAT on the command line. Alternately, with the use of the --snarf switch, RAT will log into the routers specified (you have to provide login info and the router’s IP address), pull down the configurations, audit them against a set of rules and produces several output files.

Figure 9 Running RAT

There are several options or “switches” that can be used to control the behavior of RAT. These switches are supplied later in the chapter. In the example of Figure 11.13, the configurations of the router are contained in a text file called syd_1760rt_06082007.txt.

NOTE: In this example it is assumed that the path to the directory where the RAT executables and supporting files has already been established. In the default installation, those files and folders are located at C:\CIS\RAT. Also, there are several ways of saving the router configuration file to a file. However, HTTP, TFTP or Telnet methods are not recommended as they produce output in clear text and therefore poses a risk to confidentiality. Pressing the <RETURN> key in the above resulted to the following:

Figure 10 CIS RAT Having been run

Several files have been created after running RAT against the configuration file. If we list those files using the dir command we get:

Figure 11 CIS RAT Creates Several Output files

The details of the output files that are created by RAT are included in the following table:

syd_1760rt_06082007.txt	Raw file containing router configurations.
syd_1760rt_06082007.txt.ncat_out.txt	raw ncat output. This is a ";" delimited file showing pass/fail data for each rule
syd_1760rt_06082007.txt.html	A HTML-based report showing fulll details of results, with links into rules.html
syd_1760rt_06082007.txt.ncat_fix.txt	A file containing commands to fix problems found.
syd_1760rt_06082007.txt.ncat_report.txt	A text based report showing summary of results, with links into rules.html
cisco-ios-benchmark.html	List of rules that were used to perform the audit
rules.html	An HTML version of the benchmark data
all.ncat_report.txt	A text based report showing summary of results, with links into rules.html, of all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_report.txt
all.ncat_fix.txt	A file containing commands to fix problems found in all the routers included in the audit. In our sample, since there is only one router, this file is the same as syd_1760rt_06082007.txt.ncat_fix.txt.
all.html	A HTML report listing summary of pass/fail status for all rules checked on all devices.
index.html	A HTML index of reports. This is probably the file that most users will want to examine (with the aid of a browser) after running RAT.

The generated index.html file looks like this:

Figure 12 CIS RAT Report Page

Clicking on the Description of Rules link brings up the rules.html file

Next, NCAT, the Network Config Audit Tool.

Call for Adjunct Research Supervisors

2011-11-30T17:26:00.001+11:00

Adjunct Doctoral Supervisors

- Part time, after hours
- Industry based
- Multiple Volunteer positions available

Company Background & Job Purpose

With over 1,000 IT professionals currently enrolled, Charles Sturt University is one of Australia's largest providers of Postgraduate Information Technology education to Australian students.

Charles Sturt University has developed an innovative Doctor of Information Technology which extends knowledge of the discipline of Information Technology and develops the attributes required to successfully identify, investigate and resolve problems confronting these fields. Students carry out research into a current opportunity or problem confronting information and communication technology, and present the findings in a thesis or portfolio. Students studying the Doctor of Information Technology will generally be working full time in the IT industry, and developing their Doctoral thesis after hours (http://www.csu.edu.au/courses/postgraduate/information_technology_doctor/course-overview refers)

We are seeking part time, industry-based volunteers to assist in supervising Doctoral students conducting research in a wide range of Information Technology topics. As an Adjunct Supervisor, you will work with the principal supervisor at Charles Sturt University and provide expert technical input into the topic being researched. This supervision will include after hours, Webinar-based virtual meetings between you and the student and/or the principal supervisor.

Successful applicants will:

- be appointed as Adjunct Supervisor at Charles Sturt University.
- get the opportunity to network with an elite group of supervisors at the University and in the IT industry.
- gain access to a range of University services such as the online research library.

Training on the technical, ethical, administrative and professional aspects of supervision will be provided.

Key Result Areas:

Charles Sturt University's Doctor of Information Technology provides a complex and challenging research experience and, at its heart, is the key educational role of the supervisor. As a supervisor, your Key Performance Indicators will reflect the crucial role that you play including:
- that you are holding regular, Webinar-based virtual meetings with the student that you are supervising and that these meetings are well planned and have an agenda
- that you are providing the required monthly reporting on the progress of the student that you are supervising, including seeing that agreed targets for the submission of chapters or parts of the project are being met.
- that the student you are supervising believes that you are supplying the required level of support, encouragement, advice and guidance
- that you successfully complete the Charles Sturt University supervisor training program

Education:
Completion of a PhD, Doctorate, Research-based Master's degree or equivalent experience in the commercial research industry (preferred).

Experience:
Extensive experience in the IT industry (essential).

Metadata

2011-11-29T18:33:00.001+11:00

The following is a small extract from what will become the GPen Study Guide.

As organizations create documents, the software that they use to create these documents embeds an enormous amount of information in the document files. A good deal of metadata is also included in the file. Much of this metadata is associated with formatting and display of the other data in the file. Besides this formatting metadata, a lot of file creation and editing tools include additional metadata entries that can be very useful for penetration testers during our reconnaissance phase, such as:

· User names: Penetration testers often need user names for exploitation and password-guessing attacks

· File system paths: Knowing the full path of the original file when it was created can reveal useful tidbits about the target organization

· E-mail addresses: This data can be useful if the penetration test scope includes spear phishing tests

· Client-side software in use: Given that client-side exploitation is such a common attack vector, it can be helpful to penetration testers to know which client-side programs are in use

Almost every document type has some form of metadata, but some are richer in metadata than others. The following types of documents, generated and used by most enterprises, are of particular interest to penetration testers:

· pdf files: These files are associated with Acrobat Reader and a variety of other pdf creation and editing tools.

· doc/docx, xls/xlsx, and ppt/pptx files: These files are associated with Microsoft Office suite, but are also used by several other related tools.

· jpg and jpeg: These image files often contain a significant amount of metadata, including data about the camera used to take a picture, the file system of the machine where the image was edited, and details about the image-editing software.

· html and htm: These file types contain web pages, and may at first seem uninteresting. However, their comments and hidden form elements could contain metadata that is very useful to a penetration tester. Additionally, scripts embedded in the HTML may reveal sensitive information or undocumented features of a web application.

What is a hash

2011-11-28T13:30:00.001+11:00

With conferences and the like I have been behind in writing up a load of material on topics such as NAP etc. I have not forgotten these. For now, I will start by detailing some terms I have seen used poorly.

To start, I will look at what a hash function is.

Formally, a hash function H is defined as a transformation that takes a variable-size input m and returns a fixed-size string. This fixed string is what we term the hash value h.

We can express this as: h = H(m)

There are some things we need to know in developing our function h:

the input m can be or any length (this includes being smaller than the resulting hash output h, larger than the output or even of the same size).
The size of the output h remains the same no matter what the input is. That is, if the output of the hash function returns a length of L bits for a given input m, it must return an output of length L bits for ANY input m.
The hash function H(m) is one way. If we have a value h we cannot use this to determine the initial input m.
The function, H(x) must be simple and computationally inexpensive to compute. That is, making a table of mapped values and indexing calculated hashes against input must be expensive when compared to making the hash.

Hashing is used primarily in digital signatures and for integrity checks. They also aid in time stamping.

Collisions

It is stated that a hash needs to be “collision free”. This is wrong. If we think that an 8-bit hash has only 256 possible values, we see that there is an infinite number of collisions as we can have an infinite variability in input. Collisions abound!

Collisions always EXIST IN A HASH FUNCTION. This is NOT the issue. The issue is not the existence of a collision, but the fact that we may be able to calculate the collision and predict it.

A hash function H(x) will have collisions, but the distribution of these collisions should be unpredictable.

If we constrain the length of the input m to a certain value, the number of collisions can be stated to be in the order of:

No. Input messages possible

--------------------------------------

No. Hashes by Hash length

Where:

No. Input messages possible = 2(length m)
No. Hashes by Hash length = 2^(hash length)

Reversing Code

2011-11-25T06:35:00.001+11:00

The first webinar/lecture for the Reversing code series is up.

https://www2.gotomeeting.com/archive/597275986

Cyber (Crime / Espionage / Terror)

2011-11-22T06:14:00.001+11:00

The webinar link for last night's lecture on "Cyber (Crime / Espionage / Terror)" is up and available.

https://www2.gotomeeting.com/register/532843426

Windows Management Instrumentation Command-line (WMIC)

2011-11-20T06:36:00.001+11:00

The WMIC is a Windows command line tool that will allow you to do many of the things we are used to doing at the shell in Unix. For instance, Windows does not have a “kill –9”command, but with WMIC you can do then same function using the following command:

wmic process where name='winrar.exe' delete
wmic process process [pid] delete

So, unlike Unix, we can kill a process using just the name of the executable as well as selecting the individual PID (Process ID). This is extremely useful in malware analysis.

For auditing, you can also gather a lot of information. For instance, lists of users on the system.

More importantly, you can list the service patches and hotfixes that are installed on the system.

wmic qfe

As you can see, this allows you to script a check of all the patches on a system and to even automate this over your domain.

WMIC is one of the commands you really need to know if you are administrating a Windows system. I will post more on this command soon as well as more in the series on IPSec and NAP this week.

Using Process explorer to discover network properties

2011-11-18T08:12:00.001+11:00

Process Explorer is a tool from Microsoft that is in effect Task Manager on steroids without all the bad consequences.

Right clicking on a running process allows you to select properties.

From here, selecting the TCP/IP tab will display the connections in progress from this application.

So, if you have a suspicious application, now you have a tool to watch what it is doing.

More Windows tasks

2011-11-16T15:49:00.001+11:00

Most people know of the Windows Task-manager GUI application. There are many times when it is better to use a CLI (command line interface). One such example would be where a script tests what is running.

The command “tasklist” is a Windows command that allows just this.

Just like its GUI cousin, you can also list services using this tool. The “/svc” option for instance displays the services hosted in each process.

More, you can filter such as in the example below where we have selected processes that do not respond to task-monitoring requests.

Knowing what you are running is the first part of stopping malware.

Investigating tasks in Windows

2011-11-15T22:27:00.001+11:00

When investigating an incident in Windows environment, one of the things you should check is the scheduled tasks. Many malware varieties use startup processes to reload and maintain themselves. By seeking new and unusual tasks, you can quickly look for simple compromises and malicious processes.

The inclusion of privileged processes (those running as SYSTEM and Admin for instance) are or particular concern. It is also not unusual to discover malicious code running using a blank username.

To make a simple check of the running and scheduled tasks from the command line, type:

schtasks

You can see in the image above that we have a number of scheduled tasks on the system that this was run from. This is divided into groups as follows:

by folder
Task name
The next run time
The status (ready to run or if it is running now)

You can create tasks in Windows using these commands as well, but for now, we are simply seeking commands out that we did not expect. Diff’íng the results is a good way to look for system changes.

You can see the help for this command using the “schtasks /?” extension as displayed below.

Next is WMIC.

WMIC is great for doing malware analysis. It will display all of the files loaded at Startup. More, the Registry keys the system has associated with the “autostart” are also returned.

You can see the values returned in the figure below:

wmic startup list full

We can also use this to select individual processes.

wmic process list full | find "cmd.exe"

Here we have restricted the process search to just cmd.exe.

This is useful in checking paths and if a process has inserted itself before the “true” system file.

IPv6 RoutingHeader like Loose-Source Routing (LSR)?

2011-11-14T22:40:00.001+11:00

A question to ask is whether the IPv6 Routing Header is like Loose-Source Routing? In many ways it is extremely similar and in fact, RH0 can be used in this way. Consequently, Routing Header Type 0 was depreciated in RFC5095.

The Routing Header: Type 0 Routing Header (RH0) can be exploited in order to achieve traffic amplification over a remote path for the purposes of generating denial-of-service traffic just as with LSR.

With Type 0 Routing Headers (RH0) a packet can be constructed such that it will oscillate between two RH0-processing hosts or routers many times. This is a serious amplification that lead to the end of RH0 in the standard track as it allows a stream of packets from an attacker to be amplified along the path between two remote routers and could be used to cause congestion along arbitrary remote paths and hence act as a denial-of-service mechanism.

Worse, when coupled with the ability to assign Multiple addresses per node, we also have to ask, “Who needs spoofing”? With IPv6, spoofing becomes a non-issue as Renumbering means that for a certain lifetime, two (2) addresses are coexisting on the node.

Mobility support means that paths can be defined.

The point is when deploying IPv6, we need to take care to ensure that we think of the traffic coming into and out of our networks. More, as this is commonly encrypted in IPv6 (using IPsec), we need to think seriously about design and trust.

Obscurity and PII

2011-11-09T07:05:00.001+11:00

PII is Personally Identifiable Information. Right now, I see and hear many people talking about just how easy it is to take and use PII. That it sells for cents in the dollar.

WELL WHO CARES!

I mean honestly, if all you do to manage the security of your finances is hide your head in the sand and trust to obscurity, then you deserve all that this approach entails. I may seem uncaring and I may come across as cruel here, but really, it is a simple process to actually protect your information.

WHY?

The most commonly missed issue in security is WHY. We commonly fail to investigate the cause and need. PII is not about privacy, it is about stoping unauthorised applications and changes to your credit file. This is, it is all about stopping people doing things such as applying for a credit card or a home loan in your name. The main issue being a credit card.

In this, the issue is not whether a criminal can buy your information, but if they can steal money from you.

So why are we looking at PII as the issue?

The big issue is (as is common) awareness (or rather a lack thereof). There are real controls that stop the problem and are not ones that can fail catastrophically as obscurity does. This is something such as credit monitoring.

I will first state, I an simply a client of Veda. I pay them money and they provide a service. I have not been approached to talk about their product. I am plugging it as I use it and like the service. It is a security solution to PII.

I use “MyCreditFile”, a service by Veda (http://www.mycreditfile.com.au/personal/).

For a dollar a week, I have any changes to my credit file reported to me. I can stop applications cold. I have had three attempts to apply for loans under my name and I do not hide any information (privacy is dead). Each time I have been notified. I have lost nothing but the time to send an email with a dispute notification.

It is that simple. There are similar agencies in the US, UK etc. SO I have to ask WHY? Why care about PII. Like many security solutions, they address a problem that is a symptom and do not offer solutions at all.

It is about time we address the cause and implement solutions that actually solve the problem. Here, this is a simple solution to PII theft.

Next…

I use Quicken and I load my statements into it and check what I have spent. I scan my receipts and I reconcile my accounts. Not only is this good from a point of view of managing my accounts, I also know when something has occurred and I can lodge a hold within days.

We only win when we actually find controls that solve the problem and not ones that look at the symptoms.

Viewing Email headers

2011-11-08T12:21:00.001+11:00

An e-mail message is composed of a message header and the subject body. An investigation involving e-mail may hinge on successfully capturing the e-mail header. The e-mail header is imperative as it holds information detailing the e-mail’s origin. This will include the source IP address of where it came from (this can be spoofed but it is less likely), the method used to send it and potentially who sent it. The subject body of the e-mail contains the message. Subsequent to copying the email message, the e-mail header can be retrieved. This process is different for each e-mail program.
Below we detail the process used to display the email headers in a number of common email clients.

Retrieving the Email Header (Microsoft Outlook)

1. Open Outlook and open the copied email message.

2. Right-click the message and click Options to open the dialog box.

3. Select the header text and make a copy of it.

4. Paste the header text in any text editor and save the file with as Filename.txt.

5. Hit <Alt-P> and take a screen image of the header. Print this Image.

6. Save a Copy of the E-mail message as message.msg

7. Close the program.

Retrieving the Email Header (Outlook Express)

1. Open Outlook Express.

2. Right-click the message and click Properties.

3. To view the header, click Details.

4. Click Message Source to view the details.

5. Select the message header text and copy it.

6. Paste the text in any text editor and save the file as Filename.txt.

7. Save a copy of the e-mail (with the header) to disk.

8. Hit <Alt-P> and take a screen image of the header. Print this Image.

8. Close the program.

Retrieving the Email Header (Eudora)

1. Open Eudora.

2. Select and go to the Inbox folder.

3. Double-click the message to select and open it.

4. Select the message header text and copy it.

5. Paste the text in any text editor and save the file as Filename.txt.

6. Save a copy of the e-mail (with the header) to disk.

9. Hit <Alt-P> and take a screen image of the header. Print this Image.

7. Close the program.

Retrieving the Email Header (AOL)

1. Open AOL.

2. Open the e-mail message.

3. Click the “DETAILS” link.

4. Select the message header text and copy it.

5. Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

6. Hit <Alt-P> and take a screen image of the header. Print this Image.

7. Close the program.

Retrieving the Email Header (Hotmail)

1. Go to Hotmail and login using your web browser.

2. Open the relevant e-mail message.

3. Go to Options and click Preferences. For version No.8 click Mail Display Settings.

4. Click Advanced Header. For version No. 8 go to Message Headers and click Advanced option.

5. Select the message header text and copy it.

6. Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

7. Hit <Alt-P> and take a screen image of the header. Print this Image.

8. Close the program.

Retrieving the Email Header (Yahoo)

1. Open Yahoo.

2. Go to Mail Options on the right hand side.

3. Go to the General Preferences link and click “Show All Headers On Incoming Messages” and save the message.

4. Select the message header text and save the file as Filename.htm. This may also be achieved from saving the “view source” data associated with the header.

5. Hit <Alt-P> and take a screen image of the header. Print this Image.

6. Close the program.

Retrieving the Email Header (Pine for UNIX)

1. Start the e-mail client program by typing “pine” at the command prompt.

2. For setup options press “S”.

3. For the e-mail configuration press “C”.

4. Exit the mode of configuration by pressing “E”.

5. Save the changes by typing “Y”.

6. After selecting the message using the arrow keys, select “O” from the lower screen.

7. View the header by typing “H”.

8. Close the program by typing “Q”.

Effective Enforcement in the Wild Wild Web

2011-11-08T07:24:00.001+11:00

1 Introduction

Some time ago Hilary E Pearson (1996) noted that, “in many cases, liability will depend upon how a court faced with a case of first impression analogizes a particular Internet service provider to more conventional categories of information providers. For example, should the service provider be viewed as the equivalent of the telephone company, purely a conduit for information? This might be the right analogy for the telecommunications link provider, but clearly does not fit the publisher. On the other hand, if the provider is viewed as analogous to a publisher of a printed publication, there is a much greater exposure to liability”[1].

Further, it was noted that the provider of a host computer for third party web pages could be compared to a printer or perhaps a distributor of printed publications. It could also be argued that a Usenet group or bulletin board is analogous to a library, so that the provider should be treated as the librarian.

The foremost dilemma with the study of electronic law is the complexity and difficulty in confining its study within simple parameters. Internet and e-commerce do not define a distinct area of law as with contract[2] and tort law. Electronic law crosses many legal disciplines, each of which can be studied individually. Examples of a range of areas of law that electronic, e-commerce, and Internet law touch upon can be seen in the following pages.

2 Remedy in Tort and Civil Suits

The availability of the Internet Intermediary as co-targets for actions makes them susceptible to the actions of both their clients and also uninterested third parties for passing off and misleading and deceptive conduct. An action for intentional interference with business by unlawful means may also be possible. The tort of intentional interference with business by unlawful means may be available where the use of the trade mark is unlawful.

The courts generally seem willing to apply conventional fault-based tort principles to weigh up the behaviour of intermediaries. The instances in which comparatively egregious conduct has ended in the liability of the intermediary are few,[3] and the majority of cases conclude with the absolution of the intermediaries from blame.[4] Those circumstances that have resulted in a decision by the court that in effect declare that the intermediaries hold considerable accountability for the behaviour of any primary malfeasors have mutually in the EU and the US Congress resulted in the respective parliaments acting to overrule the decision through the legislative conceding of expansive exemptions from liability to the intermediaries.[5] “The paths share not only the reflexive and unreflective fear that recognition of liability for intermediaries might be catastrophic to internet commerce; they also share a myopic focus on the idea that the inherent passivity of internet intermediaries makes it normatively inappropriate to impose responsibility on them for conduct of primary malfeasors. That idea is flawed both in its generalization about the passivity of intermediaries and in its failure to consider the possibility that the intermediaries might be the most effective sources of regulatory enforcement, without regard to their blameworthiness”[6].

In the US, Congress has endorsed legislative protections for intermediaries from liability through defamation with the introduction of the Communications Decency Act[7]. In 47 U.S.C. §230, it is unambiguously positioned as regarding internet regulation[8] that the act introduced a series of “Good Samaritan provisions” as a part of the Telecommunications Act of 1996. This was tested in DiMeo v Max (2007),[9] in which the court found the defendant not liable for comments left by third parties on a blog. The plaintiff alleged that the defendant was a publisher of the comments hosted on the website but did not allege that the defendant authored the comments on the website or that the defendant was an information content provider. Under 47 U.S.C. § 230 (f)(3), the court determined “the website posts alleged in the complaint must constitute information furnished by third party information content providers" and as a consequence immunity applied to the forum board operator. The Court upheld the dismissal of the suit.

The act, first passed in 1996[10] and subsequently amended in 1998,[11] has the apparent rationale of minimising Internet regulations in order to promote the development of the Internet and safeguard the market for Internet service. The internet has consequently become so essential to daily life that it is improbable that the addition of extra legislation would intimidate service providers away from the provision of services at a competitive rate.[12]

In the US, 47 U.S.C. § 230(c)(1) provides a defence for ISPs stating that, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” This statute would seem[13] to afford absolute immunity from any responsibility. Contrasting the DMCA, the ISP or ICP could chose not to do away with material in the event that the ISP or ICP has tangible awareness of the defamatory nature of material it is in fact hosting.[14] Notwithstanding the focal point of this legislation having been towards liability for defamation, it has pertained to seemingly unrelated auction intermediaries, including eBay.[15]

Inside the European Union, judgments obtained in the courts of one state are enforceable in any other state included within the Brussels Convention. If not, a judgment in one state will be enforceable in another only where there is a bilateral treaty creating the provision for such reciprocal enforcement between them. Frequently, these treaties add formalities surrounding the enforcement process that offer the courts of the jurisdiction in which the defendant is situated prudence both as to a decision to enforce, or to what degree. It is consequently vital when deciding on a jurisdiction to bring suit to decide if any judgment obtained is enforceable against a defendant who may in effect be judgement proof.

2. Cyber Negligence

Not acting to correct a vulnerability in a computer system may give rise to an action in negligence if another party suffers loss or damage as the result of a cyber-attack or employee fraud. Given proximity[16], a conception first established in Caparo Industries Plc. v. Dickman, [1990][17] and reasonable foreseeability as established in Anns v. Merton London Borough Council, [1978][18] A.C. 728, the question of whether there exists a positive duty on a party to act so as to prevent criminals causing harm or economic loss to others will be likely found to exist in the cyber world. The test of reasonable foreseeability has however been rendered to a preliminary factual enquiry not to be incorporated into the legal test.

The Australian High Court regarded a parallel scenario, whether a party has a duty to take reasonable steps to prevent criminals causing injury to others in Triangle Shopping Centre Pty Ltd v Anzil[19]. The judgment restated the principle established by Brennan CJ in Sutherland Shire Council v Heyman[20]. The capacity of a plaintiff to recover hinges on the plaintiff’s ability to demonstrate a satisfactory nexus (e.g. a dependence or assumption of responsibility) between the plaintiff and the defendant such that it gives rise to a duty on the defendant to take reasonable steps to prevent third parties causing loss to the plaintiff[21]. Consequently, if a plaintiff in a case involving a breach of computer security could both demonstrate that the defendant did not in fact take reasonable measures to ensure the security of their computer systems (as against both internal and external assault), and they show the act of the third person (e.g. an attacker/hacker or even a fraudulent employee) occurred as a direct consequence of the defendant's own fault or breach of duty, then an action in negligence is likely to succeed[22].

Many organisations state that current standards of corporate governance for IT systems pose a problem due to the large number of competing standards. However, it needs to be taken into account that all of these standards maintain a minimum set of analogous requirements that few companies presently meet. Most of these standards, such as the PCI-DSS[23] and COBIT[24], set a requirement to monitor systems. COBIT control ME2 (Monitor and Evaluate Internal Controls) is measured through recording the “number of major internal control breaches”. PCI-DSS at 10.5.5 states a minimum requirement to “use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert)”. As a general minimum, it may be seen that an organisation needs to maintain a sufficiently rigorous monitoring regime to meet these standards.

Installation guidelines provided by the Centre for Internet Security (CIS)[25] openly provide system benchmarks and scoring tools that contain the “consensus minimum due care security configuration recommendations” for the most widely deployed operating systems and applications in use. The baseline templates will not themselves stop a determined attacker, but could be used to demonstrate minimum due care and diligence.

It is interesting to contrast this general proposition with a peculiar case where the plaintiff went to great lengths in an attempt to recover loss caused by its own negligence, namely loss suffered due to computer fraud perpetrated by its own employee in its own system.

In Mercedes Benz (NSW) v ANZ and National Mutual Royal Savings Bank Ltd[26] (unreported), the Supreme Court of New South Wales considered if a duty to avert fraud would occur in cases where there is an anticipated prospect of loss. The Mercedes Benz employee responsible for the payroll system fraudulently misappropriated nearly $1.5 million by circumventing controls in the payroll software. Mercedes Benz alleged that the defendants, ANZ and NMRB, were negligent in paying on cheques that where fraudulently procured by the employee and in following her direction. The plaintiff's claim was dismissed by the court. It was held that employers who are careless in their controls to prevent fraud using only very simple systems for the analysis of employee activities will be responsible for the losses that result as a consequence of deceitful acts committed by the organisations’ employees. It takes little deliberation to extend this finding to payment intermediaries.

The decision was founded on the judgment of Holt CJ in Hern v Nichols (1701)[27] that stated in "seeing somebody must be a loser by this deceit, it is more reason that he that employs and puts a trust and confidence in the deceiver should be a loser than a stranger"[28]. The question remains open as to the position that may result from unsound practices operated not by the plaintiff but by an organisation in supplying services under an outsourcing agreement. In either event, the requirement for an organisation to provide controls to ensure a minimum level of system security is clear.

The situation is further compounded in instances of cyber-attack that lead to a loss. An innocent third party that suffers an attack that originates from an inadequately secured system would be able to easily demonstrate a lack of reasonable care if the minimum consensus standards mentioned above are not achieved. Coupled with facts demonstrating that the attack originated from the defendant’s insecure system, the evidence would provide the requisite substantiation of both proximity and reasonable foreseeability.

3. Prevention is the key

The vast majority of illicit activity and fraud committed across the Internet could be averted at least curtailed if destination ISP and payment intermediaries implemented effective processes for monitoring and controlling access to, and use of, their networks. Denning (1999) expresses that, "even if an offensive operation is not prevented, monitoring might detect it while it is in progress, allowing the possibility of aborting it before any serious damage is done and enabling a timely response”[29].

As is being noted above, there are a wide variety of commonly accepted practices, standards and means of ensuring that systems are secured. Many of the current economic arguments used by Internet intermediaries are short-sighted to say the best. The growing awareness of remedies that may be attained through litigation coupled with greater calls for corporate responsibility[30] have placed an ever growing burden on organisations that fail to implement a culture of strong corporate governance. In the short term the economic effects of implementing sound monitoring and security controls may seem high, but when compared to the increasing volume of litigation that is starting to incorporate Internet intermediaries, the option of not securing a system and implement in monitoring begins to pale.

The Internet remains the wild, wild, web not because of a lack of laws, but rather the difficulty surrounding enforcement. The Internet’s role is growing on a daily basis and has reached a point where it has become ubiquitous and an essential feature of daily life both from a personal perspective and due to its role in the international economy. If an ISP is to be held liable for authorisation as an intermediary, it must have knowledge, or otherwise deduce that infringements are proceeding.[31] Although, intermediaries commonly monitor their systems and have the means to suspect when infringements are occurring, Internet intermediaries also require the authority to prevent infringement if they are to be held liable for authorisation, a condition that entails an aspect of control.[32]

References

1. Barker, J. Cam, (2004) “Grossly Excessive Penalties in the Battle Against Illegal File-Sharing: The Troubling Effects of Aggregating Minimum Statutory Damages for Copyright Infringement”, 83 Texas L. Rev. 525

2. Bick, Jonathan D., (1998) “Why Should the Internet Be Any Different?” 19 Pace L. Rev. 41, 63

3. Bowne, A (1997) “Trade Marks and Copyright on the Internet” 2 Media and Arts Law Review 135

4. Collins M, (2000) “Liability of internet intermediaries in Australian defamation law” Media & Arts Law Review 209

5. Cooney, K (1997) “Liability for On-line Images: How an Ancient Right Protects the Latest in Net Functions” 16 Communications Law Bulletin 5

6. Demott, Deborah A. (2003) "When is a Principal Charged with an Agent's Knowledge?" 13 Duke Journal of Comparative & International Law. 291

7. Denning, Dorothy E. “Information Warfare and Security”, ACM Press, New York, 1999

8. Eisenberg J, (2000) “Safely out of site: the impact of the new online content legislation on defamation law” UNSW Law Journal

9. Gilchrist, Simon (1998) “Telstra v Apra –Implications for the Internet” [1998] CTLR 16.

10. Hare, Christopher (2004) “Identity Mistakes: A Missed Opportunity?” The Modern Law Review, Volume 67 Page 993 - November 2004 Volume 67 Issue 6

11. Harmon, Amy (2003) “Subpoenas Sent to File Sharers Prompt Anger and Remorse”, N.Y. Times, July 28, 2003, at C1.

12. Hazen, Thomas L. (1977) “Transfers of Corporate Control and Duties of Controlling Shareholders. Common Law, Tender Offers, Investment Companies. And a Proposal for Reform” University of Pennsylvania Law Review, Vol. 125, No. 5 (May, 1977), pp. 1023-1067

13. Kao, A. (2005) “RIAA v. Verizon: Applying the Subpoena Provision of the DMCA”, 19 Berkeley Tech. L.J. 405, 408.

14. Kraakman, Reinier H. (1984) “857 CORPORATE LIABILITY STRATEGIES AND THE COSTS OF LEGAL CONTROLS”, Yale Law Journal April, 1984 (93 Yale L.J. 857)

15. Landes, William & Lichtman, Douglas, (2003) “Indirect Liability for Copyright Infringement: An Economic Perspective”, 16 HARV. J.L. & TECH. 395.

16. Lemley Mark A. & Reese, R. A., (2004) “Reducing Digital Copyright Infringement without Restricting Innovation”, 56 STAN. L. REV. 1345.

17. Leroux, Olivier (2004) “Legal admissibility of electronic evidence 1”, International Review of Law, Computers & Technology; Volume 18, Number 2 / July 2004; Pp 193-220

18. Lichtman, Douglas Gary & Posner, Eric A., (July 2004). "Holding Internet Service Providers Accountable". U Chicago Law & Economics, Olin Working Paper No. 217. Available at SSRN: http://ssrn.com/abstract=573502 or DOI: 10.2139/ssrn.573502 (viewed 15 Jan 2008)

19. Lim, YF, (1997) “Internet Service Providers and Liability for Copyright Infringement through Authorisation” 8 Australian Intellectual Property Law Journal 192.

20. Loughnan, S., (1997) “Service Provider Liability for User Copyright Infringement on the Internet” 8 Australian Intellectual Property Law Journal 18

21. MacMillian, Blakeney “The Internet and Communications Carriers’ Copyright Liability” [1998] EIPR 52

22. Mann, Ronald J., (2004) “Regulating Internet Payment Intermediaries”, 82 Texas L. Rev. 681, 681

23. Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 <http://ssrn.com/abstract=696601> at 27 July 2007]

24. Olovsson, Tomas, (1992) “A Structured Approach to Computer Security”, Department of Computer Engineering Chalmers University of Technology, Gothenburg SWEDEN, Technical Report No 122, 1992

25. Paynter, H & Foreman, R (1998) “Liability of Internet Service Providers for Copyright Infringement”, University of NSW Law Journal, [1998] UNSWLJ 61

26. Quimbo, Rodolfo Noel S (2003) “Legal Regulatory Issues in the Information Economy”, e-ASEAN Task Force, UNDP-APDIP (MAY 2003)

27. Reidenberg, J (2004) “States and Internet Enforcement”, 1 UNIV. OTTAWA L. & TECH. J. 1

28. Scandariato, R.; Knight, J.C. (2004) “The design and evaluation of a defense system for Internet worms” Proceedings of the 23rd IEEE International Symposium on Reliable Distributed Systems, 2004. Volume, Issue, 18-20 Oct. 2004 Pp 164 - 173

29. 28Shapiro, Andrew L., (1998) “Digital Middlemen and the Architecture of Electronic Commerce”, 24 OHIO N.U. L. REV. 795

30. Slawotsky, Joel (2005) “Doing Business around the World: Corporate Liability under the Alien Tort Claims Act” 2005 MICH. ST. L. REV. 1065

31. 30Smith, Russell. (2000) “Confronting fraud in the digital age”, Presented at Fraud prevention and control conference, Gold Coast Australia 24-25 August 2000

32. Tickle, K. (1995) “The Vicarious Liability of Electronic Bulletin Board Operators for the Copyright Infringement Occurring on Their Bulletin Boards”, 80 Iowa Law Review 391 at 397

33. Williams, K. S. (2003) “Child Pornography and Regulation on the Internet in the United Kingdom: The Impact on Fundamental Rights and International Relations”, Child Abuse Review, Volume 14, Issue 6 , Pages 415 – 429 (Special Issue: New Technologies . Issue Edited by Bernard Gallagher). Published Online: 20 Dec 2005, John Wiley & Sons, Ltd.

34. Wu, Tim, (2003) “When Code Isn’t Law”, 89 Va. L. Rev. 679

35. Zittrain, Jonathan (2003) “Internet Points of Control”, 44 B.C. L. REV. 65

[1] The distributed nature of the Internet means that a publisher can reach far more people. A company with a web site in the UK for instance has direct access to the US, Canada, Australia and many other countries with the primary limitations being language.

[2] It has been argued that the digital contract may appear on the computer screen to consist of words in a written form but merely consist of a virtual representation . The Electronic Communications Act 2000 [ECA] has removed the uncertainty and doubt surrounding the question as to the nature of electronic form used in the construction of a contract. In this, the ECA specifies that the electronic form of a contract is to be accepted as equivalent to a contract in writing

[3].See A & M Records, Inc. v. Napster, Inc., 114 F. Supp. 2d 896 (N.D. Cal. 2000).

[4].For criticism of this perspective, see Landes & Lichtman.

[5].The most obvious example of this action can be found in the history of the Communications Decency Act. Congress directly responded to the ISP liability found in Stratton Oakmont, Inc. v. Prodigy Services, 23 Media L. Rep. (BNA) 1794 (N.Y. Sup. Ct. 1995), 1995 WL 323710, by including immunity for ISPs in the CDA, 47 U.S.C. § 230(c)(1) (2004) (exempting ISPs for liability as the “publisher or speaker of any information provided by another information content provider”), which was pending at the time of the case. Similarly, Title II of the Digital Millennium Copyright Act, codified at 17 U.S.C. § 512, settled tension over ISP liability for copyright infringement committed by their subscribers that had been created by the opposite approaches to the issue by courts. Compare Playboy Enters., Inc. v. Frena, 839 F. Supp. 1552, 1556 (M.D. Fla. 1993) (finding liability), with Religious Tech. Ctr. v. Netcom, Inc., 907 F. Supp. 1361, 1372 (N.D. Cal. 1995) (refusing to find liability).

[6] Mann, R. & Belzley, S (2005) “The Promise of the Internet Intermediary Liability” 47 William and Mary Law Review 1 <http://ssrn.com/abstract=696601> at 27 July 2007]

[7] The Communications Decency Act of 1996 (CDA)

[8].47 U.S.C. § 230(b) (2004) (emphasis added)

“It is the policy of the United States—

(1) to promote the continued development of the Internet and other interactive computer services and other interactive media;

(2) to preserve the vibrant and competitive free market that presently exists for the Internet and other interactive computer services, unfettered by Federal or State regulation;

(3) to encourage the development of technologies which maximize user control over what information is received by individuals, families, and schools who use the Internet and other interactive computer services;

(4) to remove disincentives for the development and utilization of blocking and filtering technologies that empower parents to restrict their children’s access to objectionable or inappropriate online material; and

(5) to ensure vigorous enforcement of Federal criminal laws to deter and punish trafficking in obscenity, stalking, and harassment by means of computer”.

[9] WL 2717865 (3rd Cir. Sept. 19, 2007); See also Fair Housing Council of San Fernando Valley v. Roommates.com, LLC , CV-03-09386-PA (9th Cir. May 15, 2007); and Universal Communication Systems, Inc. v. Lycos, Inc. , 2007 WL 549111 (1st Cir. Feb. 23, 2007)

[10].1996, Pub. L. 104-104, Title I, § 509.

[11].1998, Pub. L. 105-277, Div. C, Title XIV, § 1404(a).

[12].There remains, however, the fear that additional regulation will stifle innovation in the industry. Would, for instance, eBay enter the market as a new company today if it were liable for trademark infringement it facilitated? Such liability adds new start-up and ongoing costs that may make some new ventures unprofitable (or even more unprofitable). For an article addressing regulation in this way, see Lemley & Reese.

[13].There is at least the possibility that the statute would permit a State to require intermediaries to act. See Doe v. GTE Corp. 347 F.3d 655 (7th Cir. 2003) (per Easterbrook, J.) (suggesting that Section 230(e)(3) “would not pre-empt state laws or common-law doctrines that induce or require ISPs to protect the interests of third parties”).

[14].Thus minimising the likelihood of a decision such as Godfrey in the United States. See supra note 102.

[15].Gentry v. eBay, Inc., 121 Cal. Rptr. 2d 703 (Ct. App. 2002)

[16] Proximity, a notion first established in Caparo Industries Plc. v. Dickman, [1990] 2 A.C. 605, is the initial phase of the assessment. The subsequent phase enquires as to whether there are policy considerations which would reduce or counteract the duty created under the initial stage. Mutually, the phases are to be met with reference to the facts of cases previously determined. The dearth of such cases would not however avert the courts from finding a duty of care.

[17] [1990] 2 A.C. 605

[18] [1978] A.C. 728

[19] Modbury Triangle Shopping Centre Pty Ltd v Anzil [2000] HCA 61.

[20] (1985) 157 CLR 424.

[21] Dixon J elucidated how a “special relationship” of this variety may occur in Smith v Leurs (1945) 70 CLR 256. This case was derived from an indication of occurrences that entail a special danger and the control or of actions or conduct of the third person; See also [2000] HCA 61, para 140.

[22] See: Clerk and Lindsell on Torts, 19th Edition (2006), Chapter 28, paragraph 28-05

[23] PCI-DSS (version 1.1) is the Payment Card Industry Data Security Standard and is contractually required to be adhered to by all merchants that process VISA, Mastercard and other payment card products. This requirement and standard is maintained by the PCI Standards Council at https://www.pcisecuritystandards.org/

[24] COBIT v 4.1 is the computer control objectives and standard maintained by ISACA at http://www.cobitonline.info

[25] CIS benchmark and scoring tools are available from http://www.cisecurity.org/

[26] No. 50549 of 1990.

[27] (1701) 1 Salk 289

[28] Id., at 358.

[29] Dorothy E. Denning, Information Warfare and Security, ACM Press, New York, 1999

[30] See for instance Hazen (1977); Gagnon, Macklin & Simons (2003) and Slawotsky (2005)

[31] Ibid, Gibbs J at 12-13; cf Jacobs J at 21-2. See also Microsoft Corporation v Marks (1995) 33 IPR 15.

[32] Ibid, University of New South Wales v Moorhouse, supra, per Gibbs J at 12; WEA International Inc v Hanimex Corp Limited (1987) 10 IPR 349 at 362; Australasian Performing Right Association v Jain (1990) 18 IPR 663. See also Lim YF, 199-201; S Loughnan, See also BF Fitzgerald, “Internet Service Provider Liability” in Fitzgerald, A., Fitzgerald, B., Cook, P. & Cifuentes, C. (Eds.), Going Digital: Legal Issues for Electronic Commerce, Multimedia and the Internet, Prospect (1998) 153.