Friday 10 December 2010

Wikileaks, Assange, Insurance, US Cables, Anonymous, LOIC and all that jazz.

There are so many aspects to this story, it's very difficult to know where to start.

First, it was clear that once Julian Assange got his hands on the leaked cables, it was only a matter of time before some or all of them were released. The nature of many of the released cables is pretty tedious to be honest and I suspect that a number of them have been 'over-marked', that is to say, have been afforded a protective marking above the marking that they actually warrant, but it's not my call. There are some leaked cables that are significant and whoever Assange has employed to vet/redact them may be working to a different agenda.

Second, the issue of the 'insurance' file and Assange. It is clear that the huge insurance file could be the complete collection of cables; perhaps we'll never know as, if Assange releases the password for it, there will be absolutely nothing left for him to bargain with, therefore he is only likely to release the password if he has nothing left to lose.
Regarding the accusations levelled against him in Sweden, we should always take the attitude of 'innocent until proven guilty', even if sexual crimes are seen as the most distasteful. It is possible he is guilty; it is possible that the accusations have been made in an attempt to discredit him. The timing would seem to suggest the latter or it could be a coincidence. Certainly the initial prosecutor in Sweden felt as though there was no case to answer.

Regarding Anonymous and their attempts to avenge Assange. From what I've seen of Anonymous, it is rare for them to be so united behind one cause. They also seem to be garnering support from other sections of society. Historically, Anonymous has a pretty short attention span and I would not expect their assault to run and run, but if the momentum they have gathered can continue it is possible that a sustained campaign could be achieved.

The LOIC. I'll admit, I've not submitted the code to any analysis, I do have some concerns though. A malware developer is a malware developer. It is entirely possible that anyone putting together the LOIC code could have included an update function that could change the nature of the tool entirely. While the LOIC will only be attacking anti-Wikileaks targets at the moment, it could trivially be modified for the operators to target sites for blackmail purposes or to install additional trojan software onto the host computer to assist in the collection of personal details, banking details, passwords, etc. The bottom line is, the LOIC has not come from a 'trusted' source and therefore there is no recourse to the developers if it starts acting in a manner that was not advertised. If you're tempted to download and run the software, please bear this in mind. You might also find that your actions would be considered illegal. IANAL.

Finally, a quick word about the 'need to know'. There has been some discussion concerning the need to know and if it would be considered illegal to view the Wikileaks cables. I would suggest that if you are working in Government, it would be beneficial to discover what has been released. I'm sure the Intelligence community is reviewing the cables but I am less confident that they will pass on the relevant information to other Government departments.

Saturday 27 November 2010

Police to ask Nominet to close 'criminal' domains

This is of concern to me.

http://www.bbc.co.uk/news/technology-11845961

While it is right, proper and for the common good for criminal sites to be removed, there is a danger that 'grey' area websites will fall foul of this law.

For example, if a website is set up to provide hacking tutorials, discussions and tools to the community, it might be deemed by the police that the site is 'criminal' and its registration removed without any recourse for the owner. It is conceivable that such a site, while possibly frequented by criminal hackers, could also be a hugely useful resource for ethical hackers and security professionals.

There are plenty of other sites that could be described as 'dual purpose' to one degree or another and having the police decide which remain and which go is suggesting the principle of 'Innocent until proven guilty' is all but dead.

Wednesday 24 November 2010

New Windows 0day vulnerability

All Windows XP/Vista/7 32bit and 64bit are vulnerable to a new 0day attack.

http://www.prevx.com/blog/160/New-Windows-day-exploit-speaks-chinese.html

The vulnerability does not have any known exploits but it will only be a matter of time before they are seen in the wild.

The vulnerability centres on the win32k.sys NtGdiEnableEUDC API which is not validating some inputs correctly, allowing it to be exploited via a stack overflow. The result is that an attacker can cause their malicious code to be executed with kernel mode privileges, meaning, even if the malicious code is executed by an account with restricted privileges, the resultant code would be executed with the highest privileges, bypassing the need for confirmation via UAC in Vista and Windows 7.

The vulnerability is not remotely exploitable but it would be susceptible to standard delivery methods such as email, drive-by and, more recently, USB infection.

Sunday 21 November 2010

Security Awareness Training

An interesting article here:

http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1523943,00.html?track=sy160

I was very pleased to see that Tony Neate was highlighting the virtues of providing security awareness training to help organisational users improve their own, personal online security. I have been using this strategy for several years now and I have found attendance is improved and audiences are more attentive and retain more information.
The only section of the organisation I have found to be resistant to security awareness training tends to be the IT support section but since I work closely with them, I am given the opportunity to point out where they are breaching security and why it is a Bad Idea. I think they hate me.

Saturday 20 November 2010

52 percent of firms have no IT security guidelines for staff

OK, the headline is misleading, the UK survey, carried out by AVG, suggests that 52% of 'Small Firms' have no security policy for their staff.
That's still disappointing although not surprising.
It's disappointing as it takes very little effort to produce a basic policy document, without which the employees of the organisation are pretty much given free rein to take whatever actions they see fit. This may engender a culture of achieving the organisational goals but it exposes the organisation to risks of software piracy, copyright infringements and malware. When users of a system are given such freedom, it is often the organisation that is held accountable (and liable) when the proverbial hits the fan.
There is a very high chance that some of these organisations are processing personal information which makes this even more worrisome. Data Protection Act, anyone?

http://www.networkworld.com/news/2010/111910-52-percent-of-firms-have.html?source=nww_rss

Adobe Reader X

Finally, and after some long wait, Adobe have announced Adobe Reader X.
Only available for Windows at the time of writing, the new version of this heavily exploited software has sandbox functionality, thus greatly reducing the possibility of malware being delivered via PDF documents.

http://blogs.adobe.com/asset/2010/07/introducing-adobe-reader-protected-mode.html

I have noticed a worrying trend among many organisations to ensure all their Microsoft estate is fully patched and up to date via WSUS or a similar mechanism while other software, and Adobe Reader is probably the most widespread, is largely ignored.

Friday 17 September 2010

About Bogwitch

In my real life, I am an Information Security Consultant. I have worked primarily in the Central Government sector but I have worked for commercial organisations and charities alike.

As Bogwitch, I have been commenting on InfoSec issues on many forums and boards so I thought it was about time for me to start blogging about what interests me.

My particular areas of interest include cryptography, user security awareness and UK specific InfoSec related law. Primarily, these areas interest me as I see them as being the aspects of Information Security that are most liable to mature significantly over the next few years.

[edit]

No longer working as a consultant, bored rigid of producing paperwork, performing audits and dull stuff like that. Now I'm an IT Security Architect in the commercial sector. My focus has shifted to stuff like cloud security but I remain interested and I keep a watchful eye and useful contact in the HMG arena, particularly MoD.