Blog

Crossing the Border with Your Laptop

Posted by Robb Beggs on 10/19 at 08:48 AM

Just a reminder: you have no expectation of privacy when you cross the US border carrying your laptop, cell phone, or PDA. So what do you do to protect your data?

If you enter Canada with a laptop computer, don’t be surprised if it is searched for the presence of child pornography. An automated search tool enumerates the images on the drive, and these are inspected for contraband. No child porn? Thank you very much Sir, and have a nice day!

If you enter the United States with a laptop, things are a bit more draconian.

Under Department of Homeland Security policy:

  • Officers may “detain” laptops “for a reasonable period of time” to “review and analyze information.” This may take place “absent individualized suspicion”
  • Officials may share copies of the laptop’s contents with other agencies and private entities for language translation, data decryption or other reasons
  • When a review is completed and no probable cause exists to keep the information, any copies of the data must be destroyed. Copies sent to non-federal entities must be returned to DHS. But the documents specify that there is no limitation on authorities keeping written notes or reports about the materials
  • There are no provisions in place for ensuring the security or privacy of data obtained during this process
  • Policies cover “any device capable of storing information in digital or analog form,” including hard drives, flash drives, cellphones, iPods, pagers, beepers, and video and audio tapes. They also cover “all papers and other written documentation,” including books, pamphlets and “written materials commonly referred to as ‘pocket trash’ or ‘pocket litter.’”

And yes, the policy applies to Canadians visiting the States.

The concern is how you secure corporate data against an increasingly hostile and xenophobic neighbor. What about personal e-mails that you don’t want to share, or discussions of medical conditions? What if you simply want to maintain the privacy of your own data as much as possible?

What can you do to protect yourself?

If you encrypt some or all of the hard drive, expect to be asked for the password. If you don’t want to hand it over freely to the agents at the border, expect “intense questioning” as a minimum.

Some people remove critical data from their laptops and place it on a USB key or flash drive, which they carry in their pockets. However, agents have full authority to go through your “pocket litter” in the search for evidence (and since there are no criteria in place for why they would choose to search one laptop rather than another, the term “evidence” is used loosely!).

Best solution? Assume that your laptop will be seized and viewed. Anything on the hard drive, or still resident in the system’s memory, can be accessed during the review process, so COMPLETELY scrub your laptop. Wipe the drive with a low-level format, install the operating system, update it, install the key office applications, install the remote access client, and then install nothing else. That becomes your “travel laptop”. Configure the system, and your network, to allow secure remote access, and keep no cached credentials on the travel laptop: authenticate to the office each time. When you need e-mail or documents from work, log on, access and use them, and when you no longer need them, securely delete or wipe them before you travel again.
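The last step of that routine, wiping the work files once a remote session is over and confirming nothing is left behind, as a POSIX shell script. This is an added example, not code from the original post; it assumes a shell with dd, find, wc and /dev/urandom, and the work directory name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: overwrite and remove the files
# pulled down during a remote-access session, then confirm nothing remains.
# Assumes a POSIX shell with dd, find, wc and /dev/urandom. In-place
# overwriting only helps on media that rewrite a block where it sits; on SSDs
# and journaled or copy-on-write filesystems old contents can survive, so this
# supplements full-disk encryption rather than replacing it.

PASSES=3   # random-data overwrite passes per file

# Overwrite one regular file in place, PASSES times, then remove it.
# Returns non-zero if the file is missing beforehand or still present afterwards.
wipe_file() {
    f="$1"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    # Round up to whole 4 KiB blocks so the slack at the end of the last
    # block is overwritten too; conv=notrunc keeps dd writing in place.
    blocks=$(( (size + 4095) / 4096 ))
    i=0
    while [ "$i" -lt "$PASSES" ]; do
        if [ "$blocks" -gt 0 ]; then
            dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        fi
        i=$((i + 1))
    done
    : > "$f"        # truncate so the directory entry records a zero length
    rm -f "$f"
    [ ! -e "$f" ]
}

# Wipe every regular file below a work directory, then remove the tree.
wipe_work_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    find "$dir" -type f | while IFS= read -r f; do
        wipe_file "$f" || echo "could not wipe: $f" >&2
    done
    rm -rf "$dir"
    [ ! -e "$dir" ]
}

# Number of regular files still present below a path (0 once the wipe held).
remaining_files() {
    if [ -e "$1" ]; then
        find "$1" -type f | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Usage (assumed directory name): after the remote session ends, run
#   wipe_work_dir "$HOME/work" && echo "work directory wiped"
```

Run it against the directory the remote session wrote into, and check `remaining_files` afterwards rather than trusting the return code alone. Browser caches, mail client stores and swap are outside the directory and need the same treatment, which is why the travel laptop should hold as little as possible to begin with.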

It’s not perfect, but it is better than surrendering your corporate and personal data.

Powersploiting with HD Moore

Posted by Robb Beggs on 10/06 at 10:50 PM

HD Moore, lead developer of the Metasploit Project, delivered his one-day advanced "powersploiting" course to an enthusiastic audience at the Toronto Sector security conference.

How much can you pack into a single day of advanced metasploit framework training? Quite a bit, thank you!

Today, HD Moore delivered the inaugural version of his powersploiting course to a group of devotees at the Toronto Sector security conference.

The only negative points: (1) it would probably benefit from an extra day or two of training, especially if a real target network could be used by the students, and (2) the existing documentation for Metasploit is somewhat ‘sparse’. Generally, HD’s presentations are the best publicly available documents, but there are still some gaps between what lies in his head and what exists on the paper. Maybe the project’s next move is to bring on a technical writer!

Those very minor points aside, HD introduced the Metasploit framework with an overview of its history. Did you know that it started out as a text-based MUD? In the original game, you scored points for compromising systems. HD moved quickly from developing a game to delivering one of the most effective open-source tools on the market (accolades and more available at http://www.metasploit.com).

The framework, tailored for the consistent development and delivery of exploits against a variety of operating systems and applications, has continued to evolve. The latest version is 3.2, which is not due to be released until later this week. It introduces several changes, including:

  • A new license, allowing contributors to retain ownership of everything they create that supports the framework;
  • A built-in web vulnerability scanner, WMAP;
  • Full support for IPv6;
  • Scruby and PacketFu, two Ruby-based libraries for the creation and manipulation of packets;
  • Assembler support that allows C-based exploit code to be converted to the lower-level language;
  • Strong support for WiFi reconnaissance and exploits; and,
  • Support for reflective DLL injection, which loads a DLL directly from memory rather than from a file on disk, helping payloads evade anti-virus and disk-based forensic tools.

The remainder of the day was spent learning advanced Metasploit attacks from HD. We learned how to write a simple scanner, and how exploits are written. After reviewing Meterpreter, we saw how effective it can be when used in a hostile role in wireless environments.

After the class, I talked to the students, and all were impressed. There’s more to Metasploit than most people really understand, and the real shortcut to gaining the knowledge needed to use it effectively is to take a class like HD’s powersploiting. Hopefully, he will continue to extend the skills that are taught, and the supporting documentation.

HD’s training course was one of four offered at Sector. The others covered cutting-edge hacking techniques, wireless and RFID attacks and defences, and Johnny Long’s “no-tech hacking”. For most of these courses, it was the first time they had been offered in the Toronto area, particularly by instructors of that calibre. Based on the student recommendations I heard today, I recommend taking advantage of this training when it’s offered at next year’s Sector conference!

Copyright Politics … Reduced to a Comic Book

Posted by Robb Beggs on 06/17 at 07:48 AM

If you’re tuning in late to the Canadian copyright reform debate, the Appropriation Art Coalition has created a free comic book (http://www.appropriationart.ca/wp-content/uploads/2008/06/51_state.pdf, 2.8 MB) that it says will get you up to speed on the issue.

The Appropriation Art Coalition has created The 51st State, a free comic book that provides commentary on Canada’s Bill C-61, designed to revamp Canadian copyright law.

Bill C-61 was tabled in consultation with the US and major entertainment industry associations; sadly, there was little to no consultation with the citizens whose rights it is supposed to protect. The proposals have drawn significant criticism, particularly when compared to the American government’s Digital Millennium Copyright Act (DMCA). Michael Geist has demonstrated how certain provisions of Canada’s C-61 are even more heavy-handed than the DMCA, particularly in areas such as security research, a vital requirement for Canada to protect its data resources.

Interestingly, analysis of American legal actions against downloaders of music indicates that the DMCA is not even being used; offenders are being charged under existing copyright laws.

So, what will a Canadian version of the DMCA accomplish? Are new laws really needed, or do we need to develop a new perspective on intellectual property that will directly reward the creator of the content, and allow a proper degree of intellectual freedom?

The 51st State provides a good overview of the issues, and the format is compelling – an artistic comic book, where every quote bubble is a hyperlink to web sites, articles, and other resources. It brings together politicians (Charlie Angus, NDP), lawyers (Michael Geist), and artists (Stephen Page of the Barenaked Ladies) to promote freedom of expression and protection of intellectual property.

Canadian PM Stephen Harper, Industry Minister Jim Prentice, and the president of the Canadian Recording Industry Association (CRIA) are, sadly, portrayed as little more than American stooges.

After reading The 51st State, it’s possible to come away feeling like you’ve been “US bashing” rather than learning about Canadian opposition to copyright law. Others will argue that you have to criticize the US, because that country and some of its entertainment lobbies are providing the global influence behind the oppressive copyright laws that have been emerging.

Should nationalism drive the international response to copyright and intellectual property protection? Let us know what you think!

Federal Government’s New Mindbender Law: Copyright? Copywrong?

Posted by Robb Beggs on 06/13 at 07:36 AM

The federal government has introduced a controversial bill it says balances the rights of copyright holders and consumers, but which opens millions of Canadians to huge lawsuits, prompting critics to warn it will create a “police state.” Even worse, some provisions of the bill make compliance with other parts of it impossible! Read more to see what you can do!

The Conservative government has finally introduced changes to the federal Copyright Act (Bill C-61), designed to bring Canada into compliance with global copyright standards, particularly as they pertain to digital content. In preparing the changes, it carefully sidestepped public input and consultation with experts. Including, it would appear, consultation with anyone who understands logic.

Here’s the deal: Under the new provisions, consumers are expressly allowed to make one copy of each item per device owned, such as a computer or MP3 player. The bill would also expressly allow consumers to record television and radio programs for later viewing.

But …

The bill also contains an anti-circumvention clause that will make it illegal to break digital locks on copyrighted material. So, if you are legally entitled to make a backup copy of your new CD or DVD, but the vendor has put a digital lock on the content (remember the Sony rootkit?), how do you make the legal copy without committing the illegal act?

In short, every positive reform that the bill could introduce is automatically “trumped” by the anti-circumvention clause, leaving consumers at risk from the very bill that was supposed to provide positive guidance in fairly using digital media!

In fact, according to Michael Geist, the Ottawa lawyer and law professor who is leading the charge against the proposed changes, Bill C-61 advocates anti-circumvention rules that are more extreme than those of the US DMCA, widely regarded as one of the most draconian and ill-conceived laws passed in recent memory.

Another proposal is that people caught downloading music or video files illegally could be sued for a maximum of $500, while uploading a file to a peer-to-peer network or YouTube could result in lawsuits of $20,000 per file. Which raises an interesting question: you are legally entitled to make a backup copy of the latest Barenaked Ladies album, but are prevented from doing so because the vendor has locked its content. You could break that lock, but that would be breaking the law. So you go online and see that someone else (perhaps not subject to Canadian law) has uploaded the album. You download it in digital format, a copy the bill says you are entitled to have, and yet you are now exposed to a claim of up to $500 for obtaining something you were supposed to be allowed to copy!

Some of the other provisions of the proposed changes to the Act include:

  • Educational institutions will now be able to copy materials from the internet that they previously could not
  • The locks on cellphones would also be protected, so when consumers buy a device from one carrier, they would be unable to move it to another. Breaking any of these locks could result in lawsuits seeking up to $20,000 in damages
  • Canadian internet service providers will continue to be immune to lawsuits from copyright holders for infringements over their networks. The bill recognizes ISPs as intermediaries and would only require them to pass on violation notices from copyright holders to their customers

The bill will get its second reading after the summer break, so if you want to make your voice heard about the proposed changes, now is the time.


Few Canadians are ‘very confident’ their personal data is safe with retailers, banks and governments

Posted by Robb Beggs on 06/11 at 04:39 PM

Only seven per cent of Canadians say they are very confident in the ability of Canadian retailers, governments and banks to protect their personal information, a new national survey by CA Canada, a leading enterprise software company, has revealed. Of the three types of organizations, Canadian retailers fared the worst, with less than one per cent (0.5 per cent) of consumers saying they are very confident retailers can protect their customers' on-line personal and private information. Canada's "Big Banks" also performed poorly, with only nine per cent of Canadians reporting they are very confident that large financial institutions can protect on-line customer information.

Though far from a ringing endorsement, federal and provincial governments performed the best in the opinion of Canadians. Of those polled, 12 per cent said they are very confident that Canadian governments can protect on-line personal and private information.

According to the CA Canada 2008 Security and Privacy Survey, Canadian security executives echoed consumers’ concerns, with only 36 per cent of those surveyed saying they are very confident in their organization’s ability to protect itself against losing customer or transaction data. Additionally, the consumer survey indicated that 85 per cent of Canadian consumers cite loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of major security and privacy breaches suffered by the business or government organizations that they deal with.

“Canadian businesses and governments that are managing consumer data and information without robust data security are performing a high wire act without a net,” said Renee Lalonde, regional vice president, CA Canada. “All it takes is one major security or privacy breach and the confidence and satisfaction customers have in those organizations is severely compromised.”

As more personal information makes its way on-line, a growing number of Canadians have fallen victim to theft of their personal information, like their Social Insurance Number or credit card information. Of those polled, 14 per cent said they have experienced personal information theft and nearly half (44 per cent) said they know someone who has had their personal information stolen.

The CA Canada survey also revealed that a significant majority of consumers feel that businesses and governments do not spend enough on improving on-line security and privacy:

  • 84 per cent think retailers do not spend enough on on-line security and privacy.
  • 67 per cent think governments do not spend enough on on-line security and privacy.
  • 62 per cent think major financial institutions do not spend enough on on-line security and privacy.

Interestingly, four in ten (39 per cent) of Canadian security executives agree that the percentage of their company’s IT budget invested in security is too low.

Canadians’ concerns about the privacy and security of their data are not unfounded. There has been significant growth in the number of organizations suffering known security attacks over the past five years. More than 86 per cent of large Canadian organizations surveyed have suffered an identified security attack over the past 12 months compared to only 67 per cent in 2003. Of particular concern is the finding that internal security breaches, those that come from within the organization, have seen the most dramatic rise, from less than 5 per cent of Canadian organizations reporting them in 2003 to 33 per cent of large Canadian organizations identifying them over the past 12 months – a six-fold increase.

About the 2008 CA Canada Security and Privacy Survey
This survey was commissioned by CA Canada as a follow-up to the 2006 CA Canada Security Survey. A total of 200 telephone and on-line surveys were conducted among a random sample of large Canadian firms/organizations. Those interviewed included Chief Security Officers, Chief Information Officers, Chief Technology officers and other senior executives responsible for IT security. All surveys were completed during the period March-April 2008 by The Strategic Counsel on behalf of CA Canada. Margin of error is plus/minus 4.5%, at a confidence level of 95%.

For the consumer portion of the study, a total of 400 telephone surveys were conducted among a random sample of the Canadian general population aged 18-65. All surveys were completed during April 2008 by The Strategic Counsel. Margin of error is plus/minus 4.9%, at a confidence level of 95%.



Copyright © 2008 DigitalDefence, Inc. | 302 - 3310 South Service Road, Burlington, Ontario L7N 3M6 | Tel 905-681-3310 | Toll-Free 866-677-1337
