Wednesday, July 11, 2007

Insecure Bureaucracy in Germany

First, it was data mining 22 million credit cards to see who purchased access to a set of child porn sites, only to figure out the obvious: that the accounts were purchased with stolen credit cards. Now, declaring that hacking tools are illegal is nothing more than creating a bureaucratic safe haven on the local scene. And while pen-testers in Germany will do password cracking with paper and pen to verify that password best practices are indeed enforced and taken seriously, script kiddies who have just compiled yet another 5GB rainbow table will have a competitive advantage by default:

"The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run denial of service attacks and one designed to stress-test a network, are not properly covered in the legislation, critics argue. Taken as read, the law might even make use of data recovery software to bypass file access permissions and gain access to deleted data potentially illegal."

The idea rests on the hope that Germany's Internet is an isolated intranet, where if no one can get hold of hacking tools then no one will be able to find vulnerable hosts and actually exploit them. But the reality is that it's all a matter of perspective. By not conducting a security audit of your assets, and with the lack of any (detected) breaches, you're enjoying a nice false sense of security. This story is a great example of bureaucrats evangelizing security through obscurity on a wide scale, while every single script kiddie on the other side of the world will have access to a commodity set of pen-testing tools to showcase age-old vulnerabilities in Germany's infrastructure. Of course, you're secure in your own twisted reality, but limiting access to pen-testing tools for a security consultant, and to "evil hacking programs" for everyone else, in order to improve security is not just unpragmatic but naive as well. Here's an interview with Marco Gercke, a local expert on the topic.

This is not an isolated case in Germany, but part of what looks like a growing trend, following a previous discussion on whether or not German law enforcement should code and use malware on a suspect's PC. The FBI, by the way, is already doing this in the form of keyloggers to obtain passphrases that are otherwise impossible to crack, at least with respect to brute-forcing PGP and Hushmail accounts. So what could be next? A law that would open up cooperation with anti-virus vendors doing business in the country, in the form of either not detecting, or delaying signatures for, law enforcement-coded malware? Or will law enforcement start bidding for zero-day vulnerabilities right next to an intelligence agency, without either of them knowing who the competing bidder is?

Another bureaucratic development from the past is related to the U.K.'s perspective on how to obtain access to encrypted material without coding malware and keyloggers: by requiring that everyone provide their private encryption keys on request. It gets even more interesting with Australia joining the trend by using spyware on suspects.

Never let a bureaucrat do an ethical pen-tester's job.
