If you're a Firefox user, there is a new add-on available called Lightbeam.  Lightbeam is useful for understanding how personal data is shared on the Internet: your web browsing habits, the sites you frequent, and so on.  Lightbeam works by recording the sites you visit and also recording any third-party sites those sites pull content from.

Lightbeam does not reveal how companies use your personal data for their business purposes, or even whether they store it.  A good general rule of thumb: if someone has the capability to snoop on your personal data, assume they are doing so.  That way you will not be unpleasantly surprised by the next big privacy headline in the media.

To get a better look at Lightbeam, double-click my thumbnail picture (top) to view an enlarged photo.  You will notice in my browsing history that I visited 37 sites which referenced 149 third-party sites.  Third-party sites are sites included by the site you visited, most likely without your knowledge.  Some might argue without consent as well, but most of us click through those 60+ page license agreements anyway (don't we?).

The Lightbeam user interface allows you to move nodes around, toggle controls on and off, etc.  In looking over my results, some common third parties emerge, like Google AdSense and DoubleClick.  Many sites use Google advertising on their pages, so nothing too surprising here; we see ads every day.  However, you may not have considered the implications of third-party content on the many pages you visit.

photo: Paros Proxy, HTTP Request

To best illustrate what's happening between the web browser and the server, on the left is a screen fragment from a tool called Paros Proxy.  Paros sits between your web browser and the sites on the Internet you wish to view.  When you request site content, Paros intercepts the HTTP request, displays it, and forwards the request on to the server.  Paros lets you inspect requests, or even modify them en route if you wish.  For our purposes, we are interested in viewing HTTP requests.  In this example I visited the usatoday.com web site, but many sites access Google services.  To begin, usatoday.com requests a third-party Google syndication link, first red circle.  In the second link, also circled in red, the web browser specifies a Referer.  The Referer header is part of the HTTP protocol (the misspelling is in the standard itself) and carries the URL of the page that caused the request, whether you clicked a link or the page simply embedded a script, image, or ad from another host.  Said a simpler way, the web site you're navigating to knows the web site you came from.  Often it's another page on the same web site, like switching between tabs on a news site, but it could be an entirely different web site.  (Typing an address or opening a bookmark sends no Referer at all; the header is only set when one page leads the browser to the next request.)

The concern is that when site content is loaded, the third-party site is told which page you are viewing.  In this case, since Google content is ubiquitous, Google learns which sites you browsed even if you didn't get there via its search engine or its web browser.  There are many more ways to leak information than the Referer, so it's only part of the problem, and the Referer does have legitimate uses.  Cookies and URL rewriting are also combined with it to make your browsing experience personal, or tied directly to you as an individual: a cookie set by the ad domain lets that one party link every Referer it sees across every site that embeds its content.
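The following script is an added example, not code from the original post, from Paros, or from Lightbeam.  It takes request captures of the kind Paros displays, extracts the Host and Referer headers, and builds the same first-party to third-party map Lightbeam draws, flagging each request whose Referer names a different site than the one being contacted.  The captured requests, host names, paths and cookie value are constructed for illustration; the registrable-domain helper is a deliberate simplification (last two labels) that a real tool would replace with the Public Suffix List.

```python
"""Map third-party requests and Referer leakage from captured HTTP requests.

Added example, not from the original post or the Paros/Lightbeam projects.
The request captures below are constructed to look like what Paros shows;
the hosts, paths and cookie values are made up for illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed captures: request line plus headers, as an intercepting
# proxy would display them.  Not real traffic.
CAPTURES = [
    "GET / HTTP/1.1\r\nHost: www.usatoday.com\r\n\r\n",
    "GET /pagead/show_ads.js HTTP/1.1\r\nHost: pagead2.googlesyndication.com\r\n"
    "Referer: http://www.usatoday.com/news/\r\n\r\n",
    "GET /pixel?id=1 HTTP/1.1\r\nHost: ad.doubleclick.net\r\n"
    "Referer: http://www.usatoday.com/news/\r\nCookie: id=abc123\r\n\r\n",
    "GET /sports/ HTTP/1.1\r\nHost: www.usatoday.com\r\n"
    "Referer: http://www.usatoday.com/news/\r\n\r\n",
    "GET /pixel?id=1 HTTP/1.1\r\nHost: ad.doubleclick.net\r\n"
    "Referer: http://example.org/secret-project/\r\nCookie: id=abc123\r\n\r\n",
]


def parse_request(raw):
    """Return (method, target, headers) for one raw HTTP/1.x request.

    Header names are lower-cased so lookups are case-insensitive,
    as HTTP requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def registrable_domain(host):
    """Naive eTLD+1: keep the last two labels.

    Good enough for .com/.net/.org; a real tool must use the Public Suffix
    List so that e.g. news.bbc.co.uk is not reduced to 'co.uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(captures):
    """Build Lightbeam-style first-party -> third-party edges and list
    Referer leaks: requests whose Referer names a different registrable
    domain than the request's Host.

    Returns (edges, leaks):
      edges: dict first_party -> sorted list of third parties
      leaks: list of (third_party_host, referer_url, has_cookie)
    """
    edges = defaultdict(set)
    leaks = []
    for raw in captures:
        _method, _target, headers = parse_request(raw)
        host = headers.get("host", "")
        referer = headers.get("referer")
        if not referer:
            continue  # typed address, bookmark or no referer: nothing leaked
        first_party = registrable_domain(urlparse(referer).hostname or "")
        third_party = registrable_domain(host)
        if first_party == third_party:
            continue  # same-site request, e.g. moving between sections
        edges[first_party].add(third_party)
        leaks.append((host, referer, "cookie" in headers))
    return {k: sorted(v) for k, v in edges.items()}, leaks


if __name__ == "__main__":
    edges, leaks = analyze(CAPTURES)
    for site, parties in edges.items():
        print(f"{site} -> {', '.join(parties)}")
    for host, referer, has_cookie in leaks:
        tag = " (with a cookie: linkable across sites)" if has_cookie else ""
        print(f"{host} learned you were at {referer}{tag}")
```

The last capture is the interesting one: the same DoubleClick cookie that appeared on the news site appears again with a Referer from an unrelated site, which is exactly the cross-site linkage the post describes.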

What is or should be private is evolving, and everyone has an opinion.  Internet service providers want more access to end-user personal information.  Individuals are continually surprised to see how their private information is shared between companies.  Whatever your views, Lightbeam provides transparency about personal data shared with third parties in a way many can understand.  Lightbeam is released at a time when public concerns about privacy and transparency are at an all-time high.  It will be interesting to see if the tool gains traction with the public.


This year's computer security conference, Black Hat USA 2013, was held at Caesars Palace in Las Vegas, Nevada.  DEFCON 21, a follow-up security conference, was about a block away at the Rio hotel.

I have attended a number of security conferences over the years, but I must admit I'm a bit of a Black Hat and DEFCON noob.  In any case, many people asked if I was attending, so I thought I should experience these events myself firsthand.  By pure happenstance, the Black Hat staff asked me to present (my previous post) about a month prior to the conference.  I only mention the session briefly since some have criticized me for the closed session.  Please keep in mind, the summit rules are not my rules.  I was privileged to be invited and I will respect their rules.  It's also the first time I have ever been invited.

There are a few things I noticed immediately as a new attendee.  Both conferences are a little rougher, or raw around the edges.  Often a heckler in the audience would belch out a contrary opinion to the speaker, or even obscenities at times.  In one case, a speaker retaliated, telling a heckler to “-uck off”.  There were a few uncomfortable moments where I considered slipping down into my chair and low-crawling out the door.  I was not sure what was going to happen next.  The keynote by General Alexander, the leader of the National Security Agency, was a great example of the electric atmosphere at Black Hat.

Photo:  Mohawks at DEFCON21

A few impressions from a first-timer.  One of the things you will notice is that the crowd is a little different from some of the conferences you may be accustomed to.  But a little background first: over the years I have developed what I affectionately call the 1000-yard gaze.  The 1000-yard gaze, shared by most Californians, is simply the blissful indifference to shocking sights and sounds.  So for example, if you want to walk around me with a purple mohawk and sparklers for earrings, it's OK.  I will pretend I don't notice and you can feel like we all have purple hair.  Even with a trained gaze, there are a few sights you are likely to encounter at these conferences that will test your abilities.  Also, presenters, while undeniably experts at what they do, are sometimes not the best communicators: lack of eye contact, mumbling, etc.  One would think communication ability is a requirement for presenting at a conference, but you might be wrong.  My impression is that innovative content is sometimes favored over presentation ability.  It's a tough tradeoff for conference planners, I suspect, but I can understand how that makes sense for these innovative conferences.  Still, during a couple of sessions I had to tap a fellow attendee on the shoulder and ask what the heck the speaker just said, only to receive a shoulder shrug.  I wondered if anyone in the room understood what was said at the time.  It's definitely the exception rather than the rule, but it surprised me.

In the end, the raw edginess (if that’s a word) gives these conferences their charm.  Both conferences were super fantastic and I should have attended them many years ago.  Following are a few highlights from the conferences to challenge what you know about the state of the art in security.

Mobile platforms are a security nightmare
Most security professionals realize the tools for mobile security are woefully inadequate.  In fact, intrusion detection and prevention tools are simply not available to consumers.  Mobile consumers are running on the “trust me” security model.  One particular presentation at DEFCON21 stands out: Do-It-Yourself Cellular IDS, by Sherri Davidoff and panel.  They demonstrated how to turn a femtocell into an Intrusion Detection System (IDS).  The project was a considerable effort by a team, lasting almost a year.  Incidentally, there are a few ways to sniff your mobile traffic, like connecting your phone to a local Wi-Fi network and sniffing outbound traffic with standard tools.  The limitation of that approach is that you can't see the traffic that goes over the carrier's network; a femtocell is a small cellular base station the phone attaches to over the air, so it sees that traffic too.  The presenters claimed around 50% of the audience phones were infected, ouch!  Also that some malware allows listening to conversations or viewing what is happening in a room — downright creepy.

Hardware hacks

Photo:  Hardware hacking lab

There were a ton of good hardware hacks and spy gear.  ACE Hackware was selling a device called the r00tabaga for penetration testers.  The device is a self-contained computer, smaller than a pack of cigarettes, running a modified Linux kernel.  It's mostly for executing remote pentest assessments, surveillance, and Man in the Middle (MITM) attacks.  The device appears to be a 3G mobile hotspot, exploited, and reflashed with a modified version of OpenWRT.  The device is a little too polished to be manufactured by a niche vendor, in my opinion.  Nevertheless, whatever it is, it's great, and the price at the show was $110 USD.  There are other popular long-standing competitors like the Pineapple.  Likewise, the Raspberry Pi may be a good contender for such a project, but I'm not aware of any flash images or plans for ready-to-go solutions.

The lock pickers also had a strong presence.  If I had known they had a Lock Pick Village, maybe I would have considered bringing my picks.  Although, I'm done with traveling abroad with my picks.

Exploitation of office equipment
Stepping p3wns: Adventures in Full Spectrum Embedded Exploitation, by Ang Cui and Michael Costello, showed how an entire office environment may be exploited by an adversary.  In his demonstration, Ang exploited an HP printer to gain a foothold in a mock office environment.  The printer was used for office reconnaissance to find other IP-enabled devices.  From the printer, an attack was launched to exploit a Cisco IP phone, and other devices were captured.  The presentation's crescendo was a denial of service attack from the printer against a Cisco 2851 router, rendering it useless.  The point of the presentation was that many common office devices are IP-enabled.  These devices may hold interesting information (e.g., phone numbers last dialed, contacts, the last document scanned), make valuable platforms for reconnaissance, or even serve as a place to launch attacks from.  Given the proprietary nature of the hardware, these devices are difficult to secure.  Ang mentioned some technology he's developed to help secure these legacy environments.

Trading privacy for security
ACLU and EFF had a strong presence and generated interest from attendees.  These groups highlighted many of the current issues (e.g., Snowden, FISA courts) and the need for more privacy and transparency.  The greatest challenge presented was: how can the government ensure the safety of Americans without violating their privacy?  Unfortunately, there didn't seem to be any satisfying answers for attendees.

Celebrity appearances
Brian Krebs (Krebs on Security) and Lance James's session, Spy Jacking the Booters, covered Brian's swatting ordeal.  For those who don't know what swatting is, it's like it sounds.  Bad guys fabricate a story to bring a SWAT team to your home.  Unfortunately, SWAT teams don't have a good sense of humor, so it's guaranteed to inconvenience the victim for an evening.  Not to mention the price of door repair, which, according to Brian, some cities don't cover.  The lesson learned here: it's no fun to be swatted.  Interestingly, I did get to shake Brian's hand as he was walking out the door.  He was in a hurry, so we did not talk long, but it was fun to watch his expression as I introduced myself.  Anyway, I enjoy reading Brian's articles.  Maybe someday I will be able to communicate so expertly.

Will Smith appeared at DEFCON21.  I really have no idea why he was attending the conference.  I didn't notice him on the schedule.  Maybe he's giving up movie making for a life in security?  I didn't see him at the conference myself, but I saw a few Tweets.  If anyone has details, feel free to drop a comment on this posting or send a tweet.

Equipment failures

Photo:  Crashed phone system?

I noticed a higher than usual occurrence of hotel hardware failures at the event.  I really have no figures to back up my feelings; consider it a hunch.  First was the phone in my room.  Take a look at the screen in the photo: “Server Unreachable”.  I'm not sure what that's trying to tell me, but it does not look good.  The next event was a fire alarm at the Rio hotel during DEFCON.  There were flashing lights all throughout the halls and audible warnings followed by a voice message.  The alarm sounded for at least 10 minutes.  After the alarm stopped, a voice indicated it was a test.  I don't ever remember tests like this in any fully occupied hotel during a large event.  The last time I saw flashing lights and heard sounds like that, Halon was about to dump and I was sprinting out of the data center.  If anyone has any hardware failures to report, please share them.

A parting thought…
Evidently there's not much you can't do in Vegas, including shooting fully automatic weapons — geek bait.  I wonder how many attendees tried this?  Send me a Tweet or something if you got to shoot any of these firearms.

Photo: The Gun Store

I found the following YouTube video link on EFF.org of Senator Ron Wyden (D-OR).  The Senator speaks out for American rights and privacy before the Senate.  In spite of legislative trends, Congress may not be as one-sided against individual rights as you might imagine.  Senator Wyden provides an interesting pro-privacy perspective along with some lessons from history.  Likewise, the contrary Senate opinion would be interesting to hear.  Unfortunately, fully understanding lawmakers' decisions is difficult, since they are based in part on non-public or classified information.

Media:  Wyden Floor Statement on FISA Reauthorization Act and Proposed Amendments
Of course, the FISA extension passed by a landslide.  If you're curious to see how your state represented you, please refer to the following link: FISA Amendments Act of 2008 Five Year Extension.

We Are Legion: The Story of the Hacktivists[1] is a documentary taking viewers inside the hacktivist organization Anonymous.  The film explores computer hacking subculture and early hacker organizations like Cult of the Dead Cow and Electronic Disturbance Theater, and provides history around Anonymous and where it's heading.

Many of us have heard news about the group Anonymous in the popular media and press lately.  But what is the group Anonymous?  Who is in charge?  What are their goals?  Following is the quick rundown.

What is Anonymous?
Anonymous is not a group of angry teenagers pranking computers for fun.  Anonymous is a large group of hacktivists spanning many countries.

Who is in charge?
To quote the movie, “Anonymous is like a flock of birds”.  When one bird changes direction, sometimes the entire flock follows.  Leaders emerge from the group from time to time, and people with like interests rally behind the leader.  For leaders, relevance within the group is determined by the number of people rallying behind your cause.  There is more than one leader since there is more than one cause.

What are Anonymous’s goals?
The goals of the group change as group leadership changes.  The goals today are not the same goals as when the group started.  In fact, some of Anonymous's original leaders discuss their differences of opinion with the newer leadership.

A number of individuals were interviewed throughout the program, in particular Chris Wysopal (Twitter @weldpond), CTO of Veracode.  Chris is a very talented and outspoken security researcher[2] and provides some hacking commentary, including the origins of the Black Hat conference.  The film also raises interesting points of view.  For instance, the film frames Anonymous as hacktivists and describes their activities largely as forms of political protest or civil disobedience.  The group uses technological means to demonstrate for their causes: Distributed Denial of Service (DDoS), web site defacement, DoSing phone lines, trolling, even fake pizza delivery orders to harass individuals are considered fair game.  All of these activities are painted as forms of political protest.  Sure, DDoS attacks are disruptive, but no different from “sit-ins” or picket lines (in the group's eyes).  I never thought of a DDoS attack as a form of political protest, but it surely could be.  The world is changing fast, and how we organize and protest is changing as well.

Thumbs up!  If you're a security professional or interested in computer security, it's a good movie to see.

[1] “We Are Legion | The Story of the Hacktivists.” We Are Legion. Luminantmedia.com, n.d. Web. 06 Nov. 2012. <http://wearelegionthedocumentary.com/>.
[2] “Chris Wysopal.” Wikipedia. Wikimedia Foundation, 29 Oct. 2012. Web. 06 Nov. 2012. <http://en.wikipedia.org/wiki/Chris_Wysopal>.
Figure [1]: Do Not Track

If you're a software developer or browser power user, it's likely you've heard some discussion around Do Not Track (DNT) features[2].  Like the name implies, DNT communicates the user's desire to the application not to be tracked[3] — simple enough.  The firestorm around DNT is over the implications for individual privacy and industry access to your personal information.

From a technical perspective, DNT is implemented as an HTTP request header: a browser with the setting enabled adds “DNT: 1” to every request it sends, and the web application receives the header and, hopefully, honors the user's wishes.  The setting is user-adjustable via the browser's configuration, if the browser supports it.  The technologies are well established and relatively simple to implement.  What the header does not do is enforce anything; a server is free to ignore it, which is the whole argument that follows.
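What “honoring the header” looks like on the server side, as an added example that is not code from the original post or from any browser or advertiser: a minimal WSGI application that reads the DNT request header and sets a persistent tracking cookie only when the visitor has not asked not to be tracked.  The application, the cookie name and the identifier are made up; the Tk response header comes from the W3C Tracking Preference Expression draft, where N means “not tracking” and T means “tracking”, and is included so the browser can see what the server decided.

```python
"""Honoring the DNT request header in a web application.

Added example, not code from the original post or from any browser or
advertiser.  The application, cookie name and tracking id are made up;
the Tk response header comes from the W3C Tracking Preference Expression
draft and tells the browser what the server decided.
"""
import secrets
from wsgiref.simple_server import make_server

TRACKING_COOKIE = "uid"  # hypothetical cross-site tracking identifier


def dnt_preference(environ):
    """Return 1 if the browser sent 'DNT: 1', 0 for 'DNT: 0', None if absent.

    WSGI exposes request headers as HTTP_<NAME>, so 'DNT' becomes HTTP_DNT.
    Anything other than the two defined values is treated as unset.
    """
    value = environ.get("HTTP_DNT", "").strip()
    if value == "1":
        return 1
    if value == "0":
        return 0
    return None


def handle(environ):
    """Decide, for one request, whether to set a tracking cookie.

    Returns (status, headers, body) so the logic can be tested without a
    network.  The only difference between the two branches is whether the
    visitor is tagged with a persistent identifier.
    """
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if dnt_preference(environ) == 1:
        # Honor the user's preference: no identifier, and say so.
        headers.append(("Tk", "N"))
        body = b"DNT honored: no tracking cookie set\n"
    else:
        # No 'Do Not Track' request: tag the visitor.  A site that kept
        # tracking regardless of DNT would answer 'Tk: D' (disregarding).
        uid = secrets.token_hex(8)
        headers.append(("Set-Cookie", f"{TRACKING_COOKIE}={uid}; Path=/; HttpOnly"))
        headers.append(("Tk", "T"))
        body = b"tracking cookie set\n"
    return "200 OK", headers, body


def app(environ, start_response):
    """WSGI entry point wrapping handle()."""
    status, headers, body = handle(environ)
    start_response(status, headers)
    return [body]


def request_environ(dnt=None):
    """Build a minimal WSGI environ for GET /, with an optional DNT header.

    Used for offline testing; a real browser fills these in itself.
    """
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if dnt is not None:
        environ["HTTP_DNT"] = dnt
    return environ


if __name__ == "__main__":
    # Try it with:  curl -i -H 'DNT: 1' http://127.0.0.1:8000/
    # and compare with the same request without the header.
    with make_server("127.0.0.1", 8000, app) as httpd:
        print("listening on http://127.0.0.1:8000/")
        httpd.serve_forever()
```

Run it and send two requests with curl, one with the header and one without: the first response carries Tk: N and no Set-Cookie, the second tags you with an identifier.  Nothing in the browser or the protocol can force the second branch out of existence; whether it runs is a decision the site operator makes.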

The meaning of DNT is clear enough to many users and hardly requires explanation.  However, advertisers have steadfastly resisted DNT since it impacts access to users' personal data, favoring instead self-regulation or other measures.  The Digital Advertising Alliance (DAA), representing over 5000 advertisers, does not support DNT[7].  So what's the problem?  Are the specifications not clear enough?  Does nobody understand that users value their privacy?  No, not at all.  So if industry understands what we want, why don't they keep our information private?  To understand the industry viewpoint about your data, a Verizon exec captures it succinctly — “Data is the new oil”[8].  To me that says our personal data is an incredibly valuable product.  A trip to the gas pump helps put the comparison in perspective.

The challenges of DNT are…

  • How best to implement it within applications.
  • Industry favors unfettered access to your personal information.
  • Support for DNT is voluntary.  There are few rules and consequences around use, or even abuse, of your data.
  • Incredible financial incentive exists not to implement DNT.
  • It's not clear when — if ever — DNT will be formally standardized.  The early draft went to the IETF[3] and the work later moved to the W3C, and it's not looking good at all.

Beyond the commercialization of your data, there are practical reasons to retain some user information.  Clearly, some information about the user must be retained to provide a good experience with the application.  Imagine if Facebook didn't have access to your list of friends; the service would not be very useful.  Implementing “no tracking” in the strictest sense is not desirable for anyone.  On the other end of the spectrum, data brokers gathering your personal information for resale would likely be considered abusive by most users, if they were even aware their data was being sold.  All this raises the question: what is considered good and bad tracking?

A Stanford University team did a pretty good job of defining good and bad tracking[6].  Their starting point was to consider tracking from the user's perspective.  A site you visit and interact with directly is considered a first party.  Sites you do not interact with directly, but which the page you visit loads content from, are third parties.  The scope of DNT applies specifically to third parties, so any practices defining bad tracking apply to third-party use of your information.  Of course, there are some legitimate third-party uses, like supporting infrastructure services (a content delivery network, for instance), so the definition is tricky.

Thinking more about data again.  On a deeper and more personal level, information about your present medical and financial conditions and history that you post to friends on social media can be gathered and used by potential employers and insurance companies to their benefit.  Be mindful of everything you discuss online and every bit of personal information you enter.  Unlike derogatory credit reporting data, there is no limit on the life span of derogatory social media, or even rules about how your personal Internet data may be traded or brokered[5].  My rule of thumb: if it's technologically possible to achieve and beneficial to someone or some group, then I assume it's being done.

“If you don’t know who the customer of the product you are using is, you don’t know what the product is for. We are not the customers…we are the product”.  –Doug Rushkoff[4] 

So to answer, why does DNT matter?  DNT matters because it communicates the individual's desire not to be tracked.  Any web site that does not comply with your privacy wishes runs the risk of a flogging in the court of public opinion.  DNT stabs at the very heart of information profiteers who benefit by knowing everything about you.

Individual privacy is an unfolding drama that will take years to sort out, but I have every confidence it will be sorted out.  I have faith the industry will continue to misbehave, and regulators will do what they do best — nothing, or err on the side of more money for business.  Eventually, the confluence of injustice will produce a public outcry for privacy the likes of which we have never seen.  Already privacy is in the news every day.

Most people understand that to use a really good web site for free they must give up something.  Most think in terms of tolerating some advertisements on the web page.  However, many don't have a good understanding of what is being negotiated away, and industry likes it that way — but people are learning fast.

[1] Bug. Digital image. Donottrack.us. Stanford, n.d. Web. 10 Oct. 2012. <https://www.securitycurmudgeon.com/wp-content/uploads/2012/10/bug.png>.
[2] “Do Not Track – Universal Web Tracking Opt Out.” Stanford, n.d. Web. 10 Oct. 2012. <http://donottrack.us/>.
[3] Mayer, J., A. Narayanan, and S. Stamm. “Do Not Track: A Universal Third-Party Web Tracking Opt Out. draft-mayer-do-not-track-00.” Internet Engineering Task Force, 7 Mar. 2011. Web. 10 Oct. 2012. <http://tools.ietf.org/id/draft-mayer-do-not-track-00.txt>.
[4] Solon, Olivia. “You Are Facebook’s Product, Not Customer.” Wired UK, 21 Sept. 2011. Web. 11 Oct. 2012. <http://www.wired.co.uk/news/archive/2011-09/21/doug-rushkoff-hello-etsy>.
[5] Singer, Natasha. “Senator Opens Investigation of Data Brokers.” The New York Times, 11 Oct. 2012. Web. 11 Oct. 2012. <http://www.nytimes.com/2012/10/11/technology/senator-opens-investigation-of-data-brokers.html?_r=0>.
[6] Mayer, Jonathan, and Arvind Narayanan. “Re: Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.” Letter to Federal Trade Commission, Office of the Secretary. 18 Feb. 2011. Stanford University, n.d. Web. 12 Oct. 2012. <http://donottrack.us/docs/FTC_Privacy_Comment_Stanford.pdf>.
[7] Naples, Mark. “DAA Statement on DNT Browser Settings.” BusinessWire, WIT Strategy for the DAA, 9 Oct. 2012. Web. 16 Oct. 2012. <http://www.businesswire.com/news/home/20121009005980/en/DAA-Statement-DNT-Browser-Settings>.
[8] Morran, Chris. “Does Verizon’s Monitoring Of Customer Behavior Violate Wiretap Laws?” The Consumerist, 16 Oct. 2012. Web. 17 Oct. 2012. <http://consumerist.com/2012/10/16/does-verizons-monitoring-of-customer-behavior-violate-wiretap-laws/>.

I recently purchased a 2012 Toyota Prius C hybrid; great car.  I really love the gas mileage, and the fact that it's easy on the environment is an added bonus.  Returning to the house with my new car, I cracked open the owner's manual[1] for the first time.  On pages 18 and 19 I noticed a section, “Vehicle control and operational data recording”.  Hmm, this is interesting.  The manual goes on to say the vehicle is equipped with sophisticated computers recording vehicle operation.  My first thought was — black box — like the type found on modern aircraft, only in my car.  Toyota calls the black box the Event Data Recorder (EDR).

The Prius manual describes the following operational parameters as subject to recording.

  • engine speed
  • electric motor speed
  • accelerator status
  • brake status
  • vehicle speed
  • shift position

While it's clear these settings are recorded, it's not clear what else may be recorded.  For instance, a Prius purchased with the navigation system option also has GPS coordinates and time/date information.  Knowing where and when events occur makes them much more valuable.  The manual specifically notes that no conversations, sound, or pictures are recorded.  Oh, what a relief.  Toyota notes the data is used for research and development and to improve quality.

Finally, the Prius manual goes on to say Toyota will not disclose EDR data to third parties except…

  • Upon consent of owner/lessee
  • Official request by police, court, or government agency
  • Research not specific to owner or vehicle

The first bullet is me, the Prius owner.  I can approve the distribution of my EDR data to a third party.  OK, makes sense.  The second bullet, police, court, or government agencies — this concerns me.  The effect of this is that if you're involved in a crash, local, state, or federal officials can collect your EDR data without your knowledge or consent.  Similarly, EDR data could be gathered during a surveillance operation when you take your car to the dealer for an oil change.  Not likely, I admit, but if it's possible then it's safe to assume such surveillance will occur at some point.  The concern is that EDR data can be used against owners in a court of law or for surveillance purposes.  While you may be able to exercise your 5th Amendment rights in court, it's likely your car is not subject to such laws.  One trip to the Electronic Frontier Foundation[2] will convince you our laws have not caught up to our technological capabilities — to the detriment of our privacy.

In my opinion, until privacy laws improve, I wish manufacturers would not provide features with no immediate consumer benefit that may potentially be used to violate privacy.  I'm not talking about doing away with the Internet or light bulbs — these have huge consumer benefits.  I considered writing Toyota and asking how to deactivate the EDR; after all, it's for research and quality control according to them.  It should not be important to the operation of the vehicle, right?  Perhaps there is some Prius hack info on the net.

[1] “Toyota Prius C Owners Manual.” Toyota. Web.<http://www.toyota.com/t3Portal/document/om/OM52B58U/pdf/Forward.pdf>.
[2] Electronic Frontier Foundation, <https://www.eff.org/>