Hydrapinion

In Our Humble Opinions....



Goodbye

Thursday November 1st, 2007 - Category: Protect

By Pat GRAY

Well, this is my farewell Hydrapinion post. I'm sorry to say that I just don't have time to contribute to this blog in a meaningful way anymore. My side project, ITRadio.com.au, has more or less turned into a full time gig and I really need to focus on it.

Sadly that means PROTECT is no more -- it's being replaced with a weekly Mac blog penned by Stephen Withers. Ian Grayson is taking over Work.

I've really enjoyed writing all those nasty, off-base rants for everyone over the last year (it went fast) and I hope you enjoyed reading them.

I'm still around though. If you stop by ITRadio to listen to my weekly security podcast, Risky Business, you'll still get your fill of my poorly reasoned opinions on the wonderful world of information security. That's right, thanks to new media technology my aggressive diatribes are available in low-fidelity, 56kbps mono! Technology is amazing!

I hope you've got some headphones, and I'll catch you around the intertubes.

So long, thank you, goodbye.

Pat Gray


How the Government locks out the press: a case study

Thursday October 25th, 2007 - Category: Protect

By Pat GRAY

Those of you who read Tuesday's IT section in The Age and Sydney Morning Herald may have seen my story about the NSW Department of Commerce getting hammered by spam.

A deluge of spam crippled the NSW Department of Commerce's computer network two weeks ago, effectively severing its connection to the internet for at least two days.

A sudden influx of spam emails from more than 4000 domains and locations brought the department's Sydney office network to a standstill, forcing system administrators to block outbound web browsing access to help restore email services.

I'd like to be a tad self-indulgent here and discuss the way this story came together. It highlights the problems the press faces these days in dealing with governments, both state and federal.

Now, call me old fashioned, but I believe governments should provide adequate responses to press enquiries. It's how they're held accountable.

In this instance, sadly, the NSW Department of Commerce brushed enquiries aside with an air of arrogance that was quite astonishing.

Here are the questions I sent to the department:

q1: Can you describe the nature of the computer problems experienced by Department staff?

q2: What was the root cause of the problems?

q3: Did the problems affect the Department's entire network?

q4: What action was taken to resolve the network issues?

q5: If the problems were caused by a DDoS attack, were the police notified?

q6: What sort of disruptive effect have the problems had on the normal operations of the Department?

q7: What action has been taken to mitigate the resulting administrative headaches caused by the attack?

After a couple of days, I received this response:

"The Department of Commerce recently experienced a large influx of SPAM internet emails from over 4000 different domains and locations from around the world.

As a result of the attack, the Department experienced some disruption to internet email delivery over a period of two days. A series of actions were taken to mitigate the risk including intermittently blocking internet (web browsing) services.

Departmental operations ensured all websites remained fully functional and restored email services as efficiently as possible.

During the incident, the Department of Commerce provided information and sought advice from AusCert (a National Computer Emergency Response Team)."

Ok, so it's a response, but it's not exactly forthcoming. I'd even call it evasive. I decided to ask some more specific follow-up questions, in addition to requesting an interview with a spokesperson from the Department. The questions were:

> "The Department of Commerce recently experienced a
> large influx of SPAM internet emails from over 4000
> different domains and locations from around the world.

Was this a sudden influx? How does this compare to normal spam volumes? If it was a sudden influx, do your propeller heads have any idea why? Is it a deliberate attack or attempt to cripple the Department's e-mail infrastructure? If so, who would want to cripple the Department's e-mail systems?

> As a result of the attack, the Department experienced
> some disruption to internet email delivery over a
> period of two days. A series of actions were taken
> to mitigate the risk including intermittently
> blocking internet (web browsing) services.

Why would you block staff access to the Internet because of a sudden influx of spam? Was it to save bandwidth? How long was Internet browsing blocked for?

Also, I understand you're still having some e-mail trouble. I received a call from NAME OMITTED 90 minutes after sending her an e-mail yesterday. She wanted to know if I'd sent it, which suggests to me that the problems are far from resolved.

When I called to make sure she'd received it, another staff member said the department was experiencing problems with e-mail, indicating the issue isn't fully resolved yet.

We're interested to find out what the impact of this attack was on the normal operations of the department. I have been informed that tender documents couldn't make it through to your network via e-mail and it was causing major procedural problems. My original questions alluded to this, but there is nothing in the response that refutes it.

Have you had to extend any tender deadlines?

> During the incident, the Department of Commerce
> provided information and sought advice from AusCert
> (a National Computer Emergency Response Team)."

Yup -- the guys and gals at AusCERT can be very helpful in situations like this, providing advice and mitigation strategies. Did you also call in external consultants to help out?

Now, there have been a number of assertions made by my source. If you choose to, you can refute them. If you choose not to, then they're frankly worth printing as assertions that have not been denied or directly addressed by the department.

The assertions made are:

1. Staff across the entire department were unable to browse the Internet or receive e-mail reliably for a period of no less than two days.

My questions around this assertion are:

A) Was the whole department impacted? If not, what proportion of staff lost access?
B) Why was Web browsing access restricted?
C) Are the problems ongoing or have they been completely resolved?

2. The "attack" led to problems associated with the transmission of tender documents and significantly impacted the day-to-day operations of the Department.

A) Were tender documents "lost"?
B) Were any tender deadlines extended?

I also need to know how many staff work for the NSW Department of Commerce.

If you would like your second round of responses included in the story, you will need to get back to me by 2pm tomorrow (Friday) for me to make deadline.

As you can see, my questions were aimed at finding out precisely what had happened in this taxpayer-funded department. How could an entire department lose two days of productivity due to a "spam attack"? How can the department and other government institutions avoid similar situations?

Unfortunately, the NSW state government doesn't believe it should be at all transparent. It doesn't believe the public has a right to know about its inner workings or the problems it experienced, how those problems arose, or what's being done to ensure massive productivity losses like this aren't repeated. How do I know this? Because the response to my 500 words of questions was the following:

Please refer to our earlier comments as Commerce's response on this matter.

This is an appalling response of an all too common kind. If you think I'm exaggerating, read this piece.

For more on the Department of Commerce spam attack, check out my security podcast at ITRadio.com.au...


Imminent storm threatens village

Thursday October 18th, 2007 - Category: Protect

By Pat GRAY

Back when I actually worked in security, as opposed to just writing about it and podcasting about it, I'd often sit around with other security types navel-gazing about the horrid state of security on the 'net.

"What will happen when these malware writers actually get their shit together?" we'd wonder.

The answer to that little curiosity, unfortunately, is the Storm malware. It's a Swiss Army-like malware tool. Once it's on a targeted system it can load Trojans, keyloggers, send spam and launch distributed denial of service (DDoS) attacks. Neat.

This stuff is so well put together that even the guys and gals analysing it on behalf of various security companies and CERTs can't help but be massively impressed.

Take this from a recent ZDNet UK article by Tom Espiner:

The owners of the Storm botnet, whose identities are as yet unknown, could be preparing to sell off the "services" of segments of the network, according to Joe Stewart, a researcher from managed security services company SecureWorks.

Stewart claimed in a blog post on Sunday that the latest Storm variants now use a 40-byte key to encrypt their peer-to-peer traffic, meaning each node will only be able to communicate with nodes that use the same key.

Sorry, but that's just cool. These guys are actually segmenting their botnets with crypto features to make their management more effective.

We've long wondered what would happen when malware writers went pro. Storm is it, people. It's been hanging around like an onion fart for a long, long time now, and it's not going anywhere. It is... pure evil...

It might be time to invest in some upgraded DDoS protection and some decent spam filters -- this botnet's a stayer.

Coming next week, Village spared from deadly storm... bit of a journo in-joke there. Click on the link for enlightenment...

...and don't forget to check out my weekly security podcast, Risky Business on ITRadio. On this week's show we spoke to Melbourne-based CSO Adam Pointon about what keeps him awake at night.


Stories about XSS are really, really lame

Thursday October 11th, 2007 - Category: Protect

By Pat GRAY

So the Australian ran this piece yesterday:

THE Liberal Party website was hacked this morning to make Prime Minister John Howard appear to enjoy engaging in a lewd homosexual act.

Under the heading, The Liberal Party of Australia, the website read: John Howard Says "I like to s... d...!"

A spokesman for the Liberal Party's federal secretariat said that officials were investigating the matter. "It appears to be a hoax, but we're checking it out," the spokesman said.

The loophole in the site's security appeared to have been closed by 11am.

The site was a victim of an HTML injection attack, whereby the hacker exploits a security flaw in the site structure to alter the content displayed to the user. It is a simple hack but can be a precursor to more malicious Cross-Site Scripting, or "XSS", attacks, which allow data to be sent to a user's computer.

Ummm... HTML injection? XSS? These aren't "hacks"... Data on the actual web-server isn't modified by these so-called "attacks". The only way to get someone to see the modified version of the page is to send them a carefully crafted link which merges content of the target pages with something else you've set up elsewhere. Alternatively, the extra content, like text, could be embedded in the link.

But it requires user intervention -- they have to click on that link!

To suggest the Libs' web server was hacked is misleading in the EXTREME. Also, XSS attacks do not allow "data to be sent to a user's computer" unless you've tricked someone into clicking a link and THEN exploited a vulnerability on the user's side, for example a browser bug. But you still need the user to click on the link in the first place.

XSS is the most basic and least severe example of sloppy web-programming... You can't do anything useful with it, except steal session cookies under very unlikely sets of circumstances.
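To make the distinction the post is drawing concrete, here is an added example (not from the original post, and nothing to do with the site in question) of reflected HTML injection: the page template stored on the server never changes, the extra content rides in a crafted link, escaping on output neutralises it, and a simple log check flags such links. The page path, the `msg` parameter name and the access-log lines are all constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlparse

# Hypothetical page skeleton; the file on the server is never modified, which is the point.
TEMPLATE = "<h1>The Liberal Party of Australia</h1><p>{msg}</p>"

# Constructed crafted link: the injected content is carried in the query string, not on the server.
CRAFTED_LINK = "http://example.test/page?msg=John%20Howard%20says%20%3Cb%3Einjected%3C/b%3E"


def reflected_message(url: str) -> str:
    """Pull the hypothetical 'msg' query parameter out of a link (URL-decoded)."""
    return parse_qs(urlparse(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim, so attacker-supplied tags become part of the page the victim sees."""
    return TEMPLATE.format(msg=reflected_message(url))


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-escaped on output so it renders as plain text."""
    return TEMPLATE.format(msg=html.escape(reflected_message(url), quote=True))


# Constructed access-log lines (Apache common log format) for the detection check below.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2007:09:12:01 +1000] "GET /page?msg=hello HTTP/1.1" 200 512
203.0.113.9 - - [11/Oct/2007:09:12:07 +1000] "GET /page?msg=%3Cb%3Einjected%3C/b%3E HTTP/1.1" 200 540
203.0.113.5 - - [11/Oct/2007:09:12:09 +1000] "GET /about HTTP/1.1" 200 301
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_injection_attempts(log_text: str) -> list[str]:
    """Return request paths whose URL-decoded query string carries HTML markup characters."""
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        if any(ch in unquote(urlparse(path).query) for ch in "<>"):
            flagged.append(path)
    return flagged
```

Note that `TEMPLATE` is identical before and after the crafted request: nothing on the server was "pwned", only what one browser was tricked into rendering.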

This whole thing boils down to some sloppy programming on the part of the Libs, but their site was NOT pwned. In this case The Australian's reporting is much sloppier than the code-monkey who belted out the Libs' website.

This is one of the poorest security related reports I've ever seen. XSS flaws were worth writing about, in context and accurately, five years ago. This is just shameless sensationalism...

Speaking of IT security reporting that doesn't suck, don't forget to check out my podcast on ITRadio.com.au. This week we're speaking to Marty Roesch about the future of Snort.


Some may choke on Blue Pill yet...

Thursday October 4th, 2007 - Category: Protect

By Pat GRAY

Hey all -- back from my holiday in Indo. Feeling very relaxed, but sadly out of touch with recent developments in the world of information security. So this will be a short and highly nerdy post. It's about the Blue Pill -- root-kits that install themselves as virtualisation layers, underneath operating systems, in order to evade detection.

The news is some clever propeller-heads have figured out how to detect them... for now.

ZDNet has reported that researchers from Carnegie Mellon and Stanford universities in the US have figured out that it's not actually that hard for software to detect when it's dealing with real hardware as opposed to virtualised hardware. Here's the money quote:

No matter how minimal the hostile VMM [virtual machine monitor] is, it must consume physical resources, perturb timings and take measures to protect itself from the guest, leaving it no less susceptible to detection than other VMMs.

Now, here's the part that's going to bake your noodle: While it's possible to detect the root-kitting of a normal PC with "hypervisor malware", how on Earth will you detect the Trojaning of a virtual image running on something like a VMware box?

That's right, a virtualised root-kit affecting a virtualised OS. Try measuring "perturbed timings" then!

I suppose you could bloat up the actual virtualisation layer (like VMware's hypervisor, for example) with an AV detection engine designed to scan for this sort of stuff, but ye gads, that means running security software at the virtualisation layer to monitor the operating systems that your other security software runs on! It's enough to turn a reasonable person quite insane.

At Hydrapinion we're all about opinions, and here's mine: The latest news from Carnegie Mellon and Stanford is fantastic, but virtualised root-kits will remain a significant pain in the arse for a long, long time; at least a four out of 10 on the patented Hydrapinion "ouch" scale.


Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.
Comment by Pat GRAY on "Some may choke on Blue Pill yet...":

Ugh... vPro is a whole other thing. The idea is you can have a light OS (WinCE, cut down Linux etc) running in parallel to your OS using hardware virtualisation. In theory it's great for spotting blue pills, but guys I've spoken to say it's far from foolproof. I'll be tackling that very issue in my podcast in the next few weeks.