Information Ethics.. an interesting discussion

 

Where does one actually draw the line of what is right and wrong in technology ethics, and how does one make the decisions.  Are things really black and white?

What if, let’s say, you were asked by your employer to steal data from another organization to give it a competitive advantage?  I think most of us would say that it is unethical.  Now, what if your employer is the NSA or the CIA and you’re a covert operative, and you are being asked to steal information from an enemy that can give your country a competitive edge, or protect the safety and welfare of your country. 

Now, in this case, and in many respects, we’re starting to get into territory that isn’t as black and white, I think many more people would be divided over this question than the original one.  But what is so different between the two scenarios that makes one so different than the other?

For example, in my job sometimes I am asked by an organization to execute penetration tests against their own organizational body.  So when when executing a risk assessment through penetration testing I call up the company, get a sweet gal on the other line of the phone, I make up some fictitious name, fictitious problem, and basically lie to her to deceive her into giving me secret and protected information. 

In so doing, I then build a report that outlines to the members of the organization where their weaknesses are, so that they can protect their systems against real hackers that would be out to deceive and retrieve real data for real harm.  But in this case, was it o.k. that I was lying and deceiving and breaking laws to prevent other bad people from lying and deceiving and breaking laws?

These questions in ethics aren’t necessary tied to Information Technology either; what about policemen that speed down the road so that they can get to the speed trap and catch speeders that are speeding down the road?

The intrigue of all these types of discussions is what so tightly draws me to questions of Information Ethics, and ethics as a whole.

Vulnerability in Windows Internet Explorer 6 & 7

Almost a month ago, I reported this vulnerability to Microsoft, and they came back and confirmed it was a problem, but then came back and said “It’s no big deal, we’ll fix it in the next release”.


Microsoft has this track record with me of saying “It’s no big deal”, and then later making it a big deal, and never giving me credit for helping them. So I told them I was bringing this one public if they really thought it was no big deal, then no harm done… – they never asked me not to…


So I tried posting it to bugtraq – 24 hours after my first post didn’t show up, I reposted with a second account, thinking that the first post was blocked because I used an email address that wasn’t subscribed – almost 15 hours later, and the second post hasn’t shown up – I’m begining to wonder if someone is blocking the post (for whatever reason).


I emailed the list owner, and no response and after about 18 hours no response… so I guess it’s up to me to just start posting the problem around on the internet to get the word out.


I’ve tried posting this thread on two different security forums, and each forum throws an exception and doesn’t let me post… I think the world is out to squash Microsoft Internet Explorer Vulnerabilities….. at least I can post here!




This vulnerability may have limited destructive powers based on the current description that I’ve come up with, because of it requiring both the server owner and the client user to practice poor security habits – but isn’t that what the world is filled with – people that don’t practice safe security habits? It is also possible that someone else with more time on their hands can come up with other variants that would be a bit more destructive.


Web application Scenario:


1.Website accepts file uploads from users
2.Website follows recommended security for file uploads including two that are important to this discussion:
a.The document being uploaded is not stored in a directory that is accessible by Web Users (it is served up from a back end process when requested by users)
b.The users do not have execute permissions on the documents that are stored on the server (only permissions that are granted for download)


Attack scenario:


1.Attacker uploads HTML file to site
a.This HTML file contains:
i.Copy of logon form from the website, including relative pathing to website for cascading style sheets, images, etc.
ii.Attacker modifies form post location, so form posts go to a site the attacker controls
2.Website provides other users the ability based on their authorization to download and view the HTML file that the attacker uploads


IE Response:


1.Authenticated users click on HTML file and are presented with the download popup, file is streamed from a repository other than a web accessible location from the server
2.When prompted, users choose “Open” from the download popup, allowing default application to open the downloaded file
3.IE opens the HTML page in the current IE window (this has been verified against both IE 6 and IE 7), but IE does not change the security zone, or the URL of the IE address bar, so now the user sees the (modified) logon page of the site, but is given no indication (apart from opening and reviewing source code) that this page is not hosted on the site they are visiting
4.IE, thinking the HTML page has been served up from the remote site in the normal use case, also resolves all relative paths (cascading style sheets, images, etc) from the server
5.User – while thinking it odd that they are being prompted to logon again, looks and sees they are still in the same security zone, and URL of their trusted website
6.User logs on again (sending credentials to the attacker), and attacker does anything he wants with the post (serve up the actual file, redirect back to the original site, etc.)



Contrast IE’s response to FireFox’s response.


FireFox response:


1.Authenticated users click on HTML file and choose to download, when prompted, users choose “Open” for HTML file, allowing default application to open the downloaded file
2.Default browser (or alternate browser) opens the HTML page from local internet cache after download complete
3.Browser does not resolve relative paths, and URL is changed to show it’s running from a local location
4.Attack is obvious, User doesn’t proceed.



Perhaps I’ve missed something that makes this of no use to an attacker, and perhaps I’ve missed something that makes this an even bigger problem than I realized – but none-the-less, here it is.


r/Darth Jedi

What I do in my spare time…

Well – I’m always looking for ways to fine tune my skills with computers. Often I’m doing security assessments of web sites and applications; a lot of times I’m disassembling code; writing and reading computer assembly; and lately I’ve been really into Code Breaking.


I have a website that I am posting some of the Cipher’s I am breaking from the book “Codebreaker” – the site is Here.


I’ve been recently writing routines in C# to Encrypt and Decrypt using Asymmetric and Symmetric Encryption Algorithm’s – specifically AES and RSA – I will make them available on that website soon.


But in the mean time, to better understand how Base64 Encoding works (This is very important in the world of computers) – I’m currently writing a raw implementation of a base64 encoding/decoding engine (if you can call it that).


The Base64 encoder – if you’re interested, and you have .Net 2.0 installed; and you have the default CASPOL settings – can be located Here, or you can find it under the above like with the link called “Interlude”.


Yep – told you I’m nerdy.