The Hacker Factor Blog

Digital image manipulation is becoming a constant feature in the news. Recently Newsweek had an article about photo-editing services for your kid's school picture. Forget the retakes -- just pay $6 to have that grimace photoshopped into a sweet smile.

However, one photoshopped picture recently hit the mass media. A photographer in China reportedly took a picture of an antelope herd near a passing high-speed train. The Chinese government used the picture to show how the train was not having a negative impact on the environment. However, there is a problem: the picture was fake. According to the Wall Street Journal:

Earlier this week, Xinhua, China's state-run news agency, issued an unusual public apology for publishing a doctored photograph of Tibetan wildlife frolicking near a high-speed train.

The deception -- uncovered by Chinese Internet users who sniffed out a Photoshop scam in the award-winning picture -- has brought on a big debate about media ethics, China's troubled relationship with Tibet, and how pregnant antelope react to noise.

The WSJ pointed out a number of inconsistencies. However, I didn't see many of them. Here's what I noticed:

• Error level analysis (mouse over the image to see it) reveals four different areas in the image: (1) train and pillars, (2) a horizontal swath containing the antelope and ground, (3) a swath of ground above the antelope, and (4) the rocks closest to the camera. If this picture were real, then the entire picture should be near the same error level.
  
  
  
  (What about the sky? It is a uniform color, so I expect it to have an even error level.)
  
  
• Luminance gradient indicates three different light sources. (Mouse over the image and look for the dark-to-light transitions.) The first light source is on the train, tracks, and pillars. They all show sharp light changes along the edges. The second light source is on the antelope; they do not have the same sharp lighting as the train. The final light source is on the front rocks -- the light is hitting the rocks from the opposite direction compared to the train. Three light sources indicate three images spliced together.
  
  
  
  
• Antelope experts criticized the photo for having too many pregnant antelope with no young'uns. (E.g., the 2nd antelope on the left has a big belly.) They also said that the running herd was too tightly clustered.
  
  I'm not an antelope expert, but I noticed something else: all of the pregnant antelope seem to be running in single-file and have the same dark spot on their neck. In contrast, the males do not have the spot. While this could be specific to the breed, I think it may be the same animal. In fact, this appears to be a collage of frames. There were probably only 4-5 antelope photographed running by a camera that took a series of pictures. These individual photos were then merged to form one "herd" . Cynthia Baron commented that some of the legs may have been modified.

Following my talk at Black Hat, I was asked how many pictures were likely modified. Perhaps I am cynical, but I suspect that most of the popular, impressive, or significant pictures in the mass media are modified in one way or another. And soon, the "real" pictures of plain kids in elementary school year books will all be modified, too.

I am finally home from Black Hat DC 2008. This is the fourth year that they have held this conference (and the first one that has actually been in DC). While I have spoken at Black Hat in Seattle and Las Vegas, this was my first Black Hat DC conference.

Conference Atmosphere

Black Hat holds their big show in Las Vegas each year, right before Defcon (near the end of July or early August). Last year, there were thousands of attendees and nine (9) simultaneous tracks. The hardest part was deciding which talk to attend, because there were probably 2 or 3 at any given time slot that sounded interesting.

Outside of the big show, Black Hat holds satellite conferences. This year's DC conference had two simultaneous tracks, and neither room had more than a few hundred seats. This is a smaller and tamer conference than the big show. And pretty much every speaker was getting stopped on the floor or stairwell or bar and asked questions about their talk. (While this does happen at the big show, it is nowhere near as personal as at the smaller shows.)

Being held in DC, many of the attendees worked for government contractors or unspecified agencies. However, unlike Infowarcon (I spoke there in 2003), most of the government attendees were not visibly carrying weapons.

The Talks

The keynote by Jerry Dixon (Infragard's National Member Alliance's Vice President for Government Relations) and Andy Fried (IRS and frequent "Meet the Fed" panel member) covered online fraud and phishing. They discussed trends, observations, and some reaction approaches. (Search google for "Tax returns" and see all of the vulnerable people. Many are shared on P2P networks. Ugh.) The talk was very good, but I left with many questions... For example, why are phishers not targeting some specific low-handing fruit? Also, there was one thing that bothered me. Dixon did an informal room survey asking who had received IRS phish -- about a third of the room. He was actually surprised that it was not higher since he is aware of an increase in phishing against the IRS. However, this discrepancy does not surprise me. I have repeatedly stated that phishers are targeting their victims (not blanket mass mailings) and while there are more phish emails being sent, there are fewer being received because the industry is getting better at catching and filtering phish.

The talks started with a bang. David Hulton (h1kari) and Steve gave a great presentation on cracking GSM phone security using less than $1000 in parts. The main components: one FPGA (Field Programmable Gate Array) for generating a rainbow table for 64-bit encryption in a few months, and a terabyte of disk space for storing the rainbow table. They expect to crack encrypted phone conversations within 30 minutes, and plan to develop a system that can crack conversation in 15 seconds. (After the crypto is cracked, you can decode saved messages or listen in on live conversations.)

Oliver Friedrichs (Symantec Security Response) surprised me. His talk was on "Threats to the 2008 Presidential Election" so I thought it would be on voting machine exploits. Boy was I wrong. His talk was actually on misrepresentation and name-based attacks. He had a great set of examples about DNS domain name squatters and typo domains (like "baarakobama.com" instead of "barakobama.com") and how Google adwords make a legitimate candidate appear to endorse an illegitimate site.

Nitesh Dhanjani and Billy Rios (Microsoft) gave a great presentation titled "Bad Sushi - Beating Phishers at Their Own Game". (Their intro was slow due to their ongoing jokes, but the content was great.) Rather than focusing on statistics, they actually traced a single phishing scam from the email to the server to the blind drop and so on. While I believe some of their conclusions were arguable, their presentation was both interesting and informative. (One of their conclusions was that phishers are stupid -- actually, most are script kiddies with little or no programming skill, but there are a few developers who are smart enough to create tools for everyone else.)

For the second day, I tried some of the hardware talks (keep in mind, I'm strictly a software person). The "Security Failures in Secure Devices" talk by Christopher Tarnovsky (Flylogic Engineering) was interesting but way over my head. (When he began talking about acid and needles, it went beyond me.) Basically, he dissected chips made by prominent security device vendors and showed how to pull out data and keys. A guy sitting two seats in front of me worked in the crypto lab for one of the vendors. He was nodding the entire time (clearly the talk was not over his head). When it came to analyzing a different vendor, this guy shouted out "Please tear them apart like you did us." While the techniques were way beyond my understanding, the conclusion was clear: don't trust vendors why say their hardware crypto is secure, because it isn't.

Brian Chess and Jacob West had a good talk on "Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking". They covered some of the general risks and approaches, but did not go into any specific examples. This was followed by Shawn Moyer's talk on "(un)Smashing the Stack: Overflows, Countermeasures, and the Real World". He showed that overflows still exist and technologies to counter them are neither widely used nor universally available.

Felix "FX" Linder gave an interesting talk on "Developments in Cisco IOS Forensics". (The "write core" command is your friend.) He definitely had the best quote of the conference: "C is the language that can most elegantly shoot yourself in the foot while simultaneously hitting your head."

Missed Talks

Unfortunately, I was not able to attend all of the talks, and I missed some that I wanted to attend.

I missed the presentation by David Litchfield (NGS Software) on Oracle Security. I was really looking forward to this, but since my own talk was right after him, I knew I would be too nervous to sit still. However, I did have a couple of chats with David, his brother, and his father both evenings -- really sharp people. (David thinks I should profile vulnerability authors based on the opcodes that they use. It's an interesting idea, but I am currently focused on text, images, audio, and video. Perhaps opcode usage will be next. Similarly, I think David should focus on more than just Oracle Enterprise software in case these risks are symptomatic across all Oracle software and all DB vendors -- PostgreSQL, MySQL, Microsoft, IBM, etc.)

I also missed the Meet the Fed panel featuring Jim Christy (Director of Futures Exploration for the Defense Cyber Crime Center) and Ovie Carroll (Director for the Cybercrime Lab at the Department of Justice). I did manage to chat a little with Jim, but didn't get the chance to ask him how he hurt his wrist! And I have never met Ovie Carroll, but I like his podcast.

Other Notes

Finally, there were a bunch of people who I just enjoyed talking with. Each evening, a group met at the bar to just chat -- on computers, security, politics, whatever. This kind of informal peer get-together is one kind of event that I really enjoy.

Also, I saw a few friends that I only run into at conferences (Toorcon, Defcon, Black Hat, etc.) Greg S., Grifter, Chris ("oh sure, he knows my name but I don't know who he is."), and others. It's always good to get back in touch with these people.

This belongs under the "I can't make this up" category. Loyal reader, W., sent me this one:

TrenchMice is hiring freelancers to dig up rumors and news about companies.

We aren't the typical site that opines about new products, company financing, or market trends. Instead, we're about what's going down in the office. I.e., what it's like to work for a company, or for a particular manager.

If you've ever listened to friends vent about their jobs, you know the kind of information we're looking for!

Responsibilities:

Write about company rumors and news that you get from friends, colleagues, web surfing, or you just overheard at a party

Write up interviews with founders or managers of small companies

...

The compensation:

$20 – $30 per published scoop, depending on length

Cogito, Inc. stock options for multiple months of continuous stringing

What can I say... They are paying for rumors about companies and office gossip. Nothing says the rumor has to be true or accurate. How about "Ann Coulter is a man! Outed by her own writings!" -- I read it on the Interweb, so it must be true. I wonder what they will pay for "Gadi Evron will drink a beer tonight!"? At $20 a pop, this could be more fun than BugTraq.

One caveat in case you are considering the submission of rumors: nothing in their privacy policy or terms of use says that they will protect their sources. If you give real insider info, you could be exposed. Similarly, they may not protect you if you provide libelous material. (Their terms of use explicitly forbids "violating ... intellectual property rights" or "defaming a third party", but it doesn't say what will happen if you get it past their screening.)

[Update: 21-Feb-2008: The citation about volcanoes was too debatable. Climatologists say one thing, volcanologists say something else. This citation has been removed.]

I recently participated in an online Q/A session about global warming. The question was: What can we do about global warming?

Here's my response:

The propaganda machine is great at making people believe that global warming is man-made. However, they cannot seem to agree on the fine details.

For example, global warming was initially blamed on cow farts. (I'm not kidding.) Then they blamed pollution; first carbon monoxide, then carbon dioxide.

And let's not forget the ozone hole over the South Pole. Some scientists say it is growing, others say shrinking, and still others say it is stable. (That's right, in December 2000 it was reported as shrinking, but in 2006 is was called both "growing" and "stable". Never mind that we have only been measuring it since 1970's.) If scientists cannot agree on a consistent scenario, then they are probably not seeing the cause.

Measuring Biases

Much of the data on global warming appears to have other biases. For example, an environment measuring station in Texas has shown a very steep temperature increase in recent years.



However, there is a problem with this data. According to the site Watts Up With That?, the "NOAA USHCN climate station of record #415018 in Lampasas, TX was found to be tucked between a building, and two parking lots, one with nearby vehicles." The sensor was moved there in October of 2000, right before the measured temperature rise. The increase in temperature is likely due to the asphalt, concrete, brick, and vehicles a few feet away from the sensor.



The faulty Texas data seemed pretty amazing to me, so I looked up my own home town: Fort Collins, Colorado. While I don't know where the sensor is located, the temperature curve seems to match the city's population.




I suspect that the Fort Collins weather station is located downtown, or near a busy intersection. (Actually, I think it is near the major intersection of Shields and Prospect, close to the University.)

The site Watts Up With That? has identified many recording stations that are providing false information. (I think he's up to 52 so far.) It seems that many of the measuring stations are not in ideal locations for taking accurate readings.

(This reminds me of a conversation with Mark Rasch on precision and accuracy. Saying "PI is 3.1872956823" is precise, but inaccurate.)

Seeking Proof

There is no doubt that the weather is changing and global warming is happening. (The shrinking antarctic ice shelf and increase in hurricanes is proof enough.) There is also no doubt that pollution is bad for humans. However, there is little definitive proof that man-made pollution is the cause of global warming.

Rather than looking internally, try looking externally. For example, at the same time that the Earth is increasing in temperature, so is Mars. I seriously doubt that the Mars rovers are generating enough pollution to increase the temperature on Mars. Instead, we should look to another common source: the sun.

We know that the sun increases and decreases in output. When the output is low, it gets cold -- for a long duration (millions of years). There have been four major ice ages, and technically, we are currently in an ice age. According to the Illinois State Museum, "Our modern climate represents a very short, warm period between glacial advances." It began to warm up about 10,000 years ago -- which is a blink in geological time. And what happens when we come out of an ice age? "Global warming". Scientists have even measured an increase in the sun's output. More solar output means higher temperatures -- on Earth and Mars.

Saving The Earth

Does the Earth need saving? Yes, but not from global warming. We need to save ourselves from the FUD spread by organizations with agendas. And that starts with information.

NOTE: This does not mean that we should not try to reduce pollution, save the environment, and strive for energy efficiency. It just means that we should call "global warming" was it is: a natural process.

Last week the Internet Storm Center had a diary entry on audit and penetration testing. This led to a debate with a good friend about the need for penetration testing in corporate and SOHO environments.

Nearly every security outfit offers some kind of penetration testing services. The question is: When is a pen-test necessary? Simply showing a viable attack vector is usually enough to identify what needs patching and what processes need to be established. Sure, it is fun to show your skills and hack into a system, but that rarely improves security.

Audits vs Penetration

To back up a little: there are two ways to evaluate a system's security profile. First, there are audits. An audit is a surface-level evaluation that identifies potential exploits. This is similar to walking around a house, jiggling the door knobs, testing the windows, and pushing on the walls. Occasionally the auditor may find an entrance into the system or valuable information, but the auditor stops there -- finding the vector is important, but exploiting it is not.

More extreme than audits are "penetration tests". Audits find potential attack vectors. Penetration tests exploit the vectors in order to gain additional access or privileges. Following a successful exploit, another audit may be performed (and then a pen-test then audit then pen-test) in order to see how deep the attacker can go.

As an analogy for system penetration testing, the Discovery Channel has a show called It Takes a Thief. In this show, thieves break into a home to show the home owner how unprotected they are. However, the show does not just stop there -- they actually burglarize the home. They bring in a truck for loading the loot, ransack the home, and usually break property in the process.

For getting through the security message, it would be just as effective for the TV show to have a person enter the home and walk around. The person could even show how easy it is to steal things; pointing out items of value and showing how to burglarize the home without causing actual damage. But since that doesn't make for good TV, they actually destroy the place and remove valuable items.

In contrast, security audits evaluate systems without actively burglarizing the premises. This is analogous to rape prevention and training courses. These classes show common attack and defense methods, and applies them -- students are placed in simulated attack scenarios and taught to defend themselves. However, unlike a pen-test, students are not actually raped during the course.

When to Audit

I have performed many security audits. I have never needed to ransack a system, install a rootkit, or even exploit a buffer overflow to gain access. While I identify probable attack vectors and subsystems vulnerable to overflows, I don't actually exploit them. Sure, there have been a few isolated cases when the customer asks for a proof-of-concept (they see the attack vector but want proof of the threat). Even in these situations, exploiting the vulnerability never needs to go beyond the single exploit. (Look, I'm on the system. There's no need to rape you.)

Actually, I shouldn't say never. In incident response training, there are tactical "red teams" or "tiger teams". These are used in controlled environments to simulate full attack, detection, and response scenarios. In this situation, full exploitation and penetration is required and expected.

However, most customers do not need a full attack. Simply pointing out vectors and using a few proof-of-concept exploits as demonstrations is enough. Unfortunately, I have seen too many "security outfits" who do not seem to understand this distinction. They are more than eager to break into your site. The claim is that they will show you how vulnerable you are, but the truth is more likely for stroking their own egos ("Look how l33t we are!"). On occasion, full-penetration testers end up out of control and get arrested.

When to Pen-Test

There are a few occasions when pen-testing is essential. For example, following an audit and installation of detection systems and establishment of policies and procedures for handling attacks, a full pen-test can really identify the effectiveness of the whole system. However, any company missing intrusion detection tools or missing active monitoring or lacking established policies and procedures will not benefit from an actual penetration test. (They won't notice the attack, and if they do notice, they won't be able to react.) Again, an audit is just as effective. (It Takes a Thief actually burglarizes homes to show that the burglars have the time and access, but they would be just as effective if they showed that they had the time and access without doing the actual burglary.)

Shopping Around

My advice to any company looking for a security evaluation partner: If the outfit initially talks about pen-testing or offers a penetration test before asking about your ability to detect and react to attacks, then you should walk away and find someone else. 99% of the time, you will only need an audit. Similarly, if you don't know if you need an audit or a penetration test, then you probably need an audit and not a penetration test.

There are a few industries that really need full penetration testing; banking, government, military, utilities, and medical sectors immediately come to mind. (If you manage valuable personal information, weapons, or water/power for homes, then you need to periodically pen-test your system.) The few organizations that need full penetration tests already know it, and usually have their own tiger teams. However, it can be very beneficial to bring in an external (black-box) team for testing the system from an outsider's viewpoint; using the same tiger team can miss creative attack vectors due to complacency from repeatedly testing the same systems with the same people.